OWASP ASVS
The OWASP ASVS policy is in Preview and not yet generally available in azuma nori. It is not currently selectable when creating a project. The page below describes the intended analysis scope; it will move into the active policy set once the framework ships. See Policy Stability.
The OWASP Application Security Verification Standard (ASVS) is an open, community-driven standard that defines a comprehensive catalogue of application-security requirements. It is organized into three verification levels of increasing rigor and spans 14 chapters covering, among others: architecture, authentication, session management, access control, input validation, cryptography, error handling and logging, data protection, communications, malicious-code defenses, business logic, files and resources, API and web service security, and configuration.
Focus Areas for Nori Analysis
When azuma nori evaluates a codebase against ASVS, the sub-agents concentrate on the code-visible verification requirements, for example:
- Authentication & Session Management: sound credential handling, session lifecycle, and protection against common authentication weaknesses.
- Access Control: enforcement of authorization checks and least-privilege defaults.
- Input Validation & Output Encoding: defenses against injection and unsafe deserialization.
- Cryptography: use of approved algorithms and correct handling of keys and secrets (complementing the BSI TR-02102 guidelines).
- Communications & Configuration: secure transport and safe default configuration.
Providing Manual Evidence
Some ASVS requirements — architecture reviews, threat models, or operational controls — are not fully visible in source code. For these, attach the relevant documentation via the Evidence tab in the Standalone Client so the evaluating sub-agents can consider it alongside your code.