Skip to content

OWASP/TCASVS

Repository files navigation

OWASP Thick Client Application Security Verification Standard (TCASVS)

Downloads GitHub contributors GitHub issues GitHub pull requests CC BY-SA 4.0

Introduction

The OWASP Thick Client Application Security Verification Standard (TCASVS) provides a comprehensive set of security requirements for designing, building, and testing thick client applications — desktop software, native applications, and other locally-executed programs that operate outside a browser sandbox.

The TCASVS fills the gap between the OWASP Application Security Verification Standard (ASVS) for web applications and the Mobile Application Security Verification Standard (MASVS). While the MASVS can be applied to thick client testing, it is not an ideal fit. The TCASVS provides a standard purpose-built for thick client scenarios.

Latest Stable Version — 5.0.0

The standard source is available in the 5.0/en/ folder. It includes 6 chapters covering 130+ security requirements across three verification levels.

Chapter Title
V1 Architecture and Threat Modeling
V2 Build, Deployment, and Environment Hardening
V3 Data Storage and Protection
V4 Code Quality and Exploit Mitigation
V5 Cryptography
V6 Network Communication

Project Leaders and Working Group

The project is led by Dave Hanson and Samuel Aubert, supported by some former and other active AppSec team members at Bentley Systems: Einaras Bartkus, Thomas Chauchefoin, and John Cotter.

The project is also supported by the OWASP community and the OWASP Foundation. Special thanks to Starr Brown for her support in her capacity as Director of Projects.

Standard Objectives

  • Help organizations adopt or adapt a high quality secure coding standard for thick client applications.
  • Help architects and developers build secure thick client software by designing and building security in, and verifying that controls are in place and effective.
  • Help security reviewers use a comprehensive, consistent, high quality standard for thick client security assessments, code reviews, and penetration testing.
  • Provide a framework for procurement and vendor assessment of thick client application security.

Contributing

Please log issues if you find bugs or have ideas. We welcome pull requests based on discussion in issues.

See CONTRIBUTING.md for detailed contribution guidelines.

Contributors

Sponsors

Bentley Systems
Bentley is the leading provider of infrastructure engineering software, advancing infrastructure for better quality of life and sustainability.
Visit bentley.com to learn more.

Star History

Star History Chart

License

The entire project content is under the Creative Commons Attribution-ShareAlike 4.0 International License.

Related Projects