December 2, 2020

Free OWASP ASVS Testing Guide

If you are just learning about OWASP’s testing standard or are considering the best way to prove the security of an application, this guide is meant for you!
Get your download here!

Last Updated on January 15, 2024

Many security professionals and software developers around the world have heard of the Open Web Application Security Project (OWASP) through its widely used Top Ten Web Application Security Risks” documentOWASP intends its famous Top 10 to be used for basic awareness about common vulnerabilities, and as a checklist for teams just starting out with web application security. 

The Top 10 is not meant to be used as a security standard—as both the document and OWASP website explicitly state.

For teams that have moved past the first steps of their security journey and need a security standard to guide development and testing, OWASP advocates moving to its more comprehensive Application Security Verification Standard (ASVS) 
To clarify the intended uses of the OWASP Top 10 and the ASVSAndrew van der Stock joined us on a recent episode of The Virtual CISO Podcast. Andrew is Senior Application Security Leader at OWASP and a major contributor to both documents. Hosting the episode is John VerryPivot Point Security’s CISO and Managing Partnerwho is a “huge OWASP fan.

Why aren’t more teams moving from the OWASP Top 10 to the OWASP ASVS?

John asks is it because the  Top 10 is “… a fully pen-testable, fully dynamic application security testable framework  (and that popular pen testing tools like Burp Suite and AppSpider cross-reference the Top 10”)?
Andrew counters that the ASVS is available in JSON format, “So we’re easily consumable by tools. … Realistically, for things like Burp, Zap and other tools, because [the ASVS is] more granular [than the Top 10], you can be a little bit more specific about what the ASVS issue is. Therefore, you can fork the ASVS and say, ‘Hey, we’re not going to deal with 200 of these things because we can’t test for it, and here’s the ones we do care about.’”
Andrew further notes: “The ASVS Level 1 is entirely pen-testable. It’s also completely integration testable. So, from the developer perspective, everything on Level 1 can be integration tested using Selenium or whatever your favorite framework is. 

“I would highly recommend people look at [ASVS] Level 1 as the new testing checklist,” highlights Andrew. “Because it is so granular, and it’s easy to fork, and it’s consumable by machine technology.”

John adds that this change would support modern CI/CD methods: “That seems to start to align with a shift that we’re seeing from a testing perspective, where people are starting to talk about, ‘Don’t give me a report at the end of the test, put stuff into Jira for me. Open up tickets.’”
Andrew agrees: “The most advanced organizations will actually use something like the ASVS to drive the test cases. So every time they do a build they automatically test the application for that particular issue; they don’t have to do a pen test.” 
While the venerable OWASP Top 10 remains extremely valuable across the industry, the ASVS is “the future” in terms of testing, security attestation and alignment with other cybersecurity standards. Teams should consider moving from the Top 10 to ASVS Level 1 as a new starting point for basic web app security guidance and validation. 
This podcast episode shares extremely valuable expert guidance you won’t find elsewhereClick here to listen to the full episodeand to peruse the rest of our growing selection of top-shelf podcast content.  
If you don’t use Apple Podcasts, click here to access all the episodes from The Virtual CISO Podcast. 

Free OWASP ASVS Testing Guide

If you are just learning about OWASP’s testing standard or are considering the best way to prove the security of an application, this guide is meant for you!