The OWASP Application Security Verification Standard (ASVS) is a list of application security requirements or tests that architects, developers, testers, security professionals, and even consumers can use to define what constitutes a secure application. In this post, I’ll explain how the security requirements and tests in the ASVS map to ISO 27001; or more specifically how they map to ISO 27002, which provides details and prescriptive guidance on how to implement the controls listed in ISO 27001’s Annex A.
V1: Architecture, Design, and Threat Modelling
The architecture, design, and threat modeling section of the ASVS covers how to verify an application’s architecture and also its threat model across all applicable risks. This parallels section A.8 in ISO 27001, which covers asset management (e.g., asset inventory, classification, etc.) This is because, to verify the application’s architecture and threat model, you need to inventory all the information assets associated with the application.
The authentication verification requirements section of the ASVS explains how to verify the digital identity of the sender of a communication to the application, how to ensure only authorized entities are able to authenticate, and credentials are transported securely. This maps to controls in section A.9 in ISO 27001, which deals with access control requirements. Any application meeting the detailed and stringent ASVS requirements around authentication would almost surely be in compliance with ISO 27001 in this respect. Further, ASVS guidance on logging access control decisions (whether access requests succeeded or failed) covers section A.12.4 of ISO 27001.
V7: Cryptography at Rest
Section V7 of the ASVS covers encryption. This matches up with section A.10 of ISO 27001, which covers cryptographic controls, including key management.
If your application passes all the tests in ASVS V7, this will help you significantly in complying with ISO 27001’s section A.18. For example, ASVS Level 2 and 3 mandates at-rest encryption of all sensitive data, which directly addresses compliance requirement in the ISO 27001 control A.18.
V8: Error Handling and Logging
The ASVS error handling and logging verification requirements are a perfect match for the controls in A.12.4 in ISO 27001, which covers logging and monitoring. The ASVS specifies events should be logged and made available for investigation in the future, and also the log be protected from unauthorized access. Logs also should be stored on a different partition from the running application. ASVS further states applications should not log sensitive data as defined by applicable privacy regulations (and/or the ISO 27001 risk assessment).
These and other requirements in the ASVS map very closely to A.12.4. So, if an application complies with ASVS in this regard, it should meet the requirements for ISO 27001 certification also.
V9: Data Protection
The ASVS V9 covers data protection requirements, and references “three key elements to sound data protection: Confidentiality, Integrity and Availability (CIA).” The closest match to these requirement in ISO 27001 is A.18.1.3, which concerns protection of sensitive records from unauthorized access, modification, etc.
V10: Communications Security
The requirements specified in ASVS V10 for verifying communications security relate to compliance with ISO 27001 section A.14.1. This section addresses communication security over public networks; e.g., does an application encrypt transactions or otherwise ensure they’re secure and protected?
Other ASVS and ISO Parallels
In addition to the above, there are various parallels between the secure engineering principles in ISO 27001 A.14.2 and A.14.3 and the ASVS requirements for HTTP security configuration, malicious controls verification, business logic, files and resources verification, mobile app testing, web services verification, configuration requirements, and more.
The OWASP ASVS is a great framework for any development organization to adopt, in order to ensure applications and their architectures are secure. As an added bonus, verifying an application meets ASVS guidelines can help get you closer to ISO 27001 compliance, provided the application is within the scope of your ISO 27001 compliance effort.
Indeed, it’s surprising there are so many correspondences between the two frameworks, given ISO 27001 addresses information security holistically, while ASVS is focused strictly on application security.
To start a discussion on how to align your application development efforts with the ISO 27001 framework, contact Pivot Point Security.