OWASP Security Standards Adopted by Major Platforms - Learning from Google, Microsoft, Salesforce, and Slack

Tadashi Shigeoka · Wed, August 13, 2025

We introduce cases where major platforms have adopted OWASP as a security review standard for web application development.

What is OWASP?

OWASP (Open Web Application Security Project) is an international nonprofit organization aimed at improving software and web application security. Established in 2001, it is characterized by providing open knowledge and tools that anyone can freely use. Security experts and developers from around the world participate as volunteers, publishing guidelines, testing tools, educational materials, and more. OWASP maintains a neutral stance independent of specific products or vendors, compiling the latest threats and countermeasures, making it widely utilized as a standard guideline for companies and organizations strengthening their security posture.

OWASP Top 10

OWASP Top 10 is a list of the top 10 representative security risks in web applications, updated and published by OWASP every few years. This is one of the most widely referenced documents in the security industry, clearly indicating the vulnerabilities that developers and companies should address first. For example, it includes SQL injection, authentication flaws, and exposure of sensitive data, selected based on actual attack cases in order of importance. The Top 10 is not merely a checklist but should be used as a starting point for risk understanding and improvement activities, serving as an essential reference for advancing secure development and operations.

OWASP ASVS

OWASP ASVS (Application Security Verification Standard) is an international standard for systematically conducting security verification of web applications and services. While the Top 10 is a “classification list of vulnerabilities,” ASVS organizes more specific security requirements by level. For example, Level 1 requires basic security measures, while Levels 2 and 3 are applied to systems requiring higher security assurance. ASVS is often used as a standard for security requirement definition during development, code reviews, and penetration testing, providing a powerful framework for organizations to objectively demonstrate security quality.

OWASP Compliance Examples at Major Platforms

Google Cloud

Security Assessment - Google Cloud Platform Console Help explains as follows:

Security Assessment

To maintain the security of Google user’s data, apps that request access to restricted scopes need to undergo an annual security assessment. This assessment verifies that the app can securely handle data and delete user data upon request. Upon successfully passing the security assessment, the app will be awarded a “Letter of validation” (LOV) from the security assessor, indicating its ability to handle data securely.

To improve and standardize our security assessment process, we implemented the App Defense Alliance and the Cloud App Security Assessment framework (CASA).

Key features of the security assessment framework:

Microsoft 365

Microsoft 365 Certification framework overview - Microsoft 365 App Certification | Microsoft Learn explains as follows:

Penetration testing requirements

Penetration testing reports will be reviewed to ensure there are no vulnerabilities that meet the following automatic failure criteria outlined in the controls below.

Criteria Type | Penetration test controls
General criteria | Web application penetration testing MUST include all vulnerability classes; for example, the most current OWASP Top 10 or SANS Top 25 CWE. The recommendation is that this is detailed within the penetration testing report otherwise it will be difficult to demonstrate.
Secure software development/deployment | Provide policies and procedures that support secure software development and include industry standards and/or best practices for secure coding. Such as Open Web Application Security Project (OWASP) Top 10 or SysAdmin, Audit, Network and Security (SANS) Top 25 Common Weakness Enumeration (CWE).

Salesforce

Security Review Resources | ISVforce Guide | Salesforce Developers mentions OWASP in the following article:

Security Review Resources

These resources can help you prepare for the AppExchange security review.

Slack

Slack App Security Review | Slack explains as follows:

Things to consider while building your application:

- Be mindful of the OWASP Top 10 Vulnerabilities when creating your web application

Why is OWASP Chosen?

Why do so many platforms adopt OWASP as their standard? There are three main reasons:

  1. Reliability as an Industry Standard: Developed and updated by security experts worldwide, it has been established as an objective and reliable standard.
  2. Comprehensiveness and Specificity: It reflects the latest threat trends and covers the major vulnerabilities faced by web applications. For developers, it serves as clear guidance for implementing specific countermeasures.
  3. Role as a Common Language: It functions as a common language for aligning understanding of security requirements between platform operators and application developers. This makes the review process smooth and efficient.

Actions Developers Should Take

As these examples clearly show, OWASP compliance is no longer someone else’s problem for modern application developers. Specifically, the following initiatives are required:

  • Understand OWASP Top 10: First, understand each item in OWASP Top 10 and grasp what risks may be lurking in your own code.
  • Practice Secure Coding: It’s important to be mindful of security-conscious coding (secure coding) from the early stages of design and development.
  • Utilize Vulnerability Assessment Tools: Introduce processes to use tools like SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) to detect and fix vulnerabilities corresponding to OWASP Top 10 and ASVS at an early stage.

Summary

The fact that giant platforms like Google, Microsoft, Salesforce, and Slack have adopted OWASP as their security review standard demonstrates that OWASP serves as the security baseline for modern web application development.

We want to incorporate OWASP’s thinking into our daily development processes and deliver safe and reliable applications to users.

That’s all from the Gemba.