OWASP Application Security Verification Standard 5.0
ASVS is a requirements checklist for application security verification — a concrete list of things to look for during review, with three assurance levels (L1 minimum, L2 standard, L3 advanced). Each chapter below links to the per-chapter requirements list.
345 verification requirements across 17 chapters · 70 at Level 1, 183 at Level 2, 92 at Level 3.
| Chapter | Title | L1 | L2 | L3 | Total |
|---|---|---|---|---|---|
| V1 | Encoding and Sanitization | 8 | 19 | 3 | 30 |
| V2 | Validation and Business Logic | 4 | 7 | 2 | 13 |
| V3 | Web Frontend Security | 8 | 11 | 12 | 31 |
| V4 | API and Web Service | 2 | 8 | 6 | 16 |
| V5 | File Handling | 4 | 5 | 4 | 13 |
| V6 | Authentication | 13 | 22 | 12 | 47 |
| V7 | Session Management | 6 | 12 | 1 | 19 |
| V8 | Authorization | 4 | 3 | 6 | 13 |
| V9 | Self-contained Tokens | 4 | 3 | 0 | 7 |
| V10 | OAuth and OIDC | 5 | 24 | 7 | 36 |
| V11 | Cryptography | 3 | 11 | 10 | 24 |
| V12 | Secure Communication | 3 | 6 | 3 | 12 |
| V13 | Configuration | 1 | 12 | 8 | 21 |
| V14 | Data Protection | 2 | 7 | 4 | 13 |
| V15 | Secure Coding and Architecture | 3 | 10 | 8 | 21 |
| V16 | Security Logging and Error Handling | 0 | 16 | 1 | 17 |
| V17 | WebRTC | 0 | 7 | 5 | 12 |
Source: OWASP ASVS 5.0.0 · Licensed under CC BY-SA 4.0 · CWE / NIST 800-53 cross-references are a separate (Phase B) LLM-authored mapping, not yet rendered here.