Last Updated on August 4, 2020
The Open Web Application Security Project (OWASP) offers the cybersecurity community a tremendous amount of valuable guidance, like its Application Security Verification Standard (ASVS). Now at Version 4, the ASVS addresses many of the coverage and repeatability concerns inherent in web application testing based on the popular OWASP Top 10 Proactive Controls list.
So how are the ASVS and OWASP Top 10 intended to work together? If you’ve been using the OWASP Top 10 as application testing guidance, how best to transition to the much more comprehensive ASVS?
What better way to answer these key questions than to ask the people who create the guidance? That’s why The Virtual CISO Podcast featured Daniel Cuthbert, ASVS project leader and co-author. Hosting this episode, as always, is Pivot Point Security’s CISO and Managing Partner, John Verry, who brings considerable OWASP Top 10 and ASVS usage experience to the table himself.
Daniel acknowledges that, “I might get controversial. The Top 10 had a purpose, and it was to try and raise the bar a little. The problem is a lot of people use the Top 10 as gospel and they said, ‘Well, we do OWASP Top 10 testing.’ I’m like, ‘I don’t know what that means,’ right? Because it’s vague; it’s generic.”
Daniel continues: “For example, if you [as a client who needs testing] say, ‘I want an application test to OWASP Top 10,’ … we don’t know exactly what testing is being done or what I should be expecting.
“So we want to almost say, ‘Right, if you’re going to do a Top 10…’ Let’s say the top one, A-1 Injection, right? Injection is still a massive problem. How do you know or how do you test it, OK?
“Well, here’s what ASVS Level 2 says … an application should not do to be vulnerable to it. And then link to the OWASP Testing Guide to say, ‘Right, if you’re a tester, here’s how you test for this,’” concludes Daniel. “That’s where the product’s going.”
“That would be a perfect world,” John opines. “That map from Top 10 to input validation grouping within ASVS, back to the Testing Guide, to how do we test input validation…”