"Now there's an open industry standard for Web application and Web service security: The Open Web Application Security Project (OWASP) Foundation has released the Application Security Verification Standard (ASVS).
Mike Boberski, project lead and co-author of OWASP's ASVS Project, says the main goal of the standard is to provide a commercial and workable open standard for application security verification. The standard is aimed at giving Web application developers a "yardstick" to assess the degree of security of their apps, and at helping security folks determine what to build into their apps security-wise, according to Boberski. The standard can also be used in procurements to specify security verification requirements, he says. This is OWASP's first-ever standard.
ASVS includes four levels of security verification, each with specific security requirements it must address. "It starts with Level 1, prescribing the use of automated tools augmented with manual verification," Boberski says. "It then progresses to Level 4, which includes searching for malicious code manually.""