OWASP ASVS Demystified: A Practical Guide to Web Application Security Testing

In this technical guide, offensive security expert Shanni Prutchi analyzes all 278 verification requirements in the OWASP ASVS standard to assist in generating test cases and to provide context for companies looking to test their applications against the standard.

As the OWASP Application Security Verification Standard (ASVS) grows in popularity, more companies are exploring it to assess the security of their web applications against the verification requirements outlined.

However, the ASVS does not offer guidance on resources or test cases for each of its verification requirements. This is understandable, as the standard is not intended only for testing, and the level of assurance required by each target will differ. To address this gap, this technical guide analyzes all 278 verification requirements in the standard to identify the exact access necessary to verify each one accurately. While almost all level one requirements can, by definition, be verified by penetration testing, level two and level three requirements require a mix of penetration testing, documentation, and access to infrastructure such as logging systems, CI/CD pipelines, and server configuration.

Our aim is that the guide will both assist in generating test cases and provide context for companies looking to test their applications against the ASVS.

About the author, Shanni Prutchi

Security Consultant III

Shanni Prutchi is a Security Consultant III at Bishop Fox focused on threat modeling, architecture security assessments, and application penetration testing. She graduated from Rowan University in New Jersey with a B.A. in Computing and Informatics and completed student research projects building smart contracts and calculating return on security investments (ROSI). She holds CompTIA Security+, PenTest+, and Associate of (ISC)² CSSLP certifications. In her free time she enjoys visiting museums, public speaking, and baking delicious sweets.