July 17, 2020

Last Updated on January 14, 2024

The Application Security Verification Standard (ASVS) from the Open Web Application Security Project (OWASP) is intended to elevate the maturity, rigor and repeatability of an organization’s web application security testing. The ASVS offers a choice of three levels, with increasing degrees of cybersecurity assurance (and more controls) at each level.

How were the levels created to be used, and which level is right for your application?

To get the best guidance possible, The Virtual CISO Podcast went straight to the source—Daniel Cuthbert, ASVS project leader and co-author. Host John Verry, Pivot Point Security’s CISO and Managing Partner, has significant real-world experience with the ASVS to share as well.
Daniel relates that offering three ASVS levels is about ease of use: “We try to keep everything in the standard quite easy to understand. And I think that’s the biggest problem with a lot of standards that we found, was that they’re often hard to implement, they’re hard to use, we don’t understand, there’s a lot of ambiguity. We wanted to get rid of all of that, and when you look at how we broke the various sections down, we broke them down into how most applications are built.”
Daniel continues: “So Level 1 is for low assurance. What we mean by that is it’s fully automatable. And myself and Andrew and Josh and Jim have been putting a lot of pressure on friends who own scanning companies to say, ‘Guys, build this into your tool, please. It’s easy. We’ve picked it so it can be automated.’ But effectively that’s the absolute minimum of what we expect an application to be on the web today.”
Level 2 is the standard for most applications, especially those that process any kind of sensitive data, such as PII, financial data or other regulated data. “Because the internet’s a bad place and criminals love breaching stuff. We feel like Level 2 is where everybody should strive for,” Daniel asserts.
Level 3 is for the “the 1%… the most critical applications—sensitive medical data, stuff that helps countries run… and if it drops there’s a lot of people suffering. So we’d expect a lot of effort and insight going into that application or that application architecture, and that’s where Level 3 comes in,” explains Daniel.
To get all the insight from Daniel and John on this vitally important cybersecurity topic, click here to listen to this podcast episode from start to finish. If you don’t fancy using Apple Podcasts, click here to access any and all the episodes from The Virtual CISO Podcast.

Free OWASP ASVS Testing Guide

If you are just learning about OWASP’s testing standard or are considering the best way to prove the security of an application, this guide is meant for you!