The OWASP Application Security Verification Standard (ASVS) is a list of SW security requirements and tests that you can use as the main guideline for developing secure HW/SW products as follows:
- Add the ASVS document to your requirements project.
- Choose ASVS requirements applicable for your product.
- Assign applicable ASVS requirements to responsible owners.
- Derive SW requirements and tests, see OWASP Cheet Sheet for more technical guidance.
- Implement SW requirements and automatic tests.
- Verify requirements, collect compliance evidence and set the compliance status.
Document Template
To create a new document using this template, click Project and select Add Document. In the Add Document dialog, choose Document Template radio button, select “OWASP Application Security Verification Standard 4.0.3 (ASVS)” from the dropdown and optionally edit the document ID and name.
Alternatively, you can download the ReqView document template file for the latest stable OWASP ASVS version in your language:
- OWASP-ASVS-4.0.3-Template.reqw (English)
- OWASP-ASVS-4.0.3-Template-ar.reqw (العربية – Arabic)
- OWASP-ASVS-4.0.3-Template-de.reqw (Deutsch – German)
- OWASP-ASVS-4.0.3-Template-es.reqw (Español – Spanish)
- OWASP-ASVS-4.0.3-Template-fr.reqw (Français – French)
- OWASP-ASVS-4.0.3-Template-pt.reqw (Português – Portuguese)
- OWASP-ASVS-4.0.3-Template-zh-cn.reqw (中文 – Chinese)
Note: The contents of this document template are generated directly from source files in the OWASP ASVS Github repository released by the OWASP Foundation under the Creative Commons Attribution ShareAlike 3.0 license.
Template Instructions
If you create a new document from this template then the application displays detailed guidance in the Instructions pane:
Attributes
Common Attributes
| Name | Identifier | Type | Description |
|---|---|---|---|
| ID | id | string | Unique identifier within the project |
| ASVS ID | asvsId | string | ASVS Requirement # |
| Type | type | enum | One of “Information”, “Chapter”, “Section”, “Requirement” |
Requirement Attributes
| Name | Identifier | Type | Description |
|---|---|---|---|
| Type | type | enum | Set to “Requirement” |
| L1 Text | l1text | xhtml | Level 1 Requirement text |
| L2 Text | l2text | xhtml | Level 2 Requirement text |
| L3 Text | l3text | xhtml | Level 3 Requirement text |
| CWE | cwe | xhtml | Mapping to Mitre Common Weakness Enumeration |
| NIST § | nist | xhtml | Links to relevant sections of NIST Special Publication 800-63B Digital Identity Guidelines |
| L1 | l1 | enum | One of “Not required”, “Recommended, but not required”, “Required” |
| L2 | l2 | enum | One of “Not required”, “Recommended, but not required”, “Required” |
| L3 | l3 | enum | One of “Not required”, “Recommended, but not required”, “Required” |
Compliance Attributes
| Name | Identifier | Type | Description |
|---|---|---|---|
| Applicable | applicable | bool | Flag determining whether a requirement applies to your product at all |
| Owner | owner | string | Person responsible for this requirement |
| Compliance Status | compliance | enum | One of “Non-compliant”, “Partially compliant”, “Fully compliant” |
| Evidence | evidence | xhtml | Evidence of compliance – company policies, audit reports, test results, logs etc. |
Table Views
The document template includes the following table views:
- Primary – view ASVS using the same layout as PDFs from OWASP.
- Manage – set the Applicable flag, assign requirements to the Owner and display the Compliance Status.
- Level 1 Compliance – set the Compliance Status, capture the Evidence, and display Links for requirements to achieve compliance with level 1.
- Level 2 Compliance – set the Compliance Status, capture the Evidence, and display Links for requirements to achieve compliance with level 2.
- Level 3 Compliance – set the Compliance Status, capture the Evidence, and display Links for requirements to achieve compliance with level 3.
- Traceability – display the requirements traceability matrix.
Note: The Compliance table views are displayed with a predefined filter that includes only the requirements of the corresponding ASVS level and that also have the Applicable flag set. You can unset the Applicable flag using the Manage view if a requirement doesn’t apply to your product.
Example
-
Assess ASVS security requirements for the chosen compliance level.
-
Derive SW requirements in the Software Requirements Specification (SRS) from the ASVS requirements.
-
Link SRS requirements to the corresponding ASVS requirements using the satisfaction link type.
-
Analyze coverage of applicable ASVS requirements using the traceability matrix:
![Example of using ASVS document with traceability to SRS in ReqView]( "Example of using ASVS document with traceability to SRS in ReqView")
For more information, see the ASVS document in the Example Project.
References
- OWASP Application Security Verification Standard (ASVS) Project
- OWASP ASVS Github repository
- OWASP Cheat Sheet Series
- OWASP Developer Guide