In this blog post we will have a look at the OWASP Application Security Verification Standard (ASVS) levels.
OWASP ASVS is a list of application security requirements or tests that can be used by architects, developers, testers, security professionals, and even consumers to define what a secure application is. If you are not familiar with the standard, you can read more about it in this blog post.
OWASP ASVS – Level 1: Recommended for all software
Level 1 is intended to ensure that web applications are adequately protected against application security vulnerabilities that are easy to discover, including those listed in the OWASP Top 10 and similar checklists.
Level 1 controls can be verified by a combination of automated and manual testing techniques. No access to source code is required.
Threats to the application at this level most likely come from attackers looking for "low-hanging fruit": vulnerabilities that can be discovered and exploited with simple techniques. Although the threat level for each industry may vary, all industries are exposed to opportunistic attackers scanning the internet for vulnerable applications. Level 1 is therefore recommended for all applications.
OWASP ASVS – Level 2: Recommended for applications that contain sensitive data
An application achieves ASVS Level 2 if it adequately defends against most of the risks associated with software today. In addition to penetration testing, level 2 requires at least some access to developers, documentation, code, and authenticated access to the system.
Level 2 is typically appropriate for applications that handle significant business-to-business transactions, including those that process healthcare information, implement business-critical or sensitive functions, or process other sensitive assets.
Threats to Level 2 applications will typically be skilled and motivated attackers focusing on specific targets using tools and techniques that are highly practiced and effective at discovering and exploiting weaknesses within applications.
OWASP ASVS – Level 3: Recommended for the most critical applications
Level 3 is typically reserved for applications that require significant levels of security verification, such as applications in the military, health and safety, and critical infrastructure domains.
Organizations may require ASVS Level 3 for applications that perform critical functions, where failure could significantly impact the organization’s operations, and even its survivability. An application achieves this level if it is adequately defended against all advanced security vulnerabilities, and it also demonstrates principles of good security design. Vulnerabilities at this level would most likely be exploited by determined attackers.
An application at ASVS Level 3 requires more in-depth analysis, architecture, coding, and testing than the other levels.