While we’ve discussed OWASP (Open Web Application Security Project), it’s importance to the security of applications and development and the standards it sets, there are other aspects that deserve our attention. One of the primary elements of OWASP that demands such attention is the Application Security Verification Standard (ASVS).
If you use, have worked with or done any research on OWASP than you have inevitably run into the Application Security Verification Standard. So what exactly is the ASVS? What is it used for and why does it matter? These are questions that you should have or have probably already asked – and this is why you should know…
The Application Security Verification Standard (ASVS)
The ASVS was created by OWASP, often referred to as “the free and open software security community.” In that spirit and at its core ASVS was created by developers for developers. In order to understand the ASVS, it can be best explained by answering what it does and how it is used.
What it does is provide an established framework for security measures. How that is applied consists of varying levels of verification. Here is an overview of these two considerations that will help you to better understand the ASVS and its purpose.
Defining an Established Security Framework
OWASP provides measures, information and creates a common language and platform for developers, engineers and others in efforts to establish safe working environments for web applications. While OWASP has excelled in doing just that, verifying and confirming that those safety protocols are being met is the role of the ASVS.
What security measures are applied to what applications and what level of security does any particular application demand? These are the types of clarity that the ASVS provides, with the latter leading into how the ASVS is used and applied.
The OWASP.org site states that, “The OWASP ASVS defines verification and documentation requirements… .” By defining and establishing these verification and documentation standards, applications can be measured against them and rated by security levels.
Using the ASVS
The OWASP ASVS uses a range of “levels” to classify and determine the web application security verification level. This allows developers to more easily determine and see real-world application security needs. A level 1 application, for instance, might suffice for a web application that doesn’t require any other level of verification. This hierarchical system of levels makes determination of required application security simple and prevents less secure applications from getting through.
Although this sounds rather simple the work, years, time and effort invested into building the libraries, the OWASP community and even the ASVS verification process is anything but simple. The ASVS uses an individual or team as part of its verification protocol. This person or these people are called a “verifier” and according to the OWASP site, “It is a verifier’s responsibility to determine if an application meets all of the requirements at the level targeted by a review.”
The technical language, the developer and programmer jargon and other web application security discussions can make all of this seem overwhelming. What many organizations want to know is why it matters to them…
The Importance of OWASP ASVS for Companies
On the whole, most business owners, company presidents and CEO’s aren’t web application security experts. That is why they hire security teams and invest heavily in security measures. This isn’t a hypothetical situation either, this is real web warfare.
One article discussing web application security began this way:
“Qatar National Bank, a recent victim of a data breach exposing over 1.4GB of customers’ data, including full personal data and credit card information, suspects it was compromised…”
That story went on to say…
“Later, the same hacking team compromised six more financial institutions, using vulnerabilities in their websites and web applications.”
There are countless other stories involving companies dealing with web application breaches, failures and other serious occurrences. Why is web application security important for companies? There are plenty of businesses that could report millions of dollars worth of reasons and millions of customers too.
Any business that is succeeding and leading the way today, is connected. That means using web applications across a myriad of platforms and employing an array of different technologies. In order to succeed in the business market now, it requires a complete commitment to these technologies. To reach customers, develop new applications and interact on the business stage, security isn’t optional it is required.
The OWASP ASVS Advantage
This is where the advantage of using a system like the ASVS is completely realized. The first advantage offered through the ASVS is that it is an extension of the proven, supported and trusted OWASP principles and methodologies.
From this foundation, the level of application security is measured, documented and then rated and assigned a level as was previously discussed. This not only gives businesses a peace of mind, it more importantly offers a system that tests and proves applications and their level of security.
The companies that recognize the importance and practical reasons behind using the OWASP ASVS are already one step ahead. In addition to the security measures afforded through the ASVS, businesses can also promote the safety of their applications and interfaces.
Customer and clients today are educated and smart, that means they understand the importance of protecting their most private information. Perhaps, more than any other reason, it is the trust that a company can instill to their patrons because of measures like the ASVS.
We can do business safely, we can share data and information through web apps without great fear, if we make security a top priority. Customers will see this as a safe environment. Our business partners will appreciate the efforts made to ensure safe business transactions, while our business will benefit because of these and many other reasons.
From the programmer, developer and architect side of the fence, this system offers metrics to gauge security levels and it provides clarity into live application scenarios. From the business side, it is how companies protect themselves and those they do business with – that is smart business and that is why companies need to know about the ASVS.