Get a mature assessment of your web & mobile application security with CREST OWASP Verification Standard testing. CREST OVS aligns to OWASP ASVS & MASVS, for robust, detailed app security testing.
Bulletproof are fully accredited to deliver certified CREST OVS security assessments
Bulletproof CREST OVS prices are competitive without sacrificing our high testing quality
Get the right assurance with CREST OVS Level 1 & Level 2 tests available for web & mobile apps
We’re UK market leaders in security testing, cyber security, infosec, data protection & more
CREST OWASP Verification Standard (OVS) is a security testing framework designed as a gold-standard for mature, comprehensive application security assessments for web and mobile. OVS testing provides increased levels of assurance for organisations looking for a more in-depth application security test than traditional penetration testing services.
CREST partnered with OWASP to align OVS to the existing Application Security Verification Standard (ASVS) and Mobile Application Security Verification Standard (MASVS) frameworks. This gives CREST OVS a structured and detailed approach to the very highest specifications of application security testing. OVS application testing analyses the overall security of an application, including development practices, operating systems, hosting infrastructure and more.
CREST OVS is for organisations which have outgrown traditional web and mobile application penetration testing and are looking for greater security assurance to match their maturity. CREST OVS security testing goes beyond examining the remote threat landscape, giving organisations a big-picture look at their overall application security.
CREST OVS application testing is for you if you are any of the following:
CREST OVS assessments follow the OWASP ASVS/MASVS framework, which is structured into two levels. Each level contains a set of security requirements, controls, and corresponding verification checks.
A Level 1 assessment follows ASVS/MASVS Level 1 specifications, and in addition to automatic scans and manual penetration testing activity, also requires discussion with dev teams and sysadmins, though no access to source code is needed.
A Level 2 assessment is more in-depth. In addition to everything in Level 1, it also includes a detailed documentation review, time with dev, product, security and operational departments for workshops, analysis of coding/SDLC practices, access to backend systems, source code, network and data flows, and more.
Suitable for apps needing a detailed level of security assurance. OVS Level 1 is for applications that don’t process sensitive information.
OVS Level 2 is a higher level of security assurance for apps that power business transactions or handle sensitive data, such as payment and healthcare applications.
Suitable for all mobile applications and meets foundational requirements of code quality, data handling, and interaction with the mobile environment.
A higher level of assurance for mobile applications that power business transactions or handle sensitive information, such as personal, finance or patient data.
An enhanced level of assurance for mobile applications needing verification of resilience against specific threats such as repackaging, code cracking, and more.
CREST OVS security testing is a clear signpost to buyers and users that an app has been rigorously tested against a defined, comprehensive security framework.
Standardised reports, open frameworks & proven processes deliver high application security assurance.
Helps engagement with app store providers & security-focussed industries, e.g. financial services
OVS testing delivers robust criteria acceptance for multiple frameworks & meets supply chain security demand
Increase customer confidence & market profile with internationally recognised & standardised testing
A smart dashboard automatically prioritises findings & built-in remediation advice helps you fix faster
CREST OVS security tests use external expertise to challenge your security assumptions & uncover bias
Comprehensive application security testing for high-assurance scenarios. Level 1/Level 2 ASVS & MASVS tests from a UK leader in CREST accredited penetration testing.
Penetration testing is a fundamental security control that every organisation should undertake, but as your security matures, so should your testing regimes. CREST OVS security tests give robust, confident assurance of your application security.
A traditional web or mobile application penetration test assumes the position of a remote threat actor, and aims to enumerate all security weaknesses from that position. You’ll get a great overview of the security of your application, but penetration testing typically won’t find vulnerabilities that need knowledge of documentation, source code, or operating infrastructure to uncover. Web app penetration testing typically uses the OWASP Top 10 framework for application vulnerabilities.
By contrast, a CREST OVS web app security test goes much deeper, and is aligned to OWASP ASVS and MASVS frameworks. It finds everything a traditional pen test would find and also explores operational infrastructure, documentation, coding practices and internal processes. It can require access to source code, interviews with developers, workshops with operational teams, and more. A remote threat actor would not have this information, meaning CREST OVS security assessments find critical weaknesses that are out of sight of traditional penetration tests.
The OWASP Top 10/Mobile Top 10 and OWASP ASVS/MASVS are both frameworks developed by OWASP for improving the security of web applications, but they serve different purposes and target different aspects of security. The OWASP Top 10 doesn’t include specific checks – instead it looks at the top 10 most critical application security risk types. Each risk is represented as a category of common vulnerabilities, crafted to identify vulnerability risks across the board. Here’s a comparison between the OWASP Top 10 and ASVS Level 2:
OWASP Top 10: Common and fundamental vulnerabilities
ASVS Level 2: Broader set of security requirements and controls beyond top 10 vulnerabilities
OWASP Top 10: High-level overview with descriptions and remediation guidance
ASVS Level 2: Detailed set of security requirements, testing procedures and remediation guidance (depending on verification level)
OWASP Top 10: Identification, awareness, remediation, and prioritisation of security efforts
ASVS Level 2: Designing, building and verifying the security of applied controls
OWASP Top 10: Does not distinguish thoroughness in depth and rigor
ASVS Level 2: Tailored based on specific security needs.
Fundamental Application Security Verification Requirements
Standard Application Security Verification Requirements
High-level overview of:
Workshops with Development Teams
Workshops with Security & Operational Teams
Workshops with Product Owners
Defined by the target scope and associated need-to-know components
Access to
None
Strong compliance demonstration to various standards such as ISO 27001, SOC 2, PCI DSS, FTC, GDPR
At Bulletproof, we believe you can expect more from your CREST OVS security assessment than a report. As one of the leading UK security testing companies, Bulletproof gives you actionable insight to power faster, more effective remediations.
Bulletproof takes pride in building and nurturing the best cyber talent to ensure our penetration testing services always get the best security outcomes for our clients. Our global teams of OSCP & CREST penetration testers are highly skilled, speak at security events and have discovered CVEs.
"I take pride knowing that my team are always thinking creatively to get the best outcomes for our pentest customers. They think like the attacker and are always improving their knowledge to stay on top of emerging threats."
Jordan, Bulletproof Penetration Testing Manager
Only CREST-accredited companies and penetration testers can perform OVS security testing. CREST member companies must pass rigorous assessments, and individual employees must be highly skilled in application security testing. So if you’re looking for a high-assurance security test for your web or mobile apps, CREST OVS testing from Bulletproof is a safe bet.
CREST OVS app assessments were created for organisations who need enhanced levels of security testing for their web and mobile applications. They provide greater levels of assurance for security-mature organisations.
CREST OVS assessments are specifically aligned to OWASP’s ASVS for web apps and MASVS for mobile applications. By formalising the delivery of ASVS/MASVS, CREST has created a high-assurance security test for organisations who need to go beyond traditional penetration testing.
Delivering a CREST OVS security assessment is similar to a traditional penetration test. In addition to information about URLs, user roles and API backends, a CREST OVS security assessment can require technical documentation, network and data flows, source code, time with development and operational teams, and much more.
Bulletproof took the time to understand our penetration testing objectives, which showed in the results. The pen test was delivered on our tight timeframe and the threat management platform made it easy for us to remediate the penetration test results quickly and effectively.
With OSCP & CREST certified expert pen testers and 7+ years in the industry, Bulletproof penetration testing services have a proven track record of finding flaws and helping businesses stay ahead of the hackers.
We’ve always been very impressed with the cyber security services Bulletproof provide us. Their professional approach, knowledge and flexibility have ensured they have become a key trusted partner in our supply chain.