Today, the majority of web applications use OAuth and OIDC in some way. A web application must be security tested, and that’s where the OWASP Application Security Verification Standard (ASVS) gets involved. A new chapter of soon-to-be-released ASVS v5.0 addresses widespread OAuth and OIDC-related problems.

Extracting security requirements for ASVS from tens of published and not-published OAuth-related RFCs or OIDC documents has not been an easy walk in the park. There are many updates to previously published RFCs, and there are frequently new RFCs published on the topic that make it challenging to pick and fix the security requirements into the ASVS to stay valid for years.

It would have been easy to write into the ASVS document that "follow the latest RFCs and security updates". From a security tester's point of view, OAuth- and OIDC-related implementations on the web application side have been so often on the naive level "but it works", misconfigured, over-engineered or technology is in incorrect use. To have the ASVS version without addressing those problems did not feel right and there is motivation to send clear messages with security requirements to point those problems out.

And here we are now - (hopefully) only a few months away from releasing the ASVS v5.0 and it is important to review and validate, is the hard work we did valid and correct also for others, before we "force" everyone to use those requirements.

In the talk it is explained, what is (and what is not) ASVS, what are the rules and expectations for security requirements, what kind of journey has been to develop those requirements, and how you can contribute.

This is a call for action - for specialists in the OAuth and OIDC fields to review ASVS security requirements that will be in the must-have rules list for many web applications. Using your knowledge to make a review and give feedback is highly appreciated!