How to use OWASP ASVS to Protect Web Applications
Published November 21, 2023.
Global online content has soared dramatically since 2020 - with the average daily usage being close to 7 hours. For more than a quarter of their day, every day, your customers are generating important data such as personal details and card information. App users may not often think much about the data they provide. But for malicious users - all this data is a digital goldmine held by businesses like yours.
On average, SiteLock reports that sites experience approximately 94 attacks every day. More than 22 billion records were exposed in 2021. This figure includes only publicly disclosed incidents, so the actual extent of the issue is likely much larger. This article guides you through how to use the OWASP ASVS standard to protect your web application and safeguard your data.
What is OWASP ASVS?
The OWASP Application Security Verification Standard (ASVS) is an open application security standard that provides a framework for assessing the security of web applications and services.
The goal of ASVS is to help organizations establish a level of confidence in their applications' security and identify and mitigate risks. ASVS includes a set of security requirements that you can use to assess the safety of web applications and services. These requirements cover many security concerns, including authentication, authorization, data security, session management, and application security.
Application Security Verification Standard 4.0 updates
The latest version of ASVS - ASVS 4.0 - was released in March 2019 and is regarded as the gold standard for security requirements as it covers both traditional and modern architectures.
Significant changes include the removal of Level 0, meaning that security expectations are baked into an application from the start. It also moves security policies towards being more proactive against vulnerabilities developing as a baseline. Minimum checks are in place, and nothing is ever disregarded and seen as potential access and target point for attacks.
Current levels of ASVS
The requirements for each level are necessary to provide different levels of security for different types of applications.
- Level 1 - Basic provides the most basic level of security and is typically sufficient for small applications with low-security risks. ASVS Level 1 is often assigned to applications that don't deal with sensitive data, which makes them less of a target for attacks.
- Level 2 - Standard provides a higher level of security and is typically required for applications with medium security risks. This often includes apps that conduct transactions or handle sensitive data that can be leveraged for financial gains by malicious users. Level 2 is usually assigned to applications susceptible to injections, validation, and authentication-based attacks.
- Level 3 - Advanced provides the highest level of security and is typically required for applications with high-security risks. Level 3 requires the highest level of protection and contains highly sensitive information such as personal details, finance, and legal documents. For level 3, security is often integrated at the beginning of the application pipeline, right through to production deployment, with automated monitoring as a secondary precaution.
Each level inherits requirements from its predecessor. For level 2 requirements to be satisfied, level 1 requirements must also be satisfied. For software to comply at level 3, it must also comply at levels 1 and 2.
OWASP ASVS structure
The official ASVS 4.0 is split into 14 chapters and covers everything you can potentially encounter regarding software development. From architecture designing and threat modeling requirements to API and web services verification, each of the 14 chapters targets a specific area and provides a comprehensive cyber security risk assessment checklist at each level.
Chapter 2 covers authenticator verification requirements, which include:
- password security
- authenticator lifecycle
- credential storage
- look-up secret verifier, amongst others.
Each of these subsectors contains a description of the requirement and a checklist explaining required tasks for organizations to complete. Some tasks are relevant for all levels, and others are only for one or two levels.
How to use OWASP ASVS to protect your web application
Here are four key ways OWASP ASVS can assist in protecting your web application:
You can use ASVS 4.0 to measure your organization's progress in implementing application security controls and identifying areas where additional work is needed. By using ASVS 4.0 as a security performance metric, organizations can more easily find gaps in their security controls and plans and ensure these are improved promptly.
Using OWASP ASVS as a guide to ensure security can also be beneficial for reputational purposes. OWASP does not provide certifications to any vendor, verifier, or software, as it is a not-for-profit and vendor-neutral organization. However, meeting this standard means that your customers can trust your application and know that their data is handled safely.
Knowledge and guidance
OWASP ASVS can be used to improve security knowledge and provide security policy development guidance. In addition, it can be used to educate developers, ops teams, and anyone involved in the software development lifecycle about best security practices. The standards and requirements under each chapter can bring awareness to security knowledge gaps and ensure that your software is developed with best practices in mind.
Organizations often struggle with assessing the security of the products and services they procure. The Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS) can be used during the procurement assessment process to provide a comprehensive, standardized list of security requirements that can be used to verify the security of products and services.
ASVS can be used to create a Request for Information (RFI) or Request for Proposal (RFP) that vendors can use to assess their products and services. ASVS 4.0 allows organizations to quickly compare the security of different products and services and make informed decisions about which to procure.
OWASP ASVS can be used to secure agile projects by providing a comprehensive checklist of application security requirements that can be used to guide the development process. ASVS can also supplement other security measures and help ensure security is built into the agile development process.
The 14 chapters highlight areas that require security at each agile development phase, such as the application's design, implementation, and deployment. ASVS can help ensure that the application is secure before it is deployed.
Using JIT to implement OWASP ASVS
Security is often forgotten or under-implemented for many teams due to time constraints. JIT streamlines the process of integrating OWASP ASVS by providing OWASP ZAP tools out of the box to help with your security needs - in addition to a suite of tools to help you easily and quickly integrate minimum viable security across your entire software pipeline. Get started today with JIT and check out how we can help you cover all your security needs.