Application Security Verification Standard (ASVS) is a list of application security requirements or tests that can be used by architects, developers, testers, security professionals, and even consumers to define what a secure application is.
In October 2015 version 3.0 of the standard was released, and the requirements set to define a secure application have been updated. In this blog post we will give you an introduction to OWASP ASVS 3.0.
What is OWASP Application Security Verification Standard (ASVS) 3.0?
The standard provides a basis for how security in web applications can be verified. In addition it comes with suggestions for recommended security levels in different types of applications.
Software developers can use the standard in order to develop and maintain secure applications. Moreover, consumers can use ASVS as a basis to set specific requirements when procuring software solutions. The goal of the OWASP Application Security Verification Standard is to establish a level of confidence in the security of web applications.
What are the OWASP ASVS 3.0 objectives?
The OWASP ASVS Project has developed the requirements with the following objectives in mind:
- Use as a metric – Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their web applications.
- Use as guidance – Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements.
- Use during procurement – Provide a basis for specifying application security verification requirements in contracts.
OWASP ASVS 3.0 verification levels
The OWASP ASVS defines three security verification levels, with each level increasing in depth:
- Level 1 is meant for all software.
- Level 2 is for applications that contain sensitive data, which requires protection.
- Level 3 is for the most critical applications that requires the highest level of trust.
Each OWASP Application Security Verification Standard level contains a list of security requirements.
The role of automated penetration testing tools
It is not possible to complete OWASP ASVS verification using automated penetration testing tools alone. Whilst many of the requirements in Level 1 can be performed using automated tests, the overall majority of requirements are not amenable to automated penetration testing.
As the application security industry matures, the lines between automated and manual testing have blurred. Automated tools are now often manually tuned by experts, and manual testers often leverage a wide variety of automated tools.
In the next blog post, we will look into Level 1 to 3 in further detail, exploring what the different levels entail.
This blog post is based on contents provided by OWASP, and it follows a Creative Commons Attribution ShareAlike 3.0 license.