OWASP ASVS Demystified: A Practical Guide to Web Application Security Testing
In this technical guide, offensive security expert Shanni Prutchi analyses all 278 verification requirements in OWASP's ASVS standard to assist in the generation of test cases and to give context to companies looking to test their applications against the standard.
As the OWASP Application Security Verification Standard (ASVS) grows in popularity, more companies are exploring it to assess the security of their web applications against the verification requirements it outlines.
However, the ASVS does not offer guidance on resources or test cases for each of its verification requirements. This is understandable, as the standard is not intended solely for testing, and the level of assurance required by each target will differ. To fill this gap, this technical guide analyses all 278 verification requirements in the standard to identify the exact access needed to verify each one accurately. While almost all level one requirements can, by definition, be verified by penetration testing, level two and level three requirements require a mix of penetration testing, documentation review, and access to infrastructure such as logging systems, CI/CD pipelines, and server configuration.
Our aim is for the guide both to assist in the generation of test cases and to give context to companies looking to test their applications against the ASVS.