Skip to main content

OWASP ASVS

Coming soon — Preview

The OWASP ASVS policy is in Preview and not yet generally available in azuma nori. It is not currently selectable when creating a project. The page below describes the intended analysis scope; it will move into the active policy set once the framework ships. See Policy Stability.

The OWASP Application Security Verification Standard (ASVS) is an open, community-driven standard that defines a comprehensive catalogue of application-security requirements. It is organized into three verification levels of increasing rigor and spans 14 chapters covering, among others: architecture, authentication, session management, access control, input validation, cryptography, error handling and logging, data protection, communications, malicious-code defenses, business logic, files and resources, API and web service security, and configuration.

Focus Areas for Nori Analysis

When azuma nori evaluates a codebase against ASVS, the sub-agents concentrate on the code-visible verification requirements, for example:

  1. Authentication & Session Management: sound credential handling, session lifecycle, and protection against common authentication weaknesses.
  2. Access Control: enforcement of authorization checks and least-privilege defaults.
  3. Input Validation & Output Encoding: defenses against injection and unsafe deserialization.
  4. Cryptography: use of approved algorithms and correct handling of keys and secrets (complementing the BSI TR-02102 guidelines).
  5. Communications & Configuration: secure transport and safe default configuration.

Providing Manual Evidence

Some ASVS requirements — architecture reviews, threat models, or operational controls — are not fully visible in source code. For these, attach the relevant documentation via the Evidence tab in the Standalone Client so the evaluating sub-agents can consider it alongside your code.