GUARDIAN SECUREAPP™ · STANDARDS REFERENCE
OWASP ASVS Explained — The Application Security Verification Standard
The OWASP Application Security Verification Standard is the international open standard that catalogues the security controls a web application must demonstrate to be considered trustworthy. ASVS organises requirements across 14 control families and 3 verification levels, and is maintained as a public good by the OWASP Foundation. Guardian SecureApp™ Modules A and B are anchored in ASVS — this page explains what it is, how it works, and how Guardian uses it in ISO/IEC 17065-accredited certification.
OWASP ASVS
A Catalogue of Application Security Controls
The OWASP Application Security Verification Standard (ASVS) is an open, internationally maintained catalogue of the security controls a web application must demonstrate to be considered trustworthy. It is published by the OWASP Foundation — a non-profit organisation that produces and maintains a wide range of application security resources as a public good — and is freely available for any developer, engineering organisation, auditor, or certification body to use.
ASVS is structured as a list of testable verification requirements, organised into 14 control families and three verification levels. Each requirement is written in a way that allows it to be verified through inspection, testing, or documentation review — meaning ASVS is not just a set of recommendations to read, but a working framework to evaluate against. A typical ASVS requirement looks something like ‘Verify that the application uses a single vetted authentication mechanism that is known to be secure’, or ‘Verify that all authentication decisions can be logged, without storing sensitive session tokens or passwords’ — testable, verifiable statements rather than aspirational guidance.
Within Guardian SecureApp™, ASVS is the technical backbone of Modules A (Web Application Security) and B (SaaS / Multi-Tenant Platforms). When Guardian evaluates a product under those modules, the evaluation is structured around the ASVS requirements applicable at the chosen verification level. The certificate that results — issued under ISO/IEC 17065 by Guardian Assessment Pvt. Ltd. (UAF accreditation 52605385601) — is anchored in this internationally recognised standard, which any technically informed reader can independently look up and verify Guardian’s evaluation against.
Maintained by OWASP
A Public Good Maintained by the Community
ASVS is maintained by the OWASP Foundation through an open, community-driven process. Contributors include application security practitioners, engineers from large technology organisations, independent security researchers, certification bodies and academic researchers — all working in public, with all material changes reviewed by the OWASP community before publication. The standard’s content is licensed for free use under a Creative Commons licence, the source is hosted in a public repository, and previous versions remain archived and accessible.
This open, community-maintained character is structurally important to the certification value of ASVS. A standard owned by a single vendor — even a well-regarded one — is subject to that vendor’s commercial interests, evolution priorities, and risk of discontinuation. A standard owned by a single regulator is subject to that regulator’s geographic scope and regulatory agenda. A standard maintained as a public good by an international community is subject to neither: it evolves through technical merit and community consensus, has no commercial interest in pricing access to its content, and cannot be unilaterally discontinued by any single party.
For a certification body, this matters because the credibility of the certificate depends on the credibility of the underlying standard. When Guardian issues a certificate referencing OWASP ASVS, the standard’s open availability means any reader of the certificate — your customer, your regulator, your auditor — can independently look up what was evaluated, what the requirements meant at the time of evaluation, and whether Guardian’s interpretation of the requirements is consistent with how the wider community interprets them. There is no proprietary translation layer between the standard and the certificate.
Where to find the canonical standard: The authoritative version of OWASP ASVS, including the current published version, change history, and source repository, is maintained by the OWASP Foundation at owasp.org/asvs. This page summarises and contextualises ASVS for use within Guardian SecureApp™ — but the canonical reference is OWASP’s own publication.
Verification Levels
ASVS Level 1, Level 2, and Level 3
ASVS organises its requirements into three verification levels, each more rigorous than the last, with the higher levels including the requirements of the lower levels. The level a product is evaluated at determines which subset of the full ASVS requirement set must be satisfied. The three levels — and how Guardian SecureApp™ maps to them — are summarised below.
| ASVS Level | What ASVS Defines | Guardian SecureApp™ Mapping |
|---|---|---|
ASVS Level 1 | Baseline level. Catalogues the controls every application should demonstrate as a minimum bar. ASVS L1 is intended for applications where the breach consequences are low and the threat profile is largely automated / untargeted. | Level 1 (Basic). Suitable for internal tools, low-risk public sites and content portals. Indicative starting fee USD 2,000 onwards. |
ASVS Level 2 | Advanced level. Adds requirements appropriate for applications handling sensitive data, transactions or business logic. ASVS L2 is the level at which most production B2B and B2C applications are expected to demonstrate compliance. | Level 2 (Advanced). The modal default for customer-facing products handling PII, transactions or sensitive workflows. Indicative starting fee USD 4,000 onwards. |
ASVS Level 3 | High-assurance level. Adds requirements appropriate for applications in regulated, financially-systemic, or critical-infrastructure contexts where comprehensive defence-in-depth is required. ASVS L3 is the deepest verification level. | Level 3 (High-Risk / Critical). Suitable for net-banking, payment platforms, EHR systems, identity providers and critical infrastructure. Indicative starting fee USD 7,000 onwards. |
Crucially, the three levels are nested, not alternatives. ASVS Level 2 includes all the requirements of Level 1 plus additional ones; ASVS Level 3 includes all the requirements of Level 2 plus additional ones. A product certified at Level 2 has, by definition, also met the Level 1 requirements; a product certified at Level 3 has met all three levels’ requirements. This is why upgrade paths between Guardian SecureApp™ levels (Section 3.9 of the Levels Hub at /levels) are scoped to the additional depth between levels rather than a full re-evaluation from zero.
Control Families
V1 Through V14 — How ASVS Organises Its Requirements
Within each verification level, ASVS organises its requirements into 14 control families, each addressing a distinct dimension of application security. The families are conventionally referenced by their version-prefixed identifier (V1 through V14). This taxonomy has been broadly stable across recent ASVS versions, though specific requirement numbers within each family evolve as the standard is updated.
The 14 control families are summarised below, with a brief description of what each family covers. The depth at which Guardian evaluates each family scales with the verification level chosen — the families are the same at all levels, but the specific requirements within each family that must be satisfied are progressively more rigorous from Level 1 to Level 3.
| ID | Family | What This Family Covers |
|---|---|---|
V1 | Architecture, Design and Threat Modelling | Requirements for documented architecture, identification of trust boundaries, threat-model coverage of authentication, authorisation, data flow, and trust assumptions. Foundational family that informs how all other families are evaluated. |
V2 | Authentication | Identity verification, password policy, multi-factor authentication, credential storage, account-recovery flows, brute-force resistance, federated authentication (SAML / OIDC), and authentication mechanism selection. |
V3 | Session Management | Session token generation, cookie attributes (Secure, HttpOnly, SameSite), session lifetime, idle and absolute timeout, concurrent session policy, session revocation on logout and credential change. |
V4 | Access Control | Authorisation enforcement at every gate; protection against IDOR (Insecure Direct Object Reference), privilege escalation, missing function-level access control. RBAC and ABAC implementation correctness. |
V5 | Validation, Sanitisation and Encoding | Input validation strategy, output encoding, SQL / NoSQL / OS / LDAP injection resistance, cross-site scripting (XSS) defences, content-type enforcement, file upload validation, deserialisation safety. |
V6 | Stored Cryptography | Use of approved cryptographic algorithms, secure key management, key rotation, randomness sources, cryptographic agility, deprecation handling. |
V7 | Error Handling and Logging | Safe error responses (no information disclosure), structured logging, audit log integrity, sensitive-data exclusion from logs, log centralisation and retention. |
V8 | Data Protection | Classification of sensitive data, encryption at rest, data minimisation, retention and deletion, secure caching headers, browser data-storage hygiene. |
V9 | Communications | TLS configuration, HSTS, certificate pinning where appropriate, weak-cipher avoidance, secure WebSocket and HTTP/2 / HTTP/3 configuration. |
V10 | Malicious Code | Third-party dependency hygiene, SBOM presence, supply chain controls, anti-tampering and integrity checks. |
V11 | Business Logic | Logic-flow integrity, anti-automation, sequencing controls, abuse-case resistance, transactional integrity, race-condition handling. |
V12 | Files and Resources | File upload validation, MIME and content sniffing, path traversal resistance, signed URL handling for object storage, executable-content prevention. |
V13 | API and Web Service Interfaces | Where the application calls or exposes APIs, requirements for authentication, authorisation, rate limiting, schema validation, error handling. (For API-only products, see OWASP API Security Top 10 referenced by Module C.) |
V14 | Configuration | Hardening of build, deployment and runtime configuration; secrets management; secure defaults; environment separation; container and orchestration security where applicable. |
Each requirement within a family is also assigned to one or more of the three verification levels — meaning that at Level 1, a family might have, say, 8 requirements to satisfy, while at Level 3 the same family might have 25. The full requirement breakdown is published by OWASP at owasp.org/asvs and is the authoritative reference for what specifically must be verified at each level. Guardian’s evaluation tracks the current ASVS version adopted in our scheme document GSA-PR-01.
Certification Use
From Standard to Certificate
OWASP ASVS provides the technical content of Modules A and B; ISO/IEC 17065 provides the procedural framework for certification. Together they define how Guardian translates ASVS from a standard to be read into a basis for accredited certification. The mechanics work as follows.
1
Adoption into the Scheme Document
Guardian SecureApp™ adopts a specific version of ASVS as the technical normative document for Modules A and B in the scheme document GSA-PR-01. When OWASP publishes a new ASVS version, Guardian’s Technical Review Panel reviews the changes — new requirements, removed requirements, restructured families, modified verification levels — and decides when and how to adopt the new version into the scheme. The adoption is documented through a formal scheme revision, and certified clients are notified with appropriate transition guidance. Existing certificates remain valid for their original cycle; recertification engagements use the version of ASVS current at the time of recertification.
2
Mapping to Guardian’s Three Levels
Guardian SecureApp™’s three Levels — Level 1 (Basic), Level 2 (Advanced), Level 3 (High-Risk / Critical) — map directly to ASVS Levels 1, 2 and 3. The mapping is one-to-one: a Guardian SecureApp™ Level 2 engagement evaluates against the ASVS Level 2 requirement set, no more and no less. There is no proprietary ‘Guardian Level 2’ interpretation that adds undocumented requirements or removes documented ones. The ASVS verification level identified on the certificate is the verification level the product was evaluated against.
3
Evaluation Activities Mapped to ASVS Requirements
Guardian’s evaluation methodology (described in detail on each Module page) is engineered to verify the ASVS requirements applicable at the chosen level. Activities include automated scanning (DAST, SAST, SCA), targeted or comprehensive manual testing depending on level, multi-role authenticated testing, source code review (sample-based at Level 2, comprehensive at Level 3), architecture review (high-level at Level 1, detailed at Level 2, threat-modelled at Level 3), business-logic and abuse-case testing, and configuration / hardening review. Each activity verifies a defined subset of the ASVS requirements, and the Evaluation Report cross-references findings against the specific ASVS requirement IDs they relate to.
4
Findings Referenced to ASVS
Findings issued during a Guardian SecureApp™ engagement are referenced to the ASVS requirements they relate to (typically by family and requirement ID). This means the Evaluation Report functions as a structured, ASVS-mapped record of where the product satisfied the standard, where it did not, what was remediated, and what the final state was at certification. Any technically informed reader — your engineers, your customers’ security teams, your regulators, your auditors — can interpret the report by looking up the referenced ASVS requirements.
5
Certificate Anchored to ASVS
The certificate that ultimately issues — when criteria are met — names the Guardian SecureApp™ Level (which corresponds to the ASVS verification level), the ASVS version evaluated against, and the modules in scope. The Public Scope Statement makes the boundary precise. This anchoring to ASVS means the certificate is interpretable globally: anyone familiar with ASVS — and that audience is large and growing — understands what the certificate signifies without needing to reverse-engineer Guardian’s methodology.
ASVS + Top 10
How ASVS and OWASP Top 10 Work Together
OWASP ASVS is one of two OWASP standards that anchor Modules A and B; the other is the OWASP Top 10. The two are complementary, not alternative — they answer different questions and are designed to be used together.
ASVS is a comprehensive control catalogue. It tells you, at three levels of rigour, what to verify across 14 dimensions of application security. Its purpose is completeness: any application that satisfies its applicable ASVS level has demonstrated coverage of the controls that, taken together, constitute trustworthy application security. ASVS by itself does not tell you which controls to verify first — it treats all of its requirements as worth verifying at the level they apply at.
OWASP Top 10 is a prioritised risk framework. It tells you, based on telemetry across many organisations and validated by community review, which classes of application security risk are the most consequential at any given time. Its purpose is prioritisation: when a product fails an ASVS control, the OWASP Top 10 helps you understand how seriously to take that failure and where to focus remediation effort first.
Within Guardian SecureApp™ evaluation, OWASP Top 10 functions as the prioritisation lens applied across the ASVS evaluation. A finding that maps to A01 (Broken Access Control) or A02 (Cryptographic Failures) — the categories at the top of the current OWASP Top 10 — is treated more seriously than a finding in a lower-prioritised category, even if both are technically failures of an ASVS requirement. Critical and High findings, regardless of category, must be addressed for certification to be granted. Detailed treatment of OWASP Top 10 is at /standards/owasp-top-10.
Evolution
A Standard That Tracks the Threat Environment
ASVS has evolved substantially since its first publication, reflecting changes in the application security threat environment, the maturation of defensive practices, and feedback from the community of users. Major version transitions have introduced new control families, restructured existing families, modified verification levels and refined the testability of individual requirements.
This evolution is structural — not just cosmetic. Earlier ASVS versions, for example, treated cryptography as part of a broader ‘sensitive data’ family; later versions split cryptography into a dedicated family (V6) reflecting the recognition that key management and algorithm selection are distinct enough concerns from data protection (V8) to warrant their own treatment. Earlier versions placed less emphasis on configuration as a security concern; later versions promoted configuration to a dedicated family (V14) reflecting the operational reality that misconfiguration is a leading source of breaches. Earlier versions had less coverage of API and microservice patterns; later versions added V13 (API and Web Service Interfaces) addressing these surfaces directly.
Guardian’s adoption of ASVS versions tracks this evolution with a deliberate cadence. We do not adopt every new ASVS version immediately on publication — that would create instability for certified clients in mid-cycle — but we do adopt material new versions on a defined schedule, with appropriate transition guidance for existing certified clients and with all new engagements scoped to the version current at engagement initiation. The current ASVS version Guardian evaluates against is documented in GSA-PR-01 and is communicated explicitly at scoping. Older versions of ASVS that have been superseded but were the basis of still-valid certificates are retained for reference and audit-trail purposes.
Misconceptions
What ASVS Is Not
Several persistent misconceptions about ASVS surface frequently in scoping conversations and procurement discussions. Clarifying them once explicitly is more efficient than addressing them repeatedly:
Misconception 1 — ‘ASVS is an OWASP certification programme.’
It is not. OWASP itself does not run a certification programme. ASVS is a standard that OWASP publishes; it is then used by certification bodies (such as Guardian Assessment Pvt. Ltd., accredited by UAF under ISO/IEC 17065) to provide accredited certification, and used by individual organisations for self-assessment. There is no ‘OWASP-certified’ product in the formal sense — there are products certified by accredited certification bodies against OWASP standards.
Misconception 2 — ‘Self-assessment against ASVS is equivalent to certification.’
It is not. Self-assessment against ASVS is excellent engineering practice and Guardian encourages it, but it is not an accredited third-party attestation. The procedural infrastructure that turns an evaluation into a certificate that customers, regulators and procurement teams treat as authoritative — independent decision-making, public directory listing, surveillance, complaints and appeals rights, accreditation oversight — is what self-assessment, by definition, cannot provide. The standard’s open availability means anyone can self-assess; the certificate’s value lies precisely in the independent, accredited issuance.
Misconception 3 — ‘Higher ASVS levels mean more bureaucracy, not more security.’
This conflates verification with the controls themselves. ASVS Level 3 is not a more bureaucratic version of Level 1; it is a verification of a more rigorous set of controls. The Level 3 requirements are technical (comprehensive logging integrity, formal threat modelling, key-rotation discipline, defence-in-depth at every layer) — they are appropriate when the threat profile and breach consequences are systemic. The ‘bureaucracy’ impression usually arises when products are over-applied to Level 3 (where Level 2 would have been proportionate); Section 3.8 of the Level 3 detail page at /levels/level-3-critical addresses this error pattern.
Misconception 4 — ‘ASVS is just a list of vulnerabilities to avoid.’
It is not a vulnerability list — it is a controls catalogue. A vulnerability list (such as CWE) catalogues known classes of weakness; ASVS catalogues the controls that, when present and effective, make those weaknesses unlikely to manifest. The two are related (each ASVS requirement implicitly addresses one or more CWE entries) but they answer different questions: ‘what could go wrong?’ versus ‘what should we verify is in place?’ Certification needs the second question; threat modelling and risk assessment make use of both.
Misconception 5 — ‘OWASP Top 10 covers everything ASVS covers.’
It does not. OWASP Top 10 is a prioritised list of ten risk categories; ASVS catalogues hundreds of specific verifiable controls organised across 14 families. An application that addresses the OWASP Top 10 but does not satisfy ASVS Level 1 is unlikely to pass Guardian SecureApp™ Module A evaluation at any level. ASVS is the comprehensive standard; OWASP Top 10 is the prioritisation lens. Both are useful. They are not substitutes.
Secure SDLC
ASVS in the Secure SDLC
Many organisations use ASVS extensively before they ever consider certification — and this is precisely how OWASP designed it to be used. The standard is a public good; its primary intended use is as a working framework for engineering teams building secure applications, not as input to certification specifically. The engineering uses of ASVS that compound into procurement readiness are summarised below.
As a Secure SDLC Reference
Engineering teams use ASVS as the spine of their secure SDLC processes — security requirements derived from ASVS are written into engineering tickets, security acceptance criteria for new features reference ASVS requirement IDs, and code review checklists track against ASVS. This makes the eventual certification engagement substantially smoother: by the time Guardian evaluates the product, the ASVS requirements have already been engineered for, not retrofitted to.
As a Vendor Procurement Baseline
Buyer organisations use ASVS as the baseline against which they evaluate third-party software. A vendor security questionnaire (VSQ) that asks ‘does this product meet ASVS Level 2?’ is a more interpretable question than vague asks about ‘overall security posture’. Vendors with ASVS-aligned engineering programmes can answer such questions with documented evidence; vendors without them cannot. This is one of the structural reasons ASVS-anchored certification has procurement value.
As a Threat-Modelling Anchor
Security teams use ASVS as the anchor for threat-modelling exercises — each control family becomes a category of defensive posture to evaluate against threats. STRIDE-based threat models, for example, naturally map STRIDE categories to the ASVS families that defend against them (Spoofing → V2 Authentication; Tampering → V5 Validation; Repudiation → V7 Logging; Information Disclosure → V8 Data Protection; Denial of Service → V11 Business Logic; Elevation of Privilege → V4 Access Control).
As a Compliance-Readiness Map
Compliance teams use ASVS as the technical layer of a broader compliance posture map. Where regulatory frameworks (PCI-DSS, HIPAA, sectoral data protection laws) name application security expectations, ASVS provides the testable verification language. A control in PCI-DSS that requires ‘protection against common application security vulnerabilities’ maps cleanly onto specific ASVS families and requirements; this mapping makes compliance evidence both more substantive and more reusable.
All four uses compound into procurement readiness. By the time an organisation decides to pursue Guardian SecureApp™ certification, the work to support that certification has often already been done — not as certification preparation, but as the engineering and operational discipline of building applications with ASVS as the reference standard.
Frequently Asked Questions
Common Questions About OWASP ASVS
Yes. OWASP ASVS is published by the OWASP Foundation as a public good and is freely available under a Creative Commons licence. Anyone — engineers, organisations, certification bodies, regulators — can use it without licensing fees. The canonical reference is at owasp.org/asvs. What you pay for, when you obtain Guardian SecureApp™ certification, is the accredited third-party evaluation against ASVS — not access to ASVS itself.
ASVS Level 2 includes all the requirements of Level 1 plus a substantially larger set of additional requirements appropriate for applications handling sensitive data, transactions, or business logic. Where Level 1 catalogues the controls every application should demonstrate as a minimum bar, Level 2 catalogues what most production B2B and B2C applications are expected to meet. In practice, Level 2 typically has roughly 2–3× the number of requirements Level 1 has, and the added requirements address scenarios — multi-role authorisation, sensitive data handling, transactional integrity, abuse-case resistance — that Level 1 does not require verification of.
The OWASP Foundation, through an open community-driven process. Contributors include application security practitioners, engineers from large technology organisations, independent security researchers, certification bodies and academic researchers — all working in public, with all material changes reviewed by the OWASP community before publication. Version control, change history, and source materials are publicly accessible. This community-maintained character is structurally important to ASVS’s certification value: the standard is not subject to any single vendor’s, regulator’s, or certification body’s proprietary interests.
Guardian evaluates against the version of ASVS adopted into the scheme document GSA-PR-01 at the time of engagement. New ASVS versions are reviewed by Guardian’s Technical Review Panel and adopted on a defined schedule; existing certificates remain valid for their original cycle, with recertification engagements using the version current at recertification. The specific version applicable to your engagement is documented on the Scope Statement and confirmed at scoping. We deliberately do not publish a hard-coded ASVS version number on this public page, because that would go stale faster than scheme adoption cycles can update it.
ASVS catalogues defensive controls — what should be in place. CWE (Common Weakness Enumeration) catalogues classes of weakness — what can go wrong. The two are complementary: each ASVS requirement implicitly addresses one or more CWE entries (a missing input-validation control is the absence of a defence against various injection-related CWEs, for example). ASVS is the framework certification builds on; CWE is the framework vulnerability classification builds on. Findings issued during a Guardian SecureApp™ engagement frequently reference both — the ASVS requirement that was unmet, and the CWE that classifies the resulting weakness.
Yes — and this is precisely how OWASP designed it. Most engineering organisations use ASVS as the spine of their secure SDLC processes long before (and sometimes without ever) pursuing certification. Self-assessment against ASVS is excellent practice; it is, however, not equivalent to accredited third-party certification. The procedural infrastructure that turns an evaluation into a certificate that customers, regulators and procurement teams treat as authoritative is what self-assessment cannot provide. Section 3.9 above describes the engineering uses of ASVS beyond certification.
ASVS V13 (API and Web Service Interfaces) addresses APIs that web applications expose or consume. Where the API surface is itself the product — a developer platform, a partner-integration API, an embedded service — Module C of Guardian SecureApp™ uses the OWASP API Security Top 10 as the principal technical normative document, alongside ASVS where applicable. Modules A and B are anchored in ASVS; Module C is anchored in OWASP API Security Top 10. The two standards are complementary and address overlapping but distinct concerns.
ASVS is the comprehensive controls catalogue (what to verify); OWASP Top 10 is the prioritised risk framework (which failures to take most seriously). They are complementary, not alternative — ASVS tells you what to verify, OWASP Top 10 tells you what to verify first. Guardian uses both: ASVS as the technical normative document, OWASP Top 10 as the prioritisation lens applied to findings. An application that addresses the OWASP Top 10 but does not satisfy ASVS Level 1 is unlikely to pass Module A evaluation at any level.
Partially. ASVS V8 (Data Protection) addresses encryption at rest, classification of sensitive data, retention and deletion, and secure data-handling practices — which overlap with privacy concerns. However, ASVS is an application security standard, not a privacy-law compliance framework. Privacy regulations (GDPR, India’s Digital Personal Data Protection Act, sectoral privacy laws) impose additional requirements — lawful basis for processing, data subject rights, breach notification timelines — that ASVS does not address directly. Guardian SecureApp™ certification is product security certification, complementary to privacy-compliance work but not a substitute for it.
No. Guardian SecureApp™ certifies a product (or a defined module within the scheme) at a single level. Different features within a single certified product are evaluated at the level chosen for the engagement. Where you operate distinct products with materially different risk profiles, you can certify them at different levels — that is per-product, not per-feature. This discipline keeps the certificate’s meaning unambiguous.
No. ASVS is technology-stack agnostic. It states verification requirements in terms of outcomes (e.g., ‘verify that authentication uses a strong, industry-vetted mechanism’) rather than implementation choices (e.g., ‘verify that OAuth 2.0 is used’). This is intentional: the standard must apply across React and Vue and Angular, across Spring and Django and Rails, across AWS and Azure and on-premises deployments. Technology-specific guidance — for example, OWASP cheat sheets for individual frameworks — exists separately for engineers needing it; ASVS sits above the framework layer.
A verification requirement is a testable statement that an application either does or does not satisfy, written in a way that allows a competent evaluator to verify it through inspection, testing, or documentation review. ASVS’s discipline of writing requirements in this verifiable form — rather than as aspirational guidance — is what makes it suitable as the technical basis for certification. A typical requirement reads as ‘Verify that…’ followed by a specific, testable claim. The whole standard, at all three levels, is constructed of such statements.
It depends on the starting state. Applications built on modern security-aware frameworks, with engineering teams familiar with secure SDLC practices, often find that 60–80% of ASVS Level 2 requirements are already met by default; the remaining gap is closed through targeted work over weeks to months. Applications without that foundation — older codebases, less security-mature engineering organisations, frameworks with permissive defaults — may require months to years of focused engineering work. Guardian does not provide guidance on this work (it would compromise our impartiality) but the scoping conversation gives a realistic picture of where you stand.
Yes. OWASP publishes new versions periodically — major versions every few years, minor revisions more frequently. Major version transitions can introduce new control families, restructure existing families, modify verification levels, and refine requirement testability. Guardian’s adoption of new ASVS versions is governed by GSA-PR-01 and is communicated to certified clients with appropriate transition guidance. Existing certificates remain valid for their original cycle; recertification engagements use the version current at recertification.
ASVS is referenced (formally or by analogy) by many regulatory frameworks that ask for evidence of application security — though it is rarely the sole basis of a regulatory mandate. Indian financial-sector regulators, healthcare data protection frameworks, government procurement specifications and equivalent frameworks worldwide commonly reference ASVS-aligned controls. Specific regulatory acceptability of ASVS-based certification depends on the regulator and is discussed during scoping. ASVS is not a regulator-issued standard — it is an open community standard that regulators have adopted as a useful reference.
Three structural ways. First, accredited issuance: Guardian operates under ISO/IEC 17065 with annual UAF surveillance — the procedural integrity is itself audited, which self-assessment cannot replicate. Second, public verifiability: every Guardian SecureApp™ certificate is publicly listed in our directory at /directory, searchable by certificate number, product name or applicant name — a self-assessment is a private document. Third, ongoing surveillance: Guardian SecureApp™ certificates are subject to annual or semi-annual surveillance (depending on level), maintaining the assurance signal over time — self-assessments are point-in-time. The standard is the same; the procedural infrastructure around it is what makes the certificate procurement-grade.
Ready to Get Started?
Apply for Certification
Submit a formal application. Initial response within 5 working days.
Apply NowRequest a Quote
Tell us about your product. Indicative quote within 3 to 5 working days.
Get a QuoteTalk to Our Team
Specific question or regulatory driver to discuss?
Contact Us