Why We Use the OWASP ASVS for Web Application Testing

When most people think of a web application pentest, they think of finding the big stuff: SQL injection, broken access controls, session hijacking — the high-impact vulnerabilities that grab attention.

And yes, we absolutely find and report those.

But if your test is only looking for what’s broken — and not how well things are built — you’re missing a lot of the value.

That’s why at Asteros, we base our web application assessments on the OWASP Application Security Verification Standard (ASVS). It gives structure to the test, helps ensure full coverage, and shows your team where things are strong and where there’s room to improve.

What Does ASVS Cover?

The ASVS is a comprehensive framework — but here’s a peek at some of the key areas we test during every application assessment:

🔐 Authentication and Session Management

We test whether login, password reset, MFA, and session handling are implemented securely and predictably.

Examples:

  • Can we bypass authentication using forgotten password flows?
  • Does the session stay valid after logout?
  • Are session cookies missing HttpOnly, Secure, or SameSite attributes? If so, is there a reason behind it? Can it be exploited or make a vulnerability worse?
  • Is MFA enforced consistently across auth flows?

Even if login works, ASVS helps us evaluate how resilient it is to tampering, hijacking, or misuse.
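As an added illustration of the session-cookie check in the list above (this is example code written for this post, not Asteros tooling or the ASVS itself), the function below parses a Set-Cookie header and reports which of the HttpOnly, Secure and SameSite attributes are absent or inconsistently combined. The sample headers are constructed.

```python
from typing import Dict, List

# Constructed sample Set-Cookie values: one hardened, three with common omissions.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; HttpOnly; Secure; SameSite=Strict",
    "legacy=xyz; Path=/",
    "csrf=tok; Path=/; Secure; SameSite=None",
    "track=1; SameSite=None",
]


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Return the cookie name plus a lower-cased attribute map for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {"_name": name}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        # Flag attributes (HttpOnly, Secure) have no value; keep them as empty strings.
        attrs[key.strip().lower()] = value.strip()
    return attrs


def audit_cookie(header: str) -> List[str]:
    """List the findings a reviewer would raise for a session cookie header."""
    attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by page scripts")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie also sent over plaintext HTTP")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite: behaviour depends on browser default")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: browsers reject or ignore the cookie")
    return findings


def audit_all(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its findings, so a report can list only the problem cookies."""
    return {parse_set_cookie(h)["_name"]: audit_cookie(h) for h in headers}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_HEADERS).items():
        print(name, "->", findings or ["ok"])
```

Whether a missing attribute is a finding still depends on the cookie's purpose, which is why the checklist above asks for the reason behind it before rating severity.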


🔓 Access Controls

Access control issues are among the most impactful — and most commonly overlooked.

Examples:

  • Can a regular user access admin-only endpoints by modifying parameters or headers?
  • Can one user view or modify another’s data by guessing an ID or URL pattern?
  • Is access enforced on the server, or just hidden in the UI?

We check horizontal and vertical access controls across roles, resources, and sensitive functions.


🔐 Cryptographic Practices

Encryption is often misunderstood. We don’t just check if crypto exists — we look at how it’s used.

Examples:

  • Are outdated TLS protocols or weak ciphers still in use? What are the latest recommendations?
  • Is JWT signing being done correctly?

We verify that encryption is configured securely and applied in the right places.


⚠️ Error Handling and Logging

Applications should fail safely — not give attackers hints or sensitive information.

Examples:

  • Do error messages reveal stack traces, database names, or internal logic?
  • Can we trigger verbose debug output through crafted inputs?
  • Is sensitive data like passwords, tokens, or PII/PHI being logged in plaintext?

These might not always be direct vulnerabilities — but they can make an attacker’s job way easier.


🔗 API Security

Many modern apps are mostly API-driven. We treat the backend like a first-class attack surface.

Examples:

  • Can we tamper with JSON or GraphQL requests to access other users’ data?
  • Are unauthenticated API routes exposing sensitive information?
  • Is rate limiting in place to prevent brute force or abuse?

We look at the full request/response lifecycle, not just the UI.


🧠 Business Logic and Other Risks

Some of the most damaging issues aren’t technical flaws — they’re logic flaws.

Examples:

  • Can a user cancel an order after receiving a refund?
  • Can someone game the system to apply multiple promo codes at once?
  • Does a user get elevated privileges through an overlooked onboarding flow?

These require human insight and a deep understanding of the app — which ASVS helps us build during testing.


What This Means for You

Using ASVS helps ensure:

  • We don’t miss critical controls or edge cases
  • You get visibility into what’s working — not just what’s broken
  • Your team walks away with actionable, prioritized findings — even if no major vulns are found
  • Your app is evaluated against a trusted industry standard — not just a vague mental checklist

And because ASVS is structured, your report supports compliance frameworks like SOC 2 and PCI-DSS, while still being readable and useful for your developers.

Bottom Line: ASVS Makes the Pentest More Valuable

Whether your app is full of security issues or already pretty solid, an ASVS-driven test gives you more than a vulnerability list — it gives you a real picture of your security posture, grounded in best practices.

If you’re building something real, you deserve a test that goes deeper than surface-level scans.

If that’s what you’re looking for, let’s chat 👇