04 May 2021
Application security is no longer an afterthought but something that all organisations and businesses need to be very careful about. Unsecured applications pose serious security threats since hackers can find ways to circumvent defences and attack unpatched vulnerabilities.
According to Verizon’s 2020 Data Breach Investigations Report:
This increase in cyber-attacks, both overseas and within New Zealand, has helped drive the changes in the Privacy Act 2020, which now requires organisations to take cyber risks seriously and work towards mitigating them, specifically to prevent breaches of personal data.
The Open Web Application Security Project® (OWASP) has developed the OWASP Application Security Verification Standard (ASVS) which is a set of application security tests or requirements that can be used by security professionals, developers, architects, testers, and organisations to define, build, test, and verify the security of applications.
The ASVS standard can be used:
Cybercraft recommends that independent penetration testing be performed once a year on web applications to make sure that your organisation is doing the best it can to protect its data and systems.
More information about New Zealand testing against the OWASP ASVS standard is available on the Offensive Security/Web Penetration Testing product page.
The OWASP ASVS framework provides controls and a set of security requirements that enable organisations to design, develop, and maintain secure web applications and services. It also allows security service providers to provide standardised and repeatable services. Thanks to this standard, consumers can also align their security requirements to the providers' offerings.
OWASP provides information and steps to create a common platform for developers, security professionals, and others to establish a safe working environment for web applications. The role of ASVS is to verify and confirm those safety protocols to ensure application security. ASVS provides the required clarity about the level of security that a specific application should have. It also determines which security measures should be applied to which kinds of applications.
One of the most common ways to use the ASVS is to use it to create a Secure Coding Checklist specific to your organisation, application, or platform. The OWASP ASVS uses various “levels” to determine the web application security verification level. The higher the level, the stronger the security of the application.
Level 1 is the bare minimum level that all applications must achieve. It can be used as the first step in a multi-step process or when applications do not handle or store sensitive data. Level 1 controls can be checked automatically by tools, or even manually, without access to the source code.
Level 2 ensures that security controls are in place, are effective, and are used within the application. It is appropriate for applications that handle major business-to-business transactions, process healthcare information, or implement business-critical or sensitive functions. It is also recommended for applications that process sensitive assets, or in industries where integrity is a crucial aspect of protecting the business.
Level 3 is the highest level of verification within the ASVS. It is reserved for applications that require very high levels of security verification, such as military, health and safety, and critical infrastructure.
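The article describes the ASVS levels and suggests using the standard to build a Secure Coding Checklist for your own organisation. The following is an added example, not Cybercraft's or OWASP's code, showing one way to model that: requirements tagged with the lowest level that mandates them, a level recommendation that follows the article's criteria (minimum Level 1; sensitive data or business-critical functions need Level 2; critical infrastructure needs Level 3), a cumulative checklist for a target level, and a gap report against the requirements already verified. The requirement IDs and texts are constructed placeholders, not real ASVS requirement numbers, and treating levels as cumulative (Level 2 includes all of Level 1) is an assumption consistent with Level 1 being the minimum for every application.

```python
"""Added example (not Cybercraft's or OWASP's code): build a level-scoped
Secure Coding Checklist from ASVS-style requirements and report gaps.

The requirement IDs and texts below are constructed placeholders, not real
ASVS requirement numbers. Levels are assumed cumulative: a Level 2 target
includes every Level 1 requirement, and Level 3 includes Levels 1 and 2.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    req_id: str     # constructed identifier, not an ASVS number
    level: int      # 1, 2 or 3: the lowest ASVS level that requires it
    category: str   # ASVS-style category name
    text: str


# Constructed sample requirements; the real ASVS has hundreds across 14 categories.
SAMPLE_REQUIREMENTS = [
    Requirement("REQ-AUTH-01", 1, "Authentication", "Passwords are at least 12 characters."),
    Requirement("REQ-AUTH-02", 2, "Authentication", "MFA is available for all accounts."),
    Requirement("REQ-SESS-01", 1, "Session Management", "Session tokens are rotated on login."),
    Requirement("REQ-CRYP-01", 2, "Stored Cryptography", "Keys are kept in a managed key store."),
    Requirement("REQ-CRYP-02", 3, "Stored Cryptography", "Keys are generated inside an HSM."),
    Requirement("REQ-LOGS-01", 2, "Logging", "Authentication failures are logged."),
]


def recommend_level(handles_sensitive_data: bool, critical_infrastructure: bool) -> int:
    """Map the article's guidance to a target level.

    Level 1 is the minimum for every application; applications handling
    sensitive data or business-critical functions need Level 2; military,
    health and safety, and critical infrastructure need Level 3.
    """
    if critical_infrastructure:
        return 3
    if handles_sensitive_data:
        return 2
    return 1


def checklist_for_level(requirements, target_level: int):
    """Return the cumulative checklist for the target level, grouped by category."""
    if target_level not in (1, 2, 3):
        raise ValueError("ASVS levels are 1, 2 or 3")
    checklist = {}
    for req in requirements:
        if req.level <= target_level:
            checklist.setdefault(req.category, []).append(req)
    return checklist


def coverage_report(requirements, target_level: int, verified_ids):
    """Compare verified requirement IDs against the checklist for the target level.

    Returns the number of requirements needed, the IDs still unverified (gaps),
    and whether the application meets the level (no gaps).
    """
    needed = [r for reqs in checklist_for_level(requirements, target_level).values() for r in reqs]
    verified = set(verified_ids)
    gaps = [r.req_id for r in needed if r.req_id not in verified]
    return {
        "target_level": target_level,
        "required": len(needed),
        "gaps": gaps,
        "meets_level": not gaps,
    }


if __name__ == "__main__":
    # An application that handles sensitive data but is not critical infrastructure.
    level = recommend_level(handles_sensitive_data=True, critical_infrastructure=False)
    # Constructed list of requirements the team has already verified.
    report = coverage_report(SAMPLE_REQUIREMENTS, level, {"REQ-AUTH-01", "REQ-SESS-01", "REQ-LOGS-01"})
    for category, reqs in checklist_for_level(SAMPLE_REQUIREMENTS, level).items():
        print(category)
        for r in reqs:
            status = "verified" if r.req_id not in report["gaps"] else "GAP"
            print(f"  [{status}] {r.req_id} (L{r.level}): {r.text}")
    print(report)
```

Because the checklist is scoped by level, the same requirement set serves a low-risk internal tool at Level 1 and a healthcare application at Level 2 without treating them identically, which is the distinction the article draws between ASVS and frameworks that test every application the same way.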
Every day we hear countless stories of organisations dealing with web application breaches and other serious occurrences. A single breach could potentially cause organisations to lose large portions of their revenue or a large portion of their customers.
Successful organisations today have one thing in common: they are all connected. Organisations use web applications across various platforms and implement an array of different technologies. To develop new applications or to reach new customers, security is no longer optional; it is a necessity.
This is exactly where organisations realise the benefit of using OWASP ASVS. The first benefit is that ASVS is an extension of OWASP principles and methodologies that are both trusted and supported internationally.
It measures the level of application security, documents it, and then rates and assigns a level to it. Doing so ensures that each application meets the security requirements appropriate to its needs. Organisations, in turn, get peace of mind, as it also offers a system that tests and proves applications and their level of security. This is where OWASP ASVS wins over other testing frameworks. Other frameworks tend to treat all applications the same, offering the same testing guidance regardless of the data that these applications handle. The OWASP ASVS factors in the criticality of the application and the classes of data that it processes or stores.
Organisations that are already using OWASP ASVS are already one step ahead. In addition to the ASVS security measures, they can also promote the safety of their applications and interfaces. The ASVS covers 14 categories of application-level security requirements, including:
It also offers guidance on incorporating security testing into the software development lifecycle.
OWASP ASVS is proactive rather than reactive, which offers improved visibility and planning. It allows businesses to stay ahead of security concerns and prevents many security issues.
Selecting the right level of ASVS and aligning it to all development and assessment activities is worth the time, money, and effort. By implementing the right application security measures, you can prevent hackers from exploiting your application. It will also prevent costly fixes as well as safeguard your organisation’s reputation.
Getting your organisation on board with OWASP ASVS can be quite a big undertaking. Cybercraft recommends considering a Fractional Chief Information Security Officer (CISO) who can provide board and executive level support on cyber risk management and mitigation on a monthly basis.
If you already have a web application and it is due for independent web testing, check out our options for offensive security.
Cybercraft are here to help you create your secure digital future.