OWASP Application Security Verification Standard (ASVS)
|
|
| Regulator |
N/A |
| Jurisdiction |
Global |
| Status |
live |
| Applicability |
Platform |
The OWASP Application Security Verification Standard (ASVS) v4.0 provides a basis for testing web
application technical security controls and a list of requirements for secure development. It is a
voluntary standard, adopted by the platform as the minimum security baseline for all customer-facing
and payment systems. ASVS defines three verification levels: L1 (automated scanning, minimum),
L2 (standard, requires manual testing — applies to most financial applications), and L3 (advanced,
requires architectural review — applies to critical or high-value systems).
The platform targets ASVS L2 as the minimum for all systems. ASVS L3 applies to
systems handling card data and the payment processing core (MOD-020, MOD-021, MOD-022, MOD-045).
ASVS is adopted as part of the secure development practice. It provides the technical control
baseline referenced by PCI DSS v4.0 and is consistent with the technology
controls required under ISO 27001 Annex A. ASVS compliance is not
externally certified but is evidenced through penetration test reports and secure code review
outcomes maintained by the CISO.
ASVS v4.0 has 14 chapters (V1–V14). The obligations below map the chapters with direct platform
control attribution. Chapters with no dedicated platform module are institutional (Secure SDLC,
developer training, penetration testing programme).
Compliance register
This register maps every material ASVS chapter requirement to the platform control or institutional
process that satisfies it. It is the static traceability layer for the Totara compliance report.
Scope legend
| Symbol |
Meaning |
| 🤖 Automated |
Platform enforces or performs the obligation. Primary control mode is GATE, AUTO, CALC, or ALERT. Human action is not required in the normal case. |
| 📊 Evidenced |
Platform captures the evidence trail automatically. Human compliance decision sits on top. Primary control mode is LOG. |
| 🏛 Institutional |
Obligation is met by a process entirely outside the platform — Secure SDLC, developer training, penetration testing. Platform may generate evidence inputs but does not own the process. |
| N/A |
Obligation does not apply to this deployment configuration. |
Build legend
| Symbol |
Meaning |
| ✅ |
Module built and deployed |
| 🔨 |
Module planned — not yet built (build_status: Not started) |
| ❌ |
Uncontrolled gap — no module attributed |
V1 — Architecture, design, and threat modelling
| Ref |
Obligation |
Scope |
Policy |
Platform controls |
Build |
| V1 — Threat modelling |
Perform threat modelling for all security-sensitive components; document trust boundaries |
🏛 Institutional |
DT-001 |
Threat modelling is a secure SDLC obligation; ADRs document security architecture decisions |
— |
| V1 — Secure architecture |
All components follow defined security architecture patterns; no security-by-obscurity |
🤖 Automated |
DT-001 |
MOD-044 (GATE) — least-privilege enforced at API gateway; MOD-075 (GATE) — all service-to-service traffic TLS-terminated with mutual authentication |
🔨 |
V2 — Authentication
| Ref |
Obligation |
Scope |
Policy |
Platform controls |
Build |
| V2.1 — Password security |
Passwords minimum 12 characters; bcrypt or Argon2 storage; breach password checking |
🤖 Automated |
DT-001 |
MOD-068 (GATE) — MFA and device trust prerequisite for session establishment; credential storage via MOD-045 (secrets and key management) |
🔨 |
| V2.2 — MFA |
Multi-factor authentication required for all user-facing authentication flows |
🤖 Automated |
DT-001 |
MOD-068 (GATE) — enforces MFA and device trust checks as a prerequisite for session establishment; no session issued without passing cybersecurity controls |
🔨 |
| V2.3 — Authenticator lifecycle |
Secure lifecycle for authenticators (enrolment, revocation, step-up re-authentication) |
🤖 Automated |
DT-001 |
MOD-068 (GATE) — device trust levels assigned; step-up re-authentication triggers on high-value transactions; sessions revoked on logout or suspicious activity |
🔨 |
| V2.4 — Credential storage |
Credentials stored securely using approved algorithms; no plaintext storage |
🤖 Automated |
DT-001 |
MOD-045 (AUTO) — secrets cannot be extracted by developers; key rotation automated |
🔨 |
| V2.5 — Passkeys / FIDO2 |
Support phishing-resistant authenticators (FIDO2, passkeys) where L3 applies |
🤖 Automated |
DT-001 |
MOD-068 (GATE) — registers and authenticates FIDO2/passkey credentials against device-bound keys; phishing-resistant login |
🔨 |
V3 — Session management
| Ref |
Obligation |
Scope |
Policy |
Platform controls |
Build |
| V3 — Session tokens |
Short-lived access tokens; silent refresh; all sessions revoked on logout or suspicious activity |
🤖 Automated |
DT-001 |
MOD-068 (AUTO) — issues short-lived access tokens and silent refresh tokens; revokes all sessions on logout or suspicious activity detection |
🔨 |
| V3 — Session binding |
Sessions bound to device / IP; anomalous re-use detected and rejected |
🤖 Automated |
DT-001 |
MOD-068 (GATE) — device fingerprint registered; untrusted devices limited to read-only until full MFA ceremony completed |
🔨 |
V4 — Access control
| Ref |
Obligation |
Scope |
Policy |
Platform controls |
Build |
| V4 — RBAC |
Role-based access control enforced; no client-side access decisions; object-level authorisation |
🤖 Automated |
DT-001 |
MOD-044 (GATE) — RBAC enforced at API gateway; JWT role claims validated on every request; no data returned outside caller's permitted scope |
🔨 |
| V4 — Data access scoping |
Data access limited to the minimum scope necessary for the caller's role |
🤖 Automated |
DT-001 |
MOD-052 (GATE) — minimum necessary data access enforced at API; no role can access data outside their scope |
🔨 |
V6 — Cryptography
| Ref |
Obligation |
Scope |
Policy |
Platform controls |
Build |
| V6 — Algorithm selection |
Approved cryptographic algorithms only; no weak algorithms (MD5, SHA-1, DES, RC4) |
🤖 Automated |
DT-001 |
MOD-045 (AUTO) — key rotation automated; cryptographic algorithms enforced through the secrets and key management service |
🔨 |
| V6 — Key management |
Cryptographic keys managed through a key management service; no hardcoded keys; rotation enforced |
🤖 Automated |
DT-001 |
MOD-045 (AUTO) — secrets cannot be extracted by developers; key rotation automated; MOD-104 (GATE) — KMS CMKs provisioned per data classification level |
🔨 |
V7 — Error handling and logging
| Ref |
Obligation |
Scope |
Policy |
Platform controls |
Build |
| V7 — Error handling |
Application errors handled securely; no stack traces or sensitive data in error responses |
📊 Evidenced |
DT-001 |
MOD-076 (LOG) — platform-level system events, errors, and performance anomalies captured in observability store |
🔨 |
| V7 — Security event logging |
Authentication successes and failures, access control failures, and high-value transactions logged with sufficient detail |
📊 Evidenced |
DT-001 |
MOD-044 (LOG) — all authenticated API calls logged with user ID, role, endpoint, and timestamp; MOD-046 (LOG) — all production access sessions auditable |
🔨 |
V9 — Communication security
| Ref |
Obligation |
Scope |
Policy |
Platform controls |
Build |
| V9 — TLS |
All communications encrypted with TLS 1.2+ minimum; no mixed content; HSTS enforced |
🤖 Automated |
DT-001 |
MOD-075 (GATE) — all service-to-service traffic TLS-terminated with mutual authentication; no plaintext internal API calls permitted |
🔨 |
| V9 — Certificate management |
TLS certificates managed and rotated; certificate pinning for mobile apps |
🤖 Automated |
DT-001 |
MOD-045 (AUTO) — mTLS certificates and service credentials managed by the secrets module |
🔨 |
V13 — API and web service security
| Ref |
Obligation |
Scope |
Policy |
Platform controls |
Build |
| V13 — API authentication |
All API endpoints require authentication; no unauthenticated endpoints in production |
🤖 Automated |
DT-001 |
MOD-075 (GATE) — rate limiting and request signing enforce only registered, authenticated services can call platform APIs; unauthenticated requests rejected at gateway |
🔨 |
| V13 — Schema validation |
REST/SOAP requests validated against schema before processing; reject malformed requests |
🤖 Automated |
DT-001 |
MOD-075 (GATE) — API gateway enforces request validation before routing to backend services |
🔨 |
| V13 — Rate limiting |
API rate limiting implemented at gateway; protection against brute force and DoS |
🤖 Automated |
DT-001 |
MOD-075 (GATE) — per-service and per-consumer rate limits, returning 429 before upstream services are reached |
🔨 |
Secure SDLC and testing (institutional)
| Ref |
Obligation |
Scope |
Policy |
Platform controls |
Build |
| V1 / V14 — Secure SDLC |
Developer security training; threat modelling in design; secure code review; SAST/DAST in CI pipeline |
🏛 Institutional |
DT-001 |
Secure SDLC programme owned by CISO and CTO; platform code is subject to these controls but the programme itself is institutional |
— |
| V14 — Penetration testing |
Annual penetration test (L2 minimum); results remediated and evidenced |
🏛 Institutional |
DT-001 |
Annual penetration testing programme is institutional; MOD-076 and MOD-044 provide logging during tests |
— |
| Obligation |
Owner |
Platform evidence input |
| ASVS adoption decision and level selection (L2 / L3) |
CISO |
Platform controls implement the selected level |
| Developer ASVS training and secure coding programme |
CISO / CTO |
Institutional training programme |
| SAST / DAST tooling integration in CI/CD pipeline |
CISO / Engineering |
Platform CI pipelines are the subject; tooling is institutional |
| Annual penetration test commissioning and remediation |
CISO |
MOD-076 and MOD-044 provide evidence during testing |
| ASVS control evidence documentation for auditors |
CISO |
Platform module specifications provide control evidence |
Coverage summary
| Area |
Total obligations |
Platform automated 🤖 |
Platform evidenced 📊 |
Institutional 🏛 |
N/A |
| V1 — Architecture |
2 |
1 |
0 |
1 |
0 |
| V2 — Authentication |
5 |
5 |
0 |
0 |
0 |
| V3 — Session management |
2 |
2 |
0 |
0 |
0 |
| V4 — Access control |
2 |
2 |
0 |
0 |
0 |
| V6 — Cryptography |
2 |
2 |
0 |
0 |
0 |
| V7 — Error handling / logging |
2 |
0 |
2 |
0 |
0 |
| V9 — Communication security |
2 |
2 |
0 |
0 |
0 |
| V13 — API security |
3 |
3 |
0 |
0 |
0 |
| Secure SDLC and testing |
2 |
0 |
0 |
2 |
0 |
| Total |
22 |
17 (77%) |
2 (9%) |
3 (14%) |
0 |
All attributed modules are currently build_status: Not started — the compliance position will
update as modules are built and deployed.
| Policy |
Title |
| DT-001 |
Information Security Policy |
See D05 Data & Technology for the full risk domain.
Official documentation
Policies referencing this standard
(None yet)
Compiled 2026-05-22 from source/entities/regulations/industry-owasp-asvs.yaml