OWASP ASVS
What it is — The OWASP Application Security Verification Standard (ASVS) is a framework of security requirements and tests for designing, developing, and testing web applications. Published by OWASP, it defines three verification levels (L1, L2, L3) with increasingly rigorous requirements. ASVS is often used as the basis for application security testing programs and for procurement requirements.
Appsec relevance — ASVS is entirely focused on application security. It provides specific, testable requirements organized into 14 chapters covering authentication, session management, access control, input validation, cryptography, error handling, and more.
How Detectify Supports OWASP ASVS
Detectify’s DAST capabilities map to ASVS requirements that can be verified through external testing. Requirements that need source code review, architecture analysis, or process verification are outside DAST scope.
| ASVS Chapter | What it requires | Detectify Coverage | Coverage level |
|---|---|---|---|
| V2: Authentication | Verify that authentication mechanisms resist credential stuffing, brute force, and bypass attacks | Login mechanism testing, credential validation, authentication bypass detection (CWE-287, CWE-306, CWE-288) | Partial |
| V3: Session Management | Verify that sessions are unique, invalidated on logout, and resistant to fixation and hijacking | Session fixation, cookie security attributes, session timeout testing (CWE-613) | Partial |
| V4: Access Control | Verify that users can only access functions and data they are authorized for | Path traversal (CWE-22, CWE-23), privilege escalation, IDOR detection (CWE-284, CWE-285, CWE-639) | Full |
| V5: Validation, Sanitization and Encoding | Verify that all input is validated, output is encoded, and parameterized queries are used | Injection testing across all categories: SQL injection (CWE-89), XSS (CWE-79), command injection (CWE-78), template injection (CWE-1336), SSRF (CWE-918) | Full |
| V6: Cryptography | Verify that cryptographic modules use approved algorithms and that keys are managed securely | Detects weak cryptographic indicators but cannot verify implementation details | Limited |
| V7: Error Handling and Logging | Verify that error messages do not leak sensitive information and that security events are logged | Error message disclosure detection (CWE-209, CWE-200) | Partial |
| V8: Data Protection | Verify that sensitive data is protected in transit and at rest with appropriate controls | Cleartext storage and transmission detection (CWE-312, CWE-319), information exposure testing | Partial |
| V9: Communication | Verify that TLS is used for all connections and that certificate validation is enforced | TLS/SSL configuration testing, certificate validation (CWE-326, CWE-295) | Partial |
| V11: Business Logic | Verify that business logic flows are sequential, processed in realistic time, and have abuse detection | Limited detection of business logic flaws through fuzzing and behavioral testing | Limited |
| V12: Files and Resources | Verify that user-uploaded files are validated and stored securely | File upload testing, path traversal, unrestricted file types (CWE-434) | Full |
| V13: API and Web Service | Verify that APIs validate input, enforce authentication, and are protected against injection | API scanning with OpenAPI specs, authentication testing, injection testing for API endpoints | Full |
| V14: Configuration | Verify that application components are securely configured, hardened, and kept up to date | Security misconfiguration (CWE-16), default credentials, HTTP security headers, directory listings | Full |
What Detectify Covers
Detectify provides full coverage for ASVS chapters focused on input validation (V5), access control (V4), file handling (V12), API security (V13), and configuration (V14) — areas where DAST excels. Partial coverage exists for authentication (V2), session management (V3), data protection (V8), and communications (V9), where Detectify tests externally observable behaviors but cannot verify all implementation-level requirements.
Chapters requiring source code review (V1, V6, V10) or business logic analysis (V11) are outside DAST scope.
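As an added illustration of what "externally observable" verification means for the V3 (cookie security attributes) and V14 (HTTP security headers) rows above, the following Python checks a constructed HTTP response for the attributes a black-box scanner can see. This is example code, not Detectify's scanner; the sample headers, the required-header list and the check names are assumptions chosen for the demonstration.

```python
"""Check externally observable ASVS V3/V14 controls on an HTTP response.

Added illustration, not Detectify's scanner code: the checks and the
sample response below are constructed assumptions for demonstration.
"""
from typing import Dict, List, Tuple

# Response headers a DAST scanner can observe; a constructed sample, not a real host.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),          # missing Secure, SameSite
    ("Set-Cookie", "csrf=xyz; Path=/; Secure; SameSite=Strict"),  # missing HttpOnly
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Content-Type", "text/html"),
]

# Assumed minimum set of V14-style hardening headers to expect on every response.
REQUIRED_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy", "X-Content-Type-Options")


def parse_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into (cookie name, {attribute_lower: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")   # flag attributes (Secure) have an empty value
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def check_response(headers: List[Tuple[str, str]]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    present = {k.lower() for k, _ in headers}
    for h, v in headers:
        if h.lower() != "set-cookie":
            continue
        name, attrs = parse_cookie(v)
        # V3-style session cookie attribute checks (observable from the response alone)
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: missing HttpOnly")
        if attrs.get("samesite", "").lower() not in ("strict", "lax"):
            findings.append(f"cookie {name}: SameSite not Strict/Lax")
    # V14-style security header presence checks
    for required in REQUIRED_HEADERS:
        if required.lower() not in present:
            findings.append(f"missing header {required}")
    return findings
```

Whether the session identifier is actually invalidated server-side on logout, or generated with enough entropy, is not visible in these headers, which is the implementation-level gap the table marks as Partial.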
Complementary Tools You May Need
- SAST — For V1 (architecture), V6 (cryptography implementation), V10 (malicious code)
- Manual penetration testing — For V11 (business logic) and deep V2/V3 testing
- Code review — For verifying implementation-level requirements across all chapters
- Configuration management — For V14 requirements beyond runtime detection