The Application Security Verification Standard (ASVS) 4.0 defines a framework for pentesting and security audits, set by the Open Web Application Security Project (OWASP) and aligned with the National Institute of Standards and Technology (NIST) 800-63 guidelines. ASVS defines different levels of security verification, with the level of stringency based on the domain and the needs of the application. Pentests are typically offered under this framework at ASVS Level 1, 2 or 3, depending on your security and compliance needs.

ASVS primarily functions as a framework for ensuring quality pentesting and audits. Higher levels of the framework mean more checks, different compliance standards, and a higher level of security assurance.

Level 1 ASVS 

ASVS L1 is the base level defined by OWASP. The organization suggests that all applications and websites should be built to meet this standard at minimum.

A Level 1 assessment typically includes a manual pentest combined with scans of the application. In most cases, applications are tested against the OWASP Top 10 and similar checklists. In essence, it checks for easy-to-find, well-known vulnerabilities and common issues but does not require digging deeper. This assessment can be performed black box, but OWASP recommends grey box. Automated scanning can cover about 50% of ASVS Level 1 requirements under version 4.0 of the standard.

This assessment is suitable for applications that do not store or handle sensitive data. It is also suitable as the first stage of a multi-stage assessment during development, to catch common vulnerabilities early.

Suitable for: 

  • Applications using third-party payment processors, with their own security standards and encryption  

  • Websites and applications not processing any personal information  

  • Websites with secure portals to applications processing payment and personal data  

Level 2 ASVS  

OWASP recommends ASVS L2 for most applications and websites.  

This standard includes pentesting and audits to assess vulnerabilities to most risks associated with software. This includes verifying that security controls are in place, effective, and correctly configured inside the application. The assessment is intended to check for most types of vulnerabilities at a grey box level.

Level 2 ASVS is suitable for:  

  • Organizations processing payments  

  • Applications implementing business critical functions  

  • Applications processing sensitive data (payment, personal data) 

  • Applications handling business-to-business transactions  

  • Applications processing third-party healthcare information  

  • Industries where data protection is a significant factor in the business

Level 3 ASVS  

Level 3 ASVS is the highest level of verification. It incorporates significant security verification for advanced application security vulnerabilities, demonstrates principles of good security design, and includes in-depth analysis of architecture and code. ASVS L3 requires that organizations have modularized applications, separated by network connection or physical instance, and that each module takes responsibility for its own security controls and measures. Here, security responsibilities include controls for confidentiality, integrity, application availability, authentication, non-repudiation, authorization, and auditing. This means L3 assessments go deeper than L2 and check encryption, transactions, input validation, logging, and other system components. This can only be done from inside the system.

Level 3 ASVS is appropriate for organizations with very high compliance and security needs. These include most organizations in government, healthcare, and finance industries.  

Dynamic Testing  

The ASVS levels are not a checklist of actions to perform to achieve compliance. Instead, OWASP asks pentesters to dynamically determine what is needed for the pentest based on the organization. Cyver scales testing and norms to meet the needs of the industry, the application, and its assets. This is critical to ensuring your application and assets remain secure, even at the lowest level of testing.

If you’re still unsure of which testing level you need, contact us to schedule a consultation.