Flagship Project
OWASP Application Security Verification Standard (ASVS)
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.
About ASVS

The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard.

The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications.

Latest version: ASVS 5.0.0

Developed to achieve these objectives:

  • Use as a metric: Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications.
  • Use as guidance: Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements.
  • Use during procurement: Provide a basis for specifying application security verification requirements in contracts.

How to Reference ASVS Requirements

Each requirement has an identifier in the format <chapter>.<section>.<requirement>, where each element is a number. For example, 1.11.3.

  • The <chapter> value corresponds to the chapter from which the requirement comes; for example, all 1.#.# requirements are from the 'Encoding and Sanitization' chapter.
  • The <section> value corresponds to the section within that chapter where the requirement appears, for example: all 1.2.# requirements are in the 'Injection Prevention' section of the 'Encoding and Sanitization' chapter.
  • The <requirement> value identifies the specific requirement within the chapter and section, for example, 1.2.5 which as of version 5.0.0 of this standard is:

Verify that the application protects against OS command injection and that operating system calls use parameterized OS queries or use contextual command line output encoding.

Since the identifiers may change between versions of the standard, it is preferable for other documents, reports, or tools to use the following format: v<version>-<chapter>.<section>.<requirement>, where: 'version' is the ASVS version tag. For example: v5.0.0-1.2.5 would be understood to mean specifically the 5th requirement in the 'Injection Prevention' section of the 'Encoding and Sanitization' chapter from version 5.0.0.

Note: The v preceding the version number in the format should always be lowercase.

If identifiers are used without including the v<version> element then they should be assumed to refer to the latest Application Security Verification Standard content. As the standard grows and changes this becomes problematic, which is why writers or developers should include the version element.

ASVS requirement lists are made available in CSV, JSON, and other formats which may be useful for reference or programmatic use.
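
The identifier rules above, as a small validator for references found in reports or tool output. This is an added example, not code from the ASVS project; the names `AsvsRef`, `parse_ref`, `audit` and `SAMPLE` are hypothetical, and it assumes the version tag is a dotted number such as 5.0.0.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: the version tag is a dotted number such as 5.0.0 (the page's only example).
_REF = re.compile(
    r"(?:(?P<prefix>[vV])(?P<version>\d+(?:\.\d+)*)-)?"
    r"(?P<chapter>\d+)\.(?P<section>\d+)\.(?P<requirement>\d+)"
)

@dataclass(frozen=True)
class AsvsRef:
    version: Optional[str]  # None: unversioned, i.e. "latest" at time of reading
    chapter: int
    section: int
    requirement: int

    def pinned(self, assumed_version: str) -> str:
        """Render as v<version>-<chapter>.<section>.<requirement>."""
        version = self.version or assumed_version
        return f"v{version}-{self.chapter}.{self.section}.{self.requirement}"

def parse_ref(text: str) -> AsvsRef:
    m = _REF.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not an ASVS requirement identifier: {text!r}")
    if m["prefix"] == "V":  # the format requires a lowercase v
        raise ValueError(f"version prefix must be a lowercase 'v': {text!r}")
    return AsvsRef(m["version"], int(m["chapter"]), int(m["section"]), int(m["requirement"]))

def audit(refs):
    """Split identifiers into pinned, unversioned (ambiguous) and malformed."""
    result = {"pinned": [], "unversioned": [], "malformed": []}
    for raw in refs:
        try:
            ref = parse_ref(raw)
        except ValueError:
            result["malformed"].append(raw)
            continue
        result["unversioned" if ref.version is None else "pinned"].append(raw)
    return result

# Constructed sample: identifiers as they might appear in a findings report.
SAMPLE = ["v5.0.0-1.2.5", "1.11.3", "V5.0.0-1.2.5", "1.2", "v5.0.0-1.2.x"]

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(parse_ref("1.2.5").pinned("5.0.0"))
```

Running `audit` over a report's references surfaces the unversioned ones, which are the identifiers whose meaning can shift when a new ASVS version is published.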

Meet the ASVS
Matthew Aderhold
Engage with the Community
Meet our new Community Manager, Matthew Aderhold, throughout the conference. Chat about ASVS, get stickers, and learn how to get involved — special stickers available for contributors!
Applying ASVS in Practice
Aram Hovsepyan will explore how ASVS can guide security test case design across the software lifecycle.
Aram Hovsepyan
ASVS Supporters

We gratefully acknowledge the organizations supporting the OWASP ASVS Project — either through financial contributions or by allowing their staff to dedicate significant time to the standard.

Supporters are recognized based on their level of contribution and commitment.

Maintaining Supporters through time provisions
Organizations who have allowed contributors to spend significant time working on the standard as part of their working day with the organization.

This will be evaluated at the sole discretion of the project leaders. Supporter will be listed for 2 years from the end of the time provision.
Primary Supporter(s)
Organizations who have donated $7,000 or more to the project via OWASP. Supporter will be listed for 3 years from the date of the donation.
Silver Supporters
Organizations who have donated $3,000 or more to the project via OWASP. Supporter will be listed for 2 years from the date of the donation.
Tertiary Supporter(s)
Organizations who have donated $500 or more to the project via OWASP. Supporter will be listed for 1 year from the date of the donation.
Associate Supporter(s)
Organizations who have donated another amount to the project via OWASP. Supporter will be listed for 1 year from the date of the donation.
Recent News
Starr Brown, May 6
ASVS Version 5.0.0 is released LIVE at Global AppSec EU Barcelona 2025!
Starr Brown, May 6
Release Candidate 1 of the ASVS version 5.0 is announced!
Starr Brown, May 6
Some of the ASVS team got together at the OWASP Project Summit to make major progress on getting towards version 5.0!
Upcoming Events
3-7 NOV 2025: OWASP Global AppSec USA 2025
2-6 NOV 2026: OWASP Global AppSec USA 2026
Volunteer for the ASVS
Build the Standard
Help shape the OWASP Application Security Verification Standard. We're always looking for volunteers to contribute to its ongoing development and help define its future.
Get Involved
We have many ways you can help, from writing and editing to coding, building scripts, and creating GitHub Actions. Most roles require a few hours a week, and more intensive tasks arise periodically.
All Are Welcome
You don't have to be an expert. Students and newcomers are encouraged to apply! Getting involved is a great way to gain experience and make connections in the security community.
OWASP is a nonprofit foundation improving software security through open-source projects, global communities, and education. All resources are free and open to everyone.
OWASP, the OWASP logo, and Global AppSec are registered trademarks and AppSec Days, AppSec California, AppSec Cali, SnowFROC, OWASP Boston Application Security Conference, and LASCON are trademarks of the OWASP Foundation, Inc.
© 2025, OWASP Foundation Inc. All rights reserved.