First of all, it’s important to know that the Top 10 is an awareness document that explains the main application risks, making it perfect for education, rapid self-assessment and “quick wins”.
ASVS, on the other hand, is a comprehensive requirements framework for systematically building, testing and validating applications.

What is the OWASP Top 10?
The OWASP Top 10 is a list of the ten most common web security vulnerabilities, designed to make developers and organizations aware of the highest-priority risks to correct or monitor.
Here are the ten biggest web application risks in the 2021 version (a new version should be released in 2025):
- A01 – Faulty access controls
- A02 – Cryptography and inadequate data protection
- A03 – Injection
- A04 – Unsafe design
- A05 – Component security vulnerabilities
- A06 – Incorrect security configurations
- A07 – Weak identification and authentication
- A08 – Inadequate error handling and logging
- A09 – Data integrity check
- A10 – Client-side security
Its aim is to raise awareness and help educate people about the risks of web applications.
What is OWASP ASVS?
The Application Security Verification Standard (ASVS) provides a detailed list of technical requirements for designing, developing and verifying the security of web applications and services.
You can read my introductory post for free here: https://medium.com/@btk667/owasp-asvs-cest-quoi-9ffd3cb06ad9
It’s a structured framework, designed for testing and integration into the SDLC. The current stable version is ASVS 5.0.0.
Each requirement is identifiable and formulated in a verifiable way – practical for acceptance during code reviews, tests or an external audit.
ASVS is organized into chapters covering all aspects of web development. These include architecture, design, authentication and ID management, sessions, access control, validation/encoding, cryptography, logging and error management, data protection, communications, code integrity, business logic, files/resources, APIs and configuration.
The OWASP organization even offers Cheat Sheets to better understand and manage controls in day-to-day operations.
When to use one or the other
The Top 10 is for getting started: beginning to build a security culture by training developer teams, creating checklists and achieving quick wins in the short term.
But if we want to build more seriously, and above all validate our work methodically, we need to integrate the ASVS into the SDLC, starting with the first level and progressing as our maturity increases. Our maturity increases as the quality of our tools and procedures improves and as they become rapidly repeatable.
Effort and costs
Top 10
Low cost: training, a list and targeted corrections.
Rapid impact on basic hygiene, but beware: coverage of risks is partial and there is little fine-grained traceability.
ASVS
Greater investment: selecting requirements, adapting them to the SDLC, adding tests (automated and manual) and collecting evidence.
Reduced residual risk and a stronger demonstration of compliance for your customers and suppliers.