OWASP Application Security Verification Standard (ASVS)

Helping organisations develop and maintain secure applications

What is the OWASP ASVS & how can we help?

The OWASP Application Security Verification Standard (ASVS) is a community-driven effort to establish a framework for security requirements throughout the application development lifecycle and beyond. It has been adopted by many developers, security professionals, application vendors and procurement teams as a critical industry standard. 

OWASP ASVS has two main goals:

  • To help organisations develop and maintain secure applications.
  • To allow security service vendors, security tools vendors, and consumers to align their requirements and offerings.  

At Pentest, our testing services are designed to help you work towards the OWASP ASVS, whatever level you wish to obtain, and are based on the exact requirements of your organisation, as well as the application under consideration.


Which OWASP ASVS level is right for your application?

Level 1

This is considered the ‘bare minimum’ security level that all applications should look to achieve and is useful as the first step of a multi-phase approach, or for when an application does not store or handle sensitive data.

To meet Level 1 standards, applications need to be tested to ensure they defend adequately against easy-to-exploit vulnerabilities, low-effort techniques and vulnerabilities outlined in security checklists such as the OWASP Top 10.

Level 2

ASVS Level 2 is considered the ‘standard’ security level an application should achieve and ensures that the application under consideration defends against most of the risks associated with software today. 

This level should be the baseline for any application that processes sensitive data, such as healthcare data, handles significant business-to-business transactions or interacts with any critical assets or processes.

Level 3

This is the highest level and should be considered for critical applications requiring significant security verification, for example those used within national infrastructure, physical health & safety or military operations.  

You may also wish to consider Level 3 if applications perform critical functions, or where the failure of an application could result in a significant impact to your organisation’s operations, or even its ability to survive.

Not sure what level you require?

Our team will be happy to discuss your individual requirements and provide a no-obligation proposal based on your needs.

Our OWASP ASVS services

Level 1 - ASVS Reporting

OWASP ASVS Level 1 requirements are checked as part of our web app penetration testing (where appropriate). However, a standard test report lacks the comprehensive information needed to truly satisfy this level.

Where clients require documented evidence for ASVS Level 1 verification, we can provide ASVS reporting in addition to our standard report. This will include documentation on the full scope of the test, a completed verification checklist, test results outlined against the ASVS (both passed and failed) and clear indications of how failed tests are to be resolved.

Level 2 & 3

The other two levels contain tests that cannot be performed by looking at the application “from the outside”, or that require further testing or verification procedures. Where an application requires Level 2 and Level 3 attestation, we offer a range of application auditing services that are tailored to the application under review and designed in line with the OWASP Application Security Verification Standard (ASVS).

Why choose Pentest?

Our test process isn’t the only reason clients choose to work with us. Find out more about Pentest, our ethos and the support we offer our clients.
