What is OWASP ASVS

OWASP ASVS in General
The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted.

The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard.

The OWASP ASVS defines verification and documentation requirements that are grouped by related coverage and level of rigor; different verification scopes are associated with different security levels. The standard defines four hierarchical levels. As you go from level 1 to level 4, more coverage and rigor are required to satisfy that level's security requirements. Level 4 ("Internal Verification") is typically appropriate for critical applications that protect life and safety, critical infrastructure, or defense functions.

Security Requirement Types Defined
OWASP ASVS defines 5 main types or categories of security requirements:
  • Security Control Behavior Requirements
  • Security Control Use Requirements
  • Security Control Implementation Requirements
  • Security Control Verification Requirements
  • Reporting Requirements
Requirements belonging to these types or categories are detailed in the Detailed Verification Requirements section of the standard.
Detailed Verification Requirements
OWASP ASVS defines 14 areas for various security requirements:
  • Security Architecture
  • Authentication
  • Session Management
  • Access Control
  • Input Validation
  • Output Encoding/Escaping
  • Cryptography
  • Error Handling and Logging
  • Data Protection
  • Communication Security
  • HTTP Security
  • Security Configuration
  • Malicious Code Search
  • Internal Security
In order to claim that you satisfy a security level defined by OWASP ASVS, you should prove that you satisfy all the security requirements associated with that level. Levels and their associated security requirements can be found in the tables at the end of the standard (in the Detailed Verification Requirements section).

I will not be going too deep into the requirements themselves. For further information you can find the standard here: http://sourceforge.net/projects/owasp/files/Guide/

At the time I am writing this, version 2.0.1 is the latest version.

Hope this helps someone.

Good luck,
Serdar.
