Why ASVS Is The Gold Standard For Application Security

According to Verizon 2020 Data Breach Investigations Report, 70% of breaches were caused by outsiders, 86% of breaches were financially motivated and 43% of breaches were attacks on web applications, more than double the results from last year. The continued proliferation of application vulnerabilities confirms that development teams are not certain about their application’s security requirements, and security teams are not performing consistent and comprehensive assessments.

Enter OWASP’s Application Security Verification Standard

The Open Web Application Security Project (OWASP) Foundation was launched in 2001 to improve software security worldwide. One of its key projects is the Application Security Verification Standard (ASVS), which is a community-driven effort that started in 2008 and has become the global industry standard for application security. While ASVS focuses on web and API-based applications, MASVS and ISVS projects cover mobile and IoT applications respectively. 

The framework provides a set of security requirements and controls that enable:

• Organizations to design, develop, and maintain secure modern web applications and services
• Security service providers to offer standardized and repeatable services, and consumers to align their requirements with the provider’s offerings 

ASVS contains a total of 286 controls that are grouped into the following three levels in order to meet applications with different security requirements:   

• Level 1: This is for applications with low assurance needs or those that don’t handle sensitive data. The Canadian Center for Cyber Security recommends that small and mid-size businesses secure their applications based on ASVS L1 at a minimum, and to include this set of controls as a requirement in contractual agreements with software vendors. Testing at this level can be done with a combination of automatic and manual methods without access to source code, documentation, or developers.
• Level 2: Typically appropriate for applications that handle sensitive data, provide business-critical or sensitive functions or industries where integrity is a critical facet to protect their business. This level requires access to documentation, source code, configuration, and the people involved in the development process.
• Level 3: This is for applications that require high levels of security assurance and are considered critical such as those that perform high-value financial transactions, contain sensitive medical data, or used by the military. This level requires a more in-depth analysis of architecture, coding, and testing than all the other levels.

While a large number of Level 1 controls can be covered by automated testing, the overall majority require manual activities.

ASVS requirements were created with the following goals in mind:

• To be used as a metric: Provide application developers and owners with means to measure the level of trust that an application provides.
• To be used as a guidance: Provide guidance to developers in order to satisfy application security objectives.
• To be used during procurement: Provide the means to scope application security assessment requirements in statements of work.?

How Service Providers use ASVS

ASVS should be used by those who offer application security assessment services, allowing for consistent test coverage in accordance with the client’s assurance requirements. The standard can be used for black-box pentesting, as well as deeper white-box assessments where access to the project documentation, source code, and development team is required. 

When choosing an application security service provider, consider the following:

• Application security assessment services should use ASVS as a basis.
• Appropriate testing method(s) should be selected and indicated in a report. 
• A summary of the verification findings should be provided including passed and failed tests. 
• Any excluded verification requirement must be indicated in any report.
• Detailed records (work papers, screenshots, movies, scripts, electronic recordings) of tests should be kept to prove the findings.
• OWASP doesn’t certify vendors or software and does not provide official ASVS certifications.

How Architects, Developers, QA, and Procurement use ASVS

In addition to serving as a security application assessment framework, ASVS can be used by architects, developers, QA, and procurement teams as a: 

• Detailed security architecture guidance
• Replacement for off-the-shelf secure coding checklists
• Guide for automated unit and integration tests
• The basis for secure development training 
• Driver for Agile application security
• Framework for procuring secure software.

Invest in the right security

It’s worth spending the time and money to select the appropriate level of ASVS and align all development and assessment activities, including those provided by external service vendors to build and maintain secure software. Doing so prevents attackers from being able to exploit your application and prevents costly fixes, as well as protects damage to your organization’s reputation.  

ASVS is ingrained into Forward Security’s DNA and used as a key component of our services. When performing application security risk assessments, we conduct design reviews, threat modelling, and penetration testing activities aligned with this standard. In addition, our Eureka DevSecOps service leverages ASVS for the selection of security requirements incorporated into the software and practices around building and maintaining secure systems. 

Get in touch to find out more about our ASVS-aligned services and how we can help you build a best-in-class application security program.

Copyright and License: Version 4.0.2, October 2020 Copyright ? 2008-2020. The OWASP Foundation. This document is released under the Creative Commons Attribution ShareAlike 3.0 license. For any reuse or distribution, you must make clear to others the license terms of this work.