Application Security with OWASP ASVS

OWASP ASVS is a comprehensive checklist for application security. You go through the checklist, assess the software, report to stakeholders, and improve security. OWASP ASVS is a superset of PCI DSS and OWASP Top 10.


Short Formula

OWASP ASVS = checklist of application security

You go through the checklist and... check the security of your software.

Overview

OWASP ASVS (Application Security Verification Standard) is a guide for assessing an application or a platform: secure payments, healthcare, business applications. You need a plan, a way to start, and practical outcomes.

PDF: OWASP Application Security Verification Standard 3.0.1.

OWASP ASVS is a superset of PCI DSS and OWASP Top 10:

OWASP ASVS > PCI DSS + OWASP Top 10

(See OWASP ASVS "Appendix D: Standards Mappings").

For What

  • Case 1: To improve the security of your application.
  • Case 2: To carry out a security assessment or penetration test.

Below I proceed with case #1.

One of the best ways to use the Application Security Verification Standard is to use it as a blueprint to create a Secure Coding Checklist specific to your application, platform or organization.

Step 1: Select the Level

The desired level of application security.

ASVS Levels (the original table also has a "Color" column matching the colors used in the ASVS document):

Level 3, Advanced: The highest level. Everyone wants to get here.
Level 2, Standard: Standard. "Adequate".
Level 1, Opportunistic: You still have no security, but at least you read the yellow columns in the document.
Level 0, Cursory: "Flexible", "customized by each organization", you know what it means: you have no security, byatch!

ASVS contains recommendations on how to select the level. For instance, all network-accessible applications should meet at least Level 1, and the highest level, Level 3, is suitable for payments, healthcare equipment, and protecting trade secrets.

Let's consider "V1. Architecture, design and threat modeling":

  1. Level 1: all components are known (identified).
  2. Level 2: Level 1 + the implementation is sound.
  3. Level 3: Level 2 + the meta requirements are met: a threat model exists, the architecture is drawn, and everything is defined, described, identified, etc.

Of course, a higher level is better for security, but it takes much more effort to achieve.

Step 2: Follow the Check List

Select the level and follow the corresponding color in the document.

Go through all chapters.

  1. V1. Architecture, design and threat modeling
  2. V2. Authentication
  3. V3. Session management
  4. V4. Access control
  5. V5. Malicious input handling
  6. V7. Cryptography at rest
  7. V8. Error handling and logging
  8. V9. Data protection
  9. V10. Communications
  10. V11. HTTP security configuration
  11. V13. Malicious controls
  12. V15. Business logic
  13. V16. File and resources
  14. V17. Mobile
  15. V18. Web services
  16. V19. Configuration

Step 3: Share the Report

The report can be used internally or publicly as a result of compliance control (like PCI DSS).

Application Security Verification Report is a report that documents the overall results and supporting analysis produced by the verifier for a particular application.
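The three steps above (pick a level, walk the checklist, report) are easy to lose track of once the checklist is specific to your own application. The following script is an added example, not code from the original post or from OWASP: it models an ASVS-derived Secure Coding Checklist as data, applies the cumulative level rule (a Level 2 assessment also includes every Level 1 item), and produces a small verification report with the achieved level and the failed items per chapter. The requirement identifiers (R1 to R5) and their wording are constructed placeholders for illustration; they are not ASVS numbering or ASVS text, and the chapter names are the ones listed in Step 2.

```python
"""Tracker for an ASVS-derived secure coding checklist (added example, not OWASP code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    rid: str      # checklist identifier; constructed, NOT an ASVS requirement number
    chapter: str  # ASVS chapter name as listed in the standard
    level: int    # lowest ASVS level (1..3) at which this item applies
    text: str     # constructed placeholder wording, NOT ASVS text


# Constructed sample checklist: shape of an organization-specific checklist,
# with placeholder requirement wording.
CHECKLIST = [
    Requirement("R1", "V1. Architecture, design and threat modeling", 1,
                "Constructed: every application component is identified"),
    Requirement("R2", "V1. Architecture, design and threat modeling", 3,
                "Constructed: a threat model for the application exists"),
    Requirement("R3", "V2. Authentication", 1,
                "Constructed: credentials are verified server-side only"),
    Requirement("R4", "V5. Malicious input handling", 2,
                "Constructed: input validation is centralized"),
    Requirement("R5", "V10. Communications", 1,
                "Constructed: all client connections use TLS"),
]


def applicable(checklist, target_level):
    """ASVS levels are cumulative: Level N includes every item of Level 1..N."""
    return [r for r in checklist if r.level <= target_level]


def achieved_level(checklist, results, max_level=3):
    """Highest level whose items (and all lower-level items) are all verified.

    results maps rid -> True (verified) / False (failed); a missing rid counts
    as not verified, so an unassessed item never silently passes.
    """
    level = 0
    for candidate in range(1, max_level + 1):
        if all(results.get(r.rid, False) for r in applicable(checklist, candidate)):
            level = candidate
        else:
            break
    return level


def verification_report(checklist, target_level, results):
    """Summarize the assessment against the selected level (Step 3 report)."""
    items = applicable(checklist, target_level)
    failed = [r.rid for r in items if not results.get(r.rid, False)]
    by_chapter = {}
    for r in items:  # (passed, total) per chapter, in checklist order
        passed, total = by_chapter.get(r.chapter, (0, 0))
        by_chapter[r.chapter] = (passed + int(results.get(r.rid, False)), total + 1)
    return {
        "target_level": target_level,
        "achieved_level": achieved_level(checklist, results, target_level),
        "failed": failed,
        "by_chapter": by_chapter,
    }


if __name__ == "__main__":
    # Constructed assessment outcome: R2 was never assessed, R4 failed.
    sample_results = {"R1": True, "R3": True, "R5": True, "R4": False}
    report = verification_report(CHECKLIST, 3, sample_results)
    print(f"Target level {report['target_level']}, achieved level {report['achieved_level']}")
    for chapter, (passed, total) in report["by_chapter"].items():
        print(f"  {chapter}: {passed}/{total} verified")
    print("Failed or unverified items:", ", ".join(report["failed"]))
```

The report treats an item that was never assessed the same as a failed one, so the achieved level is only as high as the items you actually verified, which is the honest number to hand to stakeholders.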

The End

ASVS is written in a straightforward, comprehensive way, has a simple structure, and helps you do your work: you go through the checklist, assess the software, report to stakeholders, and improve security.