To give a clearer picture of how our security testing services benefit your applications, we decided that implementing an appropriate security standard is the best approach for the projects entrusted to us.
After an intensive analysis by our experts, we concluded that the most complete and adequate security standard to implement for our customers is the Application Security Verification Standard (ASVS) from OWASP.
The Application Security Verification Standard is a list of application security requirements and tests used worldwide by security professionals, penetration testers, software architects and developers to define what a secure application is.
Using this standard, even our non-technical customers will understand what we investigate, why this is the best approach and exactly what level of security the application has.
Security Verification Levels
The Application Security Verification Standard defines three security verification levels, with each level increasing in depth.
ASVS Level 1 (Opportunistic)
Level 1 is meant for all software and is typically appropriate for applications where low confidence in the correct use of security controls is required. It is also used to provide a quick analysis of a fleet of enterprise applications or to assist in developing a prioritized list of security requirements as part of a multi-phase effort.
An application achieves ASVS Level 1 if it adequately defends against application security vulnerabilities that are easy to discover, such as those included in the OWASP Top 10 and other similar checklists.
ASVS Level 2 (Standard)
Level 2 addresses applications that contain sensitive data, such as those that handle significant B2B transactions, process healthcare information, or implement business-critical or sensitive functions.
An application achieves ASVS Level 2 if it adequately defends against most of the risks associated with software today, and if security controls are in place, effective and used within the application.
ASVS Level 3 (Advanced)
This is the highest level of verification within the ASVS and is typically reserved for applications that require significant levels of security verification, such as those found in the military, health and safety, critical infrastructure and similar areas.
An application achieves ASVS Level 3 if it adequately defends against advanced application security vulnerabilities and also demonstrates principles of good security design.
Each ASVS level contains a list of security requirements. Each of these requirements can also be mapped to security-specific features and capabilities that must be built into software by developers.
ASVS Level 1 is recommended for all applications, regardless of industry, acting as the starting point for managing the risks that are easiest to find. However, organizations should look more deeply into their unique risk characteristics, based on the nature of their business, before deciding what their security needs are.