September 10, 2020

Last Updated on January 15, 2024

The Application Security Verification Standard (ASVS) from the Open Web Application Security Project (OWASP) is now at Version 4. Besides being some of the best guidance available for testing web application security, the ASVS also aims to elevate the level of web application security across the board.

Among the most controversial aspects of the OWASP ASVS Version 4 controls is the Authentication Verification Requirements, specifically around passwords.

In this area and several others, ASVS 4 controls “have been adapted to be a compliant subset of selected NIST 800-63b [Digital Identity Guidelines] controls, focused around common threats and commonly exploited authentication weaknesses.” NIST 800-63b views passwords as “pre-breached” and obsolete.
ASVS 4 further states, “… with the release of over 5 billion username and password breaches, it’s time to move on. … We have to start the transition to a post-password future now.”

As Daniel Cuthbert, ASVS project leader and co-author, told host John Verry in a recent episode of The Virtual CISO Podcast, “Password requirements… this one was really controversial because the world of passwords have become a bit muddy, because 10, 15 years ago we were told that you need to do these random uppercase, lowercase, lots of rubbish that cause nothing but security friction, and it never actually stopped people doing attacks. So we say, ‘For a Level 2 application, there are a number of controls that need to be valid or present in order for it to be deemed good.’”

Daniel continues: “For example , verify that you can have more than 64 character passwords. Verify that your passwords contain spaces, because a lot of us don’t. Verify if you want to, you can have emoji or Kanji or whatever you want in the password, right? So it goes through each of these little steps that, if followed, raise the bar when it comes to security.”
“Things that are the bane of everybody’s life, [like] forcing password changes. Why? So we have it in there, 2.1.10, ‘Verify that there are no periodic credential rotation of password history requirements,’ which was very controversial and a lot of people didn’t like it. But it’s like, ‘We need to mature, we need to grow up,’” asserts Daniel.
If your business is interested in maturing its web application security posture, ASVS 4 is a great place to start. To get Daniel and John’s expert insight about the OWASP ASVS and how it can help, click here to listen to the podcast episode in its entirety. If you don’t use Apple Podcasts, you can find all the episodes from The Virtual CISO Podcast here.
For more (NIST 800-63b-aligned 🙂 information: