Background
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.
The standard defines three assurance levels (1, 2 and 3), each with increasing rigour and its own list of security requirements.
OWASP states that it "does not currently certify any vendors, verifiers or software". The ASVS standard also states that:
It is not possible to fully complete ASVS verification using automated penetration testing tools alone. Whilst a large majority of requirements in L1 can be performed using automated tests, the overall majority of requirements are not amenable to automated penetration testing.
and that whilst
The use of automated penetration testing tools is encouraged to provide as much coverage as possible... Automated tools and online scans are unable to complete more than half of the ASVS without human assistance
Answer
AppCheck can therefore be considered an appropriate control against several of the OWASP ASVS requirements at levels 1-3, but it could not be used as the sole listed control against all requirements. It would need to be implemented alongside source code review, SAST tooling, security architecture reviews, peer code review, and unit and integration testing.