How to Choose the Right ASVS Level for Your Organization


The Application Security Verification Standard (ASVS) developed by the Open Web Application Security Project (OWASP) provides a robust framework for conducting penetration testing (pentesting) and security audits of web applications and infrastructure.

In the evolving landscape of network security, with risks growing in both sophistication and frequency, maintaining a baseline of compliant security procedures is highly recommended.

Fortunately, the ASVS framework is tightly aligned with other industry standards such as those set by the National Institute of Standards and Technology (NIST) in their Special Publication 800-63.

Why consider OWASP ASVS?

Many cyber security organizations and in-house enterprise security teams take note of the OWASP ASVS and use it to gauge the effectiveness of their penetration testing services.

The comprehensive OWASP ASVS framework defines three progressive levels of security verification that organizations can choose from based on their specific needs, risk profiles, and compliance requirements. Adhering to ASVS standards ensures that an organization’s existing systems and applications are thoroughly assessed for vulnerabilities and weaknesses, following a structured and well-defined approach. What’s more, OWASP ASVS is a regular component of training programs, which can be encouraging for those considering a career in cyber security.

The ASVS allows organizations to assess whether they need to adopt a higher or lower level of checks, security measures, and processes to maintain compliance. A common obstacle in a company’s efforts to become OWASP ASVS compliant is deciding on the right level for the organization’s needs. The guidance below explores the key aspects of each ASVS level, helping you determine the right fit for your organization.

Understanding ASVS levels

  1. ASVS Level 1 - Entry level security

ASVS L1 is the base security level recommended by OWASP, with the organization urging all businesses to build websites and applications that meet the requirements set out here.

A Level 1 assessment primarily focuses on identifying and mitigating well-known and discoverable vulnerabilities. It will usually include a manual penetration test and vulnerability scan on a web application against the OWASP Top 10 and similar open-source checklists, detailing well-known vulnerabilities and issues. In summary, it checks for easy-to-locate security risks but does not require delving deeper.

An OWASP Level 1 assessment can be conducted as a black box penetration testing exercise or a gray box exercise, with the automated security scanning process meeting the requirements of ASVS Level 1.

This type of OWASP assessment is suitable for applications that do not store or handle sensitive data, or as the initial stage of a multi-assessment development project, to isolate and catch known vulnerabilities early on. Examples of organizations that could benefit from a Level 1 assessment are companies using third-party payment processors with their own security and encryption standards, websites or apps processing non-sensitive information, or resources with secure portals processing payment or personal data.

  2. ASVS Level 2 - Enhanced security verification

OWASP tends to recommend an ASVS Level 2 assessment for most websites and applications handling sensitive data. The Level 2 standard includes pentesting and audits to assess the threat exposure and risks of the most vulnerable software, ensuring that the correct security controls are in place, working, and properly configured inside the application.

This penetration testing assessment is usually conducted at a gray box level, validating the proper configuration of security controls using a mixture of automated and manual processes.

The Level 2 assessment is suitable for organizations that are:

  • Processing payments or financial transactions
  • Implementing business-critical functions
  • Handling personal, healthcare, or sensitive business-to-business (B2B) data
  • Operating in industries where data protection is crucial

  3. ASVS Level 3 - Comprehensive application security

The Level 3 ASVS assessment represents the highest level of security verification, incorporating advanced security verification for application vulnerabilities and secure design principles.

The Level 3 assessment includes an in-depth assessment of an organization’s security architecture and coding, requiring a modularized application structure with separated components (such as physical instances and network connections).

Also, ASVS L3 requires organizations to assess individual security controls and measures for confidentiality, integrity, app availability, authentication, non-repudiation, authorization, and auditing. As such, the Level 3 assessments are more in-depth than Level 2 assessments, checking for encryption, transactions, logging, input validation, and other system tools, conducted from within the system itself.

This type of OWASP security assessment would be best suited for organizations with high compliance and regulatory security requirements such as government agencies, financial institutions, and healthcare providers. Companies subject to PCI DSS compliance may find that more comprehensive open-source information hubs offer more insights than the OWASP Top 10, which could help them isolate more intricate development vulnerabilities.

Choosing the right ASVS level

When selecting the appropriate ASVS assessment level for your organization, consider the following factors:

  1. Sensitivity of Data
    • Applications handling highly sensitive data (e.g. personally identifiable information (PII), financial or healthcare data) should aim for higher ASVS assessment levels (2 or 3) to ensure more in-depth and comprehensive security controls. Applications that do not handle such sensitive data can opt for ASVS Level 1 as a baseline.
  2. Compliance Requirements
    • Highly regulated industries such as finance, healthcare, or government often mandate stringent security standards, necessitating ASVS Level 3 assessments. Less regulated industries may find ASVS Level 2 sufficient for their needs.
  3. Business Criticality
    • Applications or systems critical to business operations should undergo higher OWASP ASVS assessments (Levels 2 or 3) to mitigate risks and ensure continuity. Non-critical applications may get by with ASVS Level 1 assessments.
  4. Risk Tolerance
    • Organizations with an elevated risk profile or threat exposure may find that ASVS Level 3 offers more peace of mind, as it minimizes potential vulnerabilities and security breaches compared with similar-sized firms. Organizations with a higher risk tolerance may find ASVS Level 1 or 2 perfectly suitable.
  5. Development Stage
    • During the development lifecycle, ASVS Level 1 assessments can be conducted to spot common vulnerabilities early on and establish a security baseline. As the lifecycle continues, higher ASVS Levels should be considered for more comprehensive security validation, particularly as more data gets aggregated and processed.
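The five factors above can be turned into a small policy-as-code helper so that the level decision is recorded and repeatable rather than argued afresh for every application. The following is an added example written for this article, not code from OWASP or from the original post: the `AppProfile` fields, the set of regulated industries and the rule that each factor proposes a minimum level (the recommendation being the highest of them) are assumptions that mirror the guidance listed above and should be tuned to your own risk appetite.

```python
"""Policy-as-code helper encoding the ASVS level selection factors above.

Added example, not OWASP's or the original author's code. The field names,
the REGULATED_INDUSTRIES set and the minimum-level rules are assumptions that
mirror the five factors in the article (data sensitivity, compliance,
business criticality, risk tolerance, development stage).
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: industries the article names as highly regulated.
REGULATED_INDUSTRIES = {"finance", "healthcare", "government"}


@dataclass
class AppProfile:
    name: str
    handles_sensitive_data: bool   # PII, financial or healthcare data
    industry: str                  # e.g. "finance", "retail"
    business_critical: bool
    risk_tolerance: str            # "low", "medium" or "high"
    development_stage: str         # "early" or "production"


def recommend_level(app: AppProfile) -> Tuple[int, List[str]]:
    """Return (recommended ASVS level, reasons).

    Each factor proposes a minimum level; the recommendation is the maximum,
    so a single strong driver (e.g. a regulated industry) is never diluted
    by weaker ones.
    """
    level = 1
    reasons = ["Level 1 is the baseline every application should meet"]

    if app.handles_sensitive_data:
        level = max(level, 2)
        reasons.append("handles sensitive data -> at least Level 2")
    if app.industry.lower() in REGULATED_INDUSTRIES:
        level = max(level, 3)
        reasons.append(f"regulated industry ({app.industry}) -> Level 3")
    if app.business_critical:
        level = max(level, 2)
        reasons.append("business-critical -> at least Level 2")
    if app.risk_tolerance.lower() == "low":
        level = max(level, 3)
        reasons.append("low risk tolerance -> Level 3")
    if app.development_stage.lower() == "early" and level > 1:
        reasons.append(
            "early in the lifecycle: run a Level 1 pass now as a baseline "
            f"and plan for Level {level} before data volumes grow"
        )
    return level, reasons


def assessment_gap(app: AppProfile, last_assessed_level: int) -> int:
    """How many levels short the most recent assessment is of the recommendation.

    0 means the last assessment already covered the recommended level; a positive
    value flags an application whose verification has fallen behind its risk.
    """
    recommended, _ = recommend_level(app)
    return max(0, recommended - last_assessed_level)


def report(apps: List[Tuple[AppProfile, int]]) -> List[str]:
    """Render one line per (profile, last assessed level) pair for review."""
    lines = []
    for app, assessed in apps:
        level, reasons = recommend_level(app)
        gap = assessment_gap(app, assessed)
        status = "OK" if gap == 0 else f"BEHIND by {gap}"
        lines.append(f"{app.name}: recommend L{level}, last assessed L{assessed} [{status}]")
        lines.extend(f"    - {r}" for r in reasons)
    return lines


if __name__ == "__main__":
    # Constructed sample portfolio, not real systems.
    portfolio = [
        (AppProfile("brochure-site", False, "retail", False, "high", "production"), 1),
        (AppProfile("checkout", True, "retail", True, "medium", "production"), 1),
        (AppProfile("patient-portal", True, "healthcare", True, "low", "early"), 2),
    ]
    print("\n".join(report(portfolio)))
```

`assessment_gap` is the piece worth wiring into a regular review cycle: re-running it over the application inventory whenever a profile changes (new data types, a new market, a new compliance obligation) turns the article's advice that ASVS assessments should be ongoing into a concrete check rather than a calendar reminder.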

It's important to note that the ASVS levels are not merely checklists but rather guidelines for dynamic testing and security verification. Cyber security professionals and analysts should tailor the correct assessment approach based on the specific application, industry, and organizational needs.

As a final point, ASVS assessments should be conducted regularly, not reserved solely as a one-time exercise to tick the necessary compliance boxes. Applications, websites, and security infrastructure evolve drastically over time, and thus, so does the need to conduct ongoing testing and verification that their security is stable, robust, and compliant.

Remember that ASVS’s goal is to provide a defined framework for organizations to identify and mitigate vulnerabilities; it’s not there to do the job for you. Your security team should implement the correct steps and processes following the right level of assessment for your organization to ensure the safety and integrity of the assets and data you hold.