OWASP ASVS in General
The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted.
The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard.
The OWASP ASVS defines verification and documentation requirements grouped by coverage and level of rigor: each verification scope corresponds to a security level. The Standard (in its original 2009 edition, which this overview follows) defines four hierarchical levels; moving from Level 1 to Level 4, more coverage and more rigor are required to satisfy that level’s security requirements. Level 4 (“Internal Verification”) is typically appropriate for critical applications that protect life and safety, critical infrastructure, or defense functions. For each level, the Standard states its requirements in these categories:
- Security Control Behavior Requirements
- Security Control Use Requirements
- Security Control Implementation Requirements
- Security Control Verification Requirements
- Reporting Requirements

The detailed verification requirements themselves are grouped into the following areas:
- Security Architecture
- Authentication
- Session Management
- Access Control
- Input Validation
- Output Encoding/Escaping
- Cryptography
- Error Handling and Logging
- Data Protection
- Communication Security
- HTTP Security
- Security Configuration
- Malicious Code Search
- Internal Security
I will not be going too deep into the requirements themselves. For further information, you can find the standard here: http://sourceforge.net/projects/owasp/files/Guide/
At the time of writing, version 2.0.1 is the latest version.
Hope this helps someone.