From the OWASP top 10(s) to the OWASP ASVS

This page contains the resources for the talk titled "From the OWASP top 10(s) to the OWASP ASVS".


Some people are under the misconception that if they follow the OWASP top 10 that they will have secure applications. But in reality the OWASP Top Ten (and other top ten lists) are just the bare minimum for the sake of entry-level awareness. A more comprehensive understanding of Application Security is needed. This talk will review the OWASP Top Ten 2017 and the OWASP Top Ten Proactive Controls 2018 and compare them to a more comprehensive standard: the OWASP Application Security Verification Standard (ASVS) v3.1. OWASP's ASVS contains over 150 requirements that can provide a basis for testing web application technical security controls and also provide developers with a list of requirements for secure development in a fashion with much more nuance and detail than a top ten list! You cannot base a security program off a Top Ten list. You can base an AppSec program off of the ASVS.

About Philippe De Ryck

Philippe De Ryck is the founder of Pragmatic Web Security, where he travels the world to train developers on web security and security engineering. He holds a Ph.D. in web security from KU Leuven. Google recognizes Philippe as a Google Developer Expert for his knowledge of web security and security in Angular applications.