Clarify that the scope is web applications in "Scope of the ASVS"
In "What is the ASVS?" we have (emphasis mine):
The Application Security Verification Standard (ASVS) defines security requirements for web applications and services, and it is a valuable resource for anyone aiming to design, develop, and maintain secure applications or evaluate their security.
The scope is web applications (i.e. not mobile, not CLI, not desktop).
This is maybe (?) not the only place in the document where this is stated, and it is quite easy to miss this single word.
For example, the "Scope of the ASVS" section (and the "Application" subsection) never mentions this:
ASVS defines an “application” as the software product being developed, into which security controls must be integrated. ASVS does not prescribe development lifecycle activities or dictate how the application should be built via a CI/CD pipeline; instead, it specifies the security outcomes that must be achieved within the product itself.
I think it would be worthwhile to start the "Application" subsection with a paragraph stating:
- which types of applications are in scope;
- which types of applications are not;
- maybe clarify to what extent the document is applicable/useful for applications outside of the scope;
- maybe reference other documents (such as the MAST) in here.
Yes, in practice, the focus for ASVS is basically WASVS, but we have not limited it as there is quite a big overlap between a web application and a "non-web application".
My first idea is to clarify this via #1797 - based on sections, when it applies or not.
as there is quite a big overlap for a web application and "non-web application".
Note: some of the requirements (e.g. in crypto, OAuth/OIDC) were formulated with the web scope in mind and might need to be generalized if other types of applications are considered in scope.