Latest version of the #OWASP Application Security Verification Standard draft (well, beta1). Please read over and give comments - the more the merrier. When reviewing, please check each item for being TESTABLE (access to source assumed), CLEAR and precise, and NECESSARY - only necessary items should be included.
Please remember when reviewing - the ASVS has always been about the 20% of the things required to get 80% of the way there with application security. If you need 100% coverage, that's the OWASP Developer Guide I'm working on in the background.
The ASVS will likely never have extensive coverage of distributed / race conditions, memory issues, or <insert your favorite hobby horse> - it's trying to be what the Top 10 should be: a list of things you MUST look for to be secure, and the minimal set of issues to address so as not to be considered negligent. It's a security engineering checklist in many ways, not a penetration testing document.