CREST OVS Web Application Assessment
CREST OVS (OWASP Verification Standard) is a new standard created by CREST that utilises the OWASP ASVS (Application Security Verification Standard) methodology. This methodology is an in-depth approach to assessing the overall security of an application, its underlying server, and its operating system. This standard should be utilised by security-mature companies that have performed standard penetration tests against their applications and are looking to understand the overall security of their applications, as opposed to their remote threat landscape.
Understand Your Business's Overall Application Security
What is the difference between a Penetration Test and a CREST OVS Web App Assessment?
A typical application penetration test is designed to assess the security of an application from a remote threat actor’s point of view, looking for any vulnerabilities that can be exploited without having access to the source code, underlying operating system, or detailed documentation.
A CREST OVS web application assessment covers the remote security of an application, but it also focuses on the underlying operating system and user accounts, and examines technical documentation and internal processes to ensure these are up to a high standard.
For example, the consultant may require source code and detailed documentation describing each major data flow within the application. Because a large portion of the methodology consists of points that cannot be determined remotely, this type of assessment requires significantly more client interaction than a typical Penetration Test.
CREST OVS Web App Assessment has 2 levels of Testing

CREST OVS Level 1
CREST OVS level one utilises the ASVS tier one methodology, which takes an in-depth approach to assessing the overall security of an application.
At this level, no access to source code is needed, but significant client interaction and time with developers/system administrators is required.



CREST OVS Level 2
CREST OVS level two utilises the ASVS level two methodology, which takes an even more in-depth approach to application security.
It likely requires access to source code and detailed documentation, as well as a lot of client interaction.


Why Does Your Business Require a CREST OVS Web App Assessment?
Businesses should aim to achieve the CREST OVS standard once they believe that they are a security-mature organisation that has already performed penetration tests against its application(s) and wants a more in-depth assessment.


How Does the CREST OVS Web Application Assessment Work?
The service works in a similar manner to a standard penetration test. However, in addition to a URL and credentials, we will need detailed technical documentation of each major logic flow throughout the application, as well as some time booked with developers and system administrators to ask questions about the underlying server’s operating system and its user accounts.
Pentest People are accredited to CREST and UK NCSC CHECK standards and can provide infrastructure penetration testing against all types of IT infrastructure used within your organisation.
The service would be delivered as part of the Pentest People Penetration Testing as a Service (PTaaS), and full access to the SecurePortal and other complementary tools would be provided.
The CREST OVS Service allows access to SecurePortal
Digital Report
Until now, the traditional deliverable from a Penetration Testing engagement has been a lengthy 100+ page PDF report.
Pentest People have developed a solution to this issue where you interact with your vulnerabilities within the SecurePortal.
Vulnerability Data
Constantly updated vulnerability information to stay in touch with the emerging threat landscape.
Receive overview and trend data of all of the current security issues you face in your organisation, all viewable on an interactive dashboard.
Skilled Consultants
Rest assured that your CREST OVS assessments are performed by qualified Security Consultants.
Our specialised team of security consultants hold industry qualifications such as CHECK Team Member & Team Leader, CCIE, CISSP and CEH.