CREST OVS FAQs

What is CREST OVS?

CREST OVS is a new accreditation that will have a series of new assessment criteria.

OVS stands for the OWASP Verification Standard.

The aim of CREST OVS is to set the standard for application security and provide increased levels of assurance for application security assessments.

The programme requirements are aligned to the OWASP Application Security Verification Standard (ASVS) and the Mobile Application Security Verification Standard (MASVS).

CREST member companies are audited against the programme requirements. Members must be accredited to the CREST Penetration Testing Discipline. Members must also register employees suitably skilled in app security with us and these individuals must sign our Code of Conduct.

 

How does CREST OVS benefit CREST member companies?

The main benefit for CREST OVS Accredited Providers is that they gain enhanced business opportunities in an app development market worth an estimated $200 billion annually, and growing.

Specific benefits include:

  • Ability to engage with the Google supply chain
  • Sales leads for organisations that have restricted apps in the Google Play store
  • Sales leads for organisations that have restricted access to Google Cloud services
  • Sales leads from other organisations in both technology and financial services
  • The ability to demonstrate to the wider buying community that they have sufficiently skilled and competent individuals to deliver assessments related to Levels 1 & 2 of OWASP’s ASVS and MASVS
  • Access to the CREST OVS logo, to use in their marketing
  • Enhanced visibility to the app development buying community via the CREST website
  • Invitation to participate in a series of closed community workshops with Google as they continue to focus on securing the wider ecosystem

How does CREST OVS benefit buyers?

The main benefit to the app development buying community is that it signposts and gives them access to quality-assured app security testing services for their businesses and products.

Specific benefits include:

  • Standardised, clear and concise web security reports
  • Enhanced market profile by using a respected, internationally recognised web security assurance standard
  • Increased consumer confidence
  • Facilitates engagement with app store providers and other industry consumers
  • Improved opportunities to sell apps to other organisations in industries such as technology and financial services

How can CREST OVS positively affect the security posture of my organisation?

Both the web development community and their clients benefit from the enhanced level of assurance provided by the CREST OVS Programme.

Web development companies can market their services and products as tested by CREST OVS Accredited Providers, helping them stand out in the marketplace.

Clients buying web development services can be assured that their apps are created by developers who have employed CREST OVS Accredited Providers to test the security of their applications.

For both the web developers and their clients, there may be insurance benefits from aligning themselves with an internationally recognised verification standard.

 

What are the eligibility requirements for CREST OVS?

To apply for CREST OVS, organisations must:

  • Be accredited to the CREST Penetration Testing Discipline
  • Have completed the CREST Skilled Persons Register for their organisation
  • Ensure that team members have signed the CREST Code of Conduct

How long does the accreditation process take?

Having submitted an application via the CREST Member Portal, eligible members will receive immediate confirmation of receipt of the submission.

We aim to provide our first response to a new submission as soon as possible, but please be aware this could take 4 to 6 weeks.

Final approval of CREST OVS Accreditation is dependent on the feedback provided to members in our initial and subsequent responses to the submission, and on the member’s actions in response to feedback.

What does accreditation cost?

The CREST OVS Programme is a new accreditation that will have a series of new assessment criteria.

The programme will be charged at £2,000 ($2,500) per annum in addition to an organisation’s normal accreditation fees. The fees will go toward running and maintaining the programme, and a portion of the payment will be shared with OWASP, who maintain the ASVS and MASVS components.

Who are OWASP?

OWASP (Open Web Application Security Project) is a not-for-profit foundation that works to improve the security of software.

OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All OWASP projects, tools, documents, forums, and chapters are free and open to anyone interested in improving application security.

CREST and OWASP have a shared vision of improving global app security standards.

OWASP maintains the Application Security Verification Standard (ASVS) and Mobile Application Security Verification Standard (MASVS) to which the CREST OVS Programme is aligned.

What is OWASP ASVS?

The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.

The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalise the range in the coverage and level of rigor available in the market when it comes to performing web application security verification using a commercially-workable open standard.

This standard can be used to establish a level of confidence in the security of web applications.

What is OWASP MASVS?

The OWASP MASVS is a standard for mobile app security.

It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results.