Since 1999

ASVS & MASVS Code Reviews (for OWASP Compliance)

Overview

The Application Security Verification Standard (ASVS) and its mobile counterpart, the Mobile Application Security Verification Standard (MASVS), are two review methodologies published by the Open Web Application Security Project (OWASP), a membership organization whose mission is to provide educational content and standards free to the public in order to improve everyone’s security.

These standards provide a free and open methodology to systematically assess the security posture of your custom web application, web API, mobile application, and (with some adjustments) desktop native applications.

Standards

The ASVS standard is split into fourteen domains, or areas of concern. The mobile variant MASVS has fewer domains, with some overlap but key differences.

Web (ASVS) Domains:

  1. Architecture, Design, and Threat Modeling: Focuses on embedding security considerations from the initial stages of development.
  2. Authentication: Ensuring users are who they claim to be through secure login mechanisms.
  3. Session Management: Protecting user sessions from hijacking and unauthorized access.
  4. Access Control: Restricting user access to only the functionalities and data they are authorized to view or modify.
  5. Validation, Sanitization, and Encoding: Preventing common injection flaws by properly handling user input.
  6. Stored Cryptography: Ensuring sensitive data is securely encrypted at rest.
  7. Error Handling and Logging: Implementing secure error handling and comprehensive logging for security monitoring and incident response.
  8. Data Protection: Protecting data in transit and at rest through various security measures.
  9. Communications: Securing communication channels using protocols like TLS/SSL.
  10. Malicious Code: Preventing the introduction and execution of malicious code.
  11. Business Logic: Identifying and mitigating security vulnerabilities within the application’s core functionality.
  12. Files and Resources: Securing access to application files and resources.
  13. API and Web Services: Ensuring the security of your application programming interfaces and web services.
  14. Configuration: Properly configuring security-related settings for the application and its environment.

Mobile (MASVS) Domains:

  1. Architecture, Design and Threat Modeling
  2. Data Storage and Privacy
  3. Cryptography
  4. Authentication and Session Management
  5. Network Communication
  6. Platform Interaction
  7. Code Quality and Build Setting
  8. Resilience

Review Service

The Rietta team has a proven process to thoroughly review your application source code and how it is deployed to help you understand your alignment with these important open ASVS or MASVS standards. We work with your team to understand your needs and produce a detailed report including actionable recommendations on how to address any gaps. Importantly, we understand how to tailor the standards to your specific context by excluding requirements that are not applicable to your situation, ensuring an efficient and effective review. Our process typically involves an initial consultation, source code analysis (and dynamic testing where relevant), a detailed findings report, and collaboration on remediation strategies.

Our clients have successfully satisfied their third-party audit requirements in regulated industries by utilizing our service. Our CEO, Frank Rietta, a life member of OWASP with extensive experience in application security, will provide signed attestation letters or bridge letters as appropriate to help address concerns that your stakeholders may have.

Not Authorized by OWASP

Please note that OWASP does not accredit or authorize specific companies to conduct ASVS or MASVS assessments. Our use of their mark on this page is for fair use only to clearly identify the standard that we follow. You are free to read and follow these standards on your own or use any consultant or contractor of your choice.

Frank Rietta is a life member of OWASP, believes strongly in its mission, and supports the local chapter organization.

Next Steps

If you'd like to discuss your specific requirements, feel free to schedule a free consultation. We'll provide detailed information about our services and tailor a plan to meet your unique needs. You can reach us at our Atlanta office: +1 (770) 623-2059.
