Modernize Your AppSec Program with OWASP ASVS
Overview of the Application Security Verification Standard
Founded in 2001, and incorporated as a US non-profit charity in 2004, OWASP is an open community focused on helping organizations design, develop, acquire, operate and maintain applications, especially web-based applications, that are secure and trustworthy.
The Application Security Verification Standard (ASVS), published by OWASP, is a robust security framework available to any organization interested in improving the security of its web applications. It provides a basis for testing the technical security controls of a web application and gives developers a list of requirements for secure development. It comprises a total of 286 controls across 14 verification topics.
Aside from being used to assess the security of an application, other potential uses for the ASVS include detailed security architecture guidance, a secure coding checklist, a guide for automated unit and integration tests, and secure development training.
Release 4.0 of ASVS incorporates multiple security standards, including the NIST 800-63-3 Digital Identity Guidelines, OWASP Top 10 2017, OWASP Proactive Controls 2018 and PCI DSS 3.2.1 Section 6.5, and adds a mapping to the Common Weakness Enumeration (CWE).
Application Security Verification Levels
ASVS defines three security levels with each level increasing in depth:
- Level 1 is the base testing level and covers the minimum controls for best-practice application security. ASVS Level 1 is for low assurance levels and is completely penetration testable. Level 1 assesses 131 good application security practices and is only sufficient to protect against opportunistic attacks.
- Level 2 is now “the recommended level for most apps” or for any apps that “contain sensitive data.” In short, Level 2 is where the risk-based, best-practice methodology really begins with ASVS 4.0. Level 2 controls are intended to thwart targeted, determined attacks, and the level assesses 267 good application security practices.
- Level 3 is the highest level of verification in ASVS. This level is typically reserved for applications that require significant levels of security verification, such as those found in military, health and safety, critical infrastructure and similar domains. It assesses 286 good application security practices.
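The three levels are cumulative: every Level 1 requirement is also required at Level 2 and Level 3, and every Level 2 requirement is also required at Level 3, which is why the counts grow from 131 to 267 to 286. The following added example (not code from OWASP or from this article) shows how a team can turn the machine-readable ASVS requirement list into a per-level checklist and verify that nesting property. It assumes the column layout of the ASVS 4.0 CSV export (chapter_id, section_id, req_id, req_description, level1, level2, level3, cwe, nist) with a non-empty cell marking a level as applicable; the rows and descriptions embedded below are constructed placeholders, not real ASVS requirement text.

```python
import csv
import io
from collections import OrderedDict

# Constructed sample in the assumed column layout of the ASVS 4.0 CSV export.
# Requirement descriptions are placeholders, not real ASVS wording.
SAMPLE_ASVS_CSV = """chapter_id,chapter_name,section_id,section_name,req_id,req_description,level1,level2,level3,cwe,nist
V2,Authentication,V2.1,Password Security,V2.1.1,constructed placeholder requirement A,✓,✓,✓,521,5.1.1.2
V2,Authentication,V2.1,Password Security,V2.1.2,constructed placeholder requirement B,✓,✓,✓,521,5.1.1.2
V2,Authentication,V2.2,General Authenticator,V2.2.4,constructed placeholder requirement C,,,✓,308,5.2.5
V3,Session Management,V3.2,Session Binding,V3.2.3,constructed placeholder requirement D,,✓,✓,539,7.1
V8,Data Protection,V8.3,Sensitive Private Data,V8.3.4,constructed placeholder requirement E,✓,✓,✓,200,
"""

# Assumption: level applicability is marked by any non-empty cell (the
# published CSV uses a check mark) in these three columns.
LEVEL_COLUMNS = {1: "level1", 2: "level2", 3: "level3"}


def parse_asvs_csv(text):
    """Parse an ASVS-style CSV into a list of requirement records."""
    requirements = []
    for row in csv.DictReader(io.StringIO(text)):
        levels = {lvl: bool(row[col].strip()) for lvl, col in LEVEL_COLUMNS.items()}
        requirements.append({
            "req_id": row["req_id"].strip(),
            "chapter": row["chapter_id"].strip(),
            "section": row["section_id"].strip(),
            "description": row["req_description"].strip(),
            "cwe": row["cwe"].strip(),
            "levels": levels,
        })
    return requirements


def requirements_for_level(requirements, level):
    """Return the ids of all requirements that apply at the given level."""
    return [r["req_id"] for r in requirements if r["levels"][level]]


def level_counts(requirements):
    """Number of applicable requirements per level (131/267/286 for the full 4.0 list)."""
    return {lvl: len(requirements_for_level(requirements, lvl)) for lvl in LEVEL_COLUMNS}


def nesting_violations(requirements):
    """Ids that break the cumulative rule L1 ⊆ L2 ⊆ L3; an empty list means the data is consistent."""
    violations = []
    for r in requirements:
        lv = r["levels"]
        if (lv[1] and not (lv[2] and lv[3])) or (lv[2] and not lv[3]):
            violations.append(r["req_id"])
    return violations


def checklist_by_chapter(requirements, level):
    """Group the requirements for a target level by chapter, keeping CSV order."""
    grouped = OrderedDict()
    for r in requirements:
        if r["levels"][level]:
            grouped.setdefault(r["chapter"], []).append((r["req_id"], r["cwe"]))
    return grouped


REQUIREMENTS = parse_asvs_csv(SAMPLE_ASVS_CSV)

if __name__ == "__main__":
    print("per-level counts:", level_counts(REQUIREMENTS))
    print("nesting violations:", nesting_violations(REQUIREMENTS))
    for chapter, items in checklist_by_chapter(REQUIREMENTS, 2).items():
        print(chapter, "->", ", ".join(f"{rid} (CWE-{cwe})" if cwe else rid for rid, cwe in items))
```

Running the script against the real CSV from the OWASP ASVS repository instead of the embedded sample gives the Level 1, 2 and 3 checklists a team can track in its backlog; the nesting check is worth keeping because a hand-edited spreadsheet copy of the standard is where the cumulative property tends to get broken.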
What is new in ASVS 4.0?
- Holistic approach, integration with other OWASP projects: Proactive Controls, Security Principles, Top 10
- NIST 800-63 – Authentication & Session Management
- Level 1 meets PCI DSS 3.2.1 Section 6.5
- CWE Numbering
- Improved Controls for Modern Applications
- Mobile Application Security Verification Standard (MASVS) is a separate project
- Data Protection has been expanded (Topic 8.3) to include controls around Sensitive Private Data (GDPR)
Security Training for Development Teams
Shifting left has moved developers to the front lines of application security. As enterprises make the transition to agile development practices, training developers in secure coding techniques and in the use of ASVS technical controls helps build a strong foundation for a secure SDLC program. It will also eliminate friction between security and development teams.
Some widely used tools include:
OWASP Security Shepherd
OWASP Security Shepherd is a web and mobile application security training platform. It can be used to host competitive CTF-style events to unearth security champions in your development teams. The platform can also be used to educate developers on the application security controls that ASVS defines for application security testing.
HackEDU
HackEDU provides a cloud-based interactive training platform with hands-on labs that train developers in offensive and defensive coding techniques. It has full coverage of the OWASP Top 10 for web and API vulnerabilities.
Developers learn about secure coding on their own technology stack, so the training is immediately relevant to their jobs. Integration with code scanning tools enables just-in-time training, and the training can be deployed at scale to distributed development teams to build a common baseline of security knowledge.