Do you really need an ASVS audit? When is it wise to conduct an actual ASVS audit, and what is required before you can say that your software really is ASVS-audited? A tailored application security audit that merely uses ASVS as a frame of reference is not enough to call the application ASVS-audited.
When procuring ASVS (Application Security Verification Standard) security testing, first assess what the testing needs to achieve. If a standard-compliant ASVS report is desired, every requirement of the selected level must be verified. ASVS verification is a pass/fail assessment of the application against a fixed list of requirements, not a traditional, finding-driven application security test or audit.
It is important to identify in which cases a genuine ASVS audit is desired and in which cases it is sufficient to consider ASVS requirements as part of a customized security test. Including individual ASVS requirements in a customized engagement does not guarantee ASVS compliance, and the application cannot be called ASVS-audited on that basis.
ASVS, or Application Security Verification Standard, is a framework developed by OWASP for specifying and verifying the security requirements of web applications. The standard is divided into three verification levels.
ASVS L1: This level is aimed at applications with basic security requirements. All applications should strive for this level regardless of their purpose. L1-level testing ensures that the application is protected against the most common attacks, such as SQL injection, XSS, and basic authentication weaknesses.
ASVS L2: This level is intended for applications that handle sensitive information or perform critical functions for the company. At this level, access to the source code and workshops with the development team are required to support the testing.
ASVS L3: This level is for high-security applications, such as those used by governments, banks, or military systems. It includes the most comprehensive assessment and may require access to the system’s infrastructure.
The levels are cumulative: when a customer orders ASVS L2 testing, every ASVS L1 requirement is automatically included. The current L1 and L2 levels together contain a total of 259 requirements, each of which assesses the maturity of the application from a different perspective. L3 is very rarely implemented.
The reason to want an actual and complete ASVS audit can be regulatory demands or end-customer demands. It may also be wise to conduct the audit proactively according to the standard, as the question is likely to come up later in discussions with potential customers who require the application to have been tested.
The purpose of ASVS testing is not only to find vulnerabilities but also to assess the overall architecture of the application from a security perspective. ASVS ensures that the application meets modern security requirements, from data protection to access control and error handling.
ASVS testing is sometimes carried out purely as a workshop review. This does not meet the standard’s requirements: even L1 verification requires a thorough hands-on test of the application. Conversely, an application is sometimes subjected only to a technical test that omits, for example, code review or documentation checks. ASVS testing must cover all areas of the standard to provide comprehensive assurance of the application’s security.
What pitfalls can follow?
ASVS tests are often more expensive than traditional security audits. All parties involved in the testing must have a clear understanding that the purpose is to conduct a standard-compliant ASVS test at a specific level. If the testing does not meet the standard’s requirements, ambiguities and problems may arise, especially when the audit is later used as evidence of the application’s security, for example towards end customers or authorities.
Steps to procure comprehensive ASVS testing
In a competitive bidding or ordering process for ASVS testing, consider at least the following essential points:
- Find out how the implementation of the testing differs from a traditional security audit.
- Ask how the verification of ASVS levels L1 and L2 differs in practice. What specific requirements and checks does each level include, and how do they affect the application’s security?
- Ask how the final report is prepared. Does the final report list every ASVS requirement with a reference to the standard? Has every requirement been reviewed and marked as ‘Pass’, ‘Fail’ or ‘N/A’?
- If the report does not list all ASVS requirements with their pass/fail status, or if there is no practical difference between how L1 and L2 are verified, the engagement is probably a customized implementation resembling a traditional security audit rather than ASVS testing.
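The two report checks above (every requirement of the ordered level present, each with one of the three verdicts, and L2 including all of L1) can be mechanised when you receive the report. The following is an added example written for this page, not code from the article's author or from the OWASP ASVS project. The requirement catalogue and both reports are constructed samples: the IDs follow the ASVS Vx.y.z pattern, but the level assignments are illustrative, and a real check must load the catalogue for the ASVS version named in the contract.

```python
"""Check whether an ASVS-style report is complete for the ordered level.

Added example, not from the original page. CATALOGUE and the REPORT_* samples
are constructed for illustration; the level assignments are not the real ASVS
catalogue.
"""
from dataclasses import dataclass

VALID_VERDICTS = frozenset({"Pass", "Fail", "N/A"})

# Constructed sample catalogue: requirement id -> lowest ASVS level that requires it.
CATALOGUE = {
    "V2.1.1": 1,
    "V5.3.4": 1,
    "V1.1.1": 2,
    "V1.4.4": 2,
    "V14.5.3": 3,
}


@dataclass(frozen=True)
class Result:
    level: int
    missing: tuple   # required ids with no verdict in the report
    invalid: tuple   # required ids whose verdict is not Pass/Fail/N/A
    unknown: tuple   # reported ids that are not in the catalogue
    failed: tuple    # required ids marked Fail

    @property
    def complete(self) -> bool:
        """Every requirement at this level (and below) has a valid verdict."""
        return not self.missing and not self.invalid

    @property
    def compliant(self) -> bool:
        """Complete, and no required item failed."""
        return self.complete and not self.failed


def parse_report(text: str) -> dict:
    """Parse 'id,verdict' lines; blank lines and '#' comments are ignored."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rid, verdict = (part.strip() for part in line.split(",", 1))
        report[rid] = verdict
    return report


def required_for(level: int, catalogue: dict = CATALOGUE) -> set:
    # Levels are cumulative: an L2 audit must cover every L1 and L2 requirement.
    return {rid for rid, lvl in catalogue.items() if lvl <= level}


def check_report(level: int, report: dict, catalogue: dict = CATALOGUE) -> Result:
    required = required_for(level, catalogue)
    reported = set(report)
    missing = tuple(sorted(required - reported))
    invalid = tuple(sorted(r for r in required & reported
                           if report[r] not in VALID_VERDICTS))
    unknown = tuple(sorted(reported - set(catalogue)))
    failed = tuple(sorted(r for r in required if report.get(r) == "Fail"))
    return Result(level, missing, invalid, unknown, failed)


# Constructed sample: every L1 item has a verdict, no L2 item does.
REPORT_L1_ONLY = """
V2.1.1,Pass
V5.3.4,Pass
"""

# Constructed sample: an L2 report that drops a requirement and uses a
# verdict outside the three allowed values.
REPORT_SLOPPY = """
V2.1.1,Pass
V5.3.4,Partial
V1.1.1,Pass
"""


def describe(result: Result) -> str:
    status = "compliant" if result.compliant else ("complete" if result.complete else "incomplete")
    return (f"L{result.level}: {status}; missing={list(result.missing)} "
            f"invalid={list(result.invalid)} failed={list(result.failed)} "
            f"unknown={list(result.unknown)}")


if __name__ == "__main__":
    print(describe(check_report(1, parse_report(REPORT_L1_ONLY))))
    print(describe(check_report(2, parse_report(REPORT_L1_ONLY))))
    print(describe(check_report(2, parse_report(REPORT_SLOPPY))))
```

The distinction between `complete` and `compliant` mirrors the article's point: an application can honestly be called ASVS-audited at a level only when `complete` holds for that level, and called compliant only when nothing required failed. A report that is complete at L1 but not at L2 supports an L1 claim only, regardless of how the engagement was labelled.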
Following the standard in every aspect of ASVS testing produces a more comprehensive result and ensures that the application’s security has been verified in all required areas. The audit can then be presented as evidence, for example to one’s customers, without qualification, and the security risks have genuinely been reviewed and minimized.