Cybercraft OWASP ASVS 2021

08 May 2021

How the OWASP Application Security Verification Standard Makes Organisations Secure

Application security is no longer an afterthought but something that all organisations and businesses need to be very careful about. Unsecured applications pose serious security threats since hackers can find ways to circumvent defences and attack unpatched vulnerabilities.

Read More
Home Blog

Application security is no longer an afterthought but something that all organisations and businesses need to be very careful about. Unsecured applications pose serious security threats since hackers can find ways to circumvent defences and attack unpatched vulnerabilities.

According to Verizon’s 2020 Data Breach Investigations Report:

  • 70% of all data breaches were caused by outsiders.
  • 30% involving people within the targeted organisation.
  • 86% of all breaches were financially motivated.
  • 43% of all breaches were attacks on web applications, which has doubled compared to the previous year.

This increase of cyber-attacks, both overseas and within New Zealand, has helped drive the changes to the 2020 Privacy act which now requires organisations to take cyber risks seriously and work towards mitigating them, specifically to prevent breaches of personal data.

The Open Web Application Security Project® (OWASP) has developed the OWASP Application Security Verification Standard (ASVS) which is a set of application security tests or requirements that can be used by security professionals, developers, architects, testers, and organisations to define, build, test, and verify the security of applications.

The ASVS standard can be used:

  • When going to market with an RFP for a website or platform
  • When developing a digital solution in-house
  • To provide assurance to fund providers board members
  • As a part of regular web penetration testing
  • To help understand how vendors/suppliers are maintaining security.


Cybercraft OWASP ASVS 2021 1 x300 1 x200

OWASP ASVS in Web Penetration Testing

Cybercraft recommends that independent penetration testing be performed once a year on web applications to make sure that your organisation is doing the best it can to protect its data and systems.

More information about New Zealand testing against the OWASP ASVS standard is available on the Offensive Security/Web Penetration Testing product page.

Establishing a Security Framework

The OWASP ASVS framework provides controls and a set of security requirements that enable organisations to design, develop, and maintain secure web applications and services. It also allows security service providers to provide standardised and repeatable services. Thanks to this standard, consumers can also align their security requirements to the providers' offerings.

OWASP provides information and steps to create a common platform for developers, security professionals, and others to establish a safe working environment for web applications. The role of ASVS is to verify and confirm those safety protocols to ensure application security. ASVS provides the required clarity about the level of security that a specific application should have. It also determined what security measures should be applied to which kinds of applications.

Using the ASVS

One of the most common ways to use the ASVS is to use it to create a Secure Coding Checklist specific to your organisation, application, or platform. The OWASP ASVS uses various “levels” to determine the web application security verification level. The higher the level, the stronger the security of the application.

Level 1

Level 1 is the bare minimum level that all applications must achieve. It can be used as the first step in a multi-step process or when applications do not handle or store sensitive data. It is possible to check Level 1 controls automatically by tools or even manually without access to the source code.

Level 2

Level 2 ensures that security controls are in place, are effective, and are used within the application. It is appropriate for those applications that handle major business-to-business transactions, process healthcare information, or implements business-critical or sensitive functions. It is also recommended for applications that process sensitive assets or in industries where integrity is a crucial aspect to protect the business.

Level 3

This is the highest level of verification within the ASVS. It is reserved for applications that require very high levels of security verification, such as military, health and safety, and critical infrastructure.

Why should organisations use OWASP ASVS?

Every day we hear countless stories of organisations dealing with web application breaches and other serious occurrences. A single breach could potentially cause organisations to lose large portions of their revenue or a large portion of their customers.

Successful organisations today have one thing in common, they are all connected. Organisations use web applications across various platforms and implement an array of different technologies. To develop new applications or to reach new customers, security is no longer optional, it is a necessity.

This is exactly where organisations realize the benefit of using OWASP ASVS. The first benefit is that ASVS is an extension of trusted OWASP principles and methodologies that are both trusted and supported internationally.

It measures the level of application security, documents it, and then rates and assigns a level to it. Doing so ensures that each application meets the required security requirements according to their needs. Organisations, on the other hand, get peace of mind as it also offers a system that tests and proves applications and their level of security. This is where OWASP ASVS wins over other testing frameworks. Other frameworks tend to treat all applications as the same, offering the same testing guidance regardless of the data that these applications handle. The OWASP ASVS factors in the criticality of the application and the classes of data that it processes or stores.

Organisations that are already using OWASP ASVS are already one step ahead. In addition to the ASVS security measures, they can also promote the safety of their applications and interfaces. The ASVS covers 14 categories of application-level security requirements, including:

  • Architecture, Design and Threat Modelling Requirements
  • Authentication Verification Requirements
  • Session Management Verification Requirements
  • Validation, Sanitization and Encoding Verification Requirements
  • Stored Cryptography Verification Requirements
  • Error Handling and Logging Verification Requirements
  • Data Protection Verification Requirements
  • Communications Verification Requirements
  • Malicious Code Verification Requirements
  • Business Logic Verification Requirements
  • File and Resources Verification Requirements
  • Configuration Verification Requirements
  • Optionally IoT security

It also offers guidance on incorporating security testing into the software development lifecycle.

OWASP ASVS is proactive rather than reactive, which offers improved visibility and planning. It allows businesses to stay ahead of security concerns and prevents several security issues.

Selecting the right level of ASVS and aligning it to all development and assessment activities is worth the time, money, and effort. By implementing the right application security measures, you can prevent hackers from exploiting your application. It will also prevent costly fixes as well as safeguard your organisation’s reputation.

Where can I get help with OWASP ASVS?

Getting your organisation on board with OWASP ASVS can be quite a big undertaking. Cybercraft recommends considering a Fractional Chief Information Security Officer (CISO) who can provide board and executive level support on cyber risk management and mitigation on a monthly basis.

If you already have a web application and it is due for an independent web testing, check out our options for offensive security.

Cybercraft are here to help you create your secure digital future.

Share this article

More articles

SolarWinds Orion vulnerability being actively exploited

08 May 2021

SolarWinds Orion vulnerability being actively exploited

CERT NZ has published new updates which include more details on the vulnerable SolarWinds Orion systems and products affected as well as links to the latest version of the hotfix.

Read more
There's an Increase in Ryuk Ransomware Attacks

08 May 2021

There's an Increase in Ryuk Ransomware Attacks

CERT NZ warns New Zealand businesses to be prepared for a Ryuk ransomware attack. Here's what you need to know.

Read more