According to Contrast Security’s 2020 Application Security Observation Report, 96% of web apps have at least one vulnerability, and 26% of those are serious.
The continued proliferation of application vulnerabilities confirms that development teams are not certain about their application’s security requirements, and security teams are not performing consistent and comprehensive assessments.
The Open Web Application Security Project (OWASP) Foundation was launched in 2001 to improve software security worldwide.
One of its key projects is the Application Security Verification Standard (ASVS), which is a community-driven effort that started in 2008 and has become the global industry standard for application security.
While ASVS focuses on web and API-based applications, MASVS and ISVS projects cover mobile and IoT applications respectively.
The framework provides a set of security requirements and controls that enable:
ASVS contains a total of 286 controls that are grouped into the following three levels in order to meet applications with different security requirements:
The Canadian Center for Cyber Security recommends that small and mid-size businesses secure their applications based on ASVS L1 at a minimum, and to include this set of controls as a requirement in contractual agreements with software vendors. Testing at this level can be done with a combination of automatic and manual methods without access to source code, documentation, or developers.
While a large number of Level 1 controls can be covered by automated testing, the overall majority require manual activities.
ASVS requirements were created with the following goals in mind:
ASVS should be used by those who offer application security assessment services, allowing for consistent test coverage in accordance with the client’s assurance requirements. The standard can be used for black-box pentesting, as well as deeper white-box assessments where access to project documentation, source code, and development team is required.
When choosing an application security service provider, consider the following:
In addition to serving as a security application assessment framework, ASVS can be used by architects, developers, QA, and procurement teams as a:
It’s worth spending the time and money to select the appropriate level of ASVS and align all development and assessment activities, including those provided by external service vendors to build and maintain secure software. This prevents attackers from being able to exploit your application and prevents costly fixes, and protects damage to your organization’s reputation.
ASVS is ingrained into Forward Security’s DNA, and used as a key component of our services. When performing application security risk assessments, we conduct design reviews, threat modelling, and penetration testing activities aligned with this standard. In addition, our Eureka DevSecOps service leverages ASVS for the selection of security requirements incorporated into the software and practices around building and maintaining secure systems.
To find out more about our ASVS-aligned services and how we can help you build a best-in-class application security program, contact us today.
Our comprehensive DevSecOps Maturity Assessment covers 8 key phases of DevSecOps practices, 29 questions in total.
By evaluating your team on each capability, you can determine if your DevSecOps maturity level is early, intermediate, or advanced. Your assessment includes a custom report that provides your overall maturity as well as detailed recommendations you can take to enhance your security posture.