It’s always fun to start throwing out acronyms to get one’s technical juices flowing. To make sense of this blog post title, readers should know that OWASP is the Open Web Application Security Project, and that the ASVS is the Application Security Verification Standard. Of course, making sense of what this all means calls for additional explanation and more information.
Let’s start with a brief backgrounder on the OWASP and follow up with a closer look at the ASVS with special emphasis on what it does and why it’s important.
Founded in 2001, and incorporated as a US non-profit charity in 2004, the OWASP is an open community that’s focused on helping organizations design, develop, acquire, operate and maintain applications – especially web-based applications – that are secure and trustworthy. The OWASP’s reach covers a lot, including:
All OWASP projects, tools, documents, forums and chapters are free and open to those interested in improving application security.
The ASVS defines a basis for testing web application technical security controls (these are features or elements of an application designed to provide authentication and manage identity data, control access, provide data privacy and protection, and so forth). ASVS also equips developers with a checklist of requirements to ensure secure development practices and procedures, and to ascertain they produce secure code.
As a standard, the ASVS seeks to provide guidance, metrics and evaluation criteria for secure applications. In the area of guidance, the ASVS offers instructions and information to those who develop security controls on what must be built into such controls to meet application security requirements.
In the area of metrics, the ASVS provides a yardstick of sorts against which application owners can assess the degree of trust that applies to their web applications and development efforts. In the area of evaluation criteria, when procuring web applications from third parties, the ASVS provides a basis for specifying (and enforcing) application security verification requirements in purchase agreements and contracts.
As of November 4, 2020, the latest version of the ASVS is 4.0.2. It is available for download from GitHub. The release comes in .ZIP and tar.gz formats, and is approximately 60 MB in size (compressed; ~100 MB uncompressed). The Standard document itself is included in that archive, along with a test runtime.
Release 4.0 of ASVS incorporates multiple security standards, including the NIST 800-63-3 Digital Identity Guidelines, OWASP Top 10 2017, OWASP Proactive Controls 2018, PCI-DSS 3.2.1 Section 6.5, and a mapping to the Common Weakness Enumeration (CWE). By combining all of these standards in a single document, the ASVS helps reduce the number of unique security requirements a team must meet to be in compliance. In addition, the breadth of standards included in the ASVS makes it the leading standard for web applications and services, covering traditional and modern application architecture, as well as agile security practices and DevSecOps culture.
The ASVS page includes an ASVS Users tab that names a variety of companies and agencies that have incorporated this standard into their software assurance toolsets. These include the following:
Simply put, ASVS creates a common set of terms and metrics, along with a shared platform so that software developers and engineers can create secure working environments for web applications.
The ASVS checks developers’ efforts to verify and confirm that sufficient security and safety measures are present in web applications to warrant a certain level of trust. In fact, OWASP asserts that “The OWASP ASVS defines verification and documentation requirements” that suffice to measure applications against them, so they may be rated by security levels.
Thus, the ASVS provides a demonstrable and repeatable system to test and verify an application’s level of security. This is what lets organizations deploy their own software or software purchased from third parties with some degree of assurance that their data and information (and that of their customers, clients, and partners) will be safe and secure within such applications.
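As an added illustration of what a repeatable, level-based verification roll-up looks like (example code written for this post, not code from OWASP or Kiuwan), the snippet below scores an application against a small checklist and reports the highest level it fully satisfies. The requirement IDs, texts and CWE numbers are constructed placeholders rather than quotations from the standard, and the rule that higher levels include every lower-level requirement is an assumption not stated above.

```python
"""Toy ASVS-style verification roll-up (constructed example).

Assumption (not from the post above): levels are cumulative, so an
application claiming Level 2 must also pass every Level 1 requirement.
All IDs, requirement texts and CWE numbers are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    req_id: str   # placeholder ID, not a real ASVS requirement number
    level: int    # lowest level (1-3) at which the requirement applies
    cwe: int      # constructed CWE mapping, used for reporting only
    text: str


# Constructed checklist standing in for a slice of the standard.
CHECKLIST = [
    Requirement("EX-AUTH-1", 1, 521, "Passwords of 12+ characters are accepted"),
    Requirement("EX-ACL-1", 1, 285, "Access control is enforced server-side"),
    Requirement("EX-AUTH-2", 2, 308, "Multi-factor authentication is offered"),
    Requirement("EX-CRYPTO-1", 3, 327, "Only approved algorithms are used"),
]


def failing(results: dict, target: int) -> list:
    """Requirements applicable at `target` that did not pass.

    A requirement missing from `results` counts as a failure: an
    unverified control gives no assurance.
    """
    return [(r.req_id, r.cwe) for r in CHECKLIST
            if r.level <= target and not results.get(r.req_id, False)]


def achieved_level(results: dict) -> int:
    """Highest level at which every applicable requirement passed (0 if none)."""
    level = 0
    for target in (1, 2, 3):
        if failing(results, target):
            break          # levels are cumulative, so stop at the first gap
        level = target
    return level


if __name__ == "__main__":
    # Constructed verification results for one application.
    sample = {"EX-AUTH-1": True, "EX-ACL-1": True,
              "EX-AUTH-2": False, "EX-CRYPTO-1": True}
    print("achieved level:", achieved_level(sample))      # 1
    print("gaps for Level 2:", failing(sample, 2))        # [('EX-AUTH-2', 308)]
```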
Kiuwan has built its own products following the ASVS. And when Kiuwan provides security scanning and remediation advice in its code security (SAST), open source Insights (SCA), and Code Analysis (QA) solutions, it shares the ASVS security framework, mindset, and requirements with those products’ users at every opportunity.
Just as ASVS helps Kiuwan ensure its own offerings are safe and secure, that same standard provides guidance and insight to help its customers do likewise.