OWASP, Application Security Verification Standard, ASVS, 3.0, OWASP ASVS levels, level 1, level 2, level 3

In this blog post we will have a look at the OWASP Application Security Verification Standard (ASVS) levels.

OWASP ASVS is a list of application security requirements or tests that can be used by architects, developers, testers, security professionals, and even consumers to define what a secure application is. If you are not familiar with the standard, you can read more about it in this blog post.

OWASP ASVS – Level 1: Recommended for all software

Level 1 is intended to ensure that web applications are adequately protected against application security vulnerabilities that are easy to discover and that are included in the OWASP Top 10 and other similar checklists.

Level 1 controls can be ensured by a combination of automatic and manual testing techniques. No access to source code is required.

Threats to the application at this level are most likely from attackers looking for "low-hanging fruit": vulnerabilities which can be discovered and exploited with simple techniques. Although the threat level for each industry may vary, all industries are exposed to opportunistic attackers looking for vulnerable applications on the internet. Level 1 is therefore recommended for all applications.

OWASP ASVS – Level 2: Recommended for applications that contain sensitive data

An application achieves ASVS Level 2 if it adequately defends against most of the risks associated with software today. In addition to penetration testing, level 2 requires at least some access to developers, documentation, code, and authenticated access to the system.

Level 2 is typically appropriate for applications that handle significant business-to-business transactions, including those that process healthcare information, implement business-critical or sensitive functions, or process other sensitive assets.

Threats to Level 2 applications will typically be skilled and motivated attackers focusing on specific targets using tools and techniques that are highly practiced and effective at discovering and exploiting weaknesses within applications.

OWASP ASVS – Level 3: Recommended for the most critical applications

Level 3 is typically reserved for applications that require significant levels of security verification. This could be applications found within areas of military, health and safety, critical infrastructure, etc.

Organizations may require ASVS Level 3 for applications that perform critical functions, where failure could significantly impact the organization’s operations, and even its survivability. An application achieves this level if it is adequately defended against all advanced security vulnerabilities, and it also demonstrates principles of good security design. Vulnerabilities at this level would most likely be exploited by determined attackers.

An application at ASVS Level 3 requires more in-depth analysis, architecture, coding, and testing than all the other levels.

This blog post is based on contents provided by OWASP, and it follows a Creative Commons Attribution ShareAlike 3.0 license.