InfoSec Strategies

A Quick Intro to the OWASP Application Security Verification Standard (ASVS)

Reading Time: 2 minutes

Last Updated on March 14, 2017

If you’re a web application developer or security professional, chances are you’ve heard at least a little about the OWASP Application Security Verification Standard (ASVS). Currently at version 4.0.1 and reflecting a wealth of industry feedback, this community-led project establishes a framework of security requirements and controls to guide the design, development and testing of today’s web and mobile applications, and in doing so gives developers a concrete list of requirements for secure development.
Created by the Open Web Application Security Project (OWASP, “the free and open software security community”), the ASVS is written by developers, for developers. It covers different ground from ISO 27034 and provides far more detail for developers and security engineers.

The Three Levels of the OWASP Application Security Verification Standard

To make it easier for developers to apply it to real-world projects, the Application Security Verification Standard defines three levels, each a superset of the one below it:

Level 1 is the minimum level of verification for any web application. Controls at this level can be verified entirely by automated tools together with some manual dynamic testing, without access to the source code.

Level 2 covers the verification of web applications that handle sensitive or regulated data such as PII or PHI. Of the 255 Level 2 controls, roughly 60% can be tested by automated methods; the rest require manual code review and architectural review.

Level 3 covers the verification of critical applications, such as one that arms and fires missiles or controls sensitive public infrastructure. Level 3 brings the total to 274 controls. Some of them are automatically testable, but at this level a substantial amount of manual verification (code review, design review and evidence that each control is actually in place) is involved.

The ASVS is designed to be tailored to an organization’s own requirements: you can “fork” the standard and verify only the controls that apply to you. For the same reason it is relatively easy to merge the ASVS into an existing software development lifecycle, since teams can select the specific controls they need at each stage.
ASVS version 4.0.1 focuses on “what” to verify and leaves “how” to verify it to the development and testing team. That makes it useful in three ways. It is a yardstick that lets developers and application owners state what degree of confidence they have in the security of a particular web app. It guides developers on what to build into security controls to meet a given security requirement. And organizations can use it during procurement as the basis for specifying web application security verification requirements in contracts.
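The tailoring described above can be scripted rather than done by hand, because the ASVS project publishes its requirements in JSON and CSV form alongside the PDF. The Python below is an added example for this post, not code from Pivot Point Security or from the ASVS project: it flattens an export into a list of controls, builds a checklist for a chosen level and set of chapters (the “fork”), and checks that a tailored profile keeps the levels cumulative. The nested field names it reads (`Requirements`, `Items`, `Shortcode`, `Description`, and `L1`/`L2`/`L3` objects with a `Required` flag) are my assumption about the 4.0.x export layout and should be checked against the file you download; the sample document is constructed, and its requirement texts are placeholders, not the real ASVS wording for those shortcodes.

```python
"""Tailoring an ASVS export into a level- and chapter-scoped checklist.

Added example; not code from Pivot Point Security or the OWASP ASVS project.
ASSUMPTION: the layout Requirements -> Items -> Items, with each leaf carrying
L1/L2/L3 objects that hold a "Required" flag, is how I understand the 4.0.x
JSON export; verify the field names against the real file. SAMPLE_DOC is a
constructed stand-in and its descriptions are placeholders.
"""
import json
from dataclasses import dataclass

LEVELS = ("L1", "L2", "L3")


def leaf(shortcode, text, first_level):
    """Constructed requirement that is Required from first_level upwards."""
    start = LEVELS.index(first_level)
    return {"Shortcode": shortcode, "Description": text,
            **{lvl: {"Required": i >= start} for i, lvl in enumerate(LEVELS)}}


# Constructed stand-in for a real export: two chapters, three sections.
SAMPLE_DOC = {
    "Version": "4.0.1",
    "Requirements": [
        {"Shortcode": "V1", "Name": "Architecture", "Items": [
            {"Shortcode": "V1.1", "Name": "SDLC", "Items": [
                leaf("V1.1.1", "Placeholder: secure SDLC in use", "L2")]}]},
        {"Shortcode": "V2", "Name": "Authentication", "Items": [
            {"Shortcode": "V2.1", "Name": "Passwords", "Items": [
                leaf("V2.1.1", "Placeholder: minimum password length", "L1"),
                leaf("V2.1.7", "Placeholder: breached-password check", "L1")]},
            {"Shortcode": "V2.2", "Name": "Authenticators", "Items": [
                leaf("V2.2.2", "Placeholder: no SMS as the only factor", "L2"),
                leaf("V2.2.4", "Placeholder: phishing-resistant factor", "L3")]}]},
    ],
}


@dataclass(frozen=True)
class Requirement:
    shortcode: str      # e.g. "V2.1.1"
    chapter: str        # e.g. "V2"
    section: str        # e.g. "V2.1"
    description: str
    required_at: tuple  # levels at which the export marks the control Required

    @property
    def min_level(self):
        """Lowest level that demands this control, or None if none does."""
        return self.required_at[0] if self.required_at else None


def flatten(doc):
    """Walk chapter -> section -> requirement and return a flat list."""
    reqs = []
    for chapter in doc["Requirements"]:
        for section in chapter["Items"]:
            for item in section["Items"]:
                at = tuple(l for l in LEVELS if item.get(l, {}).get("Required"))
                reqs.append(Requirement(item["Shortcode"], chapter["Shortcode"],
                                        section["Shortcode"], item["Description"], at))
    return reqs


def load_export(path):
    """Flatten a downloaded JSON export (assumed layout, see module docstring)."""
    with open(path, encoding="utf-8") as fh:
        return flatten(json.load(fh))


def checklist(reqs, level, chapters=None):
    """Controls to verify at `level`, optionally restricted to chapter codes.

    This is the "fork": a team verifying only authentication (V2) at Level 2
    passes level="L2", chapters={"V2"}.
    """
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")
    return [r for r in reqs
            if level in r.required_at and (chapters is None or r.chapter in chapters)]


def count_by_level(reqs):
    return {lvl: len(checklist(reqs, lvl)) for lvl in LEVELS}


def levels_are_cumulative(reqs):
    """Sanity check for a tailored profile: L1 within L2 within L3.

    A control required at a lower level must stay required at every higher
    level; dropping it from L2 while keeping it in L1 is an editing mistake.
    """
    for r in reqs:
        if r.required_at and r.required_at != LEVELS[LEVELS.index(r.required_at[0]):]:
            return False
    return True


def render(reqs, level, chapters=None):
    """Plain-text checklist with a tick box per control, grouped by section."""
    lines, current = [], None
    for r in checklist(reqs, level, chapters):
        if r.section != current:
            current = r.section
            lines.append(f"## {current}")
        lines.append(f"[ ] {r.shortcode} (min {r.min_level}): {r.description}")
    return "\n".join(lines)


SAMPLE_REQS = flatten(SAMPLE_DOC)

if __name__ == "__main__":
    print(count_by_level(SAMPLE_REQS))
    print(render(SAMPLE_REQS, "L2", chapters={"V2"}))
```

Run it against a real export with `load_export("path/to/asvs.json")` in place of `SAMPLE_REQS`; the `levels_are_cumulative` check is worth keeping in CI for any profile your organization edits, since a control silently dropped from a higher level is the most common mistake when people “fork” the standard.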


Pivot Point Security’s application security services cover verification against OWASP ASVS Levels 1 through 3. To find out more about how this service works and how it can help your business develop, test, verify and/or procure secure and compliant web applications, contact Pivot Point Security.
For more information:

Free OWASP ASVS Testing Guide

If you are just learning about OWASP’s testing standard or are considering the best way to prove the security of an application, this guide is meant for you!


3 thoughts on “A Quick Intro to the OWASP Application Security Verification Standard (ASVS)”

  1. L. Bangham says:

    The ISO IEC 27034 appears as an inactive project on the OWASP site. Is this incorrect? Thanks.

    1. Jeremy Sporn says:

      That is correct; however, OWASP did not design or drive the ISO IEC 27034 standard. The inactive OWASP ISO IEC 27034 Application Security Controls project was originally designed to make OWASP content available in a formal and logically compatible format with ISO 27034.
      The ISO standard is a high-level framework, while OWASP gets much more specific. For example, where 27034 may say “you should do X,” OWASP goes further by also describing how to do X. Hope that helps answer your question. If you have any specific questions about mapping from ISO standards to OWASP standards (like ASVS or Top 10), let us know ([email protected]).
