If you’re a web application developer or security professional, chances are you’ve heard at least a little about the OWASP Application Security Verification Standard. Currently at version 3.0.1 and reflecting a wealth of industry feedback, this community-led project aims to establish a framework of security requirements and controls to guide the design, development and testing of today’s web/mobile applications. It also gives developers a list of requirements for secure development.
Created by the Open Web Application Security Project (aka OWASP, “the free and open software security community”), the Application Security Verification Standard (or ASVS) is written by developers, for developers. It covers different ground from ISO 27034 and provides more detail for developers and security engineers.
The Three Levels of the OWASP Application Security Verification Standard
To make it easier for developers to apply it to real-world projects, the Application Security Verification Standard has three levels:
Level 1 is the minimum level of verification required for all web applications. Controls at this level can be fully tested by automated tools or by manual dynamic testing.
Level 2 covers the verification of web applications that handle sensitive or compliance-related data like PII or PHI. Of the 139 Level 2 controls, about 75% are testable by automated methods, with the rest requiring manual code and architectural review.
Level 3 covers the verification of critical applications—like an app that arms and fires missiles or controls sensitive public infrastructure. Level 3 includes 154 controls, some of which are automatically testable. However, at this level a fair amount of manual verification is involved.
The ASVS lends itself to customization in order to fit specific organizational requirements, so you can “fork” the guidelines and use them to verify only your required controls. Likewise, it’s relatively easy to merge the ASVS guidelines into your software development lifecycle, as developers can select the specific controls they want to use.
ASVS version 3 focuses on “what” to verify, and leaves “how” to verify it to the developers. As such, the Application Security Verification Standard can simply be a yardstick for developers and application owners to determine what degree of confidence they have in the security of a particular web app. It can likewise guide developers around what to build into security controls to meet specific security requirements. Finally, organizations can use it during the procurement process as a basis for specifying web app security verification requirements in contracts.
OWASP ASVS Services
Pivot Point Security will soon be extending its application security services to encompass the verification of OWASP ASVS levels 1 through 3. To find out more about how this service works and how it can help your business develop, test, verify and/or procure secure and compliant web applications, contact Pivot Point Security.
For more information:
- The latest version of ASVS in PDF format
- OWASP’s ISO IEC 27034 Application Security Controls Project
- The Elevation of Privilege card game, an easy and fun way to get started with threat modeling
- OWASP Cornucopia, a card game that helps development teams identify security requirements in an Agile or traditional development context