Last Updated on November 20, 2020
If you’re involved in web application security, you’ve probably heard of the Open Web Application Security Project (OWASP) and its popular Top 10 list of vulnerabilities. But you may not be as familiar with a parallel effort that in many ways is even more useful to web application developers, architects, project managers and other stakeholders—the OWASP Application Security Verification Standard (OWASP ASVS).Reflecting over a decade of community feedback and refinement, the OWASP ASVS 4.0 offers a comprehensive list of web application security requirements, controls and tests that you can use to scope, build and verify secure web applications. It enables organizations to develop and maintain more secure applications; and also gives security service providers, tool vendors and others a well-documented set of controls that they can align their requirements and offerings with. The latest version, OWASP ASVS 4.0.1, was released in March 2019.
Why should you take a good look at the OWASP ASVS 4.0 checklist of controls?
- It offers greater flexibility than similar guidelines. The OWASP ASVS defines three increasing comprehensive security verification levels. This makes it easier to define and implement only the requirements that pertain to your needs.
- It aligns with and subsumes several other influential security standards, including the NIST 800-63-3 Digital Identity Guidelines, PCI DSS 3.2.1 Sections 6.5, the OWASP Proactive Controls 2018 and the OWASP Top 10 2017. This reduces the number of unique requirements you need to deal with when complying with multiple standards.
- OWASP ASVS 4.0 covers not only server-side controls, but also controls for modern application architectures and APIs (think serverless, cloud, containers, CI/CD, etc.). If you’re using or contemplating these approaches, comprehensive awareness of security requirements is essential.
- OWASP ASVS 4.0 is comprehensively mapped to the Common Weakness Enumeration (CWE). This allows tool vendors and teams using vulnerability management software to make “apples to apples” comparisons across diverse test results.
- It’s risk-based application security assessment methodology. By design, the OWASP ASVS focuses testing and remediation on the most critical parts of your application. This helps you address the key security gaps more efficiently.
Based on the above, we hope you’re ready to scope out the OWASP ASVS controls checklist in a handy spreadsheet format. We didn’t find any OWASP ASVS Excel files online, so we made our own.
To talk with an expert about the OWASP ASVS 4.0 methodology and how to apply it in your organization, contact Pivot Point Security.