Are only security professionals responsible for the security of applications? Not at all! By meeting specific security requirements as early as the development stage, you can drastically increase the security of web applications. Eliminating 100% of risk is impossible, but the Open Web Application Security Project was created to help you minimize it. Learn what OWASP is, how developers can improve security with the use of ASVS, and what security levels are.
- A 2020 report by WhiteHat Security showed that 30% of all applications have at least one security vulnerability that is considered critical or high-risk.
- According to a Symantec report, 75% of websites have security vulnerabilities that could allow hackers to access sensitive data.
What the OWASP ASVS is and why it matters
In a world full of digital threats, developers and testers need standards to make sure that web apps are built securely. OWASP ASVS stands for Application Security Verification Standard, a set of security requirements for verifying the level of security in web applications. It groups the security requirements into three levels – Level 1, Level 2, and Level 3 – and the ASVS document specifies which controls apply at each level.
Exploring the Basics of the OWASP Application Security Verification Standard
The OWASP ASVS principles assume that solutions to prevent cyberattacks can be implemented at the application-building stage. By following common principles, it is easier to minimize the possibility of attacks and data leakage and to increase protection against security risks and vulnerabilities.
In this way, it is not only security specialists who are responsible for application safety, as at the development stage, proven solutions are already applied by developers to reduce risks and safeguard the created system.
Understanding the Importance of Security Requirements
Rather than creating security requirements for each application anew, with the ASVS, the same security control requirements allow you to address the challenges of the applications you create now, as well as those that developers will build in the future.
Diving into Verification and Security Controls
It is important to understand the importance of technical security controls in safeguarding sensitive information. The ASVS 4.0 covers a comprehensive list of controls that an application must adhere to in order to meet certain security standards. Security experts recommend using the new ASVS to ensure that the right measures are in place to protect against potential threats. This standard provides guidelines on how to address complex requirements and enhance security within applications.
1) Preventing injection attacks – this happens when an attacker sends malicious data in their command/query to access sensitive data. OWASP recommends techniques such as filtering, validating, encoding and escaping to prevent attacks.
2) Using parameterized queries to mitigate SQL attacks – SQL injection is a technique in which an attacker inserts SQL code into a query, which may damage or expose your database. Parameterized queries are queries in which only the parameters are supplied during the execution phase, so the attacker cannot change the query itself.
3) Preventing sensitive data exposure – applying measures such as identifying sensitive data, employing encryption algorithms so that weaknesses cannot be exploited, and configuring Transport Layer Security (TLS). This type of weakness can surface when web applications do not meet GDPR and PCI DSS requirements, or when a company stores sensitive data that is no longer in use or does not apply proper encryption to protect its data.
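To make points 1 and 2 concrete, here is an added example (not code from the original article) that contrasts a lookup built by string concatenation with the parameterized form, and adds the allow-list validation OWASP lists as a first line of defence. The user table, the names in it, and the crafted input value are all constructed for the demonstration.

```python
import re
import sqlite3

# Allow-list validation (point 1): only characters a username may legitimately contain.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def is_valid_username(value: str) -> bool:
    """Reject anything outside the expected character set before it reaches the database."""
    return USERNAME_RE.fullmatch(value) is not None


def build_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The 'before' case: the untrusted value becomes part of the SQL text and can change the query."""
    sql = f"SELECT username FROM users WHERE username = '{username}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Point 2: the query shape is fixed; the driver binds the value as data, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = build_db()
    crafted = "' OR '1'='1"  # constructed input that closes the string literal in the vulnerable query
    print(is_valid_username(crafted))              # False: validation rejects it outright
    print(find_user_vulnerable(db, crafted))       # every row is returned
    print(find_user_parameterized(db, crafted))    # no row has that literal name
```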
Key Differences Between ASVS 3.0 and ASVS 4.0
The OWASP ASVS standard is regularly improved by a group of developers and the community and supported financially by numerous organizations.
ASVS version 3.0 was released in 2015. ASVS 4.0, in turn, was released in 2019. They have some key differences in terms of application security verification requirements.
ASVS 4.0 introduced a new structure which includes a separate business logic verification requirements section. This adds an extra layer of security measures to safeguard web applications. In ASVS 4.0, web service verification has been enhanced to ensure the highest level of security for web services. The new version also provides a more comprehensive list of security requirements for application security assessment. This updated standard will allow you to assess and verify the application security requirements more effectively than ASVS 3.0.
As of the time of writing, the latest applicable version is 4.0.3, which was released in October 2021.
Implementing the OWASP ASVS in Web Applications
Implementing security verification standards will allow you to better manage critical areas such as authentication, data security, session management, and vulnerabilities related to code.
It’s important to choose the right strategy, so if you’re just planning an ASVS project, it’s a good idea to compare what you already know with the advice of specialists in this area.
There are also tools available, including open-source ones, which will facilitate the process by automating ASVS testing and validation processes. The topic of tools could be discussed in a separate article. It would be useful for you to know what types of open-source tools (if you choose to have one) you can choose from:
- Static Application Security Testing Tools (e.g., GitHub code scanning)
- Dynamic Application Security Testing Tools (ZAP)
- Interactive Application Security Testing (IAST) Tools (Contrast CE for Java and .NET only)
- Updated Open-Source libraries (e.g., using Maven)
- Static Code Quality Tools (SonarQube)
Implementation – where to start?
- Visit the OWASP ASVS project website
- Download the newest ASVS – currently 4.0.3 from October 2021
- Read it and follow the information described in the standard
- Compare organization policies, SOPs, and working methodology with the best practices described in ASVS and patch the biggest flaws
Exploring the Three Levels of ASVS Security Verification
As per the ASVS 4.0 structure, there are three levels of application security.
- ASVS level 1
It is the “bare minimum” from an application security standpoint. At level 1, manual pen-tests and app scans are performed. All checks can be automated. Verification does not require access to code or documentation. The Open Web Application Security Project recommends that all websites and apps developed should meet this standard.
- ASVS level 2
This level ensures protection against most contemporary cybersecurity risks. At level 2, audits and pen-tests are performed to assess vulnerability to the best-known software-related threats. Verification requires access to the code base, documentation, SOPs, etc., and cannot be fully automated. This level is recommended for most applications and for industries that operate on sensitive data.
- ASVS level 3
This level represents the strongest security requirements for applications that need to be “secure by design”. At level 3, the architecture and code are examined, and verification also covers advanced, emerging security threats. The highest level is recommended for critical applications and industries with high security and compliance requirements (banking, financial, governments, healthcare, military, critical infrastructure projects, etc.).
OWASP ASVS levels goals
- Standardization of security frameworks (mitigation of conflicting requirements)
- Up-to-date security guidance (new types of app architectures)
- Projects security improvement
- Agile practices compatibility (DevSecOps culture)
Enhancing Application Security Through ASVS as a Framework
ASVS is crucial for enhancing application security, as it ensures that applications meet a set of security verification requirements outlined in the OWASP ASVS checklist.
Proper security at different levels is much easier to implement with a checklist. A checklist should be available for each of the three levels, checking for vulnerabilities in key areas.
What is OWASP Top 10
It is worth being familiar with the OWASP top ten list which highlights the most critical web application security risks and vulnerabilities over time.
Applications of the OWASP ASVS
Since 2001, when the foundation was established, several case studies have highlighted the benefits of compliance with the ASVS. Companies that decide to implement the standard decrease the number of security incidents and breaches, and gain customer trust and satisfaction. Below you will find the real-world scenarios of applying OWASP standards.
Benefits of ASVS
- Improving safety awareness and security of the project
- Aid in building security checklists and security requirements
- Correlation with other standards/frameworks/security checklists (PCI DSS, NIST, CWE list)
- Having a clear description of verification actions
- Getting guidance on automation – once we know what needs to be tested, we get the requirements for the tools we are planning to use
Expert Insight:
Kamil Goryń, Senior DevOps Engineer
“Not everything needs to be implemented at once. The key is to build awareness of potential threats, ways to mitigate them and apply solutions that address the most serious threats. Even a minimum security is better than no security at all.”
Summary – OWASP Security
OWASP security guidelines work well whenever you need to improve the security of web applications. The ASVS project is a recognized framework that helps dozens of organizations globally build more secure software apps. By using the ASVS, programmers and testers may rest assured that the application they are developing meets certain security standards.
The article was written in collaboration with:
Kamil Goryń
Senior DevOps Engineer. An experienced cybersecurity expert, specializing in security engineering, with roles as Cybersecurity Head and pentester team leader, collaborating with medical, pharmaceutical, and banking sectors.