OWASP ASVS Checklist App

The OWASP Application Security Verification Standard, Level 1 and 2, as a free interactive web app. 117 controls across 13 categories. Check items off as you verify them in your app — progress and notes persist in your browser. Print or save as PDF for audits.

117 ASVS L1/L2 controls
Progress + notes auto-saved locally
Print / Save PDF for audits

Progress (saved in this browser only): 0 / 117 complete (0%). 99 L1 items, 18 L2 items.

V2 Authentication (14 controls): Identity proofing, password handling, lockouts, MFA.
V3 Session Management (11 controls): Token lifecycle, cookie flags, idle / absolute timeouts.
V4 Access Control (8 controls): Authorization checks, least privilege, multi-tenancy isolation.
V5 Validation, Sanitization & Encoding (16 controls): Input validation, output encoding, injection defenses.
V6 Stored Cryptography (7 controls): Approved algorithms, key management, secret storage.
V7 Error Handling & Logging (8 controls): Useful logs, no info leakage, audit trail for security events.
V8 Data Protection (7 controls): PII handling, data classification, client-side storage.
V9 Communications (6 controls): TLS configuration, HSTS, certificate validation.
V10 Malicious Code (4 controls): Supply chain integrity, code reviews, dependency scanning.
V11 Business Logic (4 controls): Workflow integrity, anti-automation, sequential checks.
V12 Files & Resources (7 controls): Upload validation, MIME sniffing, path traversal.
V13 API & Web Service (9 controls): Authentication, authorization, REST/GraphQL defenses.
V14 Configuration (16 controls): Server hardening, secrets, CSP, dependency policies.

How to actually use this checklist

The single biggest mistake teams make with ASVS is treating it as a document to read. ASVS is a workflow. You walk it row by row with the person who owns the corresponding code, and for every line you decide one of three states: verified, gap with owner and date, or not applicable with rationale. A line ignored is a line that will surface in your next penetration test.

We use this exact tool internally when scoping our penetration testing engagements — it tells the client what we're going to verify before we start. About 60% of teams that walk this checklist before their first pentest find at least a dozen gaps they can fix internally — which means the pentest finds harder, more interesting issues and they walk away with a better report.

Level 1 covers the bare minimum every public-facing application should meet — no SQL injection, no XSS, no missing authentication. If you fail L1 you are below the bar set by reasonable industry practice, and that's a problem in a negligence context. L1 controls are mostly verifiable by automated scanners and a careful code review.

Level 2 is what most production apps handling personal data, payments, or contracts should target. It assumes a determined attacker with limited resources — the kind of threat model a SOC 2 Type II audit, ISO 27001 certification, or HIPAA covered-entity contract implies. L2 adds requirements like MFA on admin interfaces, structured logging for all access decisions, and proper secrets management.

Level 3 (not in this tool) is for high-assurance applications — defense, critical infrastructure, primary healthcare records. If your app needs L3, you're past the point where a self-service checklist suffices and into the territory of formal threat modeling and code review.

For organizations doing this for the first time, we recommend splitting the work along the natural seams. Authentication and session belong to whoever owns identity. Validation, output encoding, and crypto belong to whoever owns the API and shared libraries. Communications and configuration belong to whoever owns infrastructure. Business logic and access control should be walked jointly because that's where most real-world breaches live.

The Notes field is more valuable than the checkbox. When you tick an item, the note should answer two questions: where is the evidence (file path, ADR link, framework version)? And who confirmed it (person and date)? An auditor reading your printed checklist a year from now needs to be able to verify any claim without going back to your engineers.
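As an added illustration of the record-keeping described above (example code, not QuantLab's own app), the JavaScript below models one checklist item in one of the three states, refuses to count it until it carries the evidence, owner and date, or rationale that state needs, computes the overall and per-level progress, and validates anything read back from local storage before trusting it. Item ids, field names, the storage key and the rule for what counts as complete are assumptions.

```javascript
// Added example, not QuantLab's app code. Item ids, the storage key, the
// record field names and the "complete" rule are assumptions.
const STORAGE_KEY = "asvs-checklist-v1";
// Constructed catalogue: a few controls with their ASVS level.
const CATALOG = [
  { id: "V2-1", level: 1 },
  { id: "V3-1", level: 1 },
  { id: "V4-1", level: 2 },
];
// Exactly three states, each with the fields the notes must answer: where is
// the evidence and who confirmed it (and when); owner and date for a gap;
// a rationale for not applicable. Returns a list of problems (empty = ok).
const REQUIRED = {
  verified: ["evidence", "confirmedBy", "confirmedOn"],
  gap: ["owner", "dueDate"],
  not_applicable: ["rationale"],
};
function validateRecord(rec) {
  const state = rec && typeof rec === "object" ? rec.state : undefined;
  if (!Object.prototype.hasOwnProperty.call(REQUIRED, state)) return ["unknown state: " + state];
  return REQUIRED[state].filter((f) => !rec[f]).map((f) => `${state} needs ${f}`);
}
// Progress overall and per level, like the "0 / 117" counter. Assumption: an
// item is complete when its record is valid and is not an open gap.
function progress(catalog, records) {
  const out = { total: catalog.length, complete: 0, byLevel: {} };
  for (const item of catalog) {
    const lv = out.byLevel[item.level] || (out.byLevel[item.level] = { total: 0, complete: 0 });
    lv.total++;
    const rec = records[item.id];
    if (rec && rec.state !== "gap" && validateRecord(rec).length === 0) {
      out.complete++;
      lv.complete++;
    }
  }
  out.percent = out.total ? Math.round((100 * out.complete) / out.total) : 0;
  return out;
}
// Persist to a Storage-like object (window.localStorage in the browser). Malformed
// or invalid records are dropped on load, so a hand-edited entry cannot come back ticked.
function saveChecklist(store, records) {
  store.setItem(STORAGE_KEY, JSON.stringify(records));
}
function loadChecklist(store) {
  let parsed;
  try { parsed = JSON.parse(store.getItem(STORAGE_KEY) || "{}"); } catch { return {}; }
  if (!parsed || typeof parsed !== "object") return {};
  return Object.fromEntries(
    Object.entries(parsed).filter(([, r]) => validateRecord(r).length === 0));
}
```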

When you're done, hit Print / Save PDF. The output is print-optimized — clean black-and-white, no UI chrome, with notes inline. Drop it into your compliance binder, attach it to your annual penetration test scope, or send it to the prospect asking for a security questionnaire.

Want help interpreting the gaps? Our cybersecurity services and pentest team walk customers through this exact workflow. Or estimate scope with the pentest cost calculator.

FAQs

What is OWASP ASVS?

ASVS stands for Application Security Verification Standard. It is OWASP's canonical list of security requirements for web applications — what a developer should build and what a tester should verify. Level 1 is the bare minimum every public-facing app should meet. Level 2 is what apps handling personal data, payments, or B2B contracts should target. Level 3 is reserved for high-assurance systems like government, finance, or healthcare.

How do I use this checklist for a real audit?

Walk it top to bottom with the engineer who owns each area. For every item, decide: implemented, partially implemented, not applicable, or gap. The notes field is where you record the evidence — link to the code, the config, the architecture decision record. At the end you have a defensible artifact for SOC 2, ISO 27001, or a board security review.

Is my progress sent anywhere?

No. Every checkbox, every note, every state change is written to your browser's local storage only. We never send your checklist data anywhere. Clearing your browser data will wipe it — so before doing that, print or save it to PDF.

Why aren't all 200+ ASVS items listed?

We selected 117 of the highest-impact L1 and L2 requirements — the ones that show up in real-world penetration tests and compliance audits. The full ASVS document has more granular requirements, including L3 controls for high-assurance systems. For a complete audit, run this checklist first to clean up the obvious gaps, then engage a tester for the residual edge cases.

How is this different from the OWASP Top 10?

The Top 10 is a risk awareness document — it tells you what categories of vulnerabilities to worry about. ASVS is a verification standard — it tells you the specific controls to implement and verify. Think of Top 10 as the syllabus and ASVS as the homework. Both are by OWASP; ASVS is what auditors and pentesters actually work from.

Need a pentest scoped from this checklist?

Send us the printed checklist with your gaps highlighted. We'll turn it into a focused testing scope, an estimate, and a remediation plan you can take to the board.

Or reach us directly: (770) 652-1282 · beltz@quantlabusa.dev