Developed by CREST, in consultation with the Open Worldwide Application Security Project (OWASP), the CREST OVS (OWASP Verification Standard) is a brand-new framework which provides a scalable and consistent approach to web and mobile application security standards. CREST OVS brings together some of the brightest minds in AppSec to improve global application security standards. The framework will provide exciting opportunities for CREST members to engage with the buying community and with governments and regulators around the world that are looking to raise application security standards.
Introduction
CREST OVS sets new standards for application security. Both CREST and OWASP are not-for-profit organisations with a shared vision to improve global app security and standards. Underpinned by OWASP’s Application Security Verification Standard (ASVS) and Mobile Application Security Verification Standard (MASVS), CREST is leveraging the open-source community to build and maintain global standards to deliver a global web and mobile application security framework. This will assure the buying community that developers using CREST OVS accredited providers are always engaged with ethical and capable organisations whose skilled and competent security testers leverage the OWASP ASVS and MASVS standards.
Background
Organisations around the world are faced with the challenge of an expanding attack surface as a result of increased connectivity, digitisation, cloud migration and API integration. Increasing sums of money are being spent to try to mitigate the rapidly evolving risks to businesses; however, the services are unregulated, vary in quality and consistency, and present a risk to the buying community. There is a growing move towards legislation and regulation in an attempt to set standards, which tend to be domestically or regionally focused. The result is an expanding patchwork of frameworks and regulations imposed on international supply chains and cross-border trade.
OVS aims to provide the clarity, consistency and assurance for app security with a framework designed to promote the standards as defined by industry professionals.
The opportunity to shape global industry standards
Recognising the need for this, a number of like-minded, not-for-profit bodies joined with CREST and OWASP in early 2022 to found Nonprofit Cyber. This body promotes a shared vision of increased collaboration to improve global cyber security. The initial idea for OVS grew from the Nonprofit Cyber coalition.
OVS will provide the platform for service providers to shape the global standards for the industry. With the collaboration of non-profit organisations like CREST and OWASP working to improve standards and reduce the information gap, industry can respond with agility and pace.
An overview of CREST OVS
CREST OVS accredits companies that provide app security testing services to the application development industry.
Existing CREST accredited penetration testing companies are encouraged to apply now for OVS accreditation. This involves an audit against the ASVS and MASVS, and companies can receive accreditation for CREST OVS App, CREST OVS Mobile or both.
Non-member companies need to be accredited to the penetration testing discipline before applying for CREST OVS accreditation.
As part of the accreditation process, companies must also identify suitably skilled and competent individuals in app security testing and register them on the CREST Skilled Persons Register.
If approved, the member company becomes a CREST OVS Accredited Provider.
The accreditation is designed to give CREST members a significant advantage in the app security testing market serving the likes of industry giants that run application marketplaces as well as myriad app developers that are focused on specific industries.