Bishop Fox named “Leader” in 2024 GigaOm Radar for Attack Surface Management. Read the Report ›

Bishop Fox to Present at OWASP AppSec Israel

Tuesday, May 16 & Wednesday May 17
Pavilion 10 of the The Tel Aviv Expo, in central Tel Aviv, Israel
OWASP AppSec Israel 2023 on black and purple background.

Join us at the 2023 OWASP AppSec Israel conference at The Tel Aviv Expo, in central Tel Aviv, Israel. Bishop Fox Security Consultant III Shanni Prutchi will present her session, "ASVS Testing: You Keep Saying Those Words" on Wednesday, May 17 at 10:45 a.m. IDT. 

"ASVS Testing: You Keep Saying Those Words"

As the OWASP Application Security Verification Standard (ASVS) grows in popularity, more companies are exploring it to assess the security of their web applications against the verification requirements outlined. Although the standard itself claims that all the requirements can be verified through penetration testing, source code, system configuration, documentation, and access to application developers, some companies are not willing to accept documentation and attestation by developers as legitimate evidence for verification, as the veracity of their claims is not guaranteed. However, these companies are not aware of the extensive access necessary to truly test against all the standard’s verification requirements, and they are not to blame. In fact, the ASVS does not clearly communicate the exact access necessary for testing applications against level two and level three requirements.

The presentation will cover an analysis of the entire 286 verification requirements listed in the standard to identify the exact access necessary to accurately verify each one. While almost all level one requirements can, by definition, be verified by penetration testing, level two and level three requirements require a mix of penetration testing, documentation, and access to infrastructure, such as logging systems, CI/CD pipelines, and server configuration. Not only will this newly outlined detail assist in the generation of test cases, but it will also provide context to the companies who request testing against the ASVS.

Shanni P Headshot

About the speaker, Shanni Prutchi

Security Consultant III

Shanni Prutchi is a Security Consultant III at Bishop Fox focused on threat modeling, architecture security assessments, and application penetration testing. She graduated from Rowan University in New Jersey with a B.A. in Computing and Informatics and completed student research projects building smart contracts and calculating return on security investments (ROSI). She holds CompTIA Security+, PenTest+, and Associate of (ISC)² CSSLP certifications. In her free time she enjoys visiting museums, public speaking, and baking delicious sweets.

More by Shanni

Ready to get started? We can help.

Contact Us

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.