OWASP ASVS - Application Security Verification Standard Testing

Manual application security verification aligned to OWASP ASVS.

The OWASP Application Security Verification Standard (ASVS) is the most widely recognised framework for application security requirements, used by developers, security teams, enterprise procurement, and auditors to define and verify what secure application development looks like in practice. Our CREST-accredited consultants deliver manual, expert-led ASVS testing and reporting across all three levels, giving your organisation verified evidence of your application’s security posture in a format that procurement teams, compliance functions, and auditors accept.

Discuss Your ASVS Requirements >

Service Overview

What is OWASP ASVS?

The OWASP Application Security Verification Standard (ASVS) is a community-driven framework that defines security requirements for web applications across the full development lifecycle. It is structured around three levels of verification, each reflecting a different risk profile and depth of assurance, from baseline security hygiene through to the rigorous verification required by critical and high-assurance applications.

ASVS has been adopted widely across the industry, by development teams building secure-by-design applications, by enterprise procurement teams setting minimum security requirements for third-party software, and by compliance and audit functions requiring independent evidence of application security controls. It works alongside, not instead of penetration testing, providing a structured checklist framework that complements the active exploitation approach of a manual assessment.

ASVS Level Overview

OWASP ASVS Levels

Level 1: Foundational Security

Level 1 represents the baseline security standard that all applications should meet. It covers the most commonly exploited vulnerability classes, including the OWASP Top 10, and is appropriate as a starting point for any application, or as the primary target for applications that do not handle sensitive data or perform critical functions. Level 1 verification can be achieved through black box penetration testing and is the entry point for organisations beginning an ASVS programme. It provides a documented baseline and a clear picture of where an application stands against industry-accepted minimum standards.

Appropriate for: Applications with limited sensitive data handling, early-stage security programmes, and as the first phase of a multi-level ASVS approach.

Level 2: Standard Assurance

Level 2 is the recommended target for the majority of applications, particularly those handling sensitive data, conducting significant transactions, or interacting with critical systems or business processes. It goes beyond surface-level vulnerability identification to verify that an application's security controls are correctly implemented and functioning as intended across a broader range of attack scenarios.

Level 2 verification requires deeper access than black box testing alone, including authenticated testing, source code review where applicable, and structured verification of controls across all ASVS requirement categories. The result is a comprehensive, evidence-backed picture of your application's security posture against the industry standard most commonly referenced in procurement and compliance contexts.

Appropriate for: Applications handling healthcare data, financial transactions, personal data at scale, or any system where a security failure would have significant operational or regulatory consequences.

Level 3: High Assurance

Level 3 is the highest tier of ASVS verification and is designed for applications where security failure carries severe consequences, national infrastructure, safety-critical systems, military applications, or any environment where a breach could endanger life, cause widespread harm, or result in catastrophic operational impact.

Level 3 verification is the most comprehensive application security assessment available under the ASVS framework. It requires a combination of penetration testing, source code review, architecture analysis, and formal verification of controls across all requirement categories. The output is a rigorous, independently verified statement of an application's security posture suitable for the most demanding audit and assurance requirements.

Appropriate for: Critical national infrastructure, defence and government applications, safety-critical systems, and any application where the highest available level of independent assurance is required.

Our Services

Pentest ASVS Services

Level 1 — ASVS-Aligned Penetration Testing & Reporting

ASVS Level 1 requirements are addressed as part of our standard web application penetration testing. However, a standard penetration test report does not provide the structured evidence needed to satisfy Level 1 verification requirements for procurement or compliance purposes.

Where documented ASVS evidence is required, we provide ASVS-aligned reporting alongside our standard assessment. This includes the full scope of testing, a completed verification checklist mapped to Level 1 requirements, test results documented against each ASVS control, including both passed and failed items and clear remediation guidance for any failed requirements.

Levels 2 & 3 — Application Security Verification

Levels 2 and 3 require a broader programme of assessment than penetration testing alone. Many ASVS controls at these levels cannot be verified through external testing, they require authenticated access, source code review, architecture analysis, and structured verification procedures conducted in collaboration with your development and security teams.

Our Level 2 and Level 3 engagements are scoped individually to the application under review. We work with your team to understand the application's architecture, data flows, and technology stack before agreeing the assessment approach — ensuring our verification covers the controls most relevant to your application and delivers the evidence your compliance or procurement process requires.

Every Level 2 and Level 3 engagement is conducted manually by directly employed, CREST-certified consultants, producing a verified, evidence-backed report mapped to the full ASVS requirement set at the relevant level.

Our ASVS Clients

Who We Work With

Software Vendors & Development Teams

Using ASVS as a secure development framework and requiring independent verification that their application meets the standard before release or as part of a continuous security programme.

Enterprise Procurement Teams

Requiring third-party applications to demonstrate ASVS compliance as a condition of procurement, or verifying the security posture of software under consideration.

Compliance & Audit Functions

Requiring independent, structured evidence of application security controls mapped to a recognised industry framework.

Organisations Subject To Sector-Specific Regulation

Healthcare, financial services, and other regulated industries where application security requirements are increasingly framed around recognised standards.

Contact Us

Discuss Your ASVS Requirements

Whether you’re working towards initial Level 1 verification or need a full Level 3 assessment programme, fill in the form below and a member of our team will be in touch within one business day to discuss your requirements.