Application Security Verification Standard (ASVS) for web applications version 2.0 has been published by OWASP. The ASVS standard provides a basis for verifying application technical security controls, as well as any technical security controls in the environment that are relied on to protect against application security vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection.
ASVS Web Application Standard 2.0 has been comprehensively reviewed, reassessed and updated primarily by Sahba Kazerooni, Daniel Cuthbert, Andrew van der Stock and Krishna Raja, along with a dozen or so other contributors and reviewers.
The standard can be used to define application security requirements based on an assessment of risk, and to assist application security verification activities. Three new classes of requirement have been defined that did not exist in the previous 2009 edition:
- V15 Business Logic verification requirements
- V16 Files and Resources verification requirements
- V17 Mobile verification requirements.
Furthermore, the following classes no longer exist, to focus on the application requirements, and also due to the merging of encoding/escaping within the input validation section:
- V1 Security Architecture documentation requirements
- V6 Output Encoding/Escaping verification requirements
- V12 Security Configuration verification requirements
- V14 Internal Security verification requirements.
For organisations already using the previous version, the numbering of matching requirements has not changed, but it does mean that there are also new requirements within each section, and some gaps in numbering where a previous requirement has been removed.
The standard defines verification requirements for three levels of verification, labelled opportunistic, standard and advanced. Appendix A of the document provides some example scenarios for the ASVS level that might be used for different industry sector.
If you have only read the OWASP Top 10, ASVS should be your next read. Expect to see mappings from ASVS 2.0 to the OWASP Testing Guide.