Why choose Bulletproof CREST OVS pen tests?
CREST OVS Certified
Bulletproof are fully accredited to deliver certified CREST OVS security assessments
Competitive OVS Prices
Bulletproof CREST OVS prices are competitive without sacrificing our high testing quality
Level 1 & 2 Tests
Get the right assurance with CREST OVS Level 1 & Level 2 tests available for web & mobile apps
Trusted Expertise
We’re UK market leaders in security testing, cyber security, infosec, data protection & more
What is CREST OWASP Verification Standard (OVS)
CREST OWASP Verification Standard (OVS) is a security testing framework designed as a gold standard for mature, comprehensive application security assessments for web and mobile. OVS testing provides increased levels of assurance for organisations looking for a more in-depth application security test than traditional penetration testing services.
CREST partnered with OWASP to align OVS to the existing Application Security Verification Standard (ASVS) and Mobile Application Security Verification Standard (MASVS) frameworks. This gives CREST OVS a structured and detailed approach to the very highest specifications of application security testing. OVS application testing analyses the overall security of an application, including development practices, operating systems, hosting infrastructure and more.
Who is a CREST OVS test for?
CREST OVS is for organisations that have outgrown traditional web and mobile application penetration testing and are looking for greater security assurance to match their maturity. CREST OVS security testing goes beyond examining the remote threat landscape, giving organisations a big-picture look at their overall application security.
CREST OVS application testing is for you if any of the following apply:
- You’re a mature organisation that has well established processes
- You already undertake regular penetration testing
- You’re looking to improve or refine existing application development practices & processes
- You need a higher level of application security assurance backed by industry standards
Different types of CREST OVS App Assessment
CREST OVS assessments follow the OWASP ASVS/MASVS framework, which is structured into two levels. Each level contains a set of security requirements, controls, and corresponding verification checks.
OVS Level 1
A Level 1 assessment follows ASVS/MASVS Level 1 specifications, and in addition to automated scans and manual penetration testing activity, also requires discussion with dev teams and sysadmins, though no access to source code is needed.
OVS Level 2
A Level 2 assessment is more in-depth. In addition to everything in Level 1, it also includes a detailed documentation review, time with dev, product, security and operational departments for workshops, analysis of coding/SDLC practices, access to backend systems, source code, network and data flows, and more.
Web Applications (ASVS)
OVS ASVS Level 1
Suitable for apps needing a detailed level of security assurance. OVS Level 1 is for applications that don’t process sensitive information.
OVS ASVS Level 2
OVS Level 2 is a higher level of security assurance for apps that power business transactions or handle sensitive data, such as payment and healthcare applications.
Mobile Applications (MASVS)
OVS MASVS Level 1
Suitable for all mobile applications and meets foundational requirements of code quality, data handling, and interaction with the mobile environment.
OVS MASVS Level 2
A higher level of assurance for mobile applications that power business transactions or handle sensitive information, such as personal, finance or patient data.
OVS MASVS-R Level 1 & 2
An enhanced level of assurance for mobile applications needing verification of resilience against specific threats such as repackaging, code cracking, and more.
Benefits of CREST OVS security testing
CREST OVS security testing is a clear signpost to buyers and users that an app has been rigorously tested against a defined, comprehensive security framework.
- Quality-assured security: Standardised reports, open frameworks & proven processes deliver high application security assurance.
- Get your app out to industry: Helps engagement with app store providers & security-focussed industries, e.g. financial services.
- Support compliance: OVS testing delivers robust criteria acceptance for multiple frameworks & meets supply chain security demand.
- Boost sales growth: Increase customer confidence & market profile with internationally recognised & standardised testing.
- Prioritised remediations: A smart dashboard automatically prioritises findings & built-in remediation advice helps you fix faster.
- Eliminate bias & assumptions: CREST OVS security tests use external expertise to challenge your security assumptions & uncover bias.
Get a fast CREST OVS quote
Comprehensive application security testing for high-assurance scenarios. Level 1/Level 2 ASVS & MASVS tests from a UK leader in CREST accredited penetration testing.
- Official CREST OVS provider
- Level 1 & 2 of ASVS/MASVS
- Test your security maturity
- Trusted UK provider of pen testing
- Proven track record
CREST OVS app assessment vs penetration testing
Penetration testing is a fundamental security control that every organisation should undertake, but as your security matures, so should your testing regimes. CREST OVS security tests give robust, confident assurance of your application security.
A traditional web or mobile application penetration test assumes the position of a remote threat actor, and aims to enumerate all security weaknesses from that position. You’ll get a great overview of the security of your application, but penetration testing typically won’t find vulnerabilities that need knowledge of documentation, source code, or operating infrastructure to uncover. Web app penetration testing typically uses the OWASP Top 10 framework for application vulnerabilities.
By contrast, a CREST OVS web app security test goes much deeper, and is aligned to OWASP ASVS and MASVS frameworks. It finds everything a traditional pen test would find and also explores operational infrastructure, documentation, coding practices and internal processes. It can require access to source code, interviews with developers, workshops with operational teams, and more. A remote threat actor would not have this information, meaning CREST OVS security assessments find critical weaknesses that are out of sight of traditional penetration tests.
How does CREST OVS compare to OWASP Top 10?
The OWASP Top 10/Mobile Top 10 and OWASP ASVS/MASVS are both frameworks developed by OWASP for improving the security of applications, but they serve different purposes and target different aspects of security. The OWASP Top 10 doesn’t include specific checks – instead it looks at the ten most critical application security risk types. Each risk is represented by a category of common vulnerabilities, crafted to identify vulnerability risks across the board. Here’s a comparison between the OWASP Top 10 and ASVS/MASVS Level 2:
Focus
- OWASP Top 10: Common and fundamental vulnerabilities
- ASVS/MASVS Level 2: Broader set of security requirements and controls beyond the top 10 vulnerabilities
Depth
- OWASP Top 10: High-level overview with descriptions and remediation guidance
- ASVS/MASVS Level 2: Detailed set of security requirements, testing procedures and remediation guidance (depending on verification level)
  - 260 ASVS controls
  - 66 MASVS controls
Purpose
- OWASP Top 10: Identification, awareness, remediation and prioritisation of security efforts
- ASVS/MASVS Level 2: Designing, building and verifying the security of applied controls
Security Needs & Risk Profile
- OWASP Top 10: Does not distinguish levels of thoroughness, depth or rigour
- ASVS/MASVS Level 2: Tailored to specific security needs
  - Level 1: Fundamental Application Security Verification Requirements
  - Level 2: Standard Application Security Verification Requirements
Interaction
- OWASP Top 10: High-level overview of:
  - External security controls
  - Target functionalities
  - User journeys
  - Associated infrastructure environment
  - Constituent components
- ASVS/MASVS Level 2:
  - Workshops with development teams: code practices, SDLC practices, integration with development processes
  - Workshops with security & operational teams: monitoring of applied controls, response to incidents, previous remediation applied, architectural security design considerations, deployment and maintenance of infrastructure
  - Workshops with product owners: business logic requirements & other considerations, data sensitivity, compliance & regulatory requirements
Visibility
- OWASP Top 10: Defined by the target scope and associated need-to-know components
- ASVS/MASVS Level 2: Access to backend system configuration (e.g. database server), source code, CI/CD, network flow and data flow diagrams, user stories and test cases, and much more
Other Benefits
- OWASP Top 10: None
- ASVS/MASVS Level 2: Promotion of secure development practices, improving quality of services, refining existing processes, proactively identifying and remediating security issues
Assurance
- OWASP Top 10: None
- ASVS/MASVS Level 2: Strong compliance demonstration to various standards such as ISO 27001, SOC 2, PCI DSS, FTC, GDPR
CREST OVS application testing you can trust
At Bulletproof, we believe you can expect more from your CREST OVS security assessment than a report. As one of the leading UK security testing companies, Bulletproof gives you actionable insight to power faster, more effective remediations.
- All threat findings detailed in our dashboard-driven platform
- Remediation guidance included for each & every threat
- Insight into business impacts, likelihood & ease of exploitation
- At-a-glance prioritisation to track threats & manage remediation progress
- Make strategic improvements aligned to ASVS & MASVS Level 1 and Level 2
Meet our pen test team
Bulletproof takes pride in building and nurturing the best cyber talent to ensure our penetration testing services always get the best security outcomes for our clients. Our global teams of OSCP & CREST penetration testers are highly skilled, speak at security events and have discovered CVEs.
“I take pride knowing that my team are always thinking creatively to get the best outcomes for our pentest customers. They think like the attacker and are always improving their knowledge to stay on top of emerging threats.”
Jordan, Bulletproof Penetration Testing Manager
CREST OVS FAQs
Only CREST-accredited companies and penetration testers can perform OVS security testing. CREST member companies must pass rigorous assessments, and individual employees must be highly skilled in application security testing. So if you’re looking for a high-assurance security test for your web or mobile apps, CREST OVS testing from Bulletproof is a safe bet.
CREST OVS app assessments were created for organisations that need enhanced levels of security testing for their web and mobile applications. They provide greater levels of assurance for security-mature organisations.
CREST OVS assessments are specifically aligned to OWASP’s ASVS for web apps and MASVS for mobile applications. By formalising the delivery of ASVS/MASVS, CREST has created a high-assurance security test for organisations who need to go beyond traditional penetration testing.
Delivering a CREST OVS security assessment is similar to a traditional penetration test. In addition to information about URLs, user roles and API backends, a CREST OVS security assessment can require technical documentation, network and data flows, source code, time with development and operational teams, and much more.
Bulletproof's security qualifications
With OSCP & CREST certified expert pen testers and 7+ years in the industry, Bulletproof penetration testing services have a proven track record of finding flaws and helping businesses stay ahead of the hackers.