Expert CREST OVS application testing

Get a mature assessment of your web & mobile application security with CREST OWASP Verification Standard testing. CREST OVS aligns to OWASP ASVS & MASVS, for robust, detailed app security testing.

TRUSTED CREST OVS SERVICES

CREST approved
PEN TEST approved
Offensive Security OSCP
ISO 27001 Certified
National Cyber Security Centre Cyber Advisor
Cyber Essentials Certification
Cyber Essentials Plus Certification

Why choose Bulletproof CREST OVS pen tests?

CREST OVS Certified

Bulletproof are fully accredited to deliver certified CREST OVS security assessments

Competitive OVS Prices

Bulletproof CREST OVS prices are competitive without sacrificing our high testing quality

Level 1 & 2 Tests

Get the right assurance with CREST OVS Level 1 & Level 2 tests available for web & mobile apps

Trusted Expertise

We’re UK market leaders in security testing, cyber security, infosec, data protection & more

What is CREST OWASP Verification Standard (OVS)

CREST OWASP Verification Standard (OVS) is a security testing framework designed as a gold-standard for mature, comprehensive application security assessments for web and mobile. OVS testing provides increased levels of assurance for organisations looking for a more in-depth application security test than traditional penetration testing services.

CREST partnered with OWASP to align OVS to the existing Application Security Verification Standard (ASVS) and Mobile Application Security Verification Standard (MASVS) frameworks. This gives CREST OVS a structured and detailed approach to the very highest specifications of application security testing. OVS application testing analyses the overall security of an application, including development practices, operating systems, hosting infrastructure and more.

Who is a CREST OVS test for?

CREST OVS is for organisations which have outgrown traditional web and mobile application penetration testing and are looking for greater security assurance to match their maturity. CREST OVS security testing goes beyond examining the remote threat landscape, giving organisations a big-picture look at their overall application security.

CREST OVS application testing is for you if you are any of the following:

  • You’re a mature organisation that has well established processes
  • You already undertake regular penetration testing
  • You’re looking to improve or refine existing application development practices & processes
  • You need a higher level of application security assurance backed by industry standards

Different types of CREST OVS App Assessment

CREST OVS assessments follow the OWASP ASVS/MASVS framework, which is structured into two levels. Each level contains a set of security requirements, controls, and corresponding verification checks.

OVS Level 1

A Level 1 assessment follows ASVS/MASVS Level 1 specifications, and in addition to automatic scans and manual penetration testing activity, also requires discussion with dev teams and sysadmins, though no access to source code is needed.

OVS Level 2

A Level 2 assessment is more in-depth. In addition to everything in Level 1, it also includes a detailed documentation review, time with dev, product, security and operational departments for workshops, analysis of coding/SDLC practices, access to backend systems, source code, network and data flows, and more.

Web Applications (ASVS)

OVS ASVS Level 1

Suitable for apps needing a detailed level of security assurance. OVS Level 1 is for applications that don’t process sensitive information.

OVS ASVS Level 2

OVS Level 2 is a higher level of security assurance for apps that power business transactions or handle sensitive data, such as payment and healthcare applications.

Mobile Applications (MASVS)

OVS MASVS Level 1

Suitable for all mobile applications and meets foundational requirements of code quality, data handling, and interaction with the mobile environment.

OVS MASVS Level 2

A higher level of assurance for mobile applications that power business transactions or handle sensitive information, such as personal, finance or patient data.

OVS MASVS-R Level 1 & 2

An enhanced level of assurance for mobile applications needing verification of resilience against specific threats such as repackaging, code cracking, and more.

Benefits of CREST OVS security testing

CREST OVS security testing is a clear signpost to buyers and users that an app has been rigorously tested against a defined, comprehensive security framework.

  • Quality-assured security

    Standardised reports, open frameworks & proven processes deliver high application security assurance.

  • Get your app out to industry

    Helps engagement with app store providers & security-focussed industries, e.g. financial services

  • Support compliance

    OVS testing delivers robust criteria acceptance for multiple frameworks & meets supply chain security demand

  • Boost sales growth

    Increase customer confidence & market profile with internationally recognised & standardised testing

  • Prioritised remediations

    A smart dashboard automatically prioritises findings & built-in remediation advice helps you fix faster

  • Eliminate bias & assumptions

    CREST OVS security tests use external expertise to challenge your security assumptions & uncover bias

Get a fast CREST OVS quote

Comprehensive application security testing for high-assurance scenarios. Level 1/Level 2 ASVS & MASVS tests from a UK leader in CREST accredited penetration testing.

  • Official CREST OVS provider
  • Level 1 & 2 of ASVS/MASVS
  • Test your security maturity
  • Trusted UK provider of pen testing
  • Proven track record

CREST OVS app assessment vs penetration testing

Penetration testing is a fundamental security control that every organisation should undertake, but as your security matures, so should your testing regimes. CREST OVS security tests give robust, confident assurance of your application security.

A traditional web or mobile application penetration test assumes the position of a remote threat actor, and aims to enumerate all security weaknesses from that position. You’ll get a great overview of the security of your application, but penetration testing typically won’t find vulnerabilities that need knowledge of documentation, source code, or operating infrastructure to uncover. Web app penetration testing typically uses the OWASP Top 10 framework for application vulnerabilities.

By contrast, a CREST OVS web app security test goes much deeper, and is aligned to OWASP ASVS and MASVS frameworks. It finds everything a traditional pen test would find and also explores operational infrastructure, documentation, coding practices and internal processes. It can require access to source code, interviews with developers, workshops with operational teams, and more. A remote threat actor would not have this information, meaning CREST OVS security assessments find critical weaknesses that are out of sight of traditional penetration tests.

How does CREST OVS compare to OWASP Top 10?

The OWASP Top 10/Mobile Top 10 and OWASP ASVS/MASVS are both frameworks developed by OWASP for improving the security of web applications, but they serve different purposes and target different aspects of security. The OWASP Top 10 doesn’t include specific checks – instead it looks at the top 10 most critical application security risk types. Each risk is represented in a category of common vulnerabilities and crafted to identify vulnerability risks across the board. Here’s a comparison between the OWASP Top 10 and ASVS Level 2:

Focus

OWASP Top 10: Common and fundamental vulnerabilities

CREST ASVS/MASVS Level 2: Broader set of security requirements and controls beyond top 10 vulnerabilities

Depth

OWASP Top 10: High-level overview with descriptions and remediation guidance

CREST ASVS/MASVS Level 2: Detailed set of security requirements, testing procedures and remediation guidance (depending on verification level)

  • 260 ASVS controls
  • 66 MASVS controls

Purpose

OWASP Top 10: Identification, awareness, remediation, and prioritisation of security efforts

CREST ASVS/MASVS Level 2: Designing, building and verifying the security of applied controls

Security Needs & Risk Profile

OWASP Top 10: Does not distinguish thoroughness in depth and rigor

CREST ASVS/MASVS Level 2: Tailored based on specific security needs

  • Level 1: Fundamental Application Security Verification Requirements
  • Level 2: Standard Application Security Verification Requirements

Interaction

OWASP Top 10: High-level overview of:

  • External security controls
  • Target functionalities
  • User journeys
  • Associated infrastructure environment
  • Comprised components

CREST ASVS/MASVS Level 2:

Workshops with Development Teams

  • Code practices
  • SDLC practices
  • Integration with development processes

Workshops with Security & Operational Teams

  • Monitoring of applied controls
  • Response to incidents
  • Previous remediation applied
  • Architectural security design considerations
  • Deployment and maintenance of infrastructure

Workshops with Product Owners

  • Business logic requirements & other considerations
  • Data sensitivity
  • Compliance & regulatory requirements

Visibility

OWASP Top 10: Defined by the target scope and associated need-to-know components

CREST ASVS/MASVS Level 2: Access to

  • Backend system configuration (i.e. database server)
  • Source code
  • CI/CD
  • Network flow and data flow diagrams
  • User stories and test cases
  • And much more

Other Benefits

OWASP Top 10: None

CREST ASVS/MASVS Level 2:

  • Promotion of secure development practices
  • Improving quality of services
  • Refining existing processes
  • Proactively identifying and remediating security issues

Assurance

OWASP Top 10: None

CREST ASVS/MASVS Level 2: Strong compliance demonstration to various standards such as ISO 27001, SOC 2, PCI DSS, FTC, GDPR

CREST OVS application testing you can trust

At Bulletproof, we believe you can expect more from your CREST OVS security assessment than a report. As one of the leading UK security testing companies, Bulletproof gives you actionable insight to power faster, more effective remediations.

  • All threat findings detailed in our dashboard-driven platform
  • Remediation guidance included for each & every threat
  • Insight into business impacts, likelihood & ease of exploitation
  • At-a-glance prioritisation to track threats & manage remediation progress
  • Make strategic improvements aligned to ASVS & MASVS Level 1 and Level 2

Meet our pen test team

Bulletproof takes pride in building and nurturing the best cyber talent to ensure our penetration testing services always get the best security outcomes for our clients. Our global teams of OSCP & CREST penetration testers are highly skilled, speak at security events and have discovered CVEs.

CREST OVS FAQs

Only CREST-accredited companies and penetration testers can perform OVS security testing. CREST member companies must pass rigorous assessments, and individual employees must be highly skilled in application security testing. So if you’re looking for a high-assurance security test for your web or mobile apps, CREST OVS testing from Bulletproof is a safe bet.

CREST OVS app assessments were created for organisations who need enhanced levels of security testing for their web and mobile applications. They provide a greater level of assurance for security-mature organisations.

CREST OVS assessments are specifically aligned to OWASP’s ASVS for web apps and MASVS for mobile applications. By formalising the delivery of ASVS/MASVS, CREST has created a high-assurance security test for organisations who need to go beyond traditional penetration testing.

Delivering a CREST OVS security assessment is similar to a traditional penetration test. In addition to information about URLs, user roles and API backends, a CREST OVS security assessment can require technical documentation, network and data flows, source code, time with development and operational teams, and much more.

Bulletproof's security qualifications

With OSCP & CREST certified expert pen testers and 7+ years in the industry, Bulletproof penetration testing services have a proven track record of finding flaws and helping businesses stay ahead of the hackers.

CREST
CREST OVS Apps
CREST OVS Mobile
OWASP
PEN TEST
ISO 27001
ISO 9001
OSCP
OSWP
CISSP
CISA
CISM
Offensive Azure Security Professional
AWS Certified Cloud Practitioner
CCENT
CEH
Certified AppSec Practitioner
HM Government G-Cloud
Crown Commercial Service Supplier
Cyber Essentials
National Cyber Security Centre Cyber Advisor

Trusted by top brands

Rated 5 stars on Google

Aldermore
Dell
McAfee
NHS
Ocado
Polestar
