Understanding OWASP ASVS Security Coverage

Web applications serve as the backbone of business operations, and the rise in cyber threats has put a spotlight on vulnerabilities that can compromise the integrity and confidentiality of web applications. But where to start?

Security frameworks can help security and development teams understand the top risks and how to harden their applications against them, while guiding technical professionals on how to protect their applications against attacks. This is where the Open Web Application Security Project (OWASP) steps in with its Application Security Verification Standard (ASVS), offering a comprehensive set of security requirements and controls designed to safeguard web applications.

The Purpose of OWASP ASVS



Founded in 2001, the Open Web Application Security Project (OWASP) is a non-profit organization that promotes secure software development, primarily focusing on the SDLC (Software Development Lifecycle) and web applications. In this context, the OWASP Application Security Verification Standard (ASVS) serves a critical role in the realm of web application security.

The primary purpose of OWASP ASVS is to provide a framework for organizations, developers, and security professionals to understand and implement the best practices in securing web applications. ASVS outlines a comprehensive set of security requirements and controls that address various security vulnerabilities and threats faced by web applications.

Furthermore, the OWASP ASVS acts as a benchmark for assessing the security level of web applications. It allows organizations to evaluate their current security practices against a recognized standard, identifying areas of improvement and guiding the development of more secure systems. The standard is designed to be applicable across different types of applications and technologies, making it a versatile tool in the security arsenal of any organization.

Depending on the resources available to dedicate to your application security initiative and your security requirements, the framework is broken down into three levels. Level 1 starts with basic requirements, and they become more thorough as you move up:

• Level 1: This level includes basic security controls that should be implemented in all web applications. According to the framework, “An application achieves ASVS Level 1 if it adequately defends against application security vulnerabilities that are easy to discover, and included in the OWASP Top 10 and other similar checklists.”
• Level 2: This is appropriate for applications handling sensitive data, adding additional security measures. The framework states: “An application achieves ASVS Level 2 (or Standard) if it adequately defends against most of the risks associated with software today.”
• Level 3: This level involves advanced security measures for applications that handle highly sensitive data or require very high levels of trust. The framework states: “This level is typically reserved for applications that require significant levels of security verification, such as those that may be found within areas of military, health and safety, critical infrastructure, etc.”

While the ASVS framework defines specific guidelines to surface high-impact vulnerabilities, it is up to the reader to translate these guidelines into specific security controls. For example, item 1.7.2 states that organizations should “Verify that logs are securely transmitted to a preferably remote system for analysis, detection, alerting, and escalation”. It is up to the reader to determine which log aggregation and analysis tools they should use to complete the objective.

Which Vulnerabilities Does OWASP ASVS Target?



The OWASP ASVS addresses a comprehensive array of vulnerabilities, including the following:

• SQL injection: These attacks occur when malicious actors can insert or manipulate SQL queries in the input fields of an application, allowing them to access or manipulate database information without being authorized.

• Cross-Site Scripting (XSS): XXS is a vulnerability that enables attackers to inject malicious scripts into web pages viewed by other users, potentially stealing user data or impersonating users.

• Improper session management: This involves flaws in how user sessions are managed and authenticated, which can allow attackers to hijack active sessions and gain unauthorized access to applications.

• Cross-Site Request Forgery (CSRF): A vulnerability that tricks a user into executing unwanted actions on a web application in which they're currently authenticated, potentially compromising user data or performing actions maliciously.

• API security: This refers to issues related to APIs, including insufficient authentication, lack of rate limiting, and insecure data exposure, which can lead to unauthorized access and data breaches.

» Here's how to run an API scanner with OWASP ZAP

Tools for OWASP ASVS Vulnerabilities

To mitigate risks posed by threats like SQL Injection and CSRF, it's highly recommended to use specialized tools that offer protection during operation, code-level analysis, and simulated attacks to expose potential weaknesses:

• Web Application Firewalls (WAFs): WAFs act as a shield in front of your web application, inspecting incoming traffic for malicious patterns. They can block attacks like SQL injection and XSS, enforce session management policies, and offer protection against CSRF. Common tools include open source tools like Modsecurity and commercial tools like Cloudfare.

• API gateways: API gateways act as a central point of control for your APIs, enforcing authentication, authorization, rate limiting, and input validation, addressing API security vulnerabilities. Cloud providers provide such API gateways to manage your APIs.

• Identity and Access Management (IAM) solutions: These tools centralize the management of user identities, authentication, and authorization across multiple applications, adding an extra layer of security to the system. Like API gateways, cloud providers provide IAM solutions to manage these authentication-related security controls.

• Static Application Security Testing (SAST): SAST tools analyze the dataflow of applications to surface vulnerabilities like injections and buffer overflows. These tools can be integrated early into the SDLC (like the IDE of SCM) to analyze code as its being written. Consider open source tools like Semgrep, which provides high efficacy scanning compared to many others. See our list of best SAST tools here.

• Container scanning: Container scanning tools like Trivy can analyze dockerfiles, container registries, and containers in runtime for vulnerable packages, excessive privileges, and misconfigurations.
• Software Composition Analysis (SCA): SCA tools analyze the open source libraries and their dependencies used within applications to surface known vulnerabilities, usually categorized as CVEs. Check out our favorite SCA tools like npm-audit here.

While these tools play a crucial role in addressing OWASP ASVS vulnerabilities, it's easy to fall into the trap of thinking they're a cure-all solution.

The truth is that finding and managing a multitude of tools to cover every single aspect of OWASP ASVS can be a complex, expensive, and time-consuming endeavor. Specific vulnerabilities often demand specialized solutions, making the selection and configuration process a continuous challenge.

Additionally, the expertise required to effectively manage these tools can be significant, especially for smaller organizations.

» Learn more about using OWASP ASVS to protect web applications

Jit's Strategy for OWASP ASVS Coverage

All in all, the OWASP ASVS standard provides a powerful framework for web application security, but its complexity often creates a significant barrier to implementation. Jit, as a DevSecOps orchestration platform, addresses this challenge head-on.

With Jit’s OWASP ASVS Security Plan, you can enjoy comprehensive coverage with automated integration, tool selection, configuration, and seamless mapping to ASVS requirements. Rather than translating ASVS requirements into specific controls and implementing them throughout your SDLC, simply activate Jit’s ASVS Plan to automatically roll out these controls across your repos to begin scanning code.

Security scanning and remediation occurs within the IDE or PR, so developers never need to leave their environment to resolve vulnerabilities before production.

By eliminating these time-consuming tasks, you can quickly leverage the full benefits of OWASP ASVS with minimal effort.

Aligning your application security with best practices

Understanding application security best practices can be difficult even for advanced software engineers. The variety of security risks presented while handling sensitive data becomes apparent with just a brief skim through the ASVS framework.

By creating ASVS, OWASP did much of the strategic heavy lifting for improving application security. It provides a far-reaching breakdown of the most common risks. That said, there is considerable work for the reader to actually implement these practices – the framework does describe how to implement the controls needed to satisfy the guidelines. Translating each guideline into a specific security control and process requires a thorough time investment.

That's why we built the ASVS Security Plan described above. Learn more about the plan here or get started with Jit for free to activate the plan.