What is penetration testing? The basics of pentesting
A complete guide to penetration testing - from the basics to advanced techniques.
Read more →The Application Security Verification Standard (ASVS) is one of the most important OWASP standards, defining a framework for verifying the security of web applications. In this article you will learn how the OWASP ASVS methodology is used in professional penetration testing and why it is crucial for the security of your application.
The OWASP Application Security Verification Standard (ASVS) is a security framework that provides a basis for testing web application security controls and supplies developers with a list of requirements for secure application development.
Unlike the OWASP Top 10, which focuses on the most critical application security threats, ASVS offers a comprehensive catalog of security controls organized into functional categories.
"ASVS is not a checklist of vulnerabilities to verify, but a comprehensive standard for verifying the security of web applications" - OWASP Foundation
OWASP ASVS defines three verification levels, each corresponding to different security needs and risk levels:
A baseline level of protection for applications with low security risk. It contains 43 controls focused on:
A medium level of protection for applications handling sensitive data. It contains 59 L1 controls plus an additional 62 controls covering:
The highest level of protection for highly critical applications. It contains all L1 and L2 controls plus an additional 26 controls:
Penetration tests based on the OWASP ASVS methodology differ significantly from standard pentests. Here is how the professional process unfolds:
Instead of chaotically hunting for vulnerabilities, an ASVS pentest proceeds systematically through each control category:
Testing techniques: Brute force, credential stuffing, multi-factor bypass
Tools: Hydra, Burp Suite, Postman
Testing techniques: Horizontal/Vertical privilege escalation, IDOR
Tools: Burp Suite, AuthMatrix, OWASP ZAP
Testing techniques: SQL injection, XSS, XXE, deserialization
Tools: SQLMap, XSStrike, Burp Suite
Testing techniques: GraphQL testing, REST API abuse, rate limiting
Tools: Postman, GraphQL Voyager, APISecurityTest
An ASVS pentest report includes a detailed compliance matrix showing the status of each control:
Based on our experience at SEC4CHECK, here are the most frequently occurring weaknesses across individual ASVS categories:
The most common problems are a lack of rate limiting and improper password management:
Insecure Direct Object Reference (IDOR) is the most common vulnerability in this category:
The most common problems are improper input validation leading to injection attacks.
Choosing a pentesting company that applies the OWASP ASVS methodology is crucial for the quality and completeness of security testing. Here is why:
Companies that do not apply ASVS often perform "ad-hoc" tests, checking only the basic vulnerabilities from the OWASP Top 10. ASVS guarantees a systematic pass through every aspect of application security.
ASVS is recognized by organizations such as:
A detailed compliance matrix with concrete remediation recommendations
Clear definition of remediation priorities in line with the ASVS levels
The ability to track security improvements across subsequent tests
Optimizing security investments by focusing on the most important controls
If you are planning to commission penetration tests based on OWASP ASVS, here is a step-by-step guide on how to prepare:
The OWASP ASVS methodology is the gold standard in web application penetration testing. It provides a systematic, comprehensive and measurable approach to security verification that far surpasses traditional tests based on the OWASP Top 10 alone.
By choosing a pentesting company that applies ASVS, you invest in:
At SEC4CHECK we specialize in penetration testing based on the OWASP ASVS methodology. Our team of experts will help you identify and eliminate vulnerabilities in line with the highest industry standards.
Contact us