# Application Security Verification Standard (ASVS)

What ASVS is and how it applies to Psono.

# What is ASVS in general?

The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.

The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind:

  • Use as a metric - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications,
  • Use as guidance - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and
  • Use during procurement - Provide a basis for specifying application security verification requirements in contracts.

# How is it applicable to Psono?

Psono, as a password manager, has to live up to the highest standards of internet security. We want to provide a self-audit here of Psono (the application), our free hosted community edition (psono.pw) and Psono SaaS.

Our goals are:

  • to improve the general security awareness of contributors and developers
  • to create a brief overview / base for auditors to evaluate security measures
  • to demonstrate to interested parties how Psono is designed

All questions were answered on March 6th, 2018. The version of ASVS used for this self-audit is ASVS 3.0.1.

# ASVS License (applicable to the whole ASVS section)

Copyright © 2008 – 2016 The OWASP Foundation.

This document is released under the Creative Commons Attribution ShareAlike 3.0 license. For any reuse or distribution, you must make clear to others the license terms of this work.

# Authors of ASVS

# Version 3.0, 2015

| Project Leads | Lead Authors | Contributors and Reviewers |
| --- | --- | --- |
| Andrew van der Stock, Daniel Cuthbert | Jim Manico | Abhinav Sejpal, Ari Kesäniemi, Boy Baukema, Colin Watson, Cristinel Dumitru, David Ryan, François-Eric Guyomarc’h, Gary Robinson, Glenn Ten Cate, James Holland, Martin Knobloch, Raoul Endres, Ravishankar S, Riccardo Ten Cate, Roberto Martelloni, Ryan Dewhurst, Stephen de Vries, Steven van der Baan |

# Version 2.0, 2014

| Project Leads | Lead Authors | Contributors and Reviewers |
| --- | --- | --- |
| Daniel Cuthbert, Sahba Kazerooni | Andrew van der Stock, Krishna Raja | Antonio Fontes, Archangel Cuison, Ari Kesäniemi, Boy Baukema, Colin Watson, Dr Emin Tatli, Etienne Stalmans, Evan Gaustad, Jeff Sergeant, Jerome Athias, Jim Manico, Mait Peekma, Pekka Sillanpää, Safuat Hamdy, Scott Luc, Sebastien Deleersnyder |

# Version 1.0, 2009

| Project Leads | Lead Authors | Contributors and Reviewers |
| --- | --- | --- |
| Mike Boberski, Jeff Williams, Dave Wichers | Jim Manico | Andrew van der Stock, Barry Boyd, Bedirhan Urgun, Colin Watson, Dan Cornell, Dave Hausladen, Dave van Stein, Dr. Sarbari Gupta, Dr. Thomas Braun, Eoin Keary, Gaurang Shah, George Lawless, Jeff LoSapio, Jeremiah Grossman, John Martin, John Steven, Ken Huang, Ketan Dilipkumar Vyas, Liz Fong, Shouvik Bardhan, Mandeep Khera, Matt Presson, Nam Nguyen, Paul Douthit, Pierre Parrend, Richard Campbell, Scott Matsumoto, Stan Wisseman, Stephen de Vries, Steve Coyle, Terrie Diaz, Theodore Winograd |

# Source

  • https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
  • https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf