OWASP Thick Client Application Security Verification Standard

Introduction

The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to provide an open application security standard for web apps and web services of all types.

The standard provides a basis for designing, building, and testing technical application security controls, including architectural concerns, secure development lifecycle, threat modelling, agile security including continuous integration / deployment, serverless, and configuration concerns.

This project aims to fill the gap between the web ASVS and the mobile ASVS (MASVS). Whilst the MASVS can be used for thick client testing, it is not a perfect fit, so we hope to produce something more appropriate.

Roadmap to TASVS 1.0

The general idea is to take the best and most applicable parts of the existing standards and then enhance them with items specific to thick client testing. I would call this our version 0.1 and produce it in spreadsheet form initially as (to my mind anyway) it is easier to relate the checklist approach to practical testing. My team would use it to review our company's existing products (we have plenty to go at) in real AppSec engagements and refine it over time with the aim of producing version 1.0. At that point a formal PDF document would be produced and hopefully a new standard created.