CONTRIBUTING.md

File metadata and controls

150 lines (101 loc) · 10.5 KB

Contributing

This document has been updated for the version 5.0 release candidate stage in 2025 and may change at a future date.

Introduction

What is OWASP?

The Open Worldwide Application Security Project (OWASP) is a nonprofit organization that works to improve the security of software. It has many programs to work towards this goal. One of those programs is the ASVS.

What is the ASVS?

The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.

The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard.

What is the Current Status of ASVS development?

🎉🎉🎉 We are now at the RC1 stage of ASVS version 5.0! 🎉🎉🎉

The ASVS project will release a 5.0 version during May 2025 which is a complete revamp compared to the previous version 4.0.3.

We are waiting for your feedback on a release candidate version of 5.0! You can see this version on the master branch within the 5.0 folder. This branch will continue to be updated during the review process, so we recommend always working from the latest version.

We will no longer be accepting changes to the 4.0 folder which is now fixed at the 4.0.3 release.

How can I help?

Reading through the release candidate version of ASVS is a great place to start.

A few questions to ask yourself as you review the document:

  • If I were a developer or a security tester, would this requirement be understandable to me?
  • Can I think of a way of improving the front / chapter / section text to add clarity without adding unnecessary content?

Please first log ideas, issues or questions here: https://github.com/OWASP/ASVS/issues. It’s helpful to share if you have any ideas or if you find any bugs or typos (but see the extra guidance below).

We may subsequently ask you to open a pull request, https://github.com/OWASP/ASVS/pulls, based on the discussion in the issue.

After familiarizing yourself with the current version and if you don't have additional questions or feedback, the next area to focus on is the "Issues" section.

The issues to focus on for RC1 are listed here:

  • GitHub issue custom search

Additional Details for Helping

Before you open a Pull Request

Please do not open a pull request without first opening an associated issue. Please do not open an issue until you have used the search functionality to ensure that the issue has not previously been discussed and that there are no currently open issues relating to it. For example, this link searches for issues (open and closed) related to bcrypt.

Note that since there was a major renumbering recently, a lot of the requirement numbers in the issues may be different. You should therefore also search the issues for the requirements based on two other sources of requirement numbers:

  1. Each requirement has a column at the end called "#v5.0.be". This contains the number the requirement had before the renumbering.
  2. If you are looking for how a requirement was numbered in v4.0.3 (which may also be used in the issues), there is a mapping page which maps between the current number and the number from v4.0.3.
    • There are also other mappings in the 5.0/mappings/ folder but these may not be kept up to date.

If you are comfortable that your query has not been previously discussed, you can open an issue. Please try to include the ASVS text you are talking about in the issue (or at least the value of the "#v5.0.be" column) to save having to jump back and forth, and please carry out all discussion in the associated issue and not in a PR discussion.

How to suggest changes to the release candidate during this period

Note that review and changes should always be made based on the raw .md files. The other output formats have not yet been updated.

To help those who are using the "bleeding edge" version for their tests, and in order to be able to track changes made during this period, we have prepared a set of labels to be used when making changes to the "bleeding edge" version during this time. The current bleeding edge working directory can be found here: https://github.com/OWASP/ASVS/tree/master/5.0/en.

Mapping between v4.0.3 and v5.0.0

For a smooth transfer from ASVS v4.0.3 to v5.0.0, it is good to know:

  • What happened with a particular requirement since v4.0.3?
  • Does a requirement in v5.0.0 originate from requirement/s from v4.0.3, or is it completely new?

Through the 3.5 years since the last release (v4.0.3), changes have been tracked and tagged to make it possible to provide a 2-way mapping now.

(Note that requirement numbers for v5.0.0 may change until it is released. Although we are continuing to update the mapping as we go, it is therefore too early to make "a final copy" of the mapping.)

Mappings are presented in separate yml files. However, a formatted output is also provided on <asvs.dev>.

Tags in new (v5.0.0) mapping file:

  • ADDED - new requirement
  • MOVED FROM x.y.z - reference to the requirement number from v4.0.3. Must have a matching MOVED TO tag in the old mapping file.
    • GRAMMAR - indicates that there are grammar or language corrections in the moved requirement, which don't change the requirement's meaning.
    • MODIFIED - indicates that the meaning of the moved requirement was changed (more than just a language or grammar change).
  • SPLIT FROM x.y.z - the v4.0.3 requirement was split to multiple requirements in v5.0.0. Must have a matching SPLIT TO in the old mapping file.
  • MERGED FROM x.y.z - the v4.0.3 requirement has been merged with another requirement for v5.0.0. Must have a matching MERGED TO tag in the old mapping file.
  • COVERS x.y.z - the v5.0.0 requirement covers the content of this v4.0.3 requirement. Must have a matching COVERED BY x.y.z tag in the old mapping file.

Tags in old (v4.0.3) mapping file:

  • DELETED - the v4.0.3 requirement is deleted in the new version, with a reason.
    • DELETED, NOT IN SCOPE - requirement has been decided to be out of the redefined scope of ASVS.
    • DELETED, INCORRECT - requirement was invalid or provided inadvisable advice.
    • DELETED, NOT PRACTICAL - the requirement was not practical (enough) to implement in reality.
    • DELETED, INSUFFICIENT IMPACT - the requirement provided insufficient benefit to be worthwhile.
    • DELETED, MERGED TO x.y.z - the requirement was merged to another requirement for v5.0.0. Must have a matching MERGED FROM tag in the new mapping file.
    • DELETED, COVERED BY x.y.z - the requirement was a duplicate of or is covered by another requirement in v5.0.0. Must have a matching COVERS tag in the new mapping file.
  • MOVED TO x.y.z - reference to the requirement number from v5.0.0. Must have a matching MOVED FROM tag in the new mapping file.
  • SPLIT TO x.y.z, i.j.k - the v4.0.3 requirement is divided into multiple requirements in v5.0.0. Must have matching SPLIT FROM tags in the new mapping file.
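The matching rules above (MOVED FROM with MOVED TO, SPLIT FROM with SPLIT TO, MERGED FROM with MERGED TO, COVERS with COVERED BY, and every DELETED carrying a reason) are easy to break when two files are edited by hand. The checker below is an added example and not part of the ASVS project; it assumes each mapping file reduces to a requirement-number-to-tag-string lookup (the real yml layout is not shown here) and runs on constructed sample data.

```python
import re
# Constructed sample data, NOT the real ASVS mapping files: their yml layout is
# an assumption, so each file is a dict of requirement number -> tag string.
NEW_MAP = {  # v5.0.0 side
    "1.1.1": "ADDED",
    "2.2.1": "MOVED FROM 2.1.1, GRAMMAR",
    "2.2.2": "SPLIT FROM 2.1.5",
    "2.2.3": "SPLIT FROM 2.1.5",
    "3.1.1": "MERGED FROM 3.2.1",
    "3.1.2": "COVERS 3.3.3",
    "4.1.1": "MOVED FROM 9.9.9",  # broken on purpose: no 9.9.9 with MOVED TO 4.1.1
}
OLD_MAP = {  # v4.0.3 side
    "2.1.1": "MOVED TO 2.2.1",
    "2.1.5": "SPLIT TO 2.2.2, 2.2.3",
    "3.2.1": "DELETED, MERGED TO 3.1.1",
    "3.3.3": "DELETED, COVERED BY 3.1.2",
    "5.5.5": "DELETED, NOT IN SCOPE",
    "6.6.6": "DELETED",  # broken on purpose: deletion without a reason
}

REQ = r"\d+\.\d+\.\d+"
# Keyword in the new file and the counterpart it must match in the old file.
PAIRS = [("MOVED FROM", "MOVED TO"), ("SPLIT FROM", "SPLIT TO"),
         ("MERGED FROM", "MERGED TO"), ("COVERS", "COVERED BY")]
DELETE_REASONS = ("NOT IN SCOPE", "INCORRECT", "NOT PRACTICAL",
                  "INSUFFICIENT IMPACT", "MERGED TO", "COVERED BY")

def refs(tag, keyword):
    """Numbers following `keyword`: 'SPLIT TO 2.2.2, 2.2.3' -> ['2.2.2', '2.2.3']."""
    m = re.search(rf"\b{keyword} ((?:{REQ}(?:, )?)+)", tag)
    return re.findall(REQ, m.group(1)) if m else []

def check_mapping(new_map, old_map):
    """Return a list of problems; an empty list means the two files agree."""
    problems = []
    for new_kw, old_kw in PAIRS:
        for new_id, tag in new_map.items():  # new file -> old file
            for old_id in refs(tag, new_kw):
                if new_id not in refs(old_map.get(old_id, ""), old_kw):
                    problems.append(f"{new_id}: '{new_kw} {old_id}' has no matching '{old_kw} {new_id}'")
        for old_id, tag in old_map.items():  # old file -> new file
            for new_id in refs(tag, old_kw):
                if old_id not in refs(new_map.get(new_id, ""), new_kw):
                    problems.append(f"{old_id}: '{old_kw} {new_id}' has no matching '{new_kw} {old_id}'")
    for old_id, tag in old_map.items():  # every DELETED must carry a reason
        if tag.startswith("DELETED") and not any(r in tag for r in DELETE_REASONS):
            problems.append(f"{old_id}: DELETED without one of the listed reasons")
    return problems
```

Running `check_mapping(NEW_MAP, OLD_MAP)` on the sample reports exactly the two deliberately broken entries (4.1.1 and 6.6.6); the same function can be pointed at the parsed contents of the two real yml files once they are loaded into the same lookup shape.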

Translations

We are also no longer actively looking for translations of the 4.n branch, but get ready for the final version of 5.0, which can then be translated!