Why ASVS Is The Gold Standard For Application Security

According to Contrast Security’s 2020 Application Security Observation Report, 96% of web apps have at least one vulnerability, and 26% of those are serious.

The continued proliferation of application vulnerabilities confirms that development teams are not certain about their application’s security requirements, and security teams are not performing consistent and comprehensive assessments.

Enter OWASP’s Application Security Verification Standard

The Open Web Application Security Project (OWASP) Foundation was launched in 2001 to improve software security worldwide.

One of its key projects is the Application Security Verification Standard (ASVS), which is a community-driven effort that started in 2008 and has become the global industry standard for application security.

While ASVS focuses on web and API-based applications, MASVS and ISVS projects cover mobile and IoT applications respectively.

The framework provides a set of security requirements and controls that enable:

  • Organizations to design, develop, and maintain secure modern web applications and services
  • Security service providers to offer standardized and repeatable services, and consumers to align their requirements with the provider’s offerings

ASVS contains a total of 286 controls, grouped into the following three levels to suit applications with different security requirements:

Level 1
  • Purpose: This is for applications with low assurance needs or those that don’t handle sensitive data. The Canadian Centre for Cyber Security recommends that small and mid-size businesses secure their applications based on ASVS L1 at a minimum, and include this set of controls as a requirement in contractual agreements with software vendors.
  • Requirements: Testing at this level can be done with a combination of automatic and manual methods without access to source code, documentation, or developers.

Level 2
  • Purpose: Typically appropriate for applications that handle sensitive data or provide business-critical or sensitive functions, and for industries where integrity is critical to protecting the business.
  • Requirements: This level requires access to documentation, source code, configuration, and the people involved in the development process.

Level 3
  • Purpose: This is for applications that require high levels of security assurance and are considered critical, such as those that perform high-value financial transactions, contain sensitive medical data, or are used by the military.
  • Requirements: This level requires more in-depth analysis of architecture, coding, and testing than all the other levels.

While a large number of Level 1 controls can be covered by automated testing, the overall majority require manual activities.

ASVS requirements were created with the following goals in mind:

  • To be used as a metric: Provide application developers and owners with means to measure the level of trust that an application provides.
  • To be used as guidance: Provide guidance to developers in order to satisfy application security objectives.
  • To be used during procurement: Provide the means to scope application security assessment requirements in statements of work.

How Service Providers use ASVS

ASVS should be used by those who offer application security assessment services, allowing for consistent test coverage in accordance with the client’s assurance requirements. The standard can be used for black-box pentesting, as well as deeper white-box assessments where access to project documentation, source code, and development team is required.

When choosing an application security service provider, consider the following:

  • Application security assessment services should use ASVS as a basis.
  • Appropriate testing method(s) should be selected and indicated in a report.
  • A summary of the verification findings should be provided including passed and failed tests.
  • Any excluded verification requirement must be indicated in any report.
  • Detailed records (work papers, screenshots, movies, scripts, electronic recordings) of tests should be kept to prove the findings.
  • OWASP doesn’t certify vendors or software, and does not provide official ASVS certifications.
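
One way to check a provider's report against the criteria listed above, as an added example (not OWASP's or the author's code). It assumes the report is available as one record per requirement and that levels are cumulative; the requirement IDs, field names, and sample rows are constructed placeholders.

```python
from collections import Counter

# Constructed catalogue: requirement id -> lowest level at which it applies.
CATALOGUE = {"REQ-001": 1, "REQ-002": 1, "REQ-003": 2,
             "REQ-004": 2, "REQ-005": 2, "REQ-006": 3}

# Constructed report rows (REQ-005 is deliberately absent).
RESULTS = [
    {"id": "REQ-001", "status": "pass", "method": "automated scan", "evidence": "scan-001.json"},
    {"id": "REQ-002", "status": "fail", "method": "manual pentest", "evidence": "shot-014.png"},
    {"id": "REQ-003", "status": "excluded"},
    {"id": "REQ-004", "status": "pass", "method": "code review"},  # no record kept
    {"id": "REQ-006", "status": "pass", "method": "design review", "evidence": "notes.md"},
]

VALID = {"pass", "fail", "excluded"}

def review_report(catalogue, results, target_level):
    """Return (summary, gaps) for a report assessed at target_level.

    Assumption: levels are cumulative, so level N includes all lower levels.
    """
    in_scope = sorted(r for r, lvl in catalogue.items() if lvl <= target_level)
    by_id = {row["id"]: row for row in results}
    summary, gaps = Counter(), []
    for rid in in_scope:
        row = by_id.get(rid)
        if row is None:
            # The report must list every requirement, tested or excluded.
            gaps.append((rid, "neither tested nor marked as excluded"))
            continue
        status = row.get("status")
        if status not in VALID:
            gaps.append((rid, "unrecognised status"))
            continue
        summary[status] += 1
        if status == "excluded":
            continue
        if not row.get("method"):
            gaps.append((rid, "testing method not indicated"))
        if not row.get("evidence"):
            gaps.append((rid, "no supporting record kept"))
    return dict(summary), gaps

if __name__ == "__main__":
    summary, gaps = review_report(CATALOGUE, RESULTS, target_level=2)
    print(summary)
    for rid, problem in gaps:
        print(f"{rid}: {problem}")
```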

How Architects, Developers, QA, and Procurement use ASVS

In addition to serving as an application security assessment framework, ASVS can be used by architects, developers, QA, and procurement teams as a:

  • Detailed security architecture guidance
  • Replacement for off-the-shelf secure coding checklists
  • Guide for automated unit and integration tests
  • Basis for secure development training
  • Driver for Agile application security
  • Framework for procuring secure software

Invest in the right security

It’s worth spending the time and money to select the appropriate level of ASVS and align all development and assessment activities, including those provided by external service vendors, to build and maintain secure software. This prevents attackers from exploiting your application, avoids costly fixes, and protects your organization’s reputation from damage.

ASVS is ingrained into Forward Security’s DNA, and used as a key component of our services. When performing application security risk assessments, we conduct design reviews, threat modelling, and penetration testing activities aligned with this standard. In addition, our Eureka DevSecOps service leverages ASVS for the selection of security requirements incorporated into the software and practices around building and maintaining secure systems.

To find out more about our ASVS-aligned services and how we can help you build a best-in-class application security program, contact us today.
