In October 2015, version 3.0 of the standard was released, and the requirements that define a secure application were updated. In this blog post we will give you an introduction to OWASP ASVS 3.0.
What is OWASP Application Security Verification Standard (ASVS) 3.0?
The standard provides a basis for how security in web applications can be verified. In addition, it comes with suggestions for recommended security levels in different types of applications.
Software developers can use the standard in order to develop and maintain secure applications. Moreover, consumers can use ASVS as a basis to set specific requirements when procuring software solutions. The goal of the OWASP Application Security Verification Standard is to establish a level of confidence in the security of web applications.
Use as a metric – Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their web applications.
Use as guidance – Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements.
Use during procurement – Provide a basis for specifying application security verification requirements in contracts.
OWASP ASVS 3.0 verification levels
The OWASP ASVS defines three security verification levels, with each level increasing in depth:
Level 1 is meant for all software.
Level 2 is for applications that contain sensitive data which requires protection.
Level 3 is for the most critical applications, which require the highest level of trust.
Each OWASP Application Security Verification Standard level contains a list of security requirements.
The role of automated penetration testing tools
It is not possible to complete OWASP ASVS verification using automated penetration testing tools alone. Whilst many of the requirements in Level 1 can be verified using automated tests, the large majority of requirements are not amenable to automated penetration testing.
As the application security industry matures, the lines between automated and manual testing have blurred. Automated tools are now often manually tuned by experts, and manual testers often leverage a wide variety of automated tools.
In the next blog post, we will look at Levels 1 to 3 in further detail, exploring what the different levels entail.