Why Cybercraft loves OWASP ASVS more than OWASP Top10

Share this article

What is the ASVS and who is OWASP?

The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and provides developers with a list of requirements for secure development.

The ASVS standard was created by the Open Web Application Security Project® (OWASP) who are a non-profit foundation that works to improve the security of software. Through community-led open-source projects and tens of thousands of members, the OWASP Foundation is the source for developers and technologists to secure the web.

We say ASVS is really a no-brainer – It’s comprehensive.

Offensive security providers often use OWASP's Top10 list to test for the most common variabilities, which is a great starting point, but like it says in the name, it only covers the 10 most common areas of vulnerabilities and even OWASP says that the top10 list was only designed to be an awareness document to help avoid the most blatant and dangerous vulnerabilities.

ASVS’s testing coverage is significantly more comprehensive as it encompasses the Top10 list but expands into additional areas of the development lifecycle and development practices that could be exploited, giving us up to 286 controls over 14 different domains to check. This massive improvement to coverage and security helps the team here at Cybercraft sleep more comfortably at night.

Which ASVS level is the right level for me?

Each of the levels were design to provide a different level of coverage. As the ASVS level increases the number of requirements that are to be followed, and in some cases, the requirement itself has an increased level of security.

Let’s take a look at each of the levels and see what makes them different:

ASVS Level 1

The specifications for Level 1 are designed to outline the minimum acceptable level of security in an application.

Brochureware Sites
Simple CMS Platforms
Simple API services
Data Visualisation Platforms

ASVS Level 2

Any applications that handle or process sensitive/personal data should be following level 2’s requirements.

Over 100 additional security requirements across 14 domains are introduced at this level.

Data Collection Systems • Broadcast Media Platforms • Identity Verification

Data Collection Systems
Identity Verification Services
Complex API services
Consumer Management Systems
Youth Social Platforms
HR Systems

ASVS Level 3

Level 3 is the highest level in the ASVS standard. It is designed for applications that operate in an essential services industry or applications that, if compromised, could lead to loss of life.

Organisations may also choose to adobe ASVS level 3 standards for their application if they want the strong levels of assurance around the security of their application and the application is critical to the survival of the business.

Level 3 adds additional requirements, as well as redefining requirements to have more stringent acceptance criteria.

Banking Services
Health Management Systems
Electrical Systems
Legal Document Management
Food Supply Chain Systems
Manufacturing Systems

ASVS also has an optional Internet of Things (IoT) set of requirements that were curated specifically for the ever-growing IoT market as most commercial IoT devices are managed from a centralised system or platform.

Is ASVS worth the investment? (The answer is yes.)

We’ve gone ahead and crunched the numbers and considering that the number of security requirements from OWASP Top10 is almost doubled in ASVS level 1, the costs of your first step into ASVS changes only by 30% on average. The change from each level to the next also only changes by a small factor.

Answering this question from a risk management perspective, we’ve already seen that ASVS offers us a significant increase in coverage. From this, we know using ASVS will reduce the potential for lesser known and less technical security issues from compromising your organisation’s reputation and credibility in the market.

~1.3x increase

~1.6x increase

~1.8x increase

OWASP Top10 → ASVS Level 1

OWASP Top10 → ASVS Level 2

OWASP Top10 → ASVS Level 3

+56 baseline requirements

+56 baseline requirements
+137 strong requirements

includes source review

+55 baseline requirements
+130 strong requirements
+25 stringent requirements

includes source review

Is independent penetration testing necessary?

Yes, it is. The penetration testing of platforms and services is absolutely a vital part of a strong cyber risk management framework, no exceptions. It shows users of your systems that you take data security seriously and that as an organisation, you genuinely care about keeping confidential and personal data safe, as well as protecting your brand reputation in the market.

Well-known compliance standards used by organisations of all sizes to show their customers and clients that they take cyber security and privacy seriously. These standards all use independent penetration testing as a tool to gain compliance and certification.

For compliance standards and regional regulations:

PCI-DSS –

Organisations that store or process credit card transactions will be required to be PCI-DSS compliant as a part of their merchant agreement. As a part of the PCI-DSS standard, it has a dedicated requirement that focuses on regularly test security where penetration testing must be performed at least annually and at any time when significant modifications or upgrades have been made.

Service providers using segmentation must confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after making changes to these controls.

HISO HISF – Organisations in the New Zealand health industry who develop and use digital solutions will follow the Health Information Standard Organisation’s (HISO) Health Information Security Framework (HISF). As a part of ongoing monitoring and alerting, the HISF outlines the need to perform regular checks to ensure access to systems and networks are secure and lists penetration tests as the means to meet this.

ISO27001 – The topic of penetration testing for ISO27001 certification is outlined in the supporting standard, ISO27002:2013, where we see pen testing referenced under A18.2.3 (Technical compliance review). While it may not be explicitly required, using penetration testing helps to speed up your path to ISO27001 compliance and certification.

SOC2 – Pen testing only appears once in in the 2020 updated Trusted Services Criteria document published by AICPA and isn’t explicitly a required part of SOC2 certification, but penetration testing plays a particularly useful role in producing a report with the assurances needed for CC4.1 and demonstrate the organisations willingness to security concerns. Using ASVS further strengthens the demonstration of your organisation’s effort to uphold the SOC2 standard.

HIPAA – Similar to SOC2, penetration testing is not a named requirement for HIPAA compliance. However, given the analytical insights pen testing provides, all organisations that are required to comply with HIPAA should consider adopting a form of penetration testing to protect personal health information and ensure compliance within the framework.

Local & Foreign Privacy Legislation – We speak with too many organisations who are not aware of the full extent of their obligations under privacy laws. Organisations serving the NZ market must comply with the Privacy 2020 legislation, and those operating from NZ but serving foreign markets need to comply with the individual privacy laws in each region they serve. For example, a business serving the US market will need to adhere to privacy requirements of each of the 50 states.

A lot of these legislations, including New Zealand’s own current privacy legislation, now requires you to make an active effort in protecting personal information. Penetration testing of digital systems is one of the tools needed to be able to understand areas of concern and plan to mitigate or remediate any risks identified.

Where to next?

We’ve explained why we are advocates for the use of OWASP ASVS and helped to answer which ASVS level is right for you, what are the investment cost differences between each of the levels, and why independent testing is necessary. By now, you should be seeing the benefits of adopting ASVS for your application’s next annual penetration test.

It’s standards like OWASP’s ASVS that helps organisations protect not only their invaluable brand reputation and credibility in the market but helps to genuinely look after the private information our clients and staff who trust in us protect.

If you’d like schedule your next annual penetration test to find out more about ASVS, would like a copy of the ASVS documentation, or your already in the midst of development and want to integrate ASVS into your software delivery lifecycle, then call now on +64 (9) 363 2862 or via email Gage.Keenan@cybercraft.net and we will be happy to answer any questions you may have.