We've rebranded! Find out more about our rebrand to LRQA Nettitude here
Select Page


The Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS) is a set of requirements that developers and security testers can use to ensure an application meets current security best practices.

This is most often applied to web applications, although it can also be applied to other types of applications.

What are the different levels of the Application Security Verification Standard?

You can find the official ASVS documentation here: https://owasp.org/www-project-application-security-verification-standard/

ASVS is divided into three levels. All levels include an assessment against a set of defined security requirements. From a penetration testing perspective, the levels are as follows:

ASVS Level 1:

  • Aligns to a standard penetration testing methodology.
  • All requirements can be assessed through interactions with the application.

ASVS Level 2:

  • According to OWASP, this should apply to most applications.
  • ASVS Level 2 goes into greater depth. It involves a review of the development and security processes that would not be covered by a standard penetration test.
  • It requires a collaborative review. This will involve close communication with developers and infrastructure owners.

ASVS Level 3:

  • This is for critical applications e.g. military, CNI, online banking, etc.
  • In addition to the elements included in Levels 1 and 2, an in-depth analysis of coding and system architecture is also included.
  • This level provides maximum assurance and requires significant inputs from both the assessing team and the application team.

All three of these levels are cumulative; each level also includes the elements mentioned below.

In our experience, most applications do not even meet OWASP ASVS Level 1 assurance. At LRQA Nettitude, we can help your application team change that by getting your application to an appropriate cybersecurity posture.

What do the different levels of ASVS assessments include?

ASVS Level 1:

An ASVS Level 1 assessment provides assurance that an application meets the expected set of security requirements identified during development. This can provide businesses with a clear understanding of their current security posture, offering the development team-specific direction for improvement if requirements have not been met.

While all checks for this level are performed as part of a standard penetration test, in an ASVS Level 1 assessment, the results are documented for each of the specified security requirements. This allows simple and accurate tracking of whether requirements have been met.

ASVS Level 2:

An ASVS Level 2 assessment goes much more in-depth than a Level 1 assessment. Although it offers the same benefit of being able to clearly assess specific security requirements set out during development, this type of assessment will provide a greater level of security analysis. It will also include reviewing development and maintenance processes, along with the internal configuration of the application.

This type of assessment requires real-time communication with the development team.

ASVS Level 3:

An ASVS Level 3 assessment is typically only recommended for critical applications. It includes a review of all Level 2 requirements, as well as an assessment of more stringent security controls that wouldn’t generally be included for standard applications.

Unsure which level of Application Security Verification Standard is right for you?

Understanding what level of OWASP ASVS is right for your application is a key step to ensuring you are achieving the right security assurance for your organisation.

Our expert team are available to help discuss your business and application requirements and suggest an approach that is right for you.

Get a free quote