Use OWASP Standards in Mobile App Development
Developers use OWASP standards to enhance security in mobile app creation.
Plain language
Using OWASP standards in mobile app development means following a set of guidelines created to keep mobile apps safe from hackers and other bad actors. This is important because mobile apps often contain sensitive information like personal data or financial details, and a security breach could lead to data theft, financial loss, or harm to your organisation's reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Section
Mobile application development
Official control statement
The OWASP Mobile Application Security Verification Standard is used in the development of mobile applications.
Why it matters
Failure to apply the OWASP MASVS in mobile app development can leave common flaws exploitable, causing data breaches and loss of user trust.
Operational notes
Apply OWASP MASVS requirements in design, coding and testing; review each release against MASVS and update libraries to address new risks.
Implementation tips
- IT managers should ensure developers are familiar with OWASP standards. They can do this by organising training sessions or workshops where developers learn about these standards in detail. Encourage the use of OWASP's Mobile Security Testing Guide as a practical resource during these sessions.
- Developers should incorporate OWASP standards into their development process. They can do this by using checklists from the OWASP Mobile Application Security Verification Standard (MASVS) during app design and coding stages. This helps ensure security is built into the app from the start.
- Project managers should require regular security reviews. These can be conducted by setting up a timeline for periodic code evaluations against the OWASP Mobile Top Ten security risks. This helps catch potential security issues early.
- The quality assurance team should conduct regular security testing. They can use tools and techniques mentioned in OWASP's standards to test the app for vulnerabilities before each release. This helps ensure the app is secure before it reaches users.
- Management should support ongoing security education. This involves providing resources for developers to stay updated on the latest OWASP guidelines and other best practices in mobile security. Continuous learning prevents knowledge gaps that could lead to security oversights.
Audit / evidence tips
- Ask for training records: Request documents showing that developers received training on the OWASP standards. Good evidence would be a sign-in sheet and a training agenda or slides.
- Ask for the OWASP checklist: Request the checklist used by developers during app development. Good evidence would be a completed checklist for each mobile app developed.
- Ask for security review schedules: Request a record of planned and past security reviews. Good evidence would be a document with regular review entries that align with app updates.
- Ask for test results: Request results of security tests based on OWASP standards. Good evidence would be a report indicating tests were passed or that issues were fixed.
- Ask for evidence of ongoing learning: Request information on how developers keep up-to-date with security practices. Good evidence would be certificates, email subscriptions, or conference flyers.
Cross-framework mappings
How ISM-1922 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.25 | ISM-1922 requires the OWASP Mobile Application Security Verification Standard (MASVS) to be used when developing mobile applications |
| Partially overlaps | Annex A 8.29 | ISM-1922 requires development teams to use OWASP MASVS as a security standard for mobile application development |
| Supports | Annex A 8.28 | Annex A 8.28 requires secure coding principles to be applied in software development |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.