Over the years, we’ve had multiple clients come to us and mention that they had a previous “penetration test” or “vulnerability assessment” performed, only to receive a report containing nothing more than vulnerability scanner output from tools like OpenVAS or Nessus.
While those reports are undoubtedly useful, they don’t replace the depth and coverage that a high-quality penetration test or vulnerability assessment provides.
To help standardize application security testing, OWASP has created a standard called ASVS (Application Security Verification Standard).
The acronym is a mouthful, but the standard provides a rigorous, normalized, and repeatable testing process for web application security verification.
The standard is very beneficial because when a business hires a security company to perform penetration testing, there is often a large disparity between the business’s expectations and the results the security company provides. The ASVS makes the requirements and objectives of the engagement clear and helps ensure the security company provides the quality of testing that the business is expecting.
Furthermore, when a business is asked to provide a penetration testing report to a partner or customer, an ASVS attestation from a trusted security company will carry significantly more weight than a standard penetration test, whose coverage can vary dramatically between security companies.
Before we dive into ASVS, let’s talk about OWASP, the organization that created the ASVS.
OWASP (Open Web Application Security Project) is a community-driven non-profit organization that works to improve the security of software. Because OWASP is an “open” security project, all of its materials are freely available online and can be accessed by anyone. Perhaps one of their most notable projects is the OWASP Top Ten, which identifies the top 10 security risks to a web application.
Many companies and organizations use the OWASP Top 10 to help identify security risks to their applications and to help developers avoid introducing those issues into their codebase.
OWASP also has several other projects, including Dependency-Track, the Zed Attack Proxy (ZAP), the Mobile and Web Security Testing Guides, and of course, the Application Security Verification Standard (ASVS).
The OWASP ASVS is a community-driven effort to standardize security testing. It combines multiple existing standards such as PCI DSS, the OWASP Top 10, NIST SP 800-63-3, and the OWASP Proactive Controls 2018 in a commercially workable format. Where applicable, each requirement in the ASVS is mapped to a Common Weakness Enumeration (CWE) identifier, so a failed requirement can be tied to a well-defined weakness class.
The standard has three levels (Level 1, Level 2, and Level 3). As the level increases, the number of requirements and the depth of the testing increase. The level that is appropriate for an application depends on the sensitivity of the data it handles and the risk the business is willing to accept. Level 1 is the minimum every application should meet and is appropriate where only a low assurance level is required. Level 2 is suitable for most applications, particularly those that handle sensitive data. Level 3 is reserved for applications that perform high-value transactions or hold highly sensitive data; an application that stores or handles large amounts of medical data, for instance, would likely need a Level 3 verification.
While penetration testing is typically “target of opportunity”, the ASVS has a list of requirements that increase with each verification level. These requirements ensure that each specific item is tested during the engagement.
For example, section 3.1.1 of the ASVS (4.0 numbering) contains the requirement: “Verify the application never reveals session tokens in URL parameters.” During an ASVS security test, the security company would specifically check whether or not that requirement is met and indicate in the report whether it “passed” or “failed”. This is in contrast to a traditional penetration test, where if the objective of the pentest did not involve testing session management, it might not be tested at all.
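As an illustration of what verifying a single requirement looks like in practice, here is a small checker for requirement 3.1.1 that a tester could run over URLs captured from a proxy or access log. This is an added example written for this post, not code from OWASP or from the ASVS itself. The list of session parameter names, the entropy threshold, and the sample URLs are all assumptions and constructed data; a real engagement would extend the name list with the target’s own cookie and parameter names.

```python
"""Check ASVS 4.0 requirement 3.1.1 (no session tokens in URL parameters)
against a set of observed request URLs. Added example; not OWASP code."""
import math
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Parameter names commonly used to carry session identifiers.
# Assumption: a tester extends this with the target's own names.
SESSION_PARAM_NAMES = {
    "sessionid", "session_id", "session", "sid", "jsessionid", "phpsessid",
    "asp.net_sessionid", "token", "auth_token", "access_token",
}

# Assumed threshold in bits per character; opaque random tokens score high,
# ordinary words and numbers score low.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(value: str) -> float:
    """Shannon entropy of the character distribution, in bits per character."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_token(value: str) -> bool:
    """Heuristic for an opaque identifier: long, token-ish charset, high entropy."""
    return (
        len(value) >= 16
        and re.fullmatch(r"[A-Za-z0-9_\-.=%]+", value) is not None
        and shannon_entropy(value) >= ENTROPY_THRESHOLD
    )


def find_session_tokens_in_urls(urls):
    """Return (url, parameter name, reason) for every suspicious parameter.

    A known session parameter name in the query string or in a Java-style
    path parameter (/path;jsessionid=...) is a confirmed finding. A
    high-entropy value under an unknown name is only a lead for manual
    review, since it may be a reset or CSRF token rather than a session id.
    """
    findings = []
    for url in urls:
        parts = urlsplit(url)  # urlsplit keeps ";param=value" inside the path
        for segment in parts.path.split("/"):
            if ";" not in segment:
                continue
            for matrix in segment.split(";")[1:]:
                name, _, _value = matrix.partition("=")
                if name.lower() in SESSION_PARAM_NAMES:
                    findings.append((url, name, "session parameter in path"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() in SESSION_PARAM_NAMES:
                findings.append((url, name, "known session parameter name"))
            elif looks_like_token(value):
                findings.append((url, name, "high-entropy value"))
    return findings


def requirement_3_1_1_passes(urls) -> bool:
    """ASVS-style verdict: fails on any confirmed session token in a URL.

    High-entropy leads do not fail the requirement on their own; they are
    triaged by hand before being reported.
    """
    return not any(
        reason != "high-entropy value"
        for _url, _name, reason in find_session_tokens_in_urls(urls)
    )


# Constructed sample URLs, as a proxy or access log might record them.
SAMPLE_URLS = [
    "https://app.example.test/account?PHPSESSID=8f3a9c2e1b7d4e6f0a1c2b3d4e5f6a7b",
    "https://app.example.test/cart;jsessionid=1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D/view",
    "https://app.example.test/search?q=invoice&page=2",
    "https://app.example.test/reset?t=Zm9vYmFyYmF6cXV4dGVzdHRva2Vu1234",
]

if __name__ == "__main__":
    for url, name, reason in find_session_tokens_in_urls(SAMPLE_URLS):
        print(f"{reason:30} {name:12} {url}")
    verdict = "PASS" if requirement_3_1_1_passes(SAMPLE_URLS) else "FAIL"
    print(f"ASVS 3.1.1: {verdict}")
```

Run against the sample, the two URLs carrying PHPSESSID and jsessionid are confirmed failures of 3.1.1, the search URL is clean, and the reset URL is surfaced only as a lead because its parameter name is not a known session name. The same pass/fail verdict is what an ASVS report records per requirement, with the offending URLs serving as the proof-of-concept.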
One significant aspect of pursuing an ASVS attestation is the ongoing relationship between the business and the security company. Due to the nature of ASVS, there is considerable back and forth during the engagement. This ultimately leads to a very secure application and a third-party attestation from a trusted security company showing that the application has met the rigorous standards of the ASVS. For instance, a typical ASVS security test roadmap might look like:
- The business requests an ASVS security test at a specific assurance level (Level 1, Level 2, Level 3)
- The security company performs the test and provides line items showing which requirements were passed, which were failed, and a description, proof-of-concept, and remediation steps for each issue.
- The business remediates the issues reported with guidance from the security company.
- The security company provides a final report showing all requirements as passed and all issues as remediated. The security company provides a written third-party attestation that confirms that the application adheres to the standard at the appropriate assurance level.
A typical penetration test and an OWASP ASVS security test both provide a large amount of value and can significantly enhance an application’s security. The appropriate type of security test depends on a business’s needs.
Often a penetration test is the better option when a new feature has been implemented, and that feature needs to be explicitly tested. Or perhaps the company is only worried about a specific component of the application (such as the database), and an in-depth standardized security assessment is excessive.
In addition, the ASVS is specifically oriented toward applications and does not make sense in the context of a network or cloud infrastructure penetration test. In these cases, a network or cloud penetration test is appropriate.
For mobile application testing, OWASP has introduced the MASVS (Mobile Application Security Verification Standard), which provides a similar set of requirements oriented specifically toward mobile applications.
An ASVS test provides additional value to a business over a web application penetration test in many cases. For instance, when a business needs to demonstrate to a partner or customer that the application has achieved a specific level of security. Or if the business needs a more rigorous and comprehensive set of requirements covered during the engagement. In both these situations, an ASVS attestation is the better option.
In addition to high-quality penetration testing, vulnerability assessments, and many other services, Pensive Security provides all three levels of OWASP ASVS attestations. These attestations have provided extremely high value to our customers and are an essential part of our clients’ security roadmaps. Often, an OWASP ASVS attestation is one part of a longer-term security plan that includes several services. These services are strategically organized into a security plan that reduces the overall security risk of a business and demonstrates security excellence to customers and partners.
Are you interested in an OWASP ASVS attestation? Set up a meeting with us today!