Define OWASP ASVS Level
Plain English Translation
The organization must evaluate its websites and web applications to determine the appropriate depth of security testing required. Using the OWASP Application Security Verification Standard (ASVS), the organization assigns a specific testing level (Level 1, 2, or 3) to each site based on its risk profile and data sensitivity.
Technical Implementation
Required actions are listed below by organization size (startup, scaleup, enterprise).
Required Actions (startup)
- Create a basic policy or document assigning ASVS Level 1 to all standard, public-facing informational websites.
- Ensure the assigned ASVS levels are tracked alongside the main IT asset inventory.
Required Actions (scaleup)
- Develop a matrix mapping application data types to ASVS Level 1, 2, or 3, and formalize this in the secure development policy.
- Require compliance with the defined ASVS level as a condition for deploying new applications or major updates.
Required Actions (enterprise)
- Integrate ASVS level requirements directly into the procurement process for third-party web applications.
- Automate ASVS Level 1 checks in the CI/CD pipeline and mandate manual penetration testing for Level 2 and Level 3 applications.
The OWASP Application Security Verification Standard (ASVS) provides a basis for testing web application technical security controls. Organizations use it to establish a standardized level of confidence in the security of their web applications.
Level 1 is for low-risk applications and can largely be verified via automated tools. Level 2 is for applications containing sensitive data and requires manual business logic testing. Level 3 is for critical applications, such as healthcare or financial systems, requiring advanced, in-depth verification.
Evaluate the application's risk profile, data sensitivity, and business criticality. Low-risk informational sites typically align with Level 1, while transactional sites handling sensitive user data require Level 2 or Level 3 verification. To keep decisions consistent, tools like WatchDog Security's Risk Register can link ASVS level selections to documented application risks and treatment plans.
CyberSecure Canada requires organizations to formally define the ASVS level for each of their websites to ensure that appropriate web application security testing and verification are planned and executed.
Yes, CyberSecure Canada requires that the organization defines the target ASVS level for each of their websites to ensure all public-facing assets have a determined security baseline.
Organizations should assess the types of data processed, the application's criticality to business operations, and the potential impact of a data breach. High volumes of sensitive data automatically warrant higher ASVS levels.
The chosen levels can be documented within the organization's asset inventory, a secure development policy, or a dedicated OWASP ASVS level definition document mapped to each web property. Tools like WatchDog Security's Compliance Center can also map the documented ASVS level to this control and track assessment readiness alongside supporting evidence.
Organizations should retain documentation of the defined levels, alongside security testing reports, penetration test results, and development checklists that verify the application meets the specific ASVS controls. Tools like WatchDog Security's Vulnerability Management can aggregate findings and remediation status over time, making it easier to demonstrate ongoing alignment to the defined ASVS level.
Automated scanning is generally sufficient for verifying ASVS Level 1 controls. However, Levels 2 and 3 require manual penetration testing and code reviews to validate complex business logic and access controls.
The ASVS level should be reassessed at least annually, or whenever there are significant changes to the application's functionality, the data it handles, or the overall threat landscape.
Keeping ASVS level assignments accurate across many web properties is difficult when inventories are spread across spreadsheets and tickets. Tools like WatchDog Security's Asset Inventory can centralize your website list and record each site's target ASVS level, owner, and next review date so changes don’t get missed.
Auditors typically expect to see the defined ASVS level, the rationale, and proof of testing aligned to that level (e.g., reports, findings, remediation status). Tools like WatchDog Security's Compliance Center can map this control to required evidence and track collection status, while WatchDog Security's Vulnerability Management can consolidate scan and test outputs to support repeatable audit-ready reporting.
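The level-selection and review guidance above (data sensitivity and criticality drive the level; transactional sites need at least Level 2; reassess annually or on significant change) can be encoded so that assignments are consistent and auditable. The following is an added example, not code from CyberSecure Canada, OWASP, or WatchDog Security; the data-type and criticality matrices, the sample inventory and the `example.com` owners are constructed assumptions that an organization would replace with its own secure development policy.

```python
"""Assign and track OWASP ASVS levels for an inventory of web properties.

Added example. The data-type and criticality matrices below are constructed
assumptions for illustration, not a mapping mandated by OWASP or CyberSecure Canada.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class AsvsLevel(IntEnum):
    L1 = 1  # low-risk apps; largely verifiable with automated tools
    L2 = 2  # sensitive data; manual business-logic testing required
    L3 = 3  # critical systems (e.g. health, financial); in-depth verification


# Constructed matrix: minimum level implied by each data type an app handles.
DATA_TYPE_MIN_LEVEL: Dict[str, AsvsLevel] = {
    "public": AsvsLevel.L1,
    "internal": AsvsLevel.L2,
    "pii": AsvsLevel.L2,
    "credentials": AsvsLevel.L2,
    "financial": AsvsLevel.L3,
    "health": AsvsLevel.L3,
}

# Constructed matrix: minimum level implied by business criticality.
CRITICALITY_MIN_LEVEL: Dict[str, AsvsLevel] = {
    "low": AsvsLevel.L1,
    "medium": AsvsLevel.L2,
    "high": AsvsLevel.L3,
}

REVIEW_INTERVAL = timedelta(days=365)  # reassess at least annually
AS_OF = date(2026, 2, 24)              # constructed "today" for the sample run


@dataclass
class WebAsset:
    name: str
    owner: str
    data_types: List[str]
    criticality: str
    transactional: bool                  # handles user transactions, not just content
    assigned_level: Optional[AsvsLevel] = None
    rationale: str = ""
    last_reviewed: Optional[date] = None


def recommend_level(asset: WebAsset) -> Tuple[AsvsLevel, str]:
    """Return the highest level any single factor demands, with the rationale.

    Unknown data types or criticality values raise instead of silently
    defaulting to Level 1, so a mistyped inventory entry cannot under-scope testing.
    """
    unknown = sorted(set(asset.data_types) - DATA_TYPE_MIN_LEVEL.keys())
    if unknown:
        raise ValueError(f"{asset.name}: unknown data types {unknown}")
    if asset.criticality not in CRITICALITY_MIN_LEVEL:
        raise ValueError(f"{asset.name}: unknown criticality {asset.criticality!r}")

    candidates = [(DATA_TYPE_MIN_LEVEL[dt], f"handles {dt} data") for dt in asset.data_types]
    candidates.append((CRITICALITY_MIN_LEVEL[asset.criticality],
                       f"{asset.criticality} business criticality"))
    if asset.transactional:
        candidates.append((AsvsLevel.L2, "transactional site"))

    level = max(lvl for lvl, _ in candidates)
    reasons = sorted({why for lvl, why in candidates if lvl == level})
    return level, f"Level {int(level)}: " + "; ".join(reasons)


def assign_level(asset: WebAsset, today: date) -> WebAsset:
    """Record the level, its rationale and the review date on the inventory entry."""
    asset.assigned_level, asset.rationale = recommend_level(asset)
    asset.last_reviewed = today
    return asset


def review_due(asset: WebAsset, today: date, changed: bool = False) -> bool:
    """True when the level must be (re)assessed: never assigned, a significant
    change to functionality or data, or the annual interval has elapsed."""
    if asset.assigned_level is None or asset.last_reviewed is None:
        return True
    if changed:
        return True
    return today - asset.last_reviewed >= REVIEW_INTERVAL


def overdue_assets(assets: List[WebAsset], today: date) -> List[str]:
    """Names of inventory entries whose ASVS level needs (re)assessment."""
    return [a.name for a in assets if review_due(a, today)]


# Constructed sample inventory; owners and names are placeholders.
SAMPLE_INVENTORY = [
    WebAsset("marketing-site", "comms@example.com", ["public"], "low", False),
    WebAsset("customer-portal", "appsec@example.com", ["pii", "credentials"], "medium", True),
    WebAsset("payments-api", "fin-eng@example.com", ["financial", "pii"], "high", True),
]


if __name__ == "__main__":
    for asset in SAMPLE_INVENTORY:
        assign_level(asset, AS_OF)
        print(f"{asset.name:16} owner={asset.owner:20} {asset.rationale}")
    later = AS_OF + REVIEW_INTERVAL
    print(f"overdue on {later}: {overdue_assets(SAMPLE_INVENTORY, later)}")
```

The rationale string is what an auditor asks for alongside the level itself, so it is stored on the inventory record rather than recomputed; `review_due` is the check to run on every release that changes functionality or data handling, and on a schedule for the annual reassessment.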
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-24 | WatchDog Security GRC Team | Initial publication |