In depth
ASVS organises its controls into three verification levels. Level 1 is the entry tier, intended as a baseline for low-assurance applications, and the only level fully verifiable through automated scanning. Level 2 is the recommended bar for most applications that handle business-to-business data, personally identifiable information, or anything that needs to survive a real penetration test. Level 3 is reserved for the highest-value targets — payment processing, healthcare records, military systems — and requires controls that go well beyond what a typical SaaS team needs.
The standard is engineered to be machine-readable. Each control has a stable identifier (e.g. V2.1.1 for "Verify that user-set passwords are at least 12 characters") and maps to a CWE entry for taxonomy and to a NIST SP 800-63 control for federal applicability. Mature programmes ingest the ASVS JSON, generate per-control evidence pages in the security wiki, and link each control to its test, its threat model section, and the responsible team. AxVeil VAPT reports every finding against the ASVS control it violates, so the engineering team can close the underlying gap rather than just the specific bug.
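The ingestion workflow described above, as an added example (not code from this page, from OWASP, or from AxVeil): load an ASVS-style JSON export, flatten it into a lookup keyed by control identifier, select the controls required at a target level, render a per-control evidence stub carrying the CWE and NIST mappings, and attach a VAPT finding to the control it violates. The JSON shape is an assumption modelled on the nested Requirements/Items/Items layout of the published ASVS 4.0.x export; the embedded fragment is a constructed sample, and the test, threat-model and owner references are placeholders supplied by the caller rather than anything a real programme would hard-code.

```python
"""Ingest an ASVS-style JSON export and produce per-control evidence records."""
import json
from dataclasses import dataclass

# Constructed sample, assumed to follow the layout of the ASVS 4.0.x JSON export
# (chapters -> sections -> controls). It covers only a handful of controls; the
# real export has fourteen chapters and should be the source of truth for mappings.
SAMPLE_ASVS_JSON = json.dumps({
    "ShortName": "ASVS", "Version": "4.0.3",
    "Requirements": [
        {"Shortcode": "V2", "Name": "Authentication", "Items": [
            {"Shortcode": "V2.1", "Name": "Password Security", "Items": [
                {"Shortcode": "V2.1.1",
                 "Description": "Verify that user set passwords are at least 12 characters in length.",
                 "L1": {"Required": True}, "L2": {"Required": True}, "L3": {"Required": True},
                 "CWE": [521], "NIST": ["5.1.1.2"]},
                {"Shortcode": "V2.1.7",
                 "Description": "Verify that submitted passwords are checked against a set of breached passwords.",
                 "L1": {"Required": True}, "L2": {"Required": True}, "L3": {"Required": True},
                 "CWE": [521], "NIST": ["5.1.1.2"]},
            ]},
        ]},
        {"Shortcode": "V1", "Name": "Architecture", "Items": [
            {"Shortcode": "V1.1", "Name": "Secure Software Development Lifecycle", "Items": [
                {"Shortcode": "V1.1.2",
                 "Description": "Verify the use of threat modeling for every design change.",
                 "L1": {"Required": False}, "L2": {"Required": True}, "L3": {"Required": True},
                 "CWE": [1053], "NIST": []},
            ]},
        ]},
    ],
})


@dataclass
class Control:
    shortcode: str
    chapter: str
    section: str
    description: str
    levels: tuple   # levels at which the control is required, e.g. (2, 3)
    cwe: list
    nist: list


def shortcode_key(code: str) -> tuple:
    """Sort 'V2.1.1' numerically as (2, 1, 1) so V10 does not sort before V2."""
    return tuple(int(part) for part in code.lstrip("V").split("."))


def load_controls(asvs_json: str) -> dict:
    """Flatten the chapter/section/control tree into {shortcode: Control}."""
    data = json.loads(asvs_json)
    controls = {}
    for chapter in data["Requirements"]:
        for section in chapter["Items"]:
            for item in section["Items"]:
                levels = tuple(n for n in (1, 2, 3) if item[f"L{n}"]["Required"])
                controls[item["Shortcode"]] = Control(
                    shortcode=item["Shortcode"], chapter=chapter["Name"],
                    section=section["Name"], description=item["Description"],
                    levels=levels, cwe=list(item.get("CWE", [])),
                    nist=list(item.get("NIST", [])))
    return controls


def controls_for_level(controls: dict, level: int) -> list:
    """Controls required at `level`, in identifier order (levels are cumulative)."""
    return sorted((c for c in controls.values() if level in c.levels),
                  key=lambda c: shortcode_key(c.shortcode))


def coverage_gaps(controls: dict, level: int, evidence: dict) -> list:
    """Required controls at `level` with no linked test in `evidence` ({shortcode: test ref})."""
    return [c.shortcode for c in controls_for_level(controls, level)
            if c.shortcode not in evidence]


def evidence_page(control: Control, test_ref: str, threat_model_ref: str, owner: str) -> str:
    """Render a markdown evidence stub; the three link fields are caller-supplied placeholders."""
    return "\n".join([
        f"# {control.shortcode} ({control.chapter} / {control.section})", "",
        control.description, "",
        f"- Required at: {', '.join(f'L{n}' for n in control.levels)}",
        f"- CWE: {', '.join(f'CWE-{n}' for n in control.cwe) or 'none'}",
        f"- NIST SP 800-63: {', '.join(control.nist) or 'none'}",
        f"- Test: {test_ref}", f"- Threat model: {threat_model_ref}", f"- Owner: {owner}",
    ])


def map_finding(controls: dict, finding: dict) -> dict:
    """Attach chapter, CWE and level data to a finding; reject identifiers absent from the
    ingested standard so a report cannot cite a control that does not exist in this version."""
    control = controls.get(finding["control"])
    if control is None:
        raise KeyError(f"unknown ASVS control {finding['control']!r}")
    return {**finding, "chapter": control.chapter, "cwe": control.cwe, "levels": control.levels}


if __name__ == "__main__":
    ctrls = load_controls(SAMPLE_ASVS_JSON)
    print(evidence_page(ctrls["V2.1.1"], "tests/test_password_policy.py (placeholder)",
                        "threat-model.md#credentials (placeholder)", "identity-team (placeholder)"))
    print("L2 gaps:", coverage_gaps(ctrls, 2, {"V2.1.1": "tests/test_password_policy.py"}))
```

Because the export nests chapters, sections and controls, flattening once into a dictionary keyed by shortcode is what makes every later step (level selection, gap reporting, finding lookup) a constant-time operation, and rejecting unknown identifiers in `map_finding` keeps report references honest when the ingested ASVS version changes.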
ASVS is the right reference when the question is "what does secure look like for this application?" See the OWASP Top 10 2026 checklist for the awareness-layer companion and the related entry on VAPT services for downstream verification.