Clarification request regarding ASVS 5.0 control scope

[paulobiao]

Hello ASVS team,

I am reviewing ASVS 5.0 for research and practical alignment with other security frameworks.

I would appreciate clarification on how the ASVS requirements are intended to be interpreted when used as a baseline versus a target maturity level, especially in environments with mixed legacy and modern components.

Thank you for maintaining this important standard.

[paulobiao]

Adding a concrete suggestion from an assessor perspective.

In practice, one way to reduce ambiguity would be to explicitly state, per control (or per section), whether the requirement is intended to be:

• a mandatory baseline verification requirement (expected for all applications at the declared ASVS level), or
• a target maturity control, applicable when risk, regulatory exposure, or architectural complexity justify it.

Even a short note indicating “baseline” vs “maturity target” would significantly improve consistency across assessments, evidence collection, and audit outcomes, especially in mixed legacy / cloud-native environments.

[tghosth]

Apologies for the delay in response @paulobiao

I may not be fully understanding the concern here, so please feel free to clarify if I’ve missed something.

My current thinking is that in a mixed environment, an ASVS evaluation would likely need to be performed per application rather than across the entire environment as a single unit. If you attempt to assess the whole environment collectively, the overall result will effectively align with the lowest level of maturity present.

We have discussed preparing a testing guide to provide additional clarity, but that effort has not yet started.

If you have suggestions for specific wording or proposed text, please feel free to share it here and we can review and refine it together.