Compliance / OWASP
OWASP ASVS Cryptography Verification
The OWASP channel is the first live baseline source in Korthex: instead of a hand-curated snapshot, it pulls ASVS v5.x directly from the official OWASP repository on the 24-hour cycle and maps the cryptography chapters (V11 Cryptography, V12 Secure Communication) into 33 verification rules. When ASVS moves, the baseline moves with it.
What ASVS asks of your cryptography
- V11 Cryptography: approved algorithms only, no broken hashes in security contexts, sound key management and randomness
- V12 Secure Communication: current TLS versions and strong cipher suites on every connection
- The verification standard behind OWASP Top 10 A02 (Cryptographic Failures): ASVS is what you test against, the Top 10 is what goes wrong when you do not
The live-source model
Most authorities publish PDFs, so their channels are curated by hand. OWASP publishes ASVS as versioned files in the open, which lets Korthex consume it live: the 24-hour cron checks the official repository, short-circuits when nothing changed, and emits a signed update when it did. Your scans grade against the ASVS that exists today, not the copy someone pasted last year.
Because ASVS is the standard development teams actually adopt, the CI/CD gate doubles as automated ASVS cryptography verification: a pull request that introduces a non-approved algorithm fails the check with the ASVS-tagged finding attached.
Frequently asked questions
Which ASVS version does the channel track?
The live 5.x line from the official OWASP repository. The channel re-checks daily and updates itself when OWASP publishes changes.
Does this cover the OWASP Top 10?
The channel grades against ASVS, the verification standard behind Top 10 A02 (Cryptographic Failures). Findings map to concrete ASVS requirements rather than the Top 10's category level.
Who should activate the OWASP channel?
Development-led organizations and anyone whose security program is ASVS-based. It is part of the recommended global profile alongside NIST, BSI and IETF.