OWASP Security Standards Adopted by Major Platforms - Learning from Google, Microsoft, Salesforce, and Slack
We introduce cases where major platforms have adopted OWASP as a security review standard for web application development.
OWASP (Open Web Application Security Project) is an international nonprofit organization aimed at improving software and web application security. Established in 2001, it is characterized by providing open knowledge and tools that anyone can freely use. Security experts and developers from around the world participate as volunteers, publishing guidelines, testing tools, educational materials, and more. OWASP maintains a neutral stance independent of specific products or vendors, compiling the latest threats and countermeasures, making it widely utilized as a standard guideline for companies and organizations strengthening their security posture.
OWASP Top 10 is a list of the top 10 representative security risks in web applications, updated and published by OWASP every few years. This is one of the most widely referenced documents in the security industry, clearly indicating the vulnerabilities that developers and companies should address first. For example, it includes SQL injection, authentication flaws, and exposure of sensitive data, selected based on actual attack cases in order of importance. The Top 10 is not merely a checklist but should be used as a starting point for risk understanding and improvement activities, serving as an essential reference for advancing secure development and operations.
OWASP ASVS (Application Security Verification Standard) is an international standard for systematically conducting security verification of web applications and services. While the Top 10 is a “classification list of vulnerabilities,” ASVS organizes more specific security requirements by level. For example, Level 1 requires basic security measures, while Levels 2 and 3 are applied to systems requiring higher security assurance. ASVS is often used as a standard for security requirement definition during development, code reviews, and penetration testing, providing a powerful framework for organizations to objectively demonstrate security quality.
Security Assessment - Google Cloud Platform Console Help explains as follows:
Security Assessment
To maintain the security of Google users’ data, apps that request access to restricted scopes need to undergo an annual security assessment. This assessment verifies that the app can securely handle data and delete user data upon request. Upon successfully passing the security assessment, the app will be awarded a “Letter of validation” (LOV) from the security assessor, indicating its ability to handle data securely.
To improve and standardize our security assessment process, we implemented the App Defense Alliance and the Cloud App Security Assessment framework (CASA).
Key features of the security assessment framework:
- Standardized requirements based on the OWASP Application Security Verification Standard (ASVS), allowing more automated testing and faster remediation.
Microsoft 365 Certification framework overview - Microsoft 365 App Certification | Microsoft Learn explains as follows:
Penetration testing requirements
Penetration testing reports will be reviewed to ensure there are no vulnerabilities that meet the following automatic failure criteria outlined in the controls below.

| Criteria Type | Penetration test controls |
|---|---|
| General criteria | Web application penetration testing MUST include all vulnerability classes; for example, the most current OWASP Top 10 or SANS Top 25 CWE. The recommendation is that this is detailed within the penetration testing report, otherwise it will be difficult to demonstrate. |
| Secure software development/deployment | Provide policies and procedures that support secure software development and include industry standards and/or best practices for secure coding, such as Open Web Application Security Project (OWASP) Top 10 or SysAdmin, Audit, Network and Security (SANS) Top 25 Common Weakness Enumeration (CWE). |
Security Review Resources | ISVforce Guide | Salesforce Developers mentions OWASP in the following article:
Security Review Resources
These resources can help you prepare for the AppExchange security review.
Slack App Security Review | Slack explains as follows:
Things to consider while building your application:
- Be mindful of the OWASP Top 10 Vulnerabilities when creating your web application
Why do so many platforms adopt OWASP as their standard? There are three main reasons:
As these examples clearly show, OWASP compliance is no longer someone else’s problem for modern application developers. Specifically, the following initiatives are required:
The fact that giant platforms like Google, Microsoft, Salesforce, and Slack have adopted OWASP as their security review standard demonstrates that OWASP serves as the security baseline for modern web application development.
We want to incorporate OWASP’s thinking into our daily development processes and deliver safe and reliable applications to users.
That’s all from the Gemba.