Call for action - review OAuth- and OIDC-related requirements for OWASP ASVS v5.0
02-26, 12:00–12:30 (UTC), Ríma

Soon to be released OWASP ASVS v5.0 contains a new chapter of requirements related to OAuth and OIDC. The talk is about - what is (not) ASVS, how it covers OAuth and OIDC, and most importantly - calling you to review the related chapter.


Today, the majority of web applications use OAuth and OIDC in some way. A web application must be security tested, and that’s where the OWASP Application Security Verification Standard (ASVS) gets involved. A new chapter of soon-to-be-released ASVS v5.0 addresses widespread OAuth and OIDC-related problems.

Extracting security requirements for ASVS from tens of published and not-published OAuth-related RFCs or OIDC documents has not been an easy walk in the park. There are many updates to previously published RFCs, and there are frequently new RFCs published on the topic that make it challenging to pick and fix the security requirements into the ASVS to stay valid for years.

It would have been easy to write into the ASVS document that "follow the latest RFCs and security updates". From a security tester's point of view, OAuth- and OIDC-related implementations on the web application side have been so often on the naive level "but it works", misconfigured, over-engineered or technology is in incorrect use. To have the ASVS version without addressing those problems did not feel right and there is motivation to send clear messages with security requirements to point those problems out.

And here we are now - (hopefully) only a few months away from releasing the ASVS v5.0 and it is important to review and validate, is the hard work we did valid and correct also for others, before we "force" everyone to use those requirements.

In the talk it is explained, what is (and what is not) ASVS, what are the rules and expectations for security requirements, what kind of journey has been to develop those requirements, and how you can contribute.

This is a call for action - for specialists in the OAuth and OIDC fields to review ASVS security requirements that will be in the must-have rules list for many web applications. Using your knowledge to make a review and give feedback is highly appreciated!

Elar Lang is a web application security specialist and enthusiast who has been working for more than 13 years in different aspects of web application security. A full-time security tester, training architect, and web application security developer educator (close to 3000 hours of training). Likes to research and write proof-of-concepts for attacks. More than 5 years actively developing and co-leading a security standard - OWASP Application Security Verification Standard (ASVS).

Out of business hours, to "escape" the screens and keyboards, takes a photo camera and stays or hikes in nature. Favorite places - Iceland and North Scandinavia.