Last Updated on September 18, 2020
If your organization builds, buys or uses web applications, you’ve probably heard of the Open Web Application Security Project (OWASP) and its Application Security Verification Standard (ASVS). Now at Version 4, the ASVS is a big step up from the longstanding OWASP Top 10 in terms of usability and rigor for application security testing. But it is not yet as widely used as its popular predecessor.
How did its creators envision the ASVS being applied to maximize its business value? And what benefits can developers, business leaders and application owners expect from this industry-leading web application testing framework?
To get the most informed perspective possible, The Virtual CISO Podcast invited Daniel Cuthbert to join in from London for a recent episode. Daniel is an ASVS project leader and co-author. Hosting the episode as always is John Verry, Pivot Point’s CISO and Managing Partner, who has a wealth of experience using the ASVS to test clients’ web apps.
“Web applications are just too ingrained and important to our everyday lives.”
Daniel explains that the core problem the ASVS solves is a lack of process maturity in web application testing generally: “You have a web application or an architecture… and you need to get them tested. So you go out to the big, bad world and you say, ‘I need an application test.’ And you’ll be inundated by lots of people who say they have the best hackers in the world and they can break everything. And you’re like, ‘Okay, how do I know you’re going to test all the stuff?’ And they’ll say, ‘But we employ the best people and we know how to hack stuff.’”
“What we found was not many people knew how to properly test applications,” Daniel continues. “There was a lot of, ‘Have they looked at this? Do we know they’ve looked at this? Do they know they should look at it?’
That is where the ASVS comes into play. It’s a standard for testing applications. But, more importantly, it allows everybody in the circle [of web app testing] to align their requirements and offerings.”
To further support aligning requirements and offerings, and also to make the testing process easier to implement, the ASVS defines three testing levels. Level 1 is the ground floor that any web app should meet. Level 2 is for any app that processes sensitive data, and Level 3 is for the ‘1%’ of most critical applications.
“So I need an ASVS Level 2 application tested,” Daniel clarifies. “So the testing house knows exactly what you want, and you on the other hand know what you should be getting.”
As an experienced user of the ASVS on behalf of clients, John can relate: “What it does is it sets an expectation with the client on what they can expect, and it also sets an expectation on the organization that might be doing the assessment of what it is that they need to do to provide that level of assurance and meet that expectation.”
Daniel reiterates that the ASVS helps up the maturity level of the penetration testing process, which benefits the entire industry: “It can’t be just, ‘Pen test my app,’ and pray for the best.” Web applications are just too ingrained and important to our everyday lives.
John then shares Pivot Point Security’s best-practice approach to using the ASVS on behalf of clients: “We lay out our application security testing to align perfectly with one of the four things that OWASP does—Top 10, [ASVS] Level 1, Level 2, Level 3. We encourage people to move to Level 1 at least where they can, because we think that’s getting to a point where you’re really assessing enough of the security of the application to have a fairly high degree of assurance that the application is secure. And then really what we’re doing is we’re using the actual criteria within ASVS and/or any additional guidance that you provide in the [OWASP Web Security] Testing Guide to execute those to what you’re suggesting, and then provide that feedback directly to the customers and allow them to process that accordingly, and … make the appropriate changes to align with what you guys are doing.”
To find out more about the OWASP ASVS and how it can improve the security of your web applications, click here to listen to the podcast episode with Daniel Cuthbert in its entirety. If you don’t use Apple Podcasts, you can find all the episodes from The Virtual CISO Podcast here.