OWASP Application Security Verification Standard (ASVS) testing

helping organisations develop and maintain secure applications

The OWASP Application Security Verification Standard (ASVS) is a community-driven effort to establish a framework for security requirements throughout the application development lifecycle and beyond. It has been adopted by many developers, security professionals, application vendors and procurement teams as a critical industry standard. 

OWASP ASVS has two main goals:

  • to help organisations develop and maintain secure applications.
  • to allow security service vendors, security tools vendors, and consumers to align their requirements and offerings.  

At Pentest, our testing services are designed to help you work towards the OWASP ASVS, whatever level you wish to obtain, and are based on the exact requirements of your organisation, as well as the application under consideration.

which OWASP ASVS level is right for your application?

Level 1

This is considered the ‘bare minimum’ security level that all applications should look to achieve and is useful as the first step of a multi-phase approach, or for when an application does not store or handle sensitive data. To meet Level 1 standards, applications need to be tested to ensure they defend adequately against easy to exploit vulnerabilities, low effort techniques and vulnerabilities outlined in security checklists such as the OWASP Top 10. 

Level 2

ASVS Level 2 is considered the ‘standard’ security level an application should achieve and ensures that the application under consideration defends against most of the risks associated with software today. 

This level should be the baseline for any application that processes sensitive data, such as healthcare data, handles significant business to business transactions or interacts with any critical assets or processes. 

Level 3

This is the highest level within the ASVS and should be considered for critical applications that require a significant levels of security verification, for example those used within national infrastructure, related to physical health and safety or within military operations.  

You may also wish to consider Level 3 if applications perform critical functions, or where the failure of an application could result in a significant impact to your organisation’s operations, or even its ability to survive.


our OWASP ASVS testing services

Level 1

OWASP ASVS Level 1 requirements are checked as part of our penetration testing methodology (where appropriate). However, a standard penetration test report lacks the comprehensive information needed to truly satisfy ASVS Level 1.

Where clients require documented evidence for ASVS Level 1 verification, we can perform a web application ASVS penetration test. This follows the same testing methodology as before but in addition to a standard report it also includes documentation on the full scope of the test, a completed verification checklist, test results outlined by ASVS (both passed and failed) and gives clear indications to how failed tests are to be resolved.

Level 2 & 3

The other two levels contain tests that cannot be performed by looking at them “from the outside” or require further testing or verification procedures. Where an application requires Level 2 and Level 3 attestation, we offer a range of application auditing services that are tailored to the application under review and designed in line with the OWASP Application Security Verification Standard (ASVS).

why choose us

Our ASVS testing services are designed to support your overall information security efforts. It’s this support that truly sets us apart and whether it’s your first test, or you’ve conducted hundreds, our team are dedicated to making the process as seamless as possible, to pass on their wealth of expertise and to deliver long-term value to you and your organisation. 

experience and expertise

Our team of security consultants have years of experience and a depth of expertise in application security testing. We invest significant time into security research projects, honing and developing skills which allow our consultants to deliver the best possible results for your organisation.

dedicated contact throughout

Every organisation we work with is appointed a dedicated account manager. Our account managers understand the complexity of coordinating application tests and will work with you to ensure your test runs smoothly.

testing tailored to you

No two organisations are the same and neither are our OWASP ASVS tests. We work closely with you to fully understand the application in question, the security challenges, operational needs and priorities before we undertake any work.

quality reporting

Every test report undergoes an internal QA process and is peer reviewed. Our reports are designed around the OWASP ASVS requirements and provide you with a managerial overview of findings, an in-depth technical review of the tests conducted, as well as our remediation advice.

post-test support

Our job doesn’t finish on the delivery of a test report and our expert consultants will be available to answer any questions, to share their expert knowledge and to provide remediation support to internal development teams or external suppliers.

added value

Value is about more than just cost. Our value comes from scoping engagements accurately, our detailed reports, providing your team with post-test support, the expert knowledge we impart and by going above & beyond the tick box deliverables used by other information security providers.

contact us

Want to find out more about our OWASP ASVS testing services? Our team are on hand to provide you with the information and support you need. Please fill out the form below and a member of our team will be in touch shortly.