OWASP ASVS Assessment
In addition to our standard web application tests, we offer the possibility to have your application audited according to the OWASP Application Security Verification Standard (ASVS); or your mobile application according to the Mobile Application Security Verification Standard (MASVS).
The ASVS standard formulates an extensive list of requirements which should be adhered to during development and operation of secure software. It works particularly well as a guideline during development, where it helps in defining security requirements early and with integrating them into a Secure Software Development Lifecycle (SSDLC). But this standard can also be used for assessing and verifying the security of existing software.
The collection of ASVS requirements comprises very technical aspects (“Verify that your code is conceptually secure against SQL injection attacks.”) as well as conceptual matters (“Can logs contain sensitive data? Where are logs stored? Who has access to logs?”). Consequently, an ASVS analysis usually involves questions that cannot be answered in black-box tests. Instead, these aspects have to be verified through source code analysis, configuration reviews or audits.
Depending on the protection needs of an application, OWASP distinguishes ASVS levels 1 to 3:
- Level 1 aims at applications with low protection needs and is formulated so that its requirements can be checked in a penetration test.
- Most business applications process some kind of sensitive data and hence fall into level 2. Large parts of this level are concerned with conceptual issues which have to be assessed via an audit.
- Level 3, finally, formulates additional security requirements for applications with particularly high protection needs, for instance ones which process health data.
Documentation is delivered in an Excel file in which all ASVS requirements, together with the respective test results and assessments, are listed. The focus of this document is a well-structured, searchable representation of the plethora of ASVS security requirements. Additionally, a management summary gives an overview of important findings.
We can help you with:
- Review of your web or mobile application according to OWASP ASVS / MASVS with the help of penetration tests, source code analyses, configuration reviews and audits
- Clear and easy to understand documentation of results and suggested measures
For more information about the OWASP ASVS, please visit the official website.
Static code analysis can be a supplement or an alternative to penetration testing.
The Big Application Security Penetration Testing FAQ for Clients provides answers to many important questions concerning the commissioning of penetration tests.