The OWASP Application Security Verification Standard (ASVS) is an open standard that defines the scope of coverage and the level of rigor applied when performing web application security verification. It specifies requirements for web applications, services and their environments in the form of technical security controls, and establishes a level of confidence that those controls are in place. The security requirements are organized into subsets that form three levels: the more secure an application must be, the higher the level required, and the more controls are therefore applied. For a given compliance level, the security requirements are defined unambiguously. But how does one determine the appropriate OWASP ASVS level for a given web application? This talk discusses the answer to that question and the potential pitfalls along the way.
OWASP ASVS was taken as the basis for a web application security testing methodology used to provide Non-functional Testing as a Service (NFTaaS), both internally at EVRY and for external customers, particularly within financial services. The key features of this security testing approach are presented, together with how they correlate with PCI DSS requirements. The transition from the theoretical approach to real-world scenarios is illustrated with real examples.