OWASP's less well known, but immensely useful, Application Security Verification Standard (ASVS) for web applications has been updated and a beta version was released just prior to AppSec EU last month.
The ASVS Web Application Standard 2013 defines a set of technical controls for applications that should be verified as part of security testing processes. They are primarily application controls but also include relevant ones in the host environment. The document describes three use cases — for application certification, for alignment of testing methodology and for selection of external suppliers.
The number of requirement classes has been expanded to 13, and they now cover:
- Session management
- Access control
- Input validation
- Cryptography at rest
- Error handling and logging
- Data protection
- Malicious controls
- Business logic
- Files and resources
Each class includes around 10-20 specific requirements. The new sections, together with the re-allocation of some requirements, mean that the numbering has changed significantly; the cross-referencing will be important for those already using the ASVS Web Application Standard 2009.
Not all the requirements need to be achieved for every application. The choice can clearly be organisation-specific, based on its own risk assessment, but the document describes four levels of verification, each successive level increasing the number of mandatory requirements.
The project team, primarily Andrew van der Stock, Sahba Kazerooni, Daniel Cuthbert, and Krishna Raja, are working on gathering feedback from the community, creating use-case examples, and mapping to other OWASP projects such as the upcoming new Developer and Testing Guides.
Please help by providing your own ideas to finalise the beta release via the project's mailing list.