ITSPmagazine Podcasts

Redefining What Secure Application Development Looks Like: Bringing Application Security into Focus with ASVS v5 | An OWASP AppSec Global 2025 Conversation with Josh Grossman | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Josh Grossman, co-leader of the OWASP ASVS project, shares how version 5 makes secure application development more accessible, actionable, and aligned with real-world engineering workflows. If you’re building or managing software security programs, this episode offers practical insight into how ASVS can become your foundational tool.

Episode Notes

In this On Location episode during OWASP AppSec Global 2025 in Barcelona, Josh Grossman, co-leader of the OWASP Application Security Verification Standard (ASVS) project, shares key updates and strategic thinking behind the release of ASVS version 5. This release, years in the making, reflects a renewed focus on making the standard more approachable, practical, and actionable for development teams and security leaders alike.

ASVS is designed to provide a comprehensive and verifiable set of security requirements for building and maintaining secure applications. More than just a checklist, it offers a clear blueprint for what a secure application should look like—making it easier to benchmark progress, develop secure design requirements, and implement effective controls. Version 5 emphasizes accessibility, particularly by lowering the barrier to entry for organizations adopting Level 1 of the standard, reducing the threshold of required controls from nearly 50% to under 30%.

One of the major shifts in this new version is the tighter focus on the application itself, moving away from system-level topics like backup policies that tend to fall outside the scope of app development teams. This makes the standard more relevant to software architects, developers, and QA engineers—providing requirements that fall within their sphere of influence, while still covering the full software lifecycle from design to deployment.

Grossman explains how organizations can customize ASVS to include their internal controls and build out secure coding checklists, implementation guides, and requirements documents tailored to their environments. He also highlights how ASVS aligns with other OWASP projects, like the Cheat Sheet Series and SAMM, for both control-level guidance and organizational process development.

For security leaders looking to improve their application security programs, ASVS v5 offers a foundation to build on—clear, community-driven, and extensible. And true to OWASP’s spirit, the project is backed by a passionate community, from project co-leads like Grossman and Elar Lang to contributors around the world. As Grossman puts it, OWASP is about connection—people tackling similar challenges, working together to make software safer.

If you’re looking for a way to bring practical, standards-based security into your software lifecycle, this conversation is your starting point.

GUEST: Josh Grossman | CTO of Bounce Security and co-leader of the OWASP Application Security Verification Standard (ASVS) project | https://www.linkedin.com/in/joshcgrossman/

HOST: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | https://www.seanmartin.com

SPONSORS

Manicode Security: https://itspm.ag/manicode-security-7q8i

RESOURCES

OWASP Application Security Verification Standard (ASVS): https://owasp.org/www-project-application-security-verification-standard/

Learn more and catch more stories from OWASP AppSec Global 2025 Barcelona coverage: https://www.itspmagazine.com/owasp-global-appsec-barcelona-2025-application-security-event-coverage-in-catalunya-spain

Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage

Want to tell your Brand Story Briefing as part of our event coverage? Learn More 👉 https://itspm.ag/evtcovbrf

Want Sean and Marco to be part of your event or conference? Let Us Know 👉 https://www.itspmagazine.com/contact-us

Episode Transcription

Sean Martin: [00:00:00] Yeah. Josh, here we are. Where's great to be here? We're with OWASP today. Yeah, we we're in Baran. I'm being a little silly. It's been a long few days already. 
 

A lot of interviews, a lot of conversations. Good community, of course. Fantastic. Um. What do you think so far?  
 

Josh Grossman: Um, I really love these events. I have great fun at these events. I think that it's a really great community of people. It's great to see people that I've either met before and get to see again. 
 

It's great to see people that I've only ever spoken to over the internet and finally get to see them in person. Um, so yeah, I really enjoy the awesome events.  
 

Sean Martin: Yeah, yeah. Great, great group of folks. And, uh, big announcement. Yeah. Well, you did some 12. Before we get to that, you did some training last couple days. 
 

A few days, yes. How did that go?  
 

Josh Grossman: Um, training went really well, a really great class of people. Very engaged, very interested. Uh, the course is about application security tools. Everyone's got, you know, DAST, SAST, SCA, every sort of acronym under the sun. They don't know what to do with them. They've got loads of findings, and the tool is all about, the course is [00:01:00] all about, okay, what do I do with these findings? 
 

How do I build this into my organization? My organization? How do I actually, how do I actually make that process work? And, uh, yeah, I've done it for a few years now. It's, uh, gets good results. Lots of interactivity, people engaging and uh, working on the group exercises. So, and  
 

Sean Martin: taking the tools and the, and the models and the frameworks and the documents and the guides and putting 'em all in action. 
 

Josh Grossman: Yeah. Just say, okay, how do we make this work in the real world? You know, never mind, you know, we press the button, a lot of findings come out. And now what?  
 

Sean Martin: Exactly. So, alright, so now to the, to the announcement, I think, was it Rodrigo mentioned, uh,  
 

Josh Grossman: uh, yeah, I think Ricardo mentioned in the RIC keynote. Sorry, yes. 
 

Ricard mentioned in the keynote. Yeah. So Ricardo was kind enough to mention in the keynote that, uh. Yeah, tomorrow morning, uh, my, uh, co-leader on the ASVS, the application security project, he's, uh, watching us over here. Yes, he's gonna be, uh, releasing the version five of the project. So, uh, we're super excited about that. 
 

It's been arguably six years in the making. Great. Certainly from the, the last major versions. So, [00:02:00] uh, yeah, we're really excited to get this release out.  
 

Sean Martin: That's very good. And, uh, we, we won't make fun of Elar for not being on camera. He's, he's very shy, but he'll, uh,  
 

Josh Grossman: he's gonna step up tomorrow. He is gonna do the talk and it's gonna be great. 
 

Sean Martin: Alright, so for those who may not be familiar with the ASVS mm-hmm. Um, maybe a quick overview of what it is and what it's designed to do. Mm-hmm.  
 

Josh Grossman: So the ASVS is the Application Security Verification Standard, and the idea is to bring sort of a comprehensive standard to say, look, this is how you build an application in a secure way. 
 

These are the positive requirements to help you build an application in a secure way. And the requirements are written in a way they can also be easily verified, you know, verify this particular security mechanism is in place, verify that this check is in place. Um, the idea is to bring to developers, or to testers or QA, you know, a comprehensive tool they can use to assess the security of an application, compare it to other applications, and just get, generally, get a feel for you. 
 

How, how are we doing from a security perspective.  
 

Sean Martin: Okay. [00:03:00] So the last version, four or six years ago you said.  
 

Josh Grossman: Yeah. Version 4.0.1 I think was, yeah, 2019 I wanna say. Okay.  
 

Sean Martin: So what, what was kind of the journey from the zero point something to four? What did that world look like?  
 

Josh Grossman: So, it's a good question. So I can't remember exactly when the first version came out. 
 

The, uh, the leaders have changed around over the years, right? So, uh, you know, many, many years ago they started off with version one with a small number of requirements and gradually, so each version, they gathered more requirements and sort of made it more. Sort of to try and cover some of the more modern issues and updated challenges that we see in the industry. 
 

And, you know, finally version four was quite a, a major update. And I got involved around just before the release of version four, doing some of the, uh, uh, review and the QA. I know, and I was also involved in that process as well, sort of as, as an individual contributor. And, uh, for the version four release, that's when we got really got more involved and, uh, thinking about, okay, well what's next? 
 

Now that we've got this, this major version,  
 

Sean Martin: right? So. So what [00:04:00] are some of the highlights for V five over V four? What can people expect of it?  
 

Josh Grossman: So our big focus overall is trying to make it easier to use and make it more accessible. Um, on the one hand, we want it to be sort of a comprehensive resource. We want it to try and cover as much as possible. 
 

You know, we don't want it just to be sort of a top 10 or a fragment of, you know, here are a few things you need to do. We want it to be a comprehensive resource, but that, that comes with a size that comes with a lot of requirements and we wanted to make that, um. Easier to approach. We wanted to make it easier for organizations, teams to start using the standard to get onto the first level of the standard. 
 

You know, the standard's organized in three levels. Level one, which is sort of the initial stage. You wanna get to level two, which is sort of the normal, sort of more standard level of security. And then level three for the higher risk applications. You know, the most risky applications, you know, com. Very sensitive medical data, very high value financial transactions. 
 

So we want to make it easier to get onto level one to. Comply with level one of the standard and then see, okay, well, well what's next? Right? [00:05:00] Um, so back in, uh, back in level four, I think get to level one, you had to already be doing something like 40% of the requirements or something, nearly 50% of the requirements. 
 

And we've now got that down to, um, below 30%. It makes it just an easier, easier start. It makes it lower barrier to entry and help organizations get started and think about, okay, well how do we move on from that?  
 

Sean Martin: Got it. And so you've mentioned developers and QA, um. The clearly two teams that work together to deliver something security is part of that as well. 
 

Yes. How's, how's the guide speak to those constituents and does it address any other stakeholders like, like line of business and I don't know, the delivery, the delivery teams and the IT folks, and does it cover that breadth or what, what is it? What does it cover? So, yeah.  
 

Josh Grossman: One of the other things we've done in version five is to try and focus on, on the application itself. 
 

Okay. Previous versions sort of focused on processes to a certain extent and to sort of other activities such as backups, which are sort of less [00:06:00] specific to the application itself. You know, backups would usually be like a different team, sort of different set of considerations. We've tried to focus it on, on the application itself and to try and make sure that whenever we bring it to software architects, we bring it to developers, we bring it to QA there, we, we bring them requirements, we bring them considerations that are within their purview or within what they're thinking about and Got it. 
 

Uh, so, you know. We restricted the application, but at the same time, we want it to be valid all the way through the application life cycle. So from the original, uh, requirement stage, I've done talks in the past about using the ASVS to actually develop secure requirements before you've even started writing any code, all the way through to using it as a resource for design review, using it for developers to refer to as, uh, an implementation guide of, okay, well what, you know, when I'm writing this feature, what considerations might, might need to put into place. 
 

We, we also make it so that organizations can. Add their own guidance. We very much encourage organizations to take the ASVS and customize it and extend it for their own organization, their own inbuilt, their own in-house mechanisms and, you know, their own, uh, security, um, [00:07:00] requirements and security plans they have in place already. 
 

Say, okay, well apply these to the ASVS as well. And you've got everything in this single point.  
 

Sean Martin: Now is it, is it a guide or, 'cause I'm picturing requirements mm-hmm. That are a list of things that you would consider when you're building. That might go into like a PRD, product requirements doc. Mm-hmm. Is that, is that what it is? 
 

Or does, how does that look from a, see Yeah.  
 

Josh Grossman: The requirements tend to be, you know, we try and make them relatively clear, but we're also not going into endless detail. You know, the idea is it should be a requirement, and that's one of the things we've worked on with version five is to sort of make the requirements state, you know, what is the security goal here? 
 

What is the, what is the thing we're trying to achieve? How exactly you gonna implement that? Well, we leave that to other OWASP projects. For example, the Cheat Sheet project. There are some, you know, great. Great guides for, okay, here's how you do security controls in Java. Here's how you do security controls in .NET. 
 

And I think that by linking from ASVS and then using those additional resources for your specific case, therefore it [00:08:00] means we can keep the ASVS at a manageable level of detail, but also provide resources onwards. Okay. Let's expand on that. Let's provide wider guidance as well. Okay.  
 

Sean Martin: Very cool. Very cool. 
 

Well, um, I guess let, let's speak to, so a lot of my audience are. Security leaders that, that decent, uh, practitioner base as well. Um, what would you say to, let's, let's speak to security leaders. How, how can they take what you've done with V five and bring it into their program? What, what's the some of the first steps they would do? 
 

Josh Grossman: Yeah, so I think, you know, I think the key thing is to say, look, everyone wants to know how to do application security. Everyone say, okay, well, we've got this problem. How we, how are we gonna solve it? I think that the ASVS brings a, a fantastic, a fantastic sort of standard to say, well, here's what's actually expected in an, in an application. 
 

Now you're not gonna take it all at once, and you may want to take a slowly, slowly approach where maybe you start with level one or you start with certain sections where you know you've got particular concerns, but take those requirements and use them as a basis [00:09:00] for your other security activity. So, okay, if we wanna develop security requirements, here are the ASVS requirements you can use to base those off. 
 

If we wanna develop a secure coding checklist, then we're gonna maybe gonna start with. The relevant ASVS requirements. So we're gonna expand on that to, uh, say, well here's how we're gonna do it within this organization. So I think it gives a fantastic blueprint for, um, you know, what the security and application looks like, what it should look like, what should be in place for the application. 
 

Now it doesn't give you the process around that, the process around that. You probably want a different project like the, uh, OWASP SAMM project, for example. Right? Which talks more about application security processes and you know, what you want security team to be doing what you want developers to be doing, but. 
 

The ASVS is there to give you a blueprint for the application itself. Got it. So what mechanisms do we want in the application?  
 

Sean Martin: Nice. Great clarification. Appreciate that. The, um, what else was I gonna ask you? The, so I guess the teams will adopt this. I guess what I'm, what I'm trying to figure out is [00:10:00] the, the community is a big part of, of the conference. 
 

Mm-hmm. Um, does that carry over? Into, uh, an organization taking on the ASVS? Is there, are there, are there people behind it they can actually reach out to or, obviously at events like this, they can get together, teams can get together and talk about projects and, and challenges and overcoming them best practices and, and using ASVS, but mm-hmm. 
 

Is there a team behind the project that people can reach out to? I guess is really good question.  
 

Josh Grossman: So yeah, so we're lucky to have a great team of co-leaders, uh, myself and uh, Elar as well. It's, uh, two, the key co-leaders are here. Jim Manico is also co-leader on the project. We had a lot of input into both previous versions and also this version as well. 
 

Uh, and also Daniel Cuthbert, who's, uh, been a leader on the ASVS for a long time. He's also provided a lot of input, especially around, uh, cryptography, which is sort of his, uh, one of his specialist interests at the moment. Okay. And then beyond that, we've got the working group, a group of people we got together to try and sort of. 
 

More formally [00:11:00] encourage other people to be involved in ASVS and, uh, some other major contributors. And, you know, when I pulled off a report recently of how many people have sort of commented or contributed information or ideas or suggestions to ASVS, it was a, a list of about 200, probably more people who've had some inputs over the last few years to, to bring 5.0 to where it is. 
 

So very cool. Yeah, there's definitely a community around ASVS. We're trying to grow that community. Uh, last year at the conference at Lisbon, we had the first sort of ASVS community morning, which was fantastic to. Have to get, get a group of people together to specifically talk about ASVS. Right. Uh, we didn't do that this time around 'cause we got the release, so we wanted to focus on getting the release out and having the release talk. 
 

But, uh, we're definitely trying to increase the community around ASVS and we're certainly interested in hearing from people who wanna be more involved and, or have questions or have ideas of what they can build on top of it as well. Yeah.  
 

Sean Martin: Nice one, nice one. Well, Josh, I appreciate you. Uh. Doing all the work for stuff, and I, uh, definitely do not do all the work doing all that you do, do the work that I do. 
 

Not all of the work that  
 

Josh Grossman: Elar does, the work  
 

Sean Martin: the community do, but, uh, of course, [00:12:00] but, but certainly co-leading and, and bringing it to life. And, um, so I appreciate that. I want people to recognize it. It's, you do that outta the goodness of your heart, along with all the other volunteers. So it's, it's an important thing to note. 
 

Um, you've been involved though, so I'm asking folks this question. Hmm. Um, when I say OWASP, um, and I want to address the, uh, address the audience here. When I say OWASP, what, what does it conjure up? What does it mean to you? So, yeah, for  
 

Josh Grossman: me, OWASP is community. I think it's the group of people. It's a network of people who are sort of seeing similar challenges and trying to solve similar problems. 
 

Sort of getting together, share resources, share ideas, give back to the community, and generally improve the state of software security. Yeah. Um, so I think the community aspect is really important. I think, you know, we have these fantastic events. We have chapter events, we have all sorts of opportunities to get people together. 
 

I know they started up a virtual chapter now for people who don't live near a local chapter. So they can also be involved [00:13:00] in, uh, in our activities. And, uh, yeah, I think it's a fantastic community and I'm looking forward to see it, uh, continue to grow, not just in security, but also in developer, developer spaces as well. 
 

Sean Martin: Yeah. Fantastic. Josh Grossman. Thanks very much. Amazing. Thank you. Great chatting to you. Thanks everybody for listening. Watching, uh, become an OWASP member. Contribute to the projects, use them to actually build safer, more secure apps. And, uh, stay tuned. More coming from OWASP AppSec Global here in Barcelona.