The Application Security Verification Standard (ASVS) Version 4 from the Open Web Application Security Project (OWASP) is among the most comprehensive and practical guidance available for organizations looking to build or buy secure web applications, or to find vulnerabilities in existing ones. The ASVS supports testing of web application security controls and also gives developers a list of requirements for secure development. Indeed, developers are among the primary audiences for the ASVS.
But can developers leverage the ASVS without needing to be information security experts?
Absolutely yes, says Daniel Cuthbert, ASVS project leader and co-author. Daniel is the featured guest on an episode of The Virtual CISO Podcast that explores the ASVS from all angles. Episode host John Verry, Pivot Point’s CISO and Managing Partner, has substantial experience working with the ASVS to test clients’ web apps.
John asks Daniel specifically about how developers are meant to use the ASVS. From the viewpoint of assessing applications to give stakeholders assurance they’re aligned with a specific ASVS level, John observes: “I like to say to our clients, ‘Look, it’s an open book test. … Make sure your developers know what the target is so that way we can help you validate that they hit the target.’”
Daniel responds with this personal insight: “We always had that thing a while ago—and it’s not something I’m proud of—where we used to belittle the development team, saying, ‘You don’t know security.’ But as I especially matured, I realized they don’t need to; that’s not generally their job. Their job is to build functions and features and get code out.”
“Now sure, there are arguments where you can say, ‘Well, you should know how to do it in a secure way,’” Daniel continues. “And I agree. But, for example, I don’t go and buy a car and say, ‘Right, I need the most secure car.’ I assume and I expect a lot of cars have been built with standards in mind…”
“And I think that’s where the ASVS is going—where we’re saying to developers, ‘These are what we expect a function to do; go ahead and build it into your product,’” Daniel emphasizes. “So that’s how you use the ASVS. You go through each of these sections to say, ‘Right, I’m building this login function. Dear developers, during this next sprint we need to build this to conform to our own internal coding practices, but also we want it to be ASVS Level 2 compliant.’”
Daniel summarizes: “So the developers can go away; they know exactly what we want because we’ve got the sprints, we’ve got the stories. And they now go, ‘Right, I’m building this. Okay, let’s look at Level 2. Alright, I’ve got 14 things I need to make sure… cool. Each of these goes into Jira; let’s go ahead and do it.’”