Wednesday, October 8, 2025

OWASP ASVS v5: Raising the Bar for Application Security


    Application security has become more critical than ever as cyber threats evolve, and organizations need robust, shared frameworks to secure their web applications and services. OWASP has answered this need with the release of the Application Security Verification Standard (ASVS) version 5.0, officially launched at Global AppSec EU Barcelona 2025.

    What is OWASP Application Security Verification Standard v5?

    The OWASP Application Security Verification Standard (ASVS) v5.0 is a framework of roughly 350 verification requirements, organized into 17 chapters, for designing, developing, and testing modern web applications and web services. The project dates back to 2008; this latest stable version is a thorough restructuring with refined requirements and improved usability aimed at broader adoption.

    The primary aim of ASVS v5 is to provide an open application security standard for web applications and services of all types, with a structured approach that helps development teams meet security requirements systematically. It serves three roles: security architecture guidance for building secure applications, a development standard offering secure coding checklists for developers, and a testing framework enabling consistent security verification across organizations.

    Major Changes and Improvements in OWASP ASVS 5.0

    The following comparison sets each area of change side by side: the position in ASVS v4.0.3 and the position in ASVS v5.0.

    Release context
        v4.0.3: Last major release (4.0) in March 2019; v4.0.3 was a minor revision in October 2021.
        v5.0: First major revision in six years, released in May 2025 and presented at Global AppSec EU Barcelona 2025.

    Number of requirements
        v4.0.3: 286 requirements.
        v5.0: About 350 requirements.

    Chapters
        v4.0.3: 14 chapters.
        v5.0: 17 reorganized chapters.

    Requirement numbering
        v4.0.3: Numbering unchanged since the v4.0 release.
        v5.0: Completely renumbered and reordered; a two-way mapping between v4.0.3 and v5.0 identifiers is published alongside the standard.

    Verification levels (L1 to L3)
        v4.0.3: L1 had 131 requirements and was widely considered too heavy for an entry level; L2 and L3 were very close (about 20 more requirements at L3). L1 was also described as achievable through black-box testing.
        v5.0: Levels rebalanced: L1 is lighter and achievable as a first step, and L2 and L3 scale more evenly. The standard states explicitly that black-box testing alone is not sufficient at any level.

    Control organization
        v4.0.3: Some overlap and duplication; controls not always grouped by risk.
        v5.0: Deduplicated, rewritten, and grouped more logically by risk and category.

    Mappings (CWE, NIST, etc.)
        v4.0.3: Mappings embedded in the main document, which made them hard to maintain.
        v5.0: Mappings moved out of the requirement text; long term they are handled through the OWASP Common Requirement Enumeration (CRE).

    Explanatory guidance
        v4.0.3: Rationale and explanations inline within the requirements.
        v5.0: Requirement text streamlined; guidance moved to the end of the document for readability.

    New topics added
        v4.0.3: No post-quantum planning; limited requirements for documenting security decisions.
        v5.0: Post-quantum cryptography planning (e.g., requirement 11.1.4 at L3) and organizational documentation of security decisions.

    Deprecated / removed controls
        v4.0.3: Some impractical or outdated requirements retained, such as a 32-bit minimum salt length, Unicode characters counted toward password complexity, and zeroing memory after use.
        v5.0: Focus on relevant, testable, high-impact controls.

    Verification approach
        v4.0.3: Ambiguous: black-box testing implied at L1, though acknowledged as weak.
        v5.0: Clear stance: meaningful verification requires access to documentation, source code, or configuration; black-box testing alone is insufficient.

    Usability / adoption
        v4.0.3: High barrier at L1, mixed guidance, difficult adoption for small teams.
        v5.0: Lower barrier to entry; start at L1 and progress to L2 and L3.

    Examples of requirement updates
        v4.0.3: Password and cryptography requirements still reflected older practice.
        v5.0: Password requirements aligned with NIST SP 800-63B; outdated cryptography (SHA-1, short salts) removed.
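    As an added example (not code from this page or from OWASP), the following Python routine implements the updated password practice the last row describes: length and breach-list checks only, no composition rules, any printable Unicode accepted, a 128-bit random salt instead of the old 32-bit minimum, and a memory-hard hash (scrypt) instead of SHA-1. The breached-password set and the scrypt cost parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed stand-in for a breached-password corpus; a real deployment would
# check a far larger list (for example an offline Have I Been Pwned dump).
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 8      # minimum memorized-secret length in NIST SP 800-63B
MAX_LENGTH = 128    # must be at least 64; over-long input is rejected, never truncated
SALT_BYTES = 16     # 128-bit random salt, well above the old 32-bit minimum
# scrypt cost parameters (assumed; tune to the server's CPU and memory budget).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def check_password_policy(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable.

    No composition rules: any printable Unicode character and spaces are
    allowed; only length and breach-list membership are checked.
    """
    # NFKC normalisation so visually identical inputs compare equal; count
    # code points, not bytes, so non-Latin passwords are not penalised.
    normalised = unicodedata.normalize("NFKC", password)
    problems = []
    if len(normalised) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(normalised) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # Unicode category C* = control, format, surrogate, private-use, unassigned.
    if any(unicodedata.category(ch).startswith("C") for ch in normalised):
        problems.append("contains control or non-printable characters")
    if normalised.lower() in BREACHED_PASSWORDS:
        problems.append("appears in breached-password list")
    return problems


def hash_password(password: str, salt: bytes = b"") -> str:
    """Hash with scrypt and a fresh random salt; returns a self-describing record."""
    salt = salt or os.urandom(SALT_BYTES)
    secret = unicodedata.normalize("NFKC", password).encode("utf-8")
    digest = hashlib.scrypt(secret, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    # Parameters travel with the hash so cost can be raised later without a reset.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    expected = bytes.fromhex(digest_hex)
    secret = unicodedata.normalize("NFKC", password).encode("utf-8")
    digest = hashlib.scrypt(secret, salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Password", "short"]:
        print(repr(candidate), check_password_policy(candidate) or "ok")
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record),
          verify_password("wrong", record))
```

    The stored record carries its own scheme and cost parameters, which is what lets an application migrate hashes (for example away from SHA-1 or to a higher work factor) transparently at the next successful login rather than forcing a password reset.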

    Breakdown of the 17 Chapters in ASVS v5

    ASVS v5 organizes its requirements into 17 chapters. The numbering below is the v5.0 numbering, which does not match v4.0.3; requirement identifiers take the form chapter.section.requirement (for example 11.1.4).

    1. Encoding and Sanitization

    Output encoding and input sanitization to prevent injection: contextual encoding for HTML, JavaScript, URL and other output contexts; parameterized queries for SQL and other interpreters, including OS commands; and safe handling of templates and deserialization.

    2. Validation and Business Logic

    Positive (allow-list) input validation against business and functional expectations, enforcement of business logic flows and transaction integrity, and anti-automation controls for workflows that can be abused.

    3. Web Frontend Security

    Browser-facing controls: cookie attributes, HTTP security headers, Content Security Policy, and protection against CSRF and clickjacking.

    4. API and Web Service

    Security of REST, GraphQL and other web services, including content-type handling and authentication and access control on endpoints, with WebSocket requirements in section 4.4.

    5. File Handling

    Safe upload, storage, processing and download of files: type and size validation, path traversal prevention, and serving user-supplied files without executing them.

    6. Authentication

    Password policy aligned with NIST SP 800-63B, secure credential storage, multi-factor and cryptographic authenticators, account recovery, and anti-automation for authentication endpoints.

    7. Session Management

    Session lifecycle: secure token generation, timeout, logout and re-authentication, and defenses against session fixation and hijacking.

    8. Authorization

    Function-level and object-level authorization enforced on every request, least privilege, and protection against privilege escalation and insecure direct object references.

    9. Self-contained Tokens

    Requirements for JWT-style tokens: signature verification, algorithm allow-listing, validation of issuer, audience and expiry claims, and handling of revocation.

    10. OAuth and OIDC

    Requirements for the OAuth 2.0 and OpenID Connect roles of authorization server, client and resource server, including flow selection, token validation and redirect handling.

    11. Cryptography

    Approved algorithms and modes, key management and randomness, a cryptographic inventory, and crypto agility including post-quantum planning (11.1.4 at L3).

    12. Secure Communication

    TLS configuration, certificate validation for inbound and outbound connections, and protection of data in transit between services.

    13. Configuration

    Secure configuration of the application and its backend connections, secret management, and prevention of information leakage through defaults and debug features.

    14. Data Protection

    Identification and classification of sensitive data, controls on caching, logging and retention, and protection of data at rest in line with its classification.

    15. Secure Coding and Architecture

    Security documentation and design decisions, management of third-party components and their update time frames, defensive coding practices, and safe concurrency.

    16. Security Logging and Error Handling

    Logging of security-relevant events in a form usable for monitoring and incident response, protection of log data, and error handling that does not disclose sensitive detail.

    17. WebRTC

    Security of real-time communication: media and signaling servers, TURN and related infrastructure.

    ASVS v5.0 Control Updates and Additions

    Each entry gives the v4.0.3 position, what changed and why it matters, and the ASVS v5.0 chapter where the topic now lives.

    Security documentation and threat modeling
        v4.0.3: Threat modeling required, but little mandate to document the resulting decisions.
        Change: Security design decisions and their rationale must be documented for transparency and auditability, and third-party components and external integrations are explicitly within the scope of architectural review.
        v5.0: V15 Secure Coding and Architecture (security documentation, architecture and dependencies).

    Authentication
        v4.0.3: Focused on passwords and MFA; federation and passwordless authentication only lightly covered.
        Change: Requirements for passwordless and cryptographic authenticators, and a dedicated chapter for OAuth 2.0 and OpenID Connect roles.
        v5.0: V6 Authentication; V10 OAuth and OIDC.

    Session management and tokens
        v4.0.3: Token handling limited mostly to creation and expiration.
        Change: Full token lifecycle, including revocation and prevention of reuse of stolen tokens, plus a separate chapter for self-contained (JWT-style) tokens covering signature validation, claims and expiry.
        v5.0: V7 Session Management; V9 Self-contained Tokens.

    Access control
        v4.0.3: Largely static role checks with no requirement to re-evaluate during a session.
        Change: Authorization must be enforced on each request against current data rather than decided once at login, so that permission changes take effect promptly.
        v5.0: V8 Authorization.

    Cryptography
        v4.0.3: Key management and approved algorithms.
        Change: A maintained cryptographic inventory and post-quantum migration planning (11.1.4 at L3).
        v5.0: V11 Cryptography.

    Logging and error handling
        v4.0.3: Generic logging requirements.
        Change: Security-relevant events logged in a consistent form suitable for aggregation, monitoring and incident response, with protection of the log data itself.
        v5.0: V16 Security Logging and Error Handling.

    Data protection
        v4.0.3: Data classification lived in the architecture chapter; no explicit link to privacy obligations.
        Change: Sensitive data must be identified and classified into protection levels so that regulatory privacy obligations (for example GDPR or CCPA) can be mapped to concrete controls.
        v5.0: V14 Data Protection.

    Third-party components and supply chain
        v4.0.3: The Malicious Code chapter covered unsafe execution and injection.
        Change: Third-party components must be inventoried and kept within documented update and remediation time frames; an SBOM is one way to maintain that inventory.
        v5.0: V15 Secure Coding and Architecture.

    API and web services
        v4.0.3: Anti-automation requirements existed, but REST and GraphQL guidance was thin and WebSockets were not covered.
        Change: Positive (schema-style) validation of API inputs, explicit anti-automation and rate-limiting expectations for endpoints, and new WebSocket requirements.
        v5.0: V4 API and Web Service (WebSockets in section 4.4); V2 Validation and Business Logic.

    Configuration
        v4.0.3: Runtime and environment configuration, plus build and deploy pipeline requirements.
        Change: Configuration hardening extended to backend communication configuration, secret management and unintended information leakage.
        v5.0: V13 Configuration.

    Browser and real-time communication
        v4.0.3: Browser-side controls spread across several chapters; WebRTC not covered.
        Change: Browser-facing controls (cookies, headers, CSRF) gathered in one chapter, and an entirely new chapter for WebRTC media and signaling infrastructure.
        v5.0: V3 Web Frontend Security; V17 WebRTC.

    Mobile
        v4.0.3: Out of scope since v4.0; covered by the OWASP Mobile Application Security Verification Standard (MASVS).
        Change: Unchanged; mobile applications remain the domain of MASVS, and ASVS v5 has no mobile chapter.
        v5.0: Not an ASVS chapter.

    Business logic and business objects
        v4.0.3: Separate Business Logic chapter.
        Change: Business logic requirements merged with input validation, so that workflow enforcement, transaction integrity and validation of business objects are treated together, with object-level authorization handled in the authorization chapter.
        v5.0: V2 Validation and Business Logic; V8 Authorization.
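    The API, access control and business logic entries above (positive schema validation, rate limiting, per-request object-level authorization, and a business rule) can be shown in one request handler. This is an added Python example, not code from this page or from OWASP; the account table, the transfer schema and the token-bucket parameters are constructed for the demonstration, and the caller is assumed to look up one bucket per authenticated client.

```python
from typing import Callable

# Constructed account data; a real application would read current ownership
# from its database on every request.
ACCOUNTS = {
    "acct-1": {"owner": "alice", "balance": 120},
    "acct-2": {"owner": "bob", "balance": 40},
}

# Allow-list schema for the transfer endpoint: field -> (exact type, value check).
# Unknown fields are rejected rather than silently ignored.
TRANSFER_SCHEMA: dict[str, tuple[type, Callable[[object], bool]]] = {
    "from_account": (str, lambda v: v in ACCOUNTS),
    "to_account": (str, lambda v: v in ACCOUNTS),
    "amount": (int, lambda v: 0 < v <= 10_000),
}


def validate(payload: dict, schema: dict) -> list[str]:
    """Positive validation: every field present, exact type, value in range, nothing extra."""
    errors = [f"unexpected field: {name}" for name in sorted(set(payload) - set(schema))]
    for name, (expected_type, check) in schema.items():
        if name not in payload:
            errors.append(f"missing field: {name}")
        # type(...) rather than isinstance so that bool is not accepted as int.
        elif type(payload[name]) is not expected_type or not check(payload[name]):
            errors.append(f"invalid value for {name}")
    return errors


class TokenBucket:
    """Per-client rate limiter; the caller passes a monotonic timestamp in seconds."""

    def __init__(self, capacity: int, refill_per_sec: float, now: float = 0.0):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.last = now

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def owns_account(user: str, account_id: str) -> bool:
    """Object-level authorization evaluated against current data on every call."""
    return ACCOUNTS.get(account_id, {}).get("owner") == user


def handle_transfer(user: str, payload: dict, bucket: TokenBucket, now: float) -> tuple[int, dict]:
    """Order: rate limit (cheapest) -> schema -> authorization -> business rule -> effect."""
    if not bucket.allow(now):
        return 429, {"error": "rate limited"}
    errors = validate(payload, TRANSFER_SCHEMA)
    if errors:
        return 400, {"errors": errors}
    if not owns_account(user, payload["from_account"]):
        # A non-owner gets the same answer regardless of the target account's state.
        return 403, {"error": "forbidden"}
    src, dst, amount = payload["from_account"], payload["to_account"], payload["amount"]
    if ACCOUNTS[src]["balance"] < amount:
        return 409, {"error": "insufficient funds"}
    ACCOUNTS[src]["balance"] -= amount
    ACCOUNTS[dst]["balance"] += amount
    return 200, {"ok": True, "balance": ACCOUNTS[src]["balance"]}


if __name__ == "__main__":
    bucket = TokenBucket(capacity=3, refill_per_sec=1.0)
    good = {"from_account": "acct-1", "to_account": "acct-2", "amount": 10}
    print(handle_transfer("bob", good, bucket, now=0.0))                      # 403
    print(handle_transfer("alice", {**good, "amount": "10"}, bucket, now=0.0))  # 400
    print(handle_transfer("alice", good, bucket, now=0.0))                    # 200
    print(handle_transfer("alice", good, bucket, now=0.0))                    # 429
    print(handle_transfer("alice", good, bucket, now=1.0))                    # 200 after refill
```

    Two design choices matter here. The ownership check reads the account record each time instead of trusting a role or owner list captured at login, so a transfer of ownership is honoured on the very next request. The rate limiter runs before validation so that a client hammering the endpoint is turned away at the cheapest point, and its timestamp is supplied by the caller, which keeps the limiter deterministic for tests.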

    Conclusion

    OWASP ASVS v5 is a major release that addresses the adoption problems of v4 without giving up coverage. The lighter Level 1 gives organizations of all sizes a realistic starting point.

    This version brings the requirements in line with current practice for cloud-native, API-first applications and OAuth/OIDC-based identity, with clearer control wording and stronger alignment with industry frameworks such as NIST and ISO. By refining its structure and expanding control coverage, ASVS v5 helps teams integrate security earlier in the development lifecycle and verify it consistently across projects and audits.

    How? Cyber Chief helps you map your applications to ASVS v5, identify vulnerabilities, and implement best-practice controls in minutes, not days.

    Watch the Cyber Chief on-demand demo to see how.

    Cyber Chief is built to integrate seamlessly into development workflows and offers:

    • Automated ASVS v5 coverage scans your applications for vulnerabilities across authentication, access control, session management, cryptography, and more, including alignment with OWASP Top 10 risks.

    • Detailed control analysis highlights areas where security policies or configurations are weak, overly permissive, or non-compliant.

    • Risk-based prioritization helps you understand which security gaps pose the greatest threat to your users and data.

    • Actionable remediation guidance provides step-by-step recommendations, including code examples, for implementing ASVS v5 controls.

    • Expert support on demand gives you access to security coaching to implement robust security controls efficiently, reducing risk across your application stack.
