OWASP Application Security Verification Standard (ASVS) Template

Documentation / Get Started

The OWASP Application Security Verification Standard (ASVS) is a list of SW security requirements and tests that you can use as the main guideline for developing secure HW/SW products as follows:

  1. Add the ASVS document to your requirements project.
  2. Choose ASVS requirements applicable for your product.
  3. Assign applicable ASVS requirements to responsible owners.
  4. Derive SW requirements and tests, see OWASP Cheet Sheet for more technical guidance.
  5. Implement SW requirements and automatic tests.
  6. Verify requirements, collect compliance evidence and set the compliance status.

Document Template

To create a new document using this template, click Project and select Add Document. In the Add Document dialog, choose Document Template radio button, select “OWASP Application Security Verification Standard 4.0.3 (ASVS)” from the dropdown and optionally edit the document ID and name.

ReqView document created from the OWASP ASVS template

Alternatively, you can download the ReqView document template file for the latest stable OWASP ASVS version:

Note: The contents of this document template are generated directly from source files in the OWASP ASVS Github repository released by the OWASP Foundation under the Creative Commons Attribution ShareAlike 3.0 license.

Template Instructions

If you create a new document from this template then the application displays detailed guidance in the Instructions pane:

Instructions from the ASVS document template

Attributes

Common Attributes

NameIdentifierTypeDescription
IDidstringUnique identifier within the project
ASVS IDasvsIdstringASVS Requirement #
TypetypeenumOne of “Information”, “Chapter”, “Section”, “Requirement”

Requirement Attributes

NameIdentifierTypeDescription
TypetypeenumSet to “Requirement”
L1 Textl1textxhtmlLevel 1 Requirement text
L2 Textl2textxhtmlLevel 2 Requirement text
L3 Textl3textxhtmlLevel 3 Requirement text
CWEcwexhtmlMapping to Mitre Common Weakness Enumeration
NIST §nistxhtmlLinks to relevant sections of NIST Special Publication 800-63B Digital Identity Guidelines
L1l1enumOne of “Not required”, “Recommended, but not required”, “Required”
L2l2enumOne of “Not required”, “Recommended, but not required”, “Required”
L3l3enumOne of “Not required”, “Recommended, but not required”, “Required”

Compliance Attributes

NameIdentifierTypeDescription
ApplicableapplicableboolFlag determining whether a requirement applies to your product at all
OwnerownerstringPerson responsible for this requirement
Compliance StatuscomplianceenumOne of “Non-compliant”, “Partially compliant”, “Fully compliant”
EvidenceevidencexhtmlEvidence of compliance – company policies, audit reports, test results, logs etc.

Table Views

The document template includes the following table views:

  • Primary – view ASVS using the same layout as PDFs from OWASP.
  • Manage – set the Applicable flag, assign requirements to the Owner and display the Compliance Status.
  • Level 1 Compliance – set the Compliance Status, capture the Evidence, and display Links for requirements to achieve compliance with level 1.
  • Level 2 Compliance – set the Compliance Status, capture the Evidence, and display Links for requirements to achieve compliance with level 2.
  • Level 3 Compliance – set the Compliance Status, capture the Evidence, and display Links for requirements to achieve compliance with level 3.
  • Traceability – display the requirements traceability matrix.
OWASP ASVS documents displayed with the Assignment view in ReqView

Note: The Compliance table views are displayed with a predefined filter that includes only the requirements of the corresponding ASVS level and that also have the Applicable flag set. You can unset the Applicable flag using the Manage view if a requirement doesn’t apply to your product.

Example

  1. Assess ASVS security requirements for the chosen compliance level.

  2. Derive SW requirements in the Software Requirements Specification (SRS) from the ASVS requirements.

  3. Link SRS requirements to the corresponding ASVS requirements using the satisfaction link type.

  4. Analyze coverage of applicable ASVS requirements using the traceability matrix:

    Example of using ASVS document with traceability to SRS in ReqView

For more information, see the ASVS document in the Example Project.

References

 Try ReqView
Updated for version 2.19.0