OWASP Top 10 Versus OWASP ASVS: Recommendations and Roadmap

Last Updated on January 14, 2024

The Open Web Application Security Project (OWASP) offers the cybersecurity community a tremendous amount of valuable guidance, like its Application Security Verification Standard (ASVS). Now at Version 4, the ASVS addresses many of the coverage and repeatability concerns inherent in web application testing based on the popular OWASP Top 10 Proactive Controls list.
So how are the ASVS and OWASP Top 10 intended to work together? If you’ve been using the OWASP Top 10 as application testing guidance, how best to transition to the much more comprehensive ASVS?
What better way to answer these key questions than to ask the people who create the guidance? That’s why The Virtual CISO Podcast featured Daniel Cuthbert, ASVS project leader and co-author. Hosting this episode, as always, is Pivot Point Security’s CISO and Managing Partner, John Verry, who brings considerable OWASP Top 10 and ASVS usage experience to the table himself.

Daniel continues: “For example, if you [as a client who needs testing] say, ‘I want an application test to OWASP Top 10,’ … we don’t know exactly what testing is being done or what I should be expecting.
“So we want to almost say, ‘Right, if you’re going to do a Top 10…’ Let’s say the top one, A-1 Injection, right? Injection is still a massive problem. How do you know or how do you test it, OK?
“Well, here’s what ASVS Level 2 says … an application should not do to be vulnerable to it. And then link to the OWASP Testing Guide to say, ‘Right, if you’re a tester, here’s how you test for this,’” concludes Daniel. “That’s where the product’s going.”
“That would be a perfect world,” John opines. “That map from Top 10 to input validation grouping within ASVS, back to the Testing Guide, to how do we test input validation…”
If your organization builds, buys or uses web applications, you won’t want to miss a word of this episode. To listen to it all the way through, click here. Don’t use Apple Podcasts? Click here.