OWASP Thick Client Application Security Verification Standard

Introduction

The OWASP Thick Client Application Security Verification Standard (TASVS) Project aims to establish an open standard for securing thick client applications. This project provides a comprehensive framework for designing, building, and testing technical application security controls, addressing architectural concerns, secure development lifecycle, threat modeling, agile security practices, continuous integration/deployment, serverless environments, and configuration management.

The TASVS Project fills the gap between the OWASP Application Security Verification Standard (ASVS) for web applications and the Mobile Application Security Verification Standard (MASVS). While the MASVS can be applied to thick client testing, it is not an ideal fit. The TASVS Project seeks to create a more suitable standard for these scenarios.

Project Leaders and Working Group

The project is mainly maintained by a single project leader, Dave Hanson. However, he is heavily supported by his active AppSec team at Bentley Systems, which includes Samuel Aubert, Einaras Bartkus, Thomas Chauchefoin, and John Cotter.

The project is also supported by the OWASP community and the OWASP Foundation. Special thanks to Starr Brown for her support in her capacity as Director of Projects.

Roadmap

The first public version that was suitable for use was released in September 2024. The project is in the process of refining the standard and adding more content.

As we mature, we will be looking to create a more structured approach to the roadmap. As with most activities, we will allow ourselves to be steered by the work completed by the ASVS project to find that structure.

Contributing

The project is looking for contributors to help with the following tasks:

  • Getting the word out about the project. If you do nothing else, please share this project with your network.
  • Review and provide feedback on the current standard.
  • Create new control objectives.
  • Update existing control group definitions, particularly those that:
    • might benefit from code examples, and
    • could be elaborated on further in simpler terms, to make them more accessible to juniors in our field and to developers with less security experience.

Special thanks to our contributors

The OWASP Thick Client Application Security Verification Standard (TASVS) Project would like to thank the following contributors for their support and dedication to the project:

Sponsors

Bentley Systems

Bentley is the leading provider of infrastructure engineering software, advancing infrastructure for better quality of life and sustainability.

Visit bentley.com to learn more.
