availability

Package: Invicti AppSec Core (on-demand)

Configure ASVS level

ASVS (Application Security Verification Standard) is an OWASP standard that defines a set of security controls required to build secure applications. In Invicti AppSec, ASVS tracking is enabled for a target once a business criticality level is assigned.

Business criticality and ASVS level mapping

The business criticality you assign to a target determines which ASVS level applies:

Business criticality                 ASVS level
High or Critical                     ASVS Level 3
Medium                               ASVS Level 2
Low                                  ASVS Level 1
None or Calculate automatically      ASVS not enabled

Higher ASVS levels include a broader and more stringent set of security controls. Controls that are not applicable to the selected level are automatically removed from the ASVS checklist.

Set business criticality to enable ASVS

To enable ASVS tracking for a target:

  1. Select Targets from the left-side menu.
  2. Locate the target and click the pencil icon to open the Target info dialog.
  3. In the Business criticality field, select a level (Low, Medium, High, or Critical).
  4. Click Save.

ASVS is now enabled for the target. The ASVS compliance chart on the target dashboard will begin tracking control status.

note

Selecting Calculate automatically does not enable ASVS. A specific criticality level must be set.

ASVS sync for vulnerabilities

When configuring your target, you can enable ASVS vulnerability sync. When enabled, Invicti AppSec automatically synchronizes the ASVS control status based on vulnerabilities discovered for this target:

  • If a vulnerability with a matching CWE ID is found, the corresponding ASVS control is automatically marked as Not Valid.
  • The control remains Not Valid until one of the following occurs:
    • The related vulnerability is marked as Won't Fix or False Positive
    • The vulnerability is fixed and transitions to Closed in a subsequent scan

Control validation

For controls that are not automatically updated, you can manually set the status:

  • Valid: the control is implemented and passing
  • Not Valid: the control is not met

caution

Automatically validated controls (those linked to a CWE ID with a matching open vulnerability) cannot be manually overridden until the underlying vulnerability is resolved or suppressed.

Dashboard visualization

The ASVS compliance chart on the target dashboard displays the ratio of Valid controls to the total Applicable controls (Valid + Not Valid) per ASVS category. Use this chart to identify areas where the target falls short of the required security verification level.
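The sync rule, the override rule and the dashboard ratio described above, modelled as an added Python illustration (this is not Invicti's code); the control identifiers, the CWE-to-control mapping and the vulnerability states in the sample data are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
# Vulnerability states that release a control from the automatic "Not Valid" hold (as stated on the page).
RESOLVED_STATES = {"Won't Fix", "False Positive", "Closed"}

@dataclass
class Vulnerability:
    cwe_id: int
    state: str  # e.g. "Open", "Closed", "Won't Fix", "False Positive"

@dataclass
class Control:
    control_id: str                    # constructed sample identifier, not a real ASVS requirement number
    category: str                      # ASVS category used for the per-category ratio
    cwe_ids: set[int]                  # CWE IDs mapped to this control (constructed mapping)
    manual_status: str | None = None   # "Valid" / "Not Valid" set by a reviewer; None = not assessed

def open_vulns_for(control: Control, vulns: list[Vulnerability]) -> list[Vulnerability]:
    """Matching-CWE vulnerabilities that are not yet Closed, Won't Fix or False Positive."""
    return [v for v in vulns if v.cwe_id in control.cwe_ids and v.state not in RESOLVED_STATES]

def effective_status(control: Control, vulns: list[Vulnerability]) -> str | None:
    """Sync rule: an unresolved matching vulnerability forces Not Valid; otherwise the manual status stands."""
    return "Not Valid" if open_vulns_for(control, vulns) else control.manual_status

def set_manual_status(control: Control, vulns: list[Vulnerability], status: str) -> bool:
    """Override rule: refuse a manual change while an open vulnerability holds the control Not Valid."""
    if open_vulns_for(control, vulns):
        return False
    control.manual_status = status
    return True

def compliance_by_category(controls: list[Control], vulns: list[Vulnerability]) -> dict[str, tuple[int, int]]:
    """(Valid, Applicable) per category; Applicable = Valid + Not Valid, so unassessed controls count as neither."""
    totals: dict[str, list[int]] = {}
    for c in controls:
        status = effective_status(c, vulns)
        if status is None:
            continue
        entry = totals.setdefault(c.category, [0, 0])
        entry[0] += int(status == "Valid")
        entry[1] += 1
    return {k: (v[0], v[1]) for k, v in totals.items()}

# Constructed sample data: two V5 controls, one V2 control, one open CWE-79 finding and one closed CWE-89 finding.
SAMPLE_CONTROLS = [
    Control("sample-1", "V5 Validation", {79}),
    Control("sample-2", "V5 Validation", {89}, manual_status="Valid"),
    Control("sample-3", "V2 Authentication", {307}, manual_status="Valid"),
]
SAMPLE_VULNS = [Vulnerability(79, "Open"), Vulnerability(89, "Closed")]
```

With the sample data, `compliance_by_category(SAMPLE_CONTROLS, SAMPLE_VULNS)` yields V5 at 1 of 2 and V2 at 1 of 1, and the open CWE-79 finding blocks any manual change to `sample-1` until its state becomes Closed, Won't Fix or False Positive.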
