March 14, 2017

Last Updated on January 14, 2024

If you’re a web application developer or security professional, chances are you’ve heard at least a little about the OWASP Application Security Verification Standard. Currently at version 4.0.1 and reflecting a wealth of industry feedback, this community-led project aims to establish a framework of security requirements and controls to guide the design, development and testing of today’s web/mobile applications. It also gives developers a list of requirements for secure development.
Created by the Open Web Application Security Project (aka OWASP, “the free and open software security community”), the Application Security Verification Standard (or ASVS) is created by developers, for developers. It covers different ground compared to ISO 27034 and provides more detail for developers and security engineers.

The Three Levels of the OWASP Application Security Verification Standard

To make it easier for developers to apply it on real-world projects, the Application Security Verification Standard has three levels:

View our free cybersecurity resources »

Level 1 is the minimum level of verification required for all web applications. Controls at this level are fully testable by automated methods along with (some) manual dynamic methods.

Level 2 covers the verification of web applications that handle sensitive or compliance-related data like PII or PHI. Of the 255 Level 2 controls, about 60% are testable by automated methods, with the rest requiring manual code and architectural review.

Level 3 covers the verification of critical applications—like an app that arms and fires missiles or controls sensitive public infrastructure. Level 3 includes 274 controls, some of which are automatically testable. However, at this level a fair amount of manual verification is involved.

The ASVS lends itself to customization in order to fit specific organizational requirements, so you can “fork” the guidelines and use them to verify only your required controls. Likewise, it’s relatively easy to merge the ASVS guidelines into your software development lifecycle, as developers can select the specific controls they want to use.
ASVS version 4.0.1 focuses on “what” to verify, and leaves “how” to verify it to the developers. As such, the Application Security Verification Standard can simply be a yardstick for developers and application owners to determine what degree of confidence they have in the security of a particular web app. It can likewise guide developers around what to build into security controls to meet specific security requirements. Finally, organizations can use it during the procurement process as a basis for specifying web app security verification requirements in contracts.


Pivot Point Security offers its application security services to encompass the verification of OWASP ASVS levels 1 through 3. To find out more about how this service works and how it can help your business develop, test, verify and/or procure secure and compliant web applications, contact Pivot Point Security.
For more information:

Free OWASP ASVS Testing Guide

If you are just learning about OWASP’s testing standard or are considering the best way to prove the security of an application, this guide is meant for you!