8.4 ASVS process
The Application Security Verification Standard (ASVS) is a long established OWASP flagship project, and is widely used to build a culture of security as well as verification of web applications.
It can be downloaded from the OWASP project page in various languages and formats: PDF, Word, CSV, XML and JSON. Having said that, the recommended way to consume the ASVS is to access the GitHub markdown pages directly; this ensures that the latest version is used.
What is ASVS?
The ASVS is an open standard that sets out the coverage and level of rigor expected when performing web application security verification. The standard also provides a basis for testing any technical security controls that are relied on to protect against vulnerabilities in the application.
The ASVS is split into various sections:
- V1 Architecture, Design and Threat Modeling
- V2 Authentication
- V3 Session Management
- V4 Access Control
- V5 Validation, Sanitization and Encoding
- V6 Stored Cryptography
- V7 Error Handling and Logging
- V8 Data Protection
- V9 Communication
- V10 Malicious Code
- V11 Business Logic
- V12 Files and Resources
- V13 API and Web Service
- V14 Configuration
The ASVS defines three levels of security verification:
- Level 1: applications that only need low assurance levels; these applications are completely penetration testable
- Level 2: applications which contain sensitive data that require protection; the recommended level for most applications
- Level 3: the most critical applications that require the highest level of trust
Most applications will aim for Level 2, with only those applications that perform high value transactions, or contain sensitive medical data, aiming for the highest level of trust at level 3.
Why use it?
The ASVS is well established: the earliest versions were written in 2008, and it has been continually supported since then. The ASVS is used to generate security requirements, guide the verification process and also to identify gaps in application security.
The ASVS can also be used as a metric on how mature application security processes are; it is a yardstick with which to assess the degree of trust that can be placed in the web application. This helps provide a good security culture: the application developers and application owners can see how they are doing and be confident in the maturity of their processes in comparison with other teams and organizations.
How to use it
The OWASP Spotlight series provides an overview of the ASVS and its uses: ‘Project 19 - OWASP Application Security Verification standard (ASVS)’.
The appropriate ASVS level should be chosen from:
- Level 1: First steps, automated, or whole of portfolio view
- Level 2: Most applications
- Level 3: High value, high assurance, or high safety
This is not a judgmental ranking; for example, if an application needs only Level 1 protection then that is a valid choice. Tools such as SecurityRAT can then help create a subset of the ASVS security requirements for consideration.
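Choosing a level and deriving the subset of requirements that apply to it is easiest to do directly from the JSON export mentioned above. The following is an added example, not code from the OWASP Developer Guide or the ASVS project: it assumes the ASVS 4.x JSON export nests chapter, section and requirement objects and that each requirement carries `L1`, `L2` and `L3` objects with a `Required` flag. The embedded document is constructed sample data in that shape with placeholder requirement text, not real ASVS wording. It also checks that the levels nest (everything required at Level 1 is required at Level 2, and so on), which is how the ASVS levels are defined and is a cheap way to catch a malformed or hand-edited export.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample in the shape of the ASVS 4.x JSON export. Assumption: the
# export nests chapter -> section -> requirement, and each requirement carries
# "L1"/"L2"/"L3" objects whose "Required" flag says whether it applies at that
# level. Requirement texts here are placeholders, not real ASVS wording.
SAMPLE_ASVS_JSON = json.dumps({
    "Name": "Sample (constructed) ASVS-shaped document",
    "Requirements": [
        {"Shortcode": "V2", "ShortName": "Authentication", "Items": [
            {"Shortcode": "V2.1", "Name": "Password Security", "Items": [
                {"Shortcode": "V2.1.1", "Description": "Placeholder requirement A",
                 "L1": {"Required": True}, "L2": {"Required": True}, "L3": {"Required": True}},
                {"Shortcode": "V2.1.2", "Description": "Placeholder requirement B",
                 "L1": {"Required": False}, "L2": {"Required": True}, "L3": {"Required": True}},
                {"Shortcode": "V2.1.3", "Description": "Placeholder requirement C",
                 "L1": {"Required": False}, "L2": {"Required": False}, "L3": {"Required": True}},
            ]},
        ]},
        {"Shortcode": "V4", "ShortName": "Access Control", "Items": [
            {"Shortcode": "V4.1", "Name": "General Access Control Design", "Items": [
                {"Shortcode": "V4.1.1", "Description": "Placeholder requirement D",
                 "L1": {"Required": True}, "L2": {"Required": True}, "L3": {"Required": True}},
            ]},
        ]},
    ],
})


def load_sample() -> dict:
    """Parse the constructed sample document (stands in for the real export)."""
    return json.loads(SAMPLE_ASVS_JSON)


def iter_requirements(doc: dict):
    """Yield (chapter_shortcode, requirement) for every leaf requirement."""
    for chapter in doc.get("Requirements", []):
        for section in chapter.get("Items", []):
            for req in section.get("Items", []):
                yield chapter["Shortcode"], req


def required_at(req: dict, level: int) -> bool:
    """True if the requirement applies at the given ASVS level (1, 2 or 3)."""
    if level not in (1, 2, 3):
        raise ValueError("ASVS defines levels 1, 2 and 3 only")
    return bool(req.get(f"L{level}", {}).get("Required", False))


def requirements_for_level(doc: dict, level: int) -> List[Tuple[str, str]]:
    """Subset of (shortcode, description) a team must verify at this level."""
    return [(r["Shortcode"], r["Description"])
            for _, r in iter_requirements(doc) if required_at(r, level)]


def coverage_by_chapter(doc: dict, level: int) -> Dict[str, int]:
    """Count of applicable requirements per chapter, useful for scoping work."""
    counts: Dict[str, int] = {}
    for chapter, r in iter_requirements(doc):
        if required_at(r, level):
            counts[chapter] = counts.get(chapter, 0) + 1
    return counts


def levels_are_cumulative(doc: dict) -> bool:
    """Sanity check: ASVS levels nest, so anything required at L1 must also be
    required at L2, and anything at L2 also at L3. A failure points at a
    malformed export or hand-edited data rather than a real requirement set."""
    for _, r in iter_requirements(doc):
        if required_at(r, 1) and not required_at(r, 2):
            return False
        if required_at(r, 2) and not required_at(r, 3):
            return False
    return True


if __name__ == "__main__":
    doc = load_sample()
    for level in (1, 2, 3):
        subset = requirements_for_level(doc, level)
        print(f"Level {level}: {len(subset)} requirements, "
              f"per chapter {coverage_by_chapter(doc, level)}")
    print("levels cumulative:", levels_are_cumulative(doc))
```

To use it against a real export, replace `load_sample()` with `json.load()` on the downloaded file; the per-chapter counts give a quick view of how much of each ASVS section a chosen level pulls in before the requirements are handed to the development team.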
Application developer teams and application owners can then gain familiarity with the appropriate security requirements and incorporate them into the process and culture of the organization. To help navigate the ASVS, the OWASP Cheat Sheets have been indexed specifically for each section of the ASVS and can be used to explain and expand on each requirement category.
The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.