The ASVS: a “must use” for every tester and developer
Sep18
The Application Security Verification Standard (ASVS) is a standard that every tester and developer must read! A tester or developer has to use parts of it in their daily routine. Let me explain what the ASVS is and why you should use it.
The ASVS is developed in the OWASP community http://owasp.org/. OWASP is a worldwide and open community, and that's why this standard is open and free to use. The first version of this standard was published in 2008 as a result of the OWASP Summer of Code (for those who don't know what OWASP stands for, please open the first link).
“ASVS defines four levels of Web application security verification.”

Because the ASVS is an open standard, all organizations and development teams can use it to improve their Secure Development Lifecycle process and to verify the security of their applications in more detail. By adopting this standard, all organisations get a common method to verify their “level” of security.
The Standard has four different levels, and each higher level includes the checkpoints of the lower ones plus its own. The lowest two levels (levels 1 and 2) are both divided into two parts: part A and part B. For both levels, part A covers the dynamic vulnerability scan and part B covers the static source code part of the testing. Each step up in level is also an increase in the depth and breadth of the verifications. The levels are complementary to each other.
To accomplish a level you have to fulfil the checkpoints of both part A and part B. This is a strong element of the ASVS: you can't get good insight into the quality if you only focus on the dynamic or only on the static part!
“The relation between dynamic and static scanning is like the relation between a car and its engine. A car without an engine is useless for its purpose, and an engine without a car isn't very useful either.”
The list of verifications has 14 main requirements. Each requirement has roughly 10 verification points. To reach a higher level you have to fulfil all the checks of that level. If you miss even one verification point in a level, you haven't completed that level and are still on the lower one.
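As an added illustration of the level rules above (example code written for this page, not part of the post or of the ASVS itself), the following Python computes the level an application has reached from a set of verification results: levels are cumulative, levels 1 and 2 each need both part A and part B assessed and fully passed, and a single failed check leaves the application on the level below. The check labels and outcomes are constructed sample data, not real ASVS requirement numbers.

```python
"""Evaluate which ASVS level an application has reached from verification
results, following the rules described in the post. Illustrative code; the
check identifiers below are constructed labels, not ASVS requirement IDs."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Check:
    level: int            # ASVS level the check belongs to (1-4)
    part: Optional[str]   # "A" (dynamic) or "B" (static) for levels 1-2, None above
    check_id: str         # constructed label, not a real ASVS requirement number
    passed: bool


def failures_for_level(checks: Iterable[Check], level: int) -> list[str]:
    """Return the reasons a level is not complete: failed checks, parts of
    levels 1/2 that were never assessed, or a level with no results at all."""
    own = [c for c in checks if c.level == level]
    if not own:
        return [f"level {level} not assessed"]
    failed = [c.check_id for c in own if not c.passed]
    if level in (1, 2):
        # Both the dynamic (A) and static (B) part must have been exercised.
        for part in ("A", "B"):
            if not any(c.part == part for c in own):
                failed.append(f"level {level} part {part} not assessed")
    return failed


def achieved_level(checks: Iterable[Check]) -> int:
    """Highest level at which that level and every lower level pass completely."""
    checks = list(checks)
    reached = 0
    for level in (1, 2, 3, 4):
        if failures_for_level(checks, level):
            break  # one miss at this level: the application stays on the level below
        reached = level
    return reached


# Constructed sample results: level 1 complete, level 2 missing one static check.
SAMPLE_RESULTS = [
    Check(1, "A", "L1-A-1", True),
    Check(1, "A", "L1-A-2", True),
    Check(1, "B", "L1-B-1", True),
    Check(2, "A", "L2-A-1", True),
    Check(2, "B", "L2-B-1", True),
    Check(2, "B", "L2-B-2", False),  # the single miss that blocks level 2
    Check(3, None, "L3-1", True),
]


if __name__ == "__main__":
    print("achieved level:", achieved_level(SAMPLE_RESULTS))
    for lvl in (1, 2, 3, 4):
        print(f"level {lvl} blockers:", failures_for_level(SAMPLE_RESULTS, lvl))
```

Running the sample shows the application stuck on level 1 because of one failed level-2 part B check; marking every check as passed lifts it to level 3, with level 4 reported as not assessed.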
What should you do with all this if you're a tester?
- Read the Standard to broaden your vision.
- Learn from the Standard to make your test cases and development process more complete.
- Get inspiration to find specific defects in your application.
- Gain insight into an important quality attribute: security.
If you need some “sales” material, use this link.
If you need some background information on how to use and implement it, use this link.
If you want to read the complete ASVS, it is free to download here.

Here is a figure that describes the relation between the ASVS level and the skills and knowledge needed to use it. As you can see, the higher levels demand more knowledge and skills. That means a developer or tester needs experience to accomplish the higher levels.
“Reaching higher levels is like gaming: you have to do it often to gain skills and learn the right tricks to validate or build the right aspects.”
September 10th, 2010 at 22:38