OWASP Application Security Verification Standard (ASVS)

Each requirement has an identifier in the format .., where each element is a number. For example, 1.11.3. > Verify that the application protects against OS command injection and that operating system calls use parameterized OS queries or use contextual command line output encoding. Since the identifiers may change between versions of the standard, it is preferable for other documents, reports, or tools to use the following format: v-.., where: ‘version’ is the ASVS version tag. For example: v5.0.0-1.2.5 would be understood to mean specifically the 5th requirement in the ‘Injection Prevention’ section of the ‘Encoding and Sanitization’ chapter from version 5.0.0. (This could be summarized as v-.) Note: The v preceding the version number in the format should always be lowercase. If identifiers are used without including the v element then they should be assumed to refer to the latest Application Security Verification Standard content. As the standard grows and changes this becomes problematic, which is why writers or developers should include the version element. ASVS requirement lists are made available in CSV, JSON, and other formats which may be useful for reference or programmatic use.