As I blogged about back in March, Pivot Point Security will soon be using the OWASP ASVS (Application Security Verification Standard) across its application security testing practice. We are proud to be among the first information security firms to make the shift to OWASP ASVS and think our clients should know why this is important and how it will benefit them.
Why OWASP ASVS Matters
Why is the ASVS a superior application testing framework compared to traditional frameworks or standards like the venerable OWASP Top 10?
It factors in the application’s risk profile.
Other testing frameworks tend to treat all applications the same. They offer the same testing guidance whether an application sends online greeting cards or controls a nuclear reactor. The OWASP ASVS factors in the criticality of the application and the classes of data that it stores and/or processes.
The result… Your security efforts are efficient and prioritized; you know you are working on the areas that need to be addressed and the optimal order to address them.
It’s far more comprehensive.
Traditional models like the OWASP Top 10 relate mostly to searching for flaws or verifying controls, versus holistically analyzing the application itself. The ASVS covers nineteen categories of detailed, application-level verification requirements—everything from application architecture and design to access control to data protection to web services to mobile. It even provides guidance on how to incorporate security testing into the software development lifecycle (SDLC).
The result… You can rest easy knowing your application has gone through a complete security assessment. Applications with the ASVS attestation have a clear competitive advantage over applications with traditional attestations.
It’s proactive rather than reactive.
Most application security efforts focus on testing to identify defects that already exist in the software. While extremely valuable in that regard, the ASVS also supports building security into the software in the first place. Another way to say it is the ASVS covers both what to do (patterns) rather than just what not to do (anti-patterns).
The result… Improved planning and visibility leads to staying ahead of security concerns and ultimately fewer security issues.
How to Use the ASVS
How can your business make use of the ASVS?
- As a yardstick for application developers and owners to assess how secure an application is and the risk it presents.
- As guidance for developers on what security controls to build into an application to meet agreed security requirements.
- For procurement/contracts, as a basis for specifying application security and/or security verification requirements to third parties, or to assess the security controls in a third-party application.
For example, independent security testing based on the ASVS is perfect for a project manager who needs to provide a security attestation for an application.
It works equally well for an application vendor, who can attain competitive advantage by providing prospects with a detailed, independent security attestation for a software product or service.
An independent evaluation against the ASVS is also ideal for assessing competing software offerings, or for verifying that third-party developers have met contractual obligations regarding application security.
As I mentioned, Pivot Point Security will soon be offering verification against the OWASP ASVS as part of its application security services. We look forward to leveraging the ASVS to help our clients reduce application security risk, achieve compliance and enhance secure coding practices.
For more information on these new OWASP ASVS based services and how they can help your business develop, test, verify and/or procure secure and compliant applications, contact our team.