What is ASVS?
The OWASP Application Security Verification Standard (ASVS) provides a basis for testing web application technical security controls and provides architects, developers, testers, security professionals, with a list of requirements for secure development.
The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications.
While the overall objective of ASVS is to help organisations develop and maintain secure applications, this can be explained in three parts.
- Used as a metric – Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications
- Used as guidance – Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements
- Used during procurement – Provide a basis for specifying application security verification requirements in contracts
Three Security Verification Levels
The Application Security Verification Standard defines three security verification levels, with each level increasing in depth.
- ASVS Level 1 is meant for all software
- ASVS Level 2 is for applications that contain sensitive data, which requires protection
- ASVS Level 3 is for the most critical applications – applications that perform high value transactions, contain sensitive medical data, or any application that requires the highest level of trust
Each ASVS level contains a list of security requirements. Each of these requirements can also be mapped to security-specific features and capabilities that must be built into software by developers.
OIC ASVS Certification a must for App Devs
As of 2017, OIC offers ASVS certifications. The ASVS certification process will
- Help you ensure your product isn’t vulnerable to the most common attacks
- Provide security best practice guidance to protect users and their data
- Provide acknowledgment of having obtained a standard that investors can use to compare and measure the security controls in an application
- Assist with compliance and/or regulatory requirements
Interested? Email us: firstname.lastname@example.org