Last Updated on December 2, 2020
Many security professionals and software developers around the world have heard of the Open Web Application Security Project (OWASP) through its widely used “Top Ten Web Application Security Risks” document. OWASP intends its famous Top 10 to be used for basic awareness about common vulnerabilities, and as a checklist for teams just starting out with web application security.
The Top 10 is not meant to be used as a security standard—as both the document and OWASP website explicitly state.
For teams that have moved past the first steps of their security journey and need a security standard to guide development and testing, OWASP advocates moving to its more comprehensive Application Security Verification Standard (ASVS).
To clarify the intended uses of the OWASP Top 10 and the ASVS, Andrew van der Stock joined us on a recent episode of The Virtual CISO Podcast. Andrew is Senior Application Security Leader at OWASP and a major contributor to both documents. Hosting the episode is John Verry, Pivot Point Security’s CISO and Managing Partner, who is a “huge OWASP fan.”
Why aren’t more teams moving from the OWASP Top 10 to the OWASP ASVS?
John asks is it because the Top 10 is “… a fully pen-testable, fully dynamic application security testable framework (and that popular pen testing tools like Burp Suite and AppSpider cross-reference the Top 10”)? “I would highly recommend people look at [ASVS] Level 1 as the new testing checklist,” highlights Andrew. “Because it is so granular, and it’s easy to fork, and it’s consumable by machine technology.”
Andrew counters that the ASVS is available in JSON format, “So we’re easily consumable by tools. … Realistically, for things like Burp, Zap and other tools, because [the ASVS is] more granular [than the Top 10], you can be a little bit more specific about what the ASVS issue is. Therefore, you can fork the ASVS and say, ‘Hey, we’re not going to deal with 200 of these things because we can’t test for it, and here’s the ones we do care about.’”
Andrew further notes: “The ASVS Level 1 is entirely pen-testable. It’s also completely integration testable. So, from the developer perspective, everything on Level 1 can be integration tested using Selenium or whatever your favorite framework is.”
John adds that this change would support modern CI/CD methods: “That seems to start to align with a shift that we’re seeing from a testing perspective, where people are starting to talk about, ‘Don’t give me a report at the end of the test, put stuff into Jira for me. Open up tickets.’”
Andrew agrees: “The most advanced organizations will actually use something like the ASVS to drive the test cases. So every time they do a build they automatically test the application for that particular issue; they don’t have to do a pen test.”
While the venerable OWASP Top 10 remains extremely valuable across the industry, the ASVS is “the future” in terms of testing, security attestation and alignment with other cybersecurity standards. Teams should consider moving from the Top 10 to ASVS Level 1 as a new starting point for basic web app security guidance and validation.
This podcast episode shares extremely valuable expert guidance you won’t find elsewhere. Click here to listen to the full episode, and to peruse the rest of our growing selection of top-shelf podcast content.
If you don’t use Apple Podcasts, click here to access all the episodes from The Virtual CISO Podcast.
“I would highly recommend people look at [ASVS] Level 1 as the new testing checklist,” highlights Andrew. “Because it is so granular, and it’s easy to fork, and it’s consumable by machine technology.”