OWASP ASVS

The Application Security Verification Standard (ASVS) is an OWASP standard that defines levels of security verification for applications. At Haxoris, we use ASVS as a framework for penetration testing of web and mobile applications.

ASVS provides clear, testable requirements for application security controls across authentication, access control, data protection, and more. It is widely adopted as a security verification framework that improves consistency and depth of security testing.

The ASVS standard is divided into three levels – from basic security to advanced requirements for critical systems:

  • Level 1: Basic security level suitable for public applications without sensitive data.
  • Level 2: Standard level for applications that process personal or internal data.
  • Level 3: The highest level of security intended for high-risk applications – e.g., in healthcare, finance, or critical infrastructure.

When do we use ASVS?

We use ASVS primarily during penetration tests of applications that require compliance with regulations such as GDPR, PCI-DSS, or NIS2. Thanks to its tiered structure, we can tailor the scope of testing based on the risk level of the environment.

  • During development of internal tools for processing sensitive data
  • For applications with multi-level authentication and authorization
  • When testing applications deployed in regulated sectors

Benefits of using OWASP ASVS

  • Clearly defined security goals for each type of application
  • Ability to tailor testing based on criticality
  • Suitable for both DevSecOps and manual testing
  • Globally recognized framework used by professionals

How We Apply ASVS in Penetration Testing

  1. Define scope and target ASVS level(s) per application risk
  2. Map controls to test cases across authentication, authorization, crypto, and configuration
  3. Perform manual testing supported by vetted tools to verify controls
  4. Document evidence, risk ratings, and prioritized remediation guidance
  5. Provide a retest to validate fixes against ASVS requirements

What You Receive

  • Executive summary and scope/level alignment
  • Technical report mapped to ASVS controls with evidence
  • Actionable remediation checklist and references
  • Issue tracker export and one free retest

Why Choose Haxoris for ASVS-Based Testing?

Experience

Specialists in offensive security and application testing across sectors.

Transparency

Clear scope, consistent updates, and measurable outcomes.

Collaboration

Partnering with developers to streamline remediation and retest.

Professionalism

Ethical testing, safe handling of data, and reproducible results.

ASVS & Penetration Testing – FAQ

OWASP ASVS defines a comprehensive set of security requirements used to verify application controls at varying levels.

Level 1 for low-risk apps, Level 2 for apps handling personal or internal data, and Level 3 for high-risk or regulated environments.

We map ASVS controls to test cases, ensuring consistent, reproducible verification of application security across domains.

Executive summary, technical report mapped to ASVS controls, remediation guidance, and a retest.
