Niall is a product & service security development lifecycle coach, advocate & awareness disseminator. He is also a passionate implementer of quality and best practices.
OWASP Application Security Verification Standard (ASVS) is an industry-respected open-source framework of security requirements that MUST be incorporated when designing, developing, testing and deploying modern web applications for digitalised environments. It provides the security verification requirements to address your defined security questions.
OWASP ASVS Level 2 ensures that business-level security controls are in place, are effective, and are used by business-critical applications to defend against vulnerabilities and against attacks. Security threats to Level 2 applications will typically be by skilled and motivated attackers who focus on specific targets using tools and techniques that are highly practised and effective at discovering and exploiting weaknesses within applications.
The objective is that applications are secure-by-design and secure-by-default.
Secure Design is King
OWASP ASVS requirements should be applied as a customisable security blueprint for selecting the security requirements relevant to the potential threats identified against business entry points, gateways, critical assets and credentials. The OWASP Top 10 provides a starting-point high-level summary of the very minimum security coverage required.
Bake The Security In
For each application, the applicable OWASP ASVS requirements should be pinpointed during feature design and epic and story planning, so that the required security controls are part of development from the outset.
How to start
The development team scrutinises the intended application or service design using the defined security questions as a guideline. This identifies the entry points, boundaries, components and interconnections that are security-relevant.
The application team can then use the OWASP Application Security Verification Standard (ASVS) requirements to produce security epics and stories that can be managed as Jira tickets.
Do not expect perfection from the beginning – getting security right is difficult and it is a learning-by-doing experience – but doing secure design and development in a structured and traceable way using industry-respected methods and materials is already a good start.