OWASP Application Security Verification Standard (ASVS)
A globally recognised framework for defining and verifying secure application requirements — covering 14 security chapters across 3 verification levels. Embed security into your SDLC and DevSecOps pipeline. Available on the Premium plan.
The standard for application security verification
The OWASP Application Security Verification Standard (ASVS) provides a basis for testing web application technical security controls. It defines three levels of verification — from basic (L1) to advanced (L3) — with hundreds of specific, testable security requirements across 14 chapters.
Unlike OWASP Top 10, which lists common vulnerabilities, ASVS defines what a secure application must do — making it suitable for security requirements in procurement contracts, penetration testing scopes, and SDLC security gates.
ASVS is widely used in DevSecOps pipelines, penetration testing engagements, and vendor security assessments. It maps closely to PCI DSS Requirement 6, ISO 27001 Clause A.14, and NIST SP 800-53 SA controls.
Choose the verification depth that matches your application risk
Start at L1 for all applications. Move to L2 for anything handling sensitive data. Reserve L3 for critical systems where a breach would have severe consequences.
Level 1: Opportunistic
~100 requirements. Basic security for all web applications. Verified through black-box testing (no source code access). Covers the most critical vulnerabilities, including the OWASP Top 10. Minimum acceptable baseline.
Level 2: Standard
~200 requirements. Standard verification for applications that handle sensitive business data. Requires source code access and deeper security testing. Appropriate for most enterprise applications handling personal data.
Level 3: Advanced
~300 requirements. Maximum verification for critical applications — military, healthcare, finance, critical infrastructure. Requires architecture review, threat modelling, and code analysis in addition to penetration testing.
14 chapters covering the full application security surface
From authentication and access control to cryptography, APIs, and configuration — ASVS covers every layer of a modern web application or API.
Architecture, Design and Threat Modelling
Security architecture requirements, documentation, threat modelling, and secure design principles across the SDLC.
Authentication
Authentication strength, credential management, multi-factor authentication, and session lifecycle requirements.
Session Management
Secure session token generation, binding, expiry, logout, and anti-CSRF protection for web and API sessions.
Access Control
Enforce least privilege, deny-by-default, and separation of privilege across all application functionality and data access.
Validation, Sanitisation and Encoding
Input validation, output encoding, and protection against injection attacks — SQL, LDAP, OS command, SSRF, and more.
Stored Cryptography
Strong, approved cryptographic algorithms for data at rest, key management, password hashing, and random number generation.
Error Handling and Logging
Security event logging, audit trail requirements, error handling that avoids information leakage, and log protection.
Data Protection
Client-side data protection, server-side data classification, sensitive data exposure prevention, and PII handling.
Communication
TLS configuration, certificate validation, secure connection requirements for all data in transit between components.
Malicious Code
Protection against malicious code introduction — anti-virus controls, integrity verification, and software composition analysis.
Business Logic
Business logic security requirements — anti-automation, workflow integrity, and protection against business logic bypass.
Files and Resources
Secure file upload handling, file type validation, path traversal prevention, and resource management.
API and Web Service
REST and SOAP API security, GraphQL, JSON/XML parsing safety, authentication, and rate limiting requirements.
Configuration
Secure build and deployment configuration, dependency management, HTTP security headers, and infrastructure hardening.
ASVS coverage across other standards
Implementing OWASP ASVS earns partial credit across multiple compliance frameworks. Unicis maps ASVS requirements to ISO 27001, PCI DSS, NIS2, and SOC 2 automatically.
| Standard | ASVS Coverage | Note |
|---|---|---|
| OWASP Top 10 | Full coverage | ASVS was designed to go beyond Top 10 |
| ISO 27001 | Partial — A.14 (Secure Dev) | Complements ISO 27001 application security clause |
| NIST SP 800-53 | Moderate overlap | Maps to SA (System Acquisition) controls |
| PCI DSS | Strong — Req 6 (Secure Software) | ASVS L2 exceeds PCI DSS Req 6 requirements |
| NIS2 Art. 21 | Partial | Contributes to secure software supply chain requirement |
| SOC 2 CC6 | Partial | Supports Logical Access Controls criterion |
Shift ASVS left into your CI/CD pipeline
ASVS requirements can be mapped directly to automated security tests, SAST/DAST tools, and security acceptance criteria in Jira tickets. Unicis integrates with your existing Atlassian tooling to track ASVS control status per sprint, release, or service.
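One way to make the mapping from ASVS requirements to automated tests concrete, as an added example rather than Unicis or OWASP code: pair each requirement with a predicate over an HTTP response's headers, so a CI job can fail the build with a per-requirement verdict and the ticket that owns it. The requirement labels (CFG-HDR-01 and so on), ticket keys and sample responses are constructed placeholders for illustration, not official ASVS requirement IDs; the chapter names come from the list above.

```python
"""Map ASVS-style header requirements to an automated CI check.

Added example, not Unicis or OWASP code. The requirement labels below are
constructed placeholders, not official ASVS requirement IDs. Each entry pairs
a requirement with a predicate over the HTTP response headers, so a pipeline
gate can report a per-requirement verdict that maps back to a ticket.
"""
from typing import Callable, Dict, List, Tuple


def _normalise(headers: Dict[str, str]) -> Dict[str, str]:
    # Header names are case-insensitive in HTTP, so normalise before lookup.
    return {k.lower(): v for k, v in headers.items()}


def _hsts_ok(value: str) -> bool:
    # Require max-age of at least one year; other directives may sit alongside it.
    directives = {d.strip().split("=")[0].lower(): d.strip()
                  for d in value.split(";") if d.strip()}
    max_age = directives.get("max-age")
    if max_age is None:
        return False
    try:
        return int(max_age.split("=", 1)[1]) >= 31536000
    except (IndexError, ValueError):
        return False


def _csp_ok(value: str) -> bool:
    # Minimal check: a CSP must exist and its default-src must not be the wildcard.
    for policy in (p.strip().lower() for p in value.split(";")):
        if policy.startswith("default-src"):
            return "*" not in policy.split()[1:]
    return False


# Constructed mapping: (placeholder label, ASVS chapter, header, predicate, ticket)
REQUIREMENTS: List[Tuple[str, str, str, Callable[[str], bool], str]] = [
    ("CFG-HDR-01", "Configuration", "content-security-policy", _csp_ok, "APPSEC-101"),
    ("CFG-HDR-02", "Configuration", "x-content-type-options",
     lambda v: v.strip().lower() == "nosniff", "APPSEC-102"),
    ("CFG-HDR-03", "Configuration", "content-type",
     lambda v: "charset=" in v.lower(), "APPSEC-103"),
    ("COMM-HSTS-01", "Communication", "strict-transport-security", _hsts_ok, "APPSEC-104"),
]


def evaluate(headers: Dict[str, str]) -> Dict[str, bool]:
    """Return {requirement label: passed} for one HTTP response's headers."""
    normalised = _normalise(headers)
    results: Dict[str, bool] = {}
    for label, _chapter, header, predicate, _ticket in REQUIREMENTS:
        value = normalised.get(header)
        results[label] = value is not None and predicate(value)
    return results


def failing_tickets(headers: Dict[str, str]) -> List[str]:
    """Tickets whose acceptance criteria are unmet; a non-empty list fails the gate."""
    verdicts = evaluate(headers)
    return [ticket for label, _c, _h, _p, ticket in REQUIREMENTS if not verdicts[label]]


# Constructed sample responses: one weak, one hardened.
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=3600",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
}

if __name__ == "__main__":
    for name, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, evaluate(response), "open tickets:", failing_tickets(response))
```

In a real pipeline the sample dictionaries would be replaced by the headers of a DAST or smoke-test response against the deployed service, and the ticket keys would come from the team's own tracker; the structure (requirement, chapter, predicate, ticket) is what lets control status be reported per sprint or release.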
How Unicis supports OWASP ASVS
Who should implement OWASP ASVS?
OWASP ASVS is essential for any organisation building or procuring web applications — from early-stage startups to enterprises. It is especially relevant for development teams, application security engineers, and organisations seeking to demonstrate secure-by-design software to customers and auditors.
Multi-Framework Support
11 Compliance Frameworks Supported
From the minimum viable security baseline to enterprise-grade standards — coverage for every compliance requirement.
Start implementing OWASP ASVS with Unicis
Track all ASVS requirements across L1/L2/L3 with DevSecOps integration, automated gap analysis, and cross-framework mapping to ISO 27001, PCI DSS, and NIS2. Available on the Premium plan.