Improving your application security with the OWASP ASVS

Application security is an essential part of any modern software development process. With the rise of cyber threats and attacks, it is crucial to ensure that web applications are secure and protected against potential vulnerabilities. One of the most widely recognized standards for web application security is the OWASP ASVS (Application Security Verification Standard). In this article, we will explore how companies can use the OWASP ASVS to improve their application security.


What is the OWASP ASVS?

OWASP ASVS is a standard for testing the security of web applications. It defines a set of security requirements and recommendations, organized into three verification levels. Each level corresponds to a different degree of security assurance, with Level 1 providing basic assurance and Level 3 providing the highest. OWASP also hosts other helpful web app security testing resources, such as the Web Security Testing Guide (WSTG), aimed at web application developers and security professionals.

ASVS provides a great baseline for application security testing, as it covers a wide range of security controls, including authentication, access control, input validation, error handling, cryptography, and many others. By testing against the ASVS, you can:

  • Identify vulnerabilities: Find potential security vulnerabilities in your web applications and implement appropriate security controls to address them before they are exploited by attackers.
  • Meet compliance requirements: Many industries have regulatory requirements that mandate certain security controls for web applications. Testing against the ASVS can help you meet these requirements and demonstrate compliance.
  • Improve customer confidence: Testing against the ASVS demonstrates your commitment to the security of your web applications.
  • Reduce risk: Security breaches can be costly in terms of financial loss, reputational damage, and legal liabilities. Testing against the ASVS can help you reduce the risk of security breaches by identifying and addressing potential vulnerabilities.

Last August, CREST and OWASP launched the OWASP Verification Standard (OVS) — a new quality assurance standard for the global application security industry. The standard aims to streamline application security testing and will allow organizations of all sizes to require application software providers to pass an OWASP test. It was created to meet the growing need for standardization in application security testing, as more organizations embrace DevSecOps best practices to secure their software supply chain.

Additionally, the App Defense Alliance — of which Google is a founding member — launched their Cloud App Security Assessment (CASA) framework. This framework is based on ASVS to provide a consistent set of requirements to harden security for any application. CASA provides multiple assurance levels in which low-risk cloud applications can be evaluated using either a self-assessment or automated scan.

How to Implement the OWASP ASVS

Implementing the OWASP ASVS involves several steps:

  1. Define the Scope: This includes identifying which applications will be tested, and the level of verification required for each.
  2. Conduct the Test: You can conduct ASVS testing yourself or outsource it to a third-party service provider, like NCC Group. Testing should be conducted according to the requirements and recommendations of the ASVS.
  3. Analyse the Results: You can use the test results to pinpoint potential security vulnerabilities and implement appropriate security controls to address identified vulnerabilities.
  4. Maintain Compliance: Regularly review and update security controls to keep meeting the requirements of the ASVS and of any other applicable regulatory bodies.

The OWASP ASVS is a powerful tool for improving the security of web applications. By testing against the ASVS, companies can identify potential security vulnerabilities, meet compliance requirements, improve customer confidence, and reduce their risk of security breaches. Implementing the ASVS requires careful planning and execution, but the benefits of improved application security are well worth the effort.


Customizing ASVS

ASVS is a great starting point for application security; however, it can be a daunting task to address all 260 requirements and controls that are specified across the three distinct levels. The levels range from L1, for low-assurance applications where every requirement is penetration-testable, to L3, for the most critical applications where verification requires white-box style interaction with developers, source code, and so on.

Most of the organizations we work with to implement an ASVS testing program only use a small subset of these controls, as a full test using them all would take person-months of effort to complete, for both assessment and developer teams, and thus would be cost-prohibitive. For example, NCC Group assisted one client to develop an ASVS-based testing program that used about 20 requirements for a baseline assessment, and about 70 for the deeper “tier 2” assessment. We also helped customize many of the ASVS requirements to improve their testability with minimal dependencies, including developing questionnaires to elicit enough information from developers to cover some of the L2-3 ASVS requirements without excessive access to development team staff and source code repos. So, do not expect to use ASVS “out-of-the-box”; rather, you will need to customize it to your needs, sometimes heavily.
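One way to make that tailoring explicit and repeatable is to keep the selected subset as data and generate the checklist from it. The script below is an added example for this article, not NCC Group's or OWASP's own tooling. It assumes requirement records modelled on the per-requirement Shortcode / Description / L1 / L2 / L3 fields of the OWASP ASVS JSON export, uses a constructed catalogue (the shortcodes and wording are invented for illustration and are not the real ASVS text), and models the article's baseline and tier-2 tiers as profiles that map each in-scope requirement to a verification method (pentest, questionnaire, code review). It goes one step beyond the text by flagging a gap: a requirement that is in scope at the profile's level but has no verification method assigned, which is how a cut-down program silently drops controls.

```python
"""
Build a tailored ASVS checklist from a requirement catalogue and flag gaps.

Added example for this article, not NCC Group's or OWASP's own tooling.
Assumptions (constructed): Requirement fields mirror the Shortcode /
Description / L1 / L2 / L3 flags of the ASVS JSON export; CATALOGUE entries
are made up and are NOT the real ASVS requirement text.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    shortcode: str     # e.g. "V2.1.1" (constructed, ASVS-style numbering)
    chapter: str       # ASVS chapter the requirement belongs to
    description: str
    l1: bool           # True if the requirement applies at Level 1
    l2: bool
    l3: bool

    def required_at(self, level: int) -> bool:
        """Is this requirement in scope for the given ASVS level (1-3)?"""
        return {1: self.l1, 2: self.l2, 3: self.l3}[level]


# Constructed sample catalogue (not the real ASVS). Levels are cumulative,
# so an L1 requirement is also flagged for L2 and L3.
CATALOGUE = [
    Requirement("V2.1.1", "V2 Authentication", "Minimum password length is enforced", True, True, True),
    Requirement("V2.2.1", "V2 Authentication", "Brute-force and credential stuffing are rate-limited", True, True, True),
    Requirement("V2.4.1", "V2 Authentication", "Passwords are stored with an approved slow hash", False, True, True),
    Requirement("V4.1.1", "V4 Access Control", "Access rules are enforced on a trusted server layer", True, True, True),
    Requirement("V4.2.1", "V4 Access Control", "Object references cannot be tampered with to reach other users' data", True, True, True),
    Requirement("V5.1.1", "V5 Validation", "Defences against HTTP parameter pollution are in place", True, True, True),
    Requirement("V6.2.1", "V6 Cryptography", "Only approved algorithms and modes are used", False, True, True),
    Requirement("V6.2.4", "V6 Cryptography", "Cryptographic primitives can be swapped (crypto agility)", False, False, True),
]


@dataclass
class Profile:
    """A tailored assessment tier: target level, chapters in scope, verification method per requirement."""
    name: str
    level: int
    chapters: frozenset
    verification: dict    # shortcode -> "pentest" | "questionnaire" | "code-review"


def build_checklist(catalogue, profile):
    """Select the requirements this profile covers.

    Returns (checklist, gaps): checklist is a list of (shortcode, method, description)
    in catalogue order; gaps lists requirements that are in scope at the profile's
    level but have no verification method, i.e. controls that would go untested.
    """
    checklist, gaps = [], []
    for req in catalogue:
        if req.chapter not in profile.chapters or not req.required_at(profile.level):
            continue
        method = profile.verification.get(req.shortcode)
        if method is None:
            gaps.append(req.shortcode)
        else:
            checklist.append((req.shortcode, method, req.description))
    return checklist, gaps


def method_summary(checklist):
    """Count requirements per verification method (a rough input to effort estimates)."""
    return dict(Counter(method for _, method, _ in checklist))


# Baseline tier: L1 only, everything verified by black-box penetration testing.
BASELINE = Profile(
    name="baseline",
    level=1,
    chapters=frozenset({"V2 Authentication", "V4 Access Control", "V5 Validation", "V6 Cryptography"}),
    verification={"V2.1.1": "pentest", "V2.2.1": "pentest", "V4.1.1": "pentest",
                  "V4.2.1": "pentest", "V5.1.1": "pentest"},
)

# Tier 2: L2 scope, with an L2-only control covered by a developer questionnaire.
# V6.2.1 is deliberately left unmapped so the gap check fires.
TIER2 = Profile(
    name="tier2",
    level=2,
    chapters=BASELINE.chapters,
    verification={**BASELINE.verification, "V2.4.1": "questionnaire"},
)

if __name__ == "__main__":
    for profile in (BASELINE, TIER2):
        checklist, gaps = build_checklist(CATALOGUE, profile)
        print(f"{profile.name}: {len(checklist)} requirements, methods={method_summary(checklist)}")
        for shortcode, method, description in checklist:
            print(f"  [{method:<13}] {shortcode} {description}")
        if gaps:
            print(f"  WARNING: in scope at L{profile.level} but no verification method: {gaps}")
```

Keeping the profile separate from the catalogue means a new ASVS release can be loaded without touching the tailoring, and the gap list is the review item to settle with the development team before an assessment starts.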

How We Can Help — NCC Group Application Security Testing

NCC Group Application and Software services can help you reduce risk across the application lifecycle, from development, to testing and production, starting with application security testing:

  • Our consultants can support your organization by tailoring the ASVS to your needs, whether it is used to guide security architecture, as a checklist for secure coding, or to drive testing.
  • We use application security design review and threat modelling to help organizations identify gaps in app security relative to recognized design patterns, including authentication, and security event logging and response.
  • We also offer dynamic/static application security testing (DAST/SAST) via a fully managed, automated service to help organizations assess, track and remediate common application vulnerabilities on a continual basis.
Steven van der Baan

Global Practice Lead, Web Application Security

Steven is a Senior Security Consultant/Penetration Tester with a strong background in software development and software architecture. He is a Principal Consultant at NCC Group delivering on-site and off-site consultations and conducting infrastructure, web and mobile application assessments, secure code reviews and security architecture reviews for a varied range of clients. He has created and delivered hands-on training to developers and other audiences. Steven has a varied background in developing complex systems, mainly in Java, and the ability to analyse problems and provide sound advice on possible solutions.

At NCC Group, OWASP ASVS is our second language.

We’re a regular contributor to the OWASP ASVS, and our methodology covers all of the OWASP Top 10 web application security risks — and more.

We’re also a CREST-approved member. We perform hundreds of web application and API assessments every year and remain one of the world’s leading experts in web technology security assessment.