Our guide on OWASP ASVS

Secure application development previously required several fragmented approaches patchworked together, often in an inconsistent manner. Secure deployment of applications was previously poorly defined, and people or process assessments were not considered.

Then the Open Web Application Security Project (OWASP) decided to do something about it. They created a single, easy-to-follow standard called the Application Security Verification Standard (ASVS). It has been through multiple iterations, with version 4.0.3 being the most recent.

What is the OWASP Application Security Verification Standard?

The ASVS is a set of requirements designed to ensure the security posture of an application, either existing or planned.

One of the most useful characteristics of the ASVS is its potential to span all stages of the software development lifecycle in a well-integrated and easy-to-consume manner. It also allows three different levels of assurance to be obtained.

ASVS Level 1 provides a baseline level of assurance and can be assessed with less interaction between the assessor and the application team. ASVS Level 2 steps the rigour up a notch, while ASVS Level 3 is reserved for the most critical applications and requires significant integration between the assessing entity and the application team.

What is the value of the OWASP ASVS and how is it used?

Typically, the initial stages of application development include capturing requirements. This should also cover capturing non-functional security elements and ensuring that security is a consideration baked into the application from the very beginning. This is where ASVS provides initial value.

Its well-structured checklist approach enables the identification of relevant controls and subsequent tracking of them, throughout development and deployment.

Furthermore, whenever a penetration test is needed for assurance, the ASVS can be used to evaluate whether each of those security requirements has been achieved. This provides a great way of tracking security requirements all the way through a project's development, release and maintenance.

It allows for ownership of not only specific requirements but also processes that, in the past, would often go unassessed during a review, or unchecked after release.

The ASVS allows penetration testers to review many elements of an application's security posture, such as processes and deployment technology, which would otherwise be difficult to assess.

When an ASVS-aligned test is conducted, it will often involve a level of collaboration and the temporary placement of a consultant within the development team, offering a greater level of assurance as a result.

Final Thoughts

In conclusion, we advocate using the ASVS for both software development and third-party assurance activities, such as a penetration test.

Here at LRQA, we have found ASVS to be one of the most efficient and thorough means of ensuring security in applications, so we recommend adopting at least ASVS Level 1 for application tests, with higher levels being used to assure critical applications.

Find out more about our ASVS assessment here.