OWASP Verification Standard: Application Security and Standards

At the beginning of August, CREST partnered with OWASP to release the OWASP Verification Standard (OVS), which is designed to formalise and expand on OWASP’s existing work on application security and their own security standards, including their Top 10 Project.

OWASP has existed since December 2001 and has been supporting penetration testers and developers alike ever since with tens of thousands of participants. CREST, on the other hand, were founded in 2006 and have since grown into an organisation with just under 300 members.

What’s New?

The OVS covers both web and mobile application testing, using the respective OWASP standards as a baseline. It serves as a measure to clients looking for penetration testing companies that those companies are able to deliver the Application Security Verification Standard (ASVS) and the Mobile Application Security Verification Standard (MASVS) to CREST standards.

In order to apply, companies must be an existing member of CREST’s organisation, having demonstrated their penetration testing capabilities and signed the Code of Conduct, followed by an assessment specific to the OVS. This provides assurance to client organisations that they are receiving a high standard of service, and we are pleased to confirm that we are already in the process of applying to become a member of the standard.

There is a tiered approach to the standard, with Level 1 and Level 2 accreditations possible, the latter being more rigorous and in-depth. While level 1 can be considered a standard baseline, level 2 requires input from multiple sources beyond a simple penetration test, including discussions with developers and source code review. A level 3 exists to cover those organisations that require the highest level of assurance.

The OVS recognises that there isn’t a one-size-fits-all approach for all organisations, and empowers accredited organisations to decide what the correct level should be during the scoping phase of any engagement. The OVS does provide some baseline signposting for organisations, where industries such as healthcare or financial services are considered to require a higher level of security than retail.

The OWASP ASVS is currently on version 4.0.3, released in October 2021, and covers 14 key areas of application security, including session management, input validation and data storage to name a few. It is designed using a checklist approach, providing a clear and succinct methodology to completing an assessment, regarding of the required tier. Level 1 is designed to be completable via a penetration test, while later tiers require a hybrid of testing and input from developers.

Similarly, the MASVS standard sits at version 1.4.2 (released January 2022), and encompasses 8 areas of mobile security, such as code quality, platform interaction and cryptography. It also uses a checklist approach, although has two main tiers rather than three. This standard focuses on the client-side mobile application, rather than remote web services, so it may require some elements of the ASVS in order to be considered a comprehensive assessment.

Both standards have been developed and refined over several years, with contributions from a variety of sources and cyber security professionals. This information has been assessed and combined into these standards, which are reviewed on a regular basis and updates made as necessary, to ensure that the standards reflect the latest cyber security trends.  

Conclusion

The OVS sets a new benchmark within cyber security, ensuring that penetration testing consultancies can demonstrate their abilities in web and mobile application security assessments, while client organisations can be confident they are receiving a comprehensive test of their applications.

While consultancy organisations have incorporated OWASP’s standards and frameworks into their methodologies for many years, the new partnership with CREST formalises this procedure and ensures a consistent and measurable standard for the future.

For more information on our Penetration Testing Services, click here.

Check out some of our OWASP blogs on our Pentest People website.

‍