The OWASP Thick Client Application Security Verification Standard (TASVS) Project aims to establish an open standard for securing thick client applications. This project provides a comprehensive framework for designing, building, and testing technical application security controls.
The TASVS Project fills the gap between the OWASP Application Security Verification Standard (ASVS) for web applications and the Mobile Application Security Verification Standard (MASVS). While the MASVS can be applied to thick client testing, it is not an ideal fit. The TASVS Project seeks to create a more suitable standard for these scenarios.
The project is mainly maintained by a single project leader, Dave Hanson. However, he is heavily supported by his active AppSec team at Bentley Systems, which includes Samuel Aubert, Einaras Bartkus, Thomas Chauchefoin, and John Cotter.
The project is also supported by the OWASP community and the OWASP Foundation. Special thanks to Starr Brown for her support in her capacity as Director of Projects.
The first public version that was suitable for use was released in September 2024. The project is in the process of refining the standard and adding more content.
As we mature, we will be looking to create a more structured approach to the roadmap. As with most activities, we will allow ourselves to be steered by the work completed by the ASVS project to find that structure.
In the `utils\Convert-TASVS-Excel` directory, there is a script that can be used to populate an Excel template with the TASVS checklist. This is a useful tool for applying the standard in a practical way. It is not fully release-ready yet, but can be used in a pinch. I will endeavour to update it over time; for now, grab the Excel file, which will be named something like `TASVS_v1.6.xlsx`.
The project is looking for contributors to help with the following tasks:
If you are interested in contributing, please review the Contributing Guidelines and Code of Conduct documents.
The requirements were developed with the following objectives in mind and are taken from the web ASVS project: https://github.com/OWASP/ASVS/blob/master/README.md#standard-objectives
The OWASP Thick Client Application Security Verification Standard (TASVS) Project would like to thank the following contributors for their support and dedication to the project:
Bentley is the leading provider of infrastructure engineering software, advancing infrastructure for better quality of life and sustainability.
The entire project content is under the [Creative Commons Attribution-ShareAlike 4.0 International License][cc-by-sa].
Here are some related projects:
Please open an issue if you would like to have your project listed here.