Why I'm Translating OWASP's Security Standard Into Panjabi — And Why It Matters
What happens when 130 million speakers can finally read the security requirements their applications need to meet?
Executive Summary: The OWASP Application Security Verification Standard (ASVS) 5.0 — the global benchmark for application security requirements — now has its first-ever Panjabi translation underway, and the first translation into any South Asian language. Using a bilingual English/Gurmukhi format with a 70-term security glossary, this open-source project (PR #3254) makes 350 security requirements accessible to Panjabi-speaking developers and security professionals worldwide. Eight chapters are complete and bilingual; two more are in progress. Reviewers needed — no GitHub experience required.
There are over 130 million Panjabi speakers worldwide. Until now, none of them could read the OWASP Application Security Verification Standard in their own language.
That changes with PR #3254.
The Gap Nobody Talks About
OWASP ASVS 5.0 is the gold standard for application security requirements — 350 requirements across 17 chapters that architects, developers, and security teams use to build and verify secure software. It's been translated into Turkish, Russian, French, Korean, Spanish, and Chinese.
But not into Panjabi. As of this writing, no completed ASVS translation exists in any South Asian language — not Hindi, Urdu, Bengali, Tamil, or Panjabi.
This isn't just a language gap. It's a security gap. Panjabi-speaking developers across India, Pakistan, Canada, the UK, and the US are building applications that serve millions. They deserve security guidance they can read without a language barrier sitting between them and the requirements they need to implement.
What Makes This Translation Different
Most translations replace English with the target language entirely. I took a different approach: every section is bilingual. English first, Panjabi immediately below.
Here's why. Security terminology is precise. "Authentication" and "authorization" are not interchangeable, and neither are their Panjabi equivalents. A bilingual format lets a developer read the Panjabi for comprehension and cross-reference the English for technical precision. No ambiguity. No guessing.
```markdown
## Copyright and License
## ਕਾਪੀਰਾਈਟ ਅਤੇ ਲਾਇਸੈਂਸ
This document is released under the Creative Commons
Attribution-ShareAlike 4.0 International License.
ਇਹ ਦਸਤਾਵੇਜ਼ ਕਰੀਏਟਿਵ ਕਾਮਨਜ਼ ਐਟਰੀਬਿਊਸ਼ਨ-ਸ਼ੇਅਰਅਲਾਈਕ ੪.੦
ਅੰਤਰਰਾਸ਼ਟਰੀ ਲਾਇਸੈਂਸ ਅਧੀਨ ਜਾਰੀ ਕੀਤਾ ਗਿਆ ਹੈ.
```
Notice the Gurmukhi numerals — ੪.੦ instead of 4.0. These details matter. They signal that this isn't a machine-translated afterthought. It's a deliberate effort to honor the script and the community it serves.
The Terminology Problem (And How We Solved It)
How do you translate "SQL Injection" into Panjabi? You don't — at least not entirely. Security has its own lingua franca, and forcing every term into translation creates more confusion than clarity.
We built a glossary of 100+ security terms, each classified into one of four categories:
| Category | When to Use | Example |
|---|---|---|
| Translated (T) | Concept has a natural Panjabi equivalent | Authentication → ਪ੍ਰਮਾਣੀਕਰਨ |
| Loan Word (L) | Term is universally used in English | API → ਏ.ਪੀ.ਆਈ. |
| Retained (R) | Acronym or proper noun | OWASP, SQL, XSS |
| Hybrid (H) | Part translates, part stays | SQL Injection → SQL ਇੰਜੈਕਸ਼ਨ |
This T/L/R/H system came from spending real time with the source material and asking a practical question: if a Panjabi-speaking developer reads this term in a code review, which version will they actually recognize?
The answer varies by term, and that's the point. "Verification" becomes ਤਸਦੀਕ (tasdīq) because Panjabi has a rich word for it. "CSRF" stays as CSRF because no translation improves on the acronym every developer already knows.
Complete Security Terminology Glossary
Below is the working glossary for the OWASP ASVS 5.0 Panjabi translation. Each term includes the Gurmukhi translation, romanization, and its T/L/R/H classification. I'm actively seeking feedback on these choices — scroll down to the feedback section to suggest changes.
Core ASVS Terms
| English | Panjabi (ਪੰਜਾਬੀ) | Romanization | Type | Context |
|---|---|---|---|---|
| Application | ਐਪਲੀਕੇਸ਼ਨ | aiplicaishan | L | Software application |
| Security | ਸੁਰੱਖਿਆ | surakkhiā | T | Protection, safety |
| Verification | ਤਸਦੀਕ | tasdīq | T | Validation, confirmation |
| Standard | ਮਿਆਰ | miyār | T | Benchmark, criterion |
| Requirement | ਲੋੜ | loṛ | T | Need, specification |
| Architecture | ਆਰਕੀਟੈਕਚਰ | ārkīṭaikchar | L | System design |
| Framework | ਫਰੇਮਵਰਕ | pharaimvarak | L | Structural foundation |
| Compliance | ਪਾਲਣਾ | pālṇā | T | Adherence to rules |
| Assessment | ਮੁਲਾਂਕਣ | mulāṅkaṇ | T | Evaluation |
| Implementation | ਲਾਗੂਕਰਨ / ਅਮਲ | lāgūkaraṇ / amal | T | Putting into practice (under review) |
Authentication & Authorization
| English | Panjabi (ਪੰਜਾਬੀ) | Romanization | Type | Context |
|---|---|---|---|---|
| Authentication | ਪ੍ਰਮਾਣੀਕਰਨ | pramāṇīkaraṇ | T | Identity verification |
| Authorization | ਅਧਿਕਾਰੀਕਰਨ | adhikārīkaraṇ | T | Permission granting |
| Session Management | ਸੈਸ਼ਨ ਪ੍ਰਬੰਧਨ | saishan prabandhan | H | Session handling |
| Access Control | ਪਹੁੰਚ ਨਿਯੰਤਰਣ | pahuṅch niyaṅtraṇ | T | Permission management |
| Credential | ਕ੍ਰੈਡੈਂਸ਼ੀਅਲ | kraiḍainsheeal | L | Login information |
| Password | ਪਾਸਵਰਡ | pāsvaraḍ | L | Secret passphrase |
| Multi-Factor Authentication | ਬਹੁ-ਕਾਰਕ ਪ੍ਰਮਾਣੀਕਰਨ | bahu-kārak pramāṇīkaraṇ | H | MFA |
| Token | ਟੋਕਨ | ṭokan | L | Authentication token |
| OAuth | OAuth | — | R | Authorization protocol |
| Single Sign-On | ਸਿੰਗਲ ਸਾਈਨ-ਆਨ | siṅgal sāīn-ān | L | SSO |
Vulnerabilities & Threats
| English | Panjabi (ਪੰਜਾਬੀ) | Romanization | Type | Context |
|---|---|---|---|---|
| Vulnerability | ਕਮਜ਼ੋਰੀ | kamzorī | T | Security weakness |
| Threat | ਖ਼ਤਰਾ | khatrā | T | Potential danger |
| Risk | ਖ਼ਤਰਾ/ਜੋਖ਼ਮ | khatrā/jokham | T | Probability of harm |
| Exploit | ਐਕਸਪਲੋਇਟ | aiksploiṭ | L | Attack technique |
| Attack Surface | ਹਮਲੇ ਦੀ ਸਤ੍ਹਾ | hamlai dī sathā | T | Exposure area |
| Threat Modeling | ਖ਼ਤਰਾ ਮਾਡਲਿੰਗ | khatrā māḍliṅg | H | Threat analysis |
| Injection | ਇੰਜੈਕਸ਼ਨ | iṅjaikshan | L | Code injection class |
| SQL Injection | SQL ਇੰਜੈਕਸ਼ਨ | SQL iṅjaikshan | H | Database attack |
| Cross-Site Scripting (XSS) | XSS | — | R | Client-side injection |
| Cross-Site Request Forgery (CSRF) | CSRF | — | R | Request forgery |
| Path Traversal | ਪਾਥ ਟਰੈਵਰਸਲ | pāth ṭraivarsaḷ | L | Directory traversal |
| Command Injection | ਕਮਾਂਡ ਇੰਜੈਕਸ਼ਨ | kamāṅḍ iṅjaikshan | H | OS command attack |
| XML External Entity (XXE) | XML ਬਾਹਰੀ ਇਕਾਈ | XML bāhrī ikāī | H | XML parser attack |
| Server-Side Request Forgery (SSRF) | SSRF | — | R | Server request attack |
| Template Injection | ਟੈਂਪਲੇਟ ਇੰਜੈਕਸ਼ਨ | ṭaimpḷaiṭ iṅjaikshan | H | Template engine attack |
Cryptography & Data Protection
| English | Panjabi (ਪੰਜਾਬੀ) | Romanization | Type | Context |
|---|---|---|---|---|
| Encryption | ਇਨਕ੍ਰਿਪਸ਼ਨ | inkripashan | L | Data encoding |
| Decryption | ਡੀਕ੍ਰਿਪਸ਼ਨ | ḍīkripashan | L | Data decoding |
| Hashing | ਹੈਸ਼ਿੰਗ | haishiṅg | L | One-way function |
| Certificate | ਸਰਟੀਫਿਕੇਟ | sarṭīphikaiṭ | L | Digital certificate |
| Key Management | ਕੁੰਜੀ ਪ੍ਰਬੰਧਨ | kuṅjī prabandhan | H | Crypto key handling |
| Data Protection | ਡੇਟਾ ਸੁਰੱਖਿਆ | ḍaiṭā surakkhiā | H | Information security |
| Sensitive Data | ਸੰਵੇਦਨਸ਼ੀਲ ਡੇਟਾ | saṅvaidanshaīl ḍaiṭā | H | Protected information |
Development & Testing
| English | Panjabi (ਪੰਜਾਬੀ) | Romanization | Type | Context |
|---|---|---|---|---|
| Secure Development | ਸੁਰੱਖਿਅਤ ਵਿਕਾਸ | surakhiat vikās | T | Secure SDLC |
| Code Review | ਕੋਡ ਸਮੀਖਿਆ | koḍ samīkhiā | H | Code inspection |
| Penetration Testing | ਪੈਨੀਟ੍ਰੇਸ਼ਨ ਟੈਸਟਿੰਗ | painīṭraishan ṭaisṭiṅg | L | Security testing |
| Static Analysis | ਸਥਿਰ ਵਿਸ਼ਲੇਸ਼ਣ | sthir vishlaishaṇ | T | SAST |
| Dynamic Analysis | ਗਤੀਸ਼ੀਲ ਵਿਸ਼ਲੇਸ਼ਣ | gatīshīl vishlaishaṇ | T | DAST |
| Input Validation | ਇਨਪੁੱਟ ਪ੍ਰਮਾਣਿਕਤਾ | inpuṭṭ pramāṇiktā | H | Data validation |
| Output Encoding | ਆਊਟਪੁੱਟ ਇੰਕੋਡਿੰਗ | āūṭpuṭṭ iṅkoḍiṅg | H | Data encoding |
| Sanitization | ਸੈਨੀਟਾਈਜ਼ੇਸ਼ਨ | sainīṭāīzaishan | L | Data cleaning |
| Error Handling | ਗਲਤੀ ਸੰਭਾਲ | galtī saṅbhāl | T | Exception management |
| Logging | ਲਾਗਿੰਗ | lāgiṅg | L | Event recording |
Infrastructure & Configuration
| English | Panjabi (ਪੰਜਾਬੀ) | Romanization | Type | Context |
|---|---|---|---|---|
| Configuration | ਸੰਰਚਨਾ | saṅrachnā | T | System settings |
| API | ਏ.ਪੀ.ਆਈ. | ai.pī.āī. | L | Application interface |
| Web Service | ਵੈੱਬ ਸੇਵਾ | vaib saivā | H | Network service |
| Firewall | ਫਾਇਰਵਾਲ | phāiarvāl | L | Network barrier |
| Malicious Code | ਖ਼ਤਰਨਾਕ ਕੋਡ | khatarnāk koḍ | H | Malware |
| File Upload | ਫਾਈਲ ਅੱਪਲੋਡ | phāīl apploḍ | L | File handling |
| Business Logic | ਕਾਰੋਬਾਰੀ ਤਰਕ | kārobārī tarak | T | Application logic |
Governance & Process
| English | Panjabi (ਪੰਜਾਬੀ) | Romanization | Type | Context |
|---|---|---|---|---|
| Policy | ਨੀਤੀ | nītī | T | Governance rule |
| Audit | ਆਡਿਟ | āḍiṭ | L | Formal examination |
| Incident Response | ਘਟਨਾ ਜਵਾਬ | ghaṭnā javāb | T | Security response |
| Documentation | ਦਸਤਾਵੇਜ਼ੀਕਰਨ | dastavaizīkaraṇ | T | Written records |
| Traceability | ਟਰੇਸੇਬਿਲਟੀ | ṭraisaibilṭī | L | Audit trail |
| Remediation | ਸੁਧਾਰ | sudhār | T | Fixing issues |
ASVS Levels
| English | Panjabi (ਪੰਜਾਬੀ) | Romanization | Context |
|---|---|---|---|
| Level 1 | ਪੱਧਰ ੧ | paddhar 1 | Initial defense layer |
| Level 2 | ਪੱਧਰ ੨ | paddhar 2 | Standard security practices |
| Level 3 | ਪੱਧਰ ੩ | paddhar 3 | High-assurance requirements |
Why "Panjabi" and Not "Punjabi"
A deliberate choice. "Panjabi" follows the romanization used by Sikhri.org, the Panjab Digital Library, and academic institutions that work with Gurmukhi text. "Punjab" is an anglicization; "Panjab" and "Panjabi" are closer to the original ਪੰਜਾਬੀ pronunciation. Since this project is fundamentally about linguistic authenticity, the spelling should reflect that.
For terminology validation, we cross-reference against the Punjabi University English-Punjabi Dictionary (ਪੰਜਾਬੀ ਯੂਨੀਵਰਸਿਟੀ ਅੰਗਰੇਜ਼ੀ-ਪੰਜਾਬੀ ਕੋਸ਼), published by Punjabi University Patiala — first edition 1968, with subsequent editions through 2002 (ISBN 81-7380-095-2). This is the authoritative English-to-Panjabi reference work, and its entries for terms like "authentication" (ਪ੍ਰਮਾਣੀਕਰਨ, ਤਸਦੀਕ), "authorization" (ਅਧਿਕਾਰ ਸੌਂਪਣ ਦਾ ਕਾਰਜ), "access" (ਪਹੁੰਚ, ਰਸਾਈ, ਪਰਵੇਸ਼), and "implement" (ਅਮਲ ਵਿਚ ਲਿਆਉਣਾ, ਪੂਰਾ ਕਰਨਾ) directly informed our glossary choices.
A major inspiration for this glossary work is Sikhri's Guru Granth Sahib Dictionary. The Guru Granth Sahib is the eternal Guru and the supreme guiding authority for Sikhs — containing the divine utterances of six Gurus, three Sikhs, fifteen saints representing various religious traditions, and eleven poets from the Gurus' courts, all written in Gurmukhi, a script institutionalized by Guru Angad Sahib. Sikhri's dictionary project makes this sacred Gurmukhi text searchable, accessible, and precise for a global audience. Their approach to preserving linguistic authenticity while building for digital usability directly influenced how we structured our security terminology glossary. If the Guru Granth Sahib can be made digitally accessible with this level of care and reverence, a modern security standard certainly deserves the same intentionality.
What's Done, What's Next
As of this update, eight chapters are bilingual and complete, two more are actively in progress, and the work is live in PR #3254:
Complete (8):
- Frontispiece — bilingual title page with full project credits
- Preface — ASVS 5.0 principles, levels, and scope
- Assessment & Certification
- For Users of 4.0 (changes from v4.x)
- V5 File Handling
- V8 Authorization
- V9 Self-contained Tokens
- V12 Secure Communication
In progress (2): What-is-the-ASVS (0x03) and V6 Authentication (0x15) — headings and structure are bilingual; bodies are being completed now.
Supporting material: a 70-term security glossary with Gurmukhi translations and IAST romanization, a translation-rules file encoding the Gurmat language constraints and dictionary-lookup order, a reviewer-notes briefing, and an open-questions log tracking every deferred terminology decision.
Still to come: the remaining security-requirement chapters (Encoding, Validation, Web Frontend, API, Session Management, OAuth/OIDC, Cryptography, Configuration, Data Protection, Secure Coding, Logging, WebRTC) plus appendices, final QA, and a community review window. Cadence is two to three chapters a week, smallest-first.
Built for review, in the open
Every chapter ships under a review-in-public model. An adversarial QA pass (run with the latest Claude Opus model) checks each chapter for script purity, terminology consistency, sentence-end orthography, and the Gurmat language constraints before it lands. The corpus is currently clean on all mechanical checks — the open items are genuine translation-judgment calls that need human eyes, which is exactly where you come in.
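Two of the mechanical checks named above, script purity and clean Unicode, can be scripted. The following is an added example, not the project's QA tooling; the function names and the sample text are constructed for illustration. It flags Devanagari code points on Gurmukhi lines while allowing the shared danda, and reports lines that are not in NFC, because precomposed nukta letters let one glossary term exist in two different encodings.

```python
import unicodedata

# DANDA / DOUBLE DANDA sit in the Devanagari block but have Script=Common,
# so Gurmukhi text may use them legitimately.
SHARED = {0x0964, 0x0965}

def script_of(ch):
    cp = ord(ch)
    if cp in SHARED:
        return "common"
    if 0x0A00 <= cp <= 0x0A7F:
        return "gurmukhi"
    if 0x0900 <= cp <= 0x097F:
        return "devanagari"
    return "other"

def audit(text):
    """Return (line, column, kind, detail) findings for lines containing Gurmukhi."""
    findings = []
    for ln, line in enumerate(text.splitlines(), 1):
        if not any(script_of(c) == "gurmukhi" for c in line):
            continue  # English half of the bilingual pair, or markup only
        for col, ch in enumerate(line, 1):
            if script_of(ch) == "devanagari":
                name = unicodedata.name(ch, "UNNAMED")
                findings.append((ln, col, "devanagari", f"U+{ord(ch):04X} {name}"))
        # Precomposed nukta letters (e.g. U+0A5B) are composition exclusions:
        # NFC rewrites them as base letter + U+0A3C, so two spellings can coexist.
        if unicodedata.normalize("NFC", line) != line:
            findings.append((ln, 0, "not-nfc", "normalize to NFC before comparing terms"))
    return findings

def same_term(a, b):
    """Compare glossary terms by NFC form, not by raw code points."""
    return unicodedata.normalize("NFC", a) == unicodedata.normalize("NFC", b)

# Constructed sample text (not taken from the translation files).
KAMZORI_NFC = "\u0A15\u0A2E\u0A1C\u0A3C\u0A4B\u0A30\u0A40"    # kamzori: ja + nukta
KAMZORI_PRECOMPOSED = "\u0A15\u0A2E\u0A5B\u0A4B\u0A30\u0A40"  # same word with U+0A5B
SAMPLE = "\n".join([
    "## Vulnerability",                            # English line, skipped
    "## " + KAMZORI_NFC,                           # clean Gurmukhi
    KAMZORI_PRECOMPOSED + " \u0A39\u0A48\u0964",   # not NFC; the danda is allowed
    "\u0A38\u0A41\u0930\u0A71\u0A16\u0A3F\u0A06",  # U+0930 (Devanagari RA) replaces U+0A30
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    print("terms match after NFC:", same_term(KAMZORI_NFC, KAMZORI_PRECOMPOSED))
```

A terminology-consistency check that compares raw strings would treat the two encodings of ਕਮਜ਼ੋਰੀ as different terms, which is why the comparison goes through `same_term`.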
The single biggest open decision right now is structural: should every chapter use a full dual-block layout (English first, complete Panjabi mirror below), or a more compact code-switched style for the introductory chapters? That choice shapes the whole standard, and it's deliberately left open for the community to weigh in on. The full comparison, plus eleven terminology questions, lives in the open-questions log on the PR.
The Bigger Picture: Digital Seva
In Sikh philosophy, seva means selfless service. Digital Seva is the same principle applied to technology — the idea that technical knowledge shouldn't be gatekept behind language barriers, institutional access, or cultural assumptions about who "belongs" in security.
This translation is one piece of a larger effort to make security knowledge genuinely accessible. Not "accessible" in the way a 40-page English PDF is technically available to download anywhere in the world. Accessible in the way that a Panjabi-speaking developer anywhere in the world can read a security requirement in their own script and immediately understand what their code needs to do.
Help Review This Translation
I need reviewers, and I've made it as easy as possible — no GitHub account or PR experience required.
Option 1: Email Me Directly (Easiest)
See a term that should be translated differently? Spot a Gurmukhi error? Just email gurvinder@securityleader.ai with the subject line "ASVS Panjabi Review". Even a one-line note like "I think ਕਮਜ਼ੋਰੀ works better as ਖ਼ਾਮੀ for Vulnerability" is valuable.
Option 2: GitHub PR Review (For the Git-comfortable)
Open PR #3254, click "Files changed," and leave inline comments on any file in 5.0/pa-IN/. Start with the reviewer-notes briefing — it tells you which chapters are ready, what to look for, and where the open decisions are.
What Reviewers Should Focus On
You don't need to be both a Panjabi speaker AND a security expert — either qualification helps:
- Panjabi speakers: Does the translation read naturally, or does it feel like a forced word-for-word conversion? Are there better Gurmukhi equivalents for any term?
- Security researchers: Is the English source meaning preserved? Do any translations introduce ambiguity that could affect a developer's implementation?
- Gurmukhi linguists: Any Devanagari script contamination? Proper vowel signs (ਮਾਤਰਾ)? Clean Unicode?
Open Terminology Questions
These specific terms need community input:
| English | Current Choice | Alternative | Your Preference? |
|---|---|---|---|
| Verification | ਤਸਦੀਕ (tasdīq) | ਪੜਤਾਲ (paṛtāl) | ? |
| Requirement | ਲੋੜ (loṛ) | ਸ਼ਰਤ (shart) | ? |
| Vulnerability | ਕਮਜ਼ੋਰੀ (kamzorī) | ਖ਼ਾਮੀ (khāmī) | ? |
| Threat Modeling | ਖ਼ਤਰਾ ਮਾਡਲਿੰਗ | ਖ਼ਤਰਾ ਨਮੂਨਾਕਰਨ | ? |
| Compliance | ਪਾਲਣਾ (pālṇā) | ਅਨੁਪਾਲਣ (anupālaṇ) | ? |
| Implementation | ਲਾਗੂਕਰਨ (lāgūkaraṇ) | ਅਮਲ (amal) / ਕਾਰਜ ਰੂਪ ਦੇਣਾ | ? |
What This Means for Security
Every language a security standard is translated into expands the pool of people who can build secure software. That's not a nice-to-have — it's a force multiplier. The next critical vulnerability might be found by a Panjabi-speaking developer who could finally read the ASVS requirement that told them what to look for.
Security knowledge should be accessible to all.
ਸੁਰੱਖਿਆ ਗਿਆਨ ਸਭ ਲਈ ਹੋਣਾ ਚਾਹੀਦਾ ਹੈ.
Your Next Move
- Security leaders: Share this with Panjabi-speaking team members or forward the glossary to your localization team as a model for multilingual security documentation.
- Panjabi-speaking professionals: Email gurvinder@securityleader.ai with "ASVS Panjabi Review" in the subject — even one term correction makes a difference.
- OWASP community members: Review PR #3254 and leave inline comments. Phase B chapters (V6 Authentication, V8 Authorization) are actively being translated now and are ready for in-progress review.
Board Talking Points
- OWASP ASVS 5.0 is the industry standard for application security verification — used by enterprises globally for compliance and secure development.
- This is the first translation into any South Asian language, reaching 130M+ Panjabi speakers across India, Pakistan, Canada, the UK, the US, and diaspora tech communities worldwide.
- Bilingual format preserves technical precision while removing the language barrier — a model for expanding security literacy beyond English-dominant markets.
- Translation follows a structured QA process with terminology validation, peer review plans, and bilingual consistency checks — demonstrating that localization itself can follow security best practices.
Gurvinder Singh, CISSP, CISA, GWAPT, is a Principal Security Researcher at SecurityLeader.ai and Information Security Manager with 20+ years of cybersecurity experience. He leads the first Panjabi translation of OWASP ASVS 5.0 as part of his Digital Seva commitment to making security knowledge accessible across language barriers.
Links:
- PR #3254 — OWASP/ASVS
- GeeksikhSecurity Fork
- OWASP ASVS 5.0
- Guru Granth Sahib Dictionary (Sikhri) — inspiration for Gurmukhi digital accessibility
Read and review the translated content (no GitHub account needed):
- Review Hub — Start Here
- Title Page (ਮੁੱਖ ਪੰਨਾ)
- Introduction (ਮੁਖਬੰਧ)
- Assessment & Certification (ਮੁਲਾਂਕਣ ਅਤੇ ਪ੍ਰਮਾਣੀਕਰਨ)
- Changes from v4.x (v4.x ਤੋਂ ਤਬਦੀਲੀਆਂ)
- V5 File Handling (V5 ਫ਼ਾਈਲ ਪ੍ਰਬੰਧਨ)
- V8 Authorization (V8 ਅਧਿਕਾਰੀਕਰਨ)
- V9 Self-contained Tokens (V9 ਸਵੈ-ਨਿਰਭਰ ਟੋਕਨ)
- V12 Secure Communication (V12 ਸੁਰੱਖਿਅਤ ਸੰਚਾਰ)
- Glossary (ਸ਼ਬਦਾਵਲੀ)
- Translation Notes
- Review Plan
Review Feedback: gurvinder@securityleader.ai · Subject: "ASVS Panjabi Review"