OWASP ASVS-Graph | OWASP Foundation
OWASP ASVS-Graph
What is ASVS-Graph
ASVS-Graph converts ASVS to a Knowledge-Graph. ASVS already provides guidance and metrics for Application Security Practitioners.
With ASVS-Graph, Practitioners can
- Automate the Verification Process
- Create Knowledge-Graphs, similar to that of a search engine
- Convert ASVS into a Security Recommender Engine
- Make the creation and management of Application Security Metrics simple
ASVS-Graph v0.0.1 - Expected features
- Automated Graph Seeding process
- Knowledge Graphs - Create knowledge graphs
- Convert the Knowledge Graphs to Recommender Engine
- Click-to-deploy
- Self-serve instructions
Data Relationship - Architecture
- ASVS Requirements under Architecture have deeper relationships that are simply waiting to be explored.
- Below is a minified JSON view of ASVS Requirements with the following column mapping (apologies for renaming columns in ASVS-Graph; consistency will be brought in soon):
  - serial represents column item from ASVS.
  - description represents column Description from ASVS.
  - stage represents column Name from ASVS.
- With ASVS-Graph, we make this view more fruitful by tying a strong relationship based on any attribute deemed fit.
- Helping us derive a relationship that:
  - Architecture requirements flow downwards to other verification stages.
  - Paints us a broader picture that there is a deeper relationship between different verification stages.
  - Converts hunches into more tangible requirements.
ASVS-Graph for Architecture Stage

[
{
"a.serial": "1.6.1",
"a.description": "Verify that there is an explicit policy for management of cryptographic keys and that a cryptographic key lifecycle follows a key management standard such as NIST SP 800-57.",
"a.stage": "Architecture"
},
{
"a.serial": "1.6.2",
"a.description": "Verify that consumers of cryptographic services protect key material and other secrets by using key vaults or API based alternatives.",
"a.stage": "Architecture"
},
{
"a.serial": "1.6.3",
"a.description": "Verify that all keys and passwords are replaceable and are part of a well-defined process to re-encrypt sensitive data.",
"a.stage": "Architecture"
},
{
"a.serial": "1.6.4",
"a.description": "Verify that symmetric keys, passwords, or API secrets generated by or shared with clients are used only in protecting low risk secrets, such as encrypting local storage, or temporary ephemeral uses such as parameter obfuscation. Sharing secrets with clients is clear-text equivalent and architecturally should be treated as such.",
"a.stage": "Architecture"
},
{
"a.serial": "2.8.2",
"a.description": "Verify that symmetric keys used to verify submitted OTPs are highly protected, such as by using a hardware security module or secure operating system based key storage.",
"a.stage": "Authentication"
},
{
"a.serial": "2.9.1",
"a.description": "Verify that cryptographic keys used in verification are stored securely and protected against disclosure, such as using a TPM or HSM, or an OS service that can use this secure storage.",
"a.stage": "Authentication"
},
{
"a.serial": "6.4.2",
"a.description": "Verify that key material is not exposed to the application but instead uses an isolated security module like a vault for cryptographic operations. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))",
"a.stage": "Cryptography"
}
]
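To make the "flow downwards" relationship concrete, here is an added example (not ASVS-Graph's own code) that parses the JSON view above, links each Architecture-stage requirement to requirements in other stages by a shared attribute, and emits seed statements for a graph database. The linking attribute (key-management terms matched by a small regular expression) and the Cypher output syntax are assumptions of this example; the page does not name a backend.

```python
import json
import re

# Constructed sample: the seven ASVS requirements shown on the page, in the
# ASVS-Graph column naming (serial = item, description = Description, stage = Name).
ASVS_JSON = """[
{"a.serial": "1.6.1", "a.stage": "Architecture", "a.description": "Verify that there is an explicit policy for management of cryptographic keys and that a cryptographic key lifecycle follows a key management standard such as NIST SP 800-57."},
{"a.serial": "1.6.2", "a.stage": "Architecture", "a.description": "Verify that consumers of cryptographic services protect key material and other secrets by using key vaults or API based alternatives."},
{"a.serial": "1.6.3", "a.stage": "Architecture", "a.description": "Verify that all keys and passwords are replaceable and are part of a well-defined process to re-encrypt sensitive data."},
{"a.serial": "1.6.4", "a.stage": "Architecture", "a.description": "Verify that symmetric keys, passwords, or API secrets generated by or shared with clients are used only in protecting low risk secrets, such as encrypting local storage, or temporary ephemeral uses such as parameter obfuscation. Sharing secrets with clients is clear-text equivalent and architecturally should be treated as such."},
{"a.serial": "2.8.2", "a.stage": "Authentication", "a.description": "Verify that symmetric keys used to verify submitted OTPs are highly protected, such as by using a hardware security module or secure operating system based key storage."},
{"a.serial": "2.9.1", "a.stage": "Authentication", "a.description": "Verify that cryptographic keys used in verification are stored securely and protected against disclosure, such as using a TPM or HSM, or an OS service that can use this secure storage."},
{"a.serial": "6.4.2", "a.stage": "Cryptography", "a.description": "Verify that key material is not exposed to the application but instead uses an isolated security module like a vault for cryptographic operations. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"}
]"""

# Hypothetical linking attribute: key-management terms found in the description.
# The page says "any attribute deemed fit"; this vocabulary is our choice, not the project's.
TERM_RE = re.compile(r"\b(key|vault|hsm|tpm|secret|security module)", re.IGNORECASE)

def load_requirements(raw):
    """Parse the minified JSON view and strip the 'a.' prefix from the column names."""
    return [{k.split(".", 1)[1]: v for k, v in rec.items()} for rec in json.loads(raw)]

def key_terms(description):
    """Attribute value of one requirement: the set of matched terms, lower-cased."""
    return {m.lower() for m in TERM_RE.findall(description)}

def architecture_edges(reqs):
    """Directed edges Architecture -> other stage, labelled with the shared terms."""
    terms = {r["serial"]: key_terms(r["description"]) for r in reqs}
    arch = [r["serial"] for r in reqs if r["stage"] == "Architecture"]
    others = [r["serial"] for r in reqs if r["stage"] != "Architecture"]
    return {(a, b): sorted(terms[a] & terms[b])
            for a in arch for b in others if terms[a] & terms[b]}

def downstream_stages(reqs, edges):
    """Verification stages that Architecture requirements flow down into."""
    stage = {r["serial"]: r["stage"] for r in reqs}
    return sorted({stage[dst] for _, dst in edges})

def to_cypher(reqs, edges):
    """Graph seeding statements in Cypher syntax (an assumed backend; the page names none)."""
    stmts = [f'MERGE (:Requirement {{serial: "{r["serial"]}", stage: "{r["stage"]}"}})' for r in reqs]
    for (src, dst), shared in edges.items():
        stmts.append(f'MATCH (a {{serial: "{src}"}}), (b {{serial: "{dst}"}}) '
                     f'MERGE (a)-[:FLOWS_TO {{shared: {json.dumps(shared)}}}]->(b)')
    return stmts
```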