Raising the bar for application security assessments with the ASVS and MASVS

image

Josh Grossman

Tuesday, September 20, 2022

Over the years, Google has continually leveraged OWASP internally as well as externally as part of their developer education around Android and Google Cloud security best practices. This includes presentations at various conferences such as Droidcon and online guidance for Google Cloud. Earlier this year, Google started going a little further by analyzing OWASP MASVS and ASVS to see if these two standards can be used more prescriptively within their developer community.

Background to the OWASP ASVS and MASVS

The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software by providing resources for developers and security professionals. This happens through free-to-access chapter meetups spread across the globe as well as a variety of volunteer-led, open source projects. As part of OWASP’s ethos of integrity, OWASP’s activities including projects are vendor-neutral and steered by the project leaders, independent of outside influences.

The first versions of the OWASP ASVS and MASVS projects were released in 2009 and 2018, respectively, and aim to provide comprehensive standards for developing secure web applications and mobile applications.

The standards are designed to help developers build secure software but can also be used in various other ways, including as a template for performing application security testing.

They include a set of positive security requirements which are designed to be self-contained and individually implementable and are organized into theme-based chapters. They are also split into different levels with additional requirements being added at each level in order to allow organizations to gradually start to comply with the standards.

Together the projects form the only mature standard for web and mobile application security.

Google’s adoption of OWASP resources

Over the years, Google has continually leveraged OWASP internally as well as externally as part of their developer education around Android and Google Cloud security best practices. This includes presentations at various conferences such as Droidcon and online guidance for Google Cloud. Earlier this year, Google started going a little further by analyzing OWASP MASVS and ASVS to see if these two standards can be used more prescriptively within their developer community. The use of industry security standards helps provide a consistent baseline for developers.

Google has been coordinating a working group with security assessors to define a template for a baseline assessment and a more in-depth assessment based on these projects.. This working group has been collaborating with and providing significant feedback to the respective project leadership

Additionally, Google has also become a primary supporter of the ASVS project through a $10,000 grant to help advance OWASP’s efforts. OWASP are grateful for this contribution which will be used to provide some support for the work on the upcoming ASVS 5.0 version including making it easier to perform assessments based on the standard.

The OWASP project leaders look forward to further contributions from Google and other major players in the technology industry to further develop and improve these projects and increase their awareness and use by application developers.