Join us at the 2023 OWASP AppSec Israel conference at The Tel Aviv Expo, in central Tel Aviv, Israel. Bishop Fox Security Consultant III Shanni Prutchi will present her session, "ASVS Testing: You Keep Saying Those Words" on Wednesday, May 17 at 10:45 a.m. IDT.
"ASVS Testing: You Keep Saying Those Words"
As the OWASP Application Security Verification Standard (ASVS) grows in popularity, more companies are exploring it to assess the security of their web applications against the verification requirements it outlines. Although the standard itself claims that all the requirements can be verified through penetration testing, source code, system configuration, documentation, and access to application developers, some companies are not willing to accept documentation and attestation by developers as legitimate evidence for verification, since the veracity of such claims is not guaranteed. However, these companies are not aware of the extensive access necessary to truly test against all of the standard's verification requirements, and they are not to blame: the ASVS does not clearly communicate the exact access necessary for testing applications against level two and level three requirements.
The presentation will cover an analysis of all 286 verification requirements listed in the standard to identify the exact access necessary to accurately verify each one. While almost all level one requirements can, by definition, be verified by penetration testing, level two and level three requirements require a mix of penetration testing, documentation, and access to infrastructure, such as logging systems, CI/CD pipelines, and server configuration. Not only will this newly outlined detail assist in the generation of test cases, but it will also provide context to the companies that request testing against the ASVS.