Verification  
Updated Dec 29, 2009 by mike.bob...@gmail.com

Detailed Verification Requirements

This section of the OWASP Application Security Verification Standard (ASVS) defines detailed verification requirements that were derived from the high-level requirements for each of the verification levels defined in this standard. Each section below defines a set of detailed verification requirements grouped into related areas. The ASVS defines the following security requirements areas:

  • V1. Security Architecture
  • V2. Authentication
  • V3. Session Management
  • V4. Access Control
  • V5. Input Validation
  • V6. Output Encoding/Escaping
  • V7. Cryptography
  • V8. Error Handling and Logging
  • V9. Data Protection
  • V10. Communication Security
  • V11. HTTP Security
  • V12. Security Configuration
  • V13. Malicious Code Search
  • V14. Internal Security

For each of these areas, the standard specifies the requirements that must be met at each of the following verification levels:

  • Level 1: Automated Verification
    • Level 1A - Dynamic Scan (Partial Automated Verification)
    • Level 1B - Source Code Scan (Partial Automated Verification)
  • Level 2: Manual Verification
    • Level 2A - Security Test (Partial Manual Verification)
    • Level 2B - Code Review (Partial Manual Verification)
  • Level 3: Design Verification
  • Level 4: Internal Verification
