Over the years we’ve had multiple clients come to us and mention that they have had a previous “penetration test” or “vulnerability assessment” performed only to receive a report which is essentially the results of a vulnerability scanner like OpenVAS or Nessus.
While those reports are certainly useful, they don't replace the depth and coverage that a high-quality, manual penetration test or vulnerability assessment provides.
To help standardize application security testing, OWASP has created a standard called ASVS (Application Security Verification Standard).
The OWASP ASVS is a community-driven effort to standardize security testing and to combine multiple existing standards such as PCI DSS, OWASP Top 10, NIST 800-63-3, and the OWASP Proactive Controls 2018 in a commercially workable format.
Pensive Security performs OWASP ASVS attestations which take penetration testing to the next level. While penetration tests are typically focused around “target of opportunity” and only show areas that are vulnerable, ASVS attestations bring you all the value of a penetration test while also comparing your application to a well-respected standard and showing you the good as well as the bad.
Plus, at the end of the verification process, you will receive an attestation from Pensive Security, stating that you have met the requirements outlined in the standard. This is especially useful when proving to customers and partners that your application meets a rigorous set of security requirements.
The ASVS has three verification levels (Level 1, Level 2, and Level 3). As the level increases, the number of requirements and the depth of the testing increase, and the level that is appropriate for an application depends on the sensitivity of the data it handles and how the application operates on that data.
Level 1 is appropriate for applications that need only a low level of assurance. Level 2 is intended for applications that handle sensitive data and is the appropriate target for most organizations. Level 3 is reserved for critical applications; for instance, an application that stores or processes large amounts of medical data would likely need a Level 3 verification.
While penetration testing is typically "target of opportunity", the ASVS has a defined list of requirements which grows with each verification level. Because the list is fixed, each requirement is explicitly tested during the engagement rather than being covered only if the tester happens to encounter it.
For example, in section 3.1.1 of the ASVS standard, there is a requirement: “Verify the application never reveals session tokens in URL parameters.” During an ASVS security test, the security company would specifically check whether or not that requirement is met, and indicate in the report if the requirement is “passed” or “failed”. This is in contrast to a traditional penetration test, where if the objective of the pentest did not involve testing session management, it might not be tested.
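As an added illustration of how an assessor might verify a requirement like 3.1.1 (this is example code written for this article, not part of the ASVS or of any Pensive Security tooling), the script below scans a set of URLs collected from a crawl or intercepting proxy and flags any session token carried in a path parameter, query string, or fragment. It assumes the assessor has already recorded the session token values observed in `Set-Cookie` headers; the parameter-name list and all sample URLs and tokens are constructed for the example.

```python
"""Added example for verifying ASVS requirement 3.1.1 ("Verify the
application never reveals session tokens in URL parameters").

Not from the original article. Assumes the assessor has exported the URLs
the application issued (links, redirects, form actions) and the session
token values seen in Set-Cookie headers. All sample data is constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that commonly carry a session identifier. This list is an
# assumption; extend it for the framework under test.
SESSION_PARAM_NAMES = {
    "jsessionid", "phpsessid", "sessionid", "session_id", "sid",
    "token", "auth", "asp.net_sessionid",
}

# Constructed: session cookie values observed in Set-Cookie headers.
KNOWN_SESSION_TOKENS = {"9b1deb4d3b7d4bad9bdd2b0d7b3dcb6d", "tG6cE2z"}

# Constructed: URLs collected while crawling/proxying the application.
SAMPLE_URLS = [
    "https://app.example.com/account?page=2",
    "https://app.example.com/report;jsessionid=9b1deb4d3b7d4bad9bdd2b0d7b3dcb6d",
    "https://app.example.com/login?sid=tG6cE2z&next=%2Fhome",
    "https://app.example.com/api/items?token=tG6cE2z",
    "https://app.example.com/search?q=token",  # value, not a token: must not flag
]

# Matches servlet-style path parameters such as "/report;jsessionid=abc".
_PATH_PARAM_RE = re.compile(r";([^;=/?#]+)=([^;/?#]*)")


def find_session_tokens_in_urls(urls, known_tokens=KNOWN_SESSION_TOKENS,
                                param_names=SESSION_PARAM_NAMES):
    """Return a list of (url, location, name, value) findings.

    A parameter is flagged when its name is a known session parameter name
    or its value equals a session token the assessor has already observed.
    """
    findings = []
    for url in urls:
        parts = urlsplit(url)  # urlsplit keeps ";params" inside .path
        for m in _PATH_PARAM_RE.finditer(parts.path):
            name, value = m.group(1), m.group(2)
            if name.lower() in param_names or value in known_tokens:
                findings.append((url, "path", name, value))
        for location, component in (("query", parts.query),
                                    ("fragment", parts.fragment)):
            for name, value in parse_qsl(component, keep_blank_values=True):
                if name.lower() in param_names or value in known_tokens:
                    findings.append((url, location, name, value))
    return findings


def asvs_3_1_1_verdict(urls, **kwargs):
    """Map the findings to the pass/fail line item an ASVS report uses."""
    return "failed" if find_session_tokens_in_urls(urls, **kwargs) else "passed"


if __name__ == "__main__":
    for url, location, name, value in find_session_tokens_in_urls(SAMPLE_URLS):
        print(f"{location:8} {name}={value}  in  {url}")
    print("3.1.1:", asvs_3_1_1_verdict(SAMPLE_URLS))
```

Against the constructed sample set the check flags three URLs (the `;jsessionid` path parameter, the `sid` query parameter, and the `token` query parameter) and leaves `?q=token` alone, so the requirement would be recorded as "failed" with each flagged URL as evidence. Matching on observed token values as well as parameter names is what catches an application that leaks a session identifier under an unexpected parameter name.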
One great aspect of pursuing an ASVS attestation is the ongoing relationship between the business and the security company. Due to the nature of ASVS, there is considerable back and forth during the engagement as failed requirements are remediated and re-tested. This ultimately leads to a more secure application and a third-party attestation from a trusted security company showing that the application has met the requirements of the ASVS at the chosen level. For instance, a typical ASVS security test roadmap might look like:
- The business requests an ASVS security test at a specific assurance level (Level 1, Level 2, Level 3)
- The security company performs the test and provides line items showing which requirements were passed, which were failed, and a description, proof-of-concept, and remediation steps for each issue.
- The business remediates the issues reported with guidance from the security company.
- The security company provides a final report showing all requirements as passed and all issues as remediated. The security company provides a written third-party attestation which confirms that the application adheres to the standard at the appropriate assurance level.
A typical penetration test and an OWASP ASVS security test both provide a large amount of value and can greatly enhance an application’s security. The appropriate type of security test depends on a business’s needs.
Often a penetration test is the better option when a new feature has been implemented and that feature needs to be tested specifically. Or perhaps the company is only worried about a specific component of the application (such as the database) and an in-depth standardized security assessment is excessive.
In addition, the ASVS is specifically oriented toward web applications and does not make sense in the context of a network or cloud infrastructure penetration test. In these cases, a network or cloud penetration test is appropriate.
For mobile application testing, OWASP has introduced the MASVS (Mobile Application Security Verification Standard), which includes a similar set of requirements as the ASVS but specifically oriented toward mobile applications.
In many cases an ASVS test provides additional value to a business over a web application penetration test. For instance, when a business needs to demonstrate to a partner or customer that the application has achieved a specific level of security. Or if the business needs a more rigorous and comprehensive set of requirements covered during the engagement. In both these situations, an ASVS attestation is the better option.
In addition to high-quality penetration testing, vulnerability assessments, and many other services, Pensive Security provides all three levels of OWASP ASVS attestations. These attestations have provided extremely high value to our customers and are an important part of our clients' security roadmaps. Often, OWASP ASVS attestations are one part of a longer-term security plan which includes several services. These services are strategically organized into a security plan which reduces the overall security risk of a business and demonstrates that security excellence to customers and partners.
Interested in an OWASP ASVS attestation? Set up a meeting with us today!