
Back in 2021, we were doing desktop application assessments at AFINE. All clients asked the same question after the assessment: “What desktop application security standard did you follow for this test?”
Good question. The problem was, there wasn’t one.
For web apps, we had OWASP ASVS. For mobile, MASVS worked great. But desktop applications? Nothing. We’d gather requirements from both standards, add some custom checks, and hope we didn’t overlook anything obvious.
That’s a terrible way to do security work, and we knew it.
So we built what we needed. Today, I’m sharing what we made: the Desktop Application Security Verification Standard. It’s a framework made for the complex world of desktop application security on Windows, macOS, and Linux.
Why Desktop Application Security Needs Its Own Standard
Look, desktop applications aren’t just web apps that happen to run locally. And they’re definitely not mobile apps on bigger screens. The security model is fundamentally different.
Web applications execute mostly on servers. The browser is a constrained client: its sandbox and same-origin policy keep a page from touching much on your system, and the critical application logic stays server-side, behind controls the operator manages. Mobile apps run entirely on the device, sure, but mobile platforms enforce strict per-app sandboxing. This means developers get security boundaries whether they want them or not.
Desktop applications? They run locally with access to pretty much everything. File system? Go ahead. Registry? Sure. System services? Why not. Native libraries? Help yourself. And they often do this with elevated privileges.
That’s not a slightly larger attack surface. That’s a completely different threat model.
Data storage tells the same story. Web apps have cookies and local storage – both size-restricted and relatively contained. Mobile apps use structured storage with platform-provided encryption, but many developers still get it wrong… Desktop applications can create, modify, and delete files anywhere in the filesystem, frequently with admin privileges. The potential for data exposure is dramatically higher.
Even updates work differently. Web apps update when you visit them – transparent, immediate. Mobile apps update through curated app stores that at least pretend to do security screening. Desktop apps have no single update path: some use a built-in updater, some a package manager, some ship nothing and rely on the user. Many of those updaters run with admin privileges, so an updater that fetches a package over an unauthenticated channel, or applies it without verifying a signature and checking for downgrades, becomes a ready-made malware delivery channel.
These aren’t minor differences. They’re why desktop applications need their own desktop application security standard.
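To make the update point concrete, here is an added example (not code from DASVS or from AFINE) of the checks an updater should run before handing a downloaded package to an elevated installer. The manifest layout, the field names and the `SignManifest`/`VerifyUpdate` functions are assumptions made for this illustration; the publisher signs `version || sha256(payload)` with an Ed25519 key whose public half is pinned in the application binary, and the client refuses anything that fails the signature, is not newer than what is installed, or does not hash to the signed digest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update manifest. The publisher signs
// version || sha256(payload); the signature is what makes the manifest
// trustworthy, so nothing in it may be acted on before Verify succeeds.
type Manifest struct {
	Version    uint64   // monotonically increasing build number
	PayloadSHA [32]byte // SHA-256 of the installer/package bytes
	Signature  []byte   // Ed25519 signature over signedBytes(Version, PayloadSHA)
}

var (
	ErrBadSignature    = errors.New("update: manifest signature does not verify")
	ErrDowngrade       = errors.New("update: manifest version is not newer than the installed version")
	ErrPayloadMismatch = errors.New("update: payload hash does not match the signed manifest")
)

// signedBytes fixes the byte layout the publisher signs, so that the
// version cannot be separated from the hash it was issued with.
func signedBytes(version uint64, payloadSHA [32]byte) []byte {
	buf := make([]byte, 8+len(payloadSHA))
	binary.BigEndian.PutUint64(buf[:8], version)
	copy(buf[8:], payloadSHA[:])
	return buf
}

// SignManifest is the publisher side: run at release time, never shipped
// inside the application.
func SignManifest(priv ed25519.PrivateKey, version uint64, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	return Manifest{
		Version:    version,
		PayloadSHA: sum,
		Signature:  ed25519.Sign(priv, signedBytes(version, sum)),
	}
}

// VerifyUpdate is the client side. pub is pinned in the application binary
// (it must never arrive over the same channel as the update). installed is the
// version currently running. The checks are ordered so that an unauthenticated
// manifest is never consulted for the downgrade or hash decision.
func VerifyUpdate(pub ed25519.PublicKey, installed uint64, m Manifest, payload []byte) error {
	if !ed25519.Verify(pub, signedBytes(m.Version, m.PayloadSHA), m.Signature) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrDowngrade // rolling a user back to an old, vulnerable build is an attack too
	}
	if sha256.Sum256(payload) != m.PayloadSHA {
		return ErrPayloadMismatch
	}
	return nil // safe to hand the payload to the (possibly elevated) installer
}

func main() {
	// Constructed demo: one key pair, one "installer" blob, one release.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed installer bytes for build 42")
	m := SignManifest(priv, 42, payload)

	fmt.Println("genuine update:", VerifyUpdate(pub, 41, m, payload))
	fmt.Println("tampered payload:", VerifyUpdate(pub, 41, m, []byte("malware")))
	fmt.Println("replayed old manifest:", VerifyUpdate(pub, 42, m, payload))
	m.Version = 99 // attacker edits the manifest but cannot re-sign it
	fmt.Println("forged manifest:", VerifyUpdate(pub, 41, m, payload))
}
```

The common mistake this guards against is checking only a hash that was downloaded alongside the package: an attacker who controls the channel simply serves a matching hash. Binding the version into the signed bytes is what turns the downgrade check into something the attacker cannot bypass by replaying a genuinely signed but older manifest.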
What is DASVS?
DASVS (Desktop Application Security Verification Standard) is a desktop application security standard inspired by and modeled after the OWASP ASVS and OWASP MASVS.
If you’ve used either, you’ll recognize the structure immediately. But the requirements themselves are built around desktop application realities. They are not retrofitted from web or mobile contexts.
The framework gives you:
- Structured verification requirements organized into twelve security domains
- Clear, testable controls you can actually verify
- Three verification levels matching different risk profiles
- Guidance that works across Windows, macOS, and Linux
You can use it as an assessment framework, implementation guidance, a testing checklist, or procurement criteria. We designed it to be practical, not aspirational.
Three Desktop Security Verification Levels
DASVS defines three verification levels with increasing security rigor. Think of these as security postures matched to different risk profiles.
- Level 1: Baseline Security – Every desktop application should meet Level 1. These are the basics: input validation, simple authentication, and essential data protection, the controls that stop common, well-documented attacks. If you’re already doing basic secure coding, Level 1 shouldn’t require massive changes. Most Level 1 requirements can be verified through black-box testing, which is useful when you don’t have source code access.
- Level 2: Enhanced Security – This is for applications handling sensitive data or business-critical operations. You’re implementing stronger authentication, granular access controls, comprehensive logging, and thorough validation throughout the app. Meeting Level 2 means security is integrated into your development process: threat modeling during design, security-focused code reviews, and actual meaningful testing instead of just running a scanner and calling it done.
- Level 3: High-Risk Security – Level 3 assumes skilled attackers are specifically targeting your application. Think financial systems, healthcare apps, defense software, and critical infrastructure. Anywhere a breach would be catastrophic. You’re implementing stringent crypto requirements, minimizing attack surface wherever possible, building layered defenses, and maintaining thorough security monitoring. You’ll need detailed documentation and security experts directly involved in development. These controls assume someone competent is actively trying to break in.
Pick your level based on what you’re protecting and what happens if someone breaks in. When in doubt, go higher.
Desktop Application Security Domains
We organized requirements into twelve domains based on actual desktop application security work:
- Architecture and Design – Get the foundation right from the start
- Authentication and Authentication Lifecycle – Secure authentication for desktop environments
- Access Control – Control what authenticated users can actually do
- Data Protection – Keep sensitive information safe
- Communication – Secure network and inter-process communication
- Input Validation and Output Encoding – Handle untrusted input without getting burned
- File Operations – Manage file system access securely
- Hardware Integration – Deal with USB devices and other peripherals
- Logging and Monitoring – Know when something’s going wrong
- Installation and Updates – Secure the distribution process
- Self-Protection and Integrity – Make your application harder to tamper with
- UI Security and User Privacy – Protect the interface layer
These aren’t theoretical categories. They’re organized around the security issues that actually come up when you’re building or testing desktop software.
What’s Coming Next for Desktop Security
DASVS is the foundation, but we’re building more on top of it.
Desktop Application Security Testing Guide (DASTG) launches in 2025. It’ll provide detailed testing methodologies for each requirement. You’ll find platform-specific approaches and practical examples using real tools and techniques. The goal is bridging the gap between “here’s what you should verify” and “here’s exactly how to verify it.”
We’re also planning an automatic security assessment tool for desktop apps. It will work like MobSF does for mobile. Automated static and dynamic analysis, findings mapped directly to DASVS requirements, and support for all three major platforms. That’s targeted for 2026.
Get DASVS v1.0 First
DASVS is an open standard. After positive feedback from security experts, we’re releasing it here.
Click the button below to get DASVS v1.0 now for free. You’ll see the complete standard right away – start implementing it and see how it works for your desktop application security assessments.
We published it on GitHub where anyone can open issues, suggest improvements, and collaborate on future versions.
Help Improve the Desktop Application Security Standard
DASVS gets better through real-world use and community feedback. If you implement it and find gaps, tell us. If you discover better ways to verify requirements, share them. Platform-specific issues? Let us know.
And if you’re a developer, security professional, or just someone who cares about desktop security – review DASVS, tell us what’s broken, and help us fix it.
Desktop applications aren’t going anywhere – let’s make them harder to break into.