Thursday, June 27 • 3:30pm - 4:15pm
Automating security test cases based on ASVS

Application security requires a systematic approach that addresses software security at every stage of the software development lifecycle. However, organizations typically struggle to create an effective improvement roadmap and end up in the rabbit hole of fixing whatever findings their security tools generate. We believe that leveraging the OWASP Application Security Verification Standard (ASVS) both as a security requirements framework and as a guide to unit and integration testing is by far the best pick in terms of ROI. By turning security requirements into “just requirements”, organizations enable a common language shared by all stakeholders involved in the SDLC.


In this study, we analyzed the complete ASVS to determine how much of it could be automated using various testing strategies. Our analysis indicates that 162 ASVS requirements (58%) can be automatically verified using unit, integration and acceptance tests. Verifiability can be augmented by another 10% with SAST, DAST and SCA tooling.


We also designed an empirical study in which we added 98 ASVS requirements to the sprint planning of a relatively large web application. We followed a security test-driven development approach: a test engineer was asked to write unit and integration tests for as many of these requirements as possible in 8 man-days. We succeeded in implementing tests for 90 ASVS requirements, which now run as part of the regression test suite on every commit.
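One way to implement the security test-driven development approach described above, as an added example that is not code from the talk or from Codific: each test is tagged with the ASVS requirement it verifies, and a runner reports which requirements the regression suite covers. The application code under test (a password policy and a session cookie builder) is hypothetical and kept minimal so the example runs offline; the requirement numbers follow ASVS 4.0 and are an assumption to be checked against the ASVS version your project pins.

```python
"""ASVS-derived regression tests (added example; not Codific's code).

The code under test is a hypothetical minimal password policy and session
cookie builder, written here so that the example runs stand-alone.
Requirement numbers follow ASVS 4.0 (assumed; check them against the ASVS
version your project pins).
"""
import http.cookies
from collections import defaultdict

# ---- hypothetical application code under test --------------------------------
MIN_PASSWORD_LENGTH = 12    # V2.1.1: at least 12 characters
MAX_PASSWORD_LENGTH = 128   # V2.1.2: at least 64 characters must be accepted


def validate_password(password: str) -> bool:
    """Accept any printable Unicode string (V2.1.4) within the length bounds."""
    return MIN_PASSWORD_LENGTH <= len(password) <= MAX_PASSWORD_LENGTH


def build_session_cookie(token: str) -> str:
    """Return the Set-Cookie value for a session token carrying the attributes
    V3.4.1 (Secure), V3.4.2 (HttpOnly), V3.4.3 (SameSite) and V3.4.4
    (__Host- prefix, which in turn requires Path=/ and no Domain) call for."""
    jar = http.cookies.SimpleCookie()
    name = "__Host-session"
    jar[name] = token
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    jar[name]["samesite"] = "Strict"
    jar[name]["path"] = "/"
    return jar[name].OutputString()


# ---- ASVS test registry: tests are traceable to requirements ------------------
_TESTS = defaultdict(list)


def asvs(requirement_id: str):
    """Tag a test with the ASVS requirement it verifies."""
    def register(fn):
        _TESTS[requirement_id].append(fn)
        return fn
    return register


@asvs("V2.1.1")
def test_minimum_length():
    assert not validate_password("a" * 11)
    assert validate_password("a" * 12)


@asvs("V2.1.2")
def test_long_passwords_accepted():
    assert validate_password("a" * 64)


@asvs("V2.1.4")
def test_spaces_and_unicode_allowed():
    assert validate_password("correct horse battery")   # spaces
    assert validate_password("\U0001F511" * 12)          # emoji


@asvs("V3.4.1")
def test_cookie_secure():
    assert "Secure" in build_session_cookie("deadbeef").split("; ")


@asvs("V3.4.2")
def test_cookie_httponly():
    assert "HttpOnly" in build_session_cookie("deadbeef").split("; ")


@asvs("V3.4.3")
def test_cookie_samesite():
    assert "SameSite=Strict" in build_session_cookie("deadbeef").split("; ")


@asvs("V3.4.4")
def test_cookie_host_prefix():
    header = build_session_cookie("deadbeef")
    assert header.startswith("__Host-session=")
    assert "Path=/" in header.split("; ") and "Domain=" not in header


def run_asvs_tests() -> dict:
    """Run every registered test; return {requirement_id: passed}.

    In CI the failing requirement IDs are what you put in the build log, so
    a red build names the ASVS requirement rather than only a test function.
    """
    results = {}
    for req_id, fns in sorted(_TESTS.items()):
        ok = True
        for fn in fns:
            try:
                fn()
            except AssertionError:
                ok = False
        results[req_id] = ok
    return results


if __name__ == "__main__":
    for req, ok in run_asvs_tests().items():
        print(f"{req}: {'verified' if ok else 'FAILED'}")
```

The decorator is the traceability hook: the set of keys in the registry is exactly the list of ASVS requirements the suite verifies, which is the number the study reports (90 of 98), and it can be diffed against the sprint backlog to show which planned requirements still lack a test.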

Our study demonstrates that leveraging ASVS to derive security test cases can create a common theme across all stages of the software development lifecycle, making security everyone’s responsibility.


Speakers
Aram Hovsepyan

CEO, Codific
I am the founder and CEO of Codific - a Flemish cybersecurity product firm. With over 15 years of experience, I have a proven track record in building complex software systems by explicitly focusing on software security. Codific’s flagship product, Videolab, is a secure multimedia...


Thursday June 27, 2024 3:30pm - 4:15pm WEST