In depth
A Level 2 engagement requires roughly 180 of the 280 ASVS controls to be verified, with manual confirmation rather than scanner-only coverage. Authentication controls require multi-factor by default for privileged accounts, password reuse must be prevented through breach-corpus checks (e.g. against the Have I Been Pwned API), session tokens must be cryptographically strong and bound to client characteristics, and brute-force protection must be enforced at the application layer rather than only at the WAF. Access control checks must verify both vertical (privilege escalation) and horizontal (tenant boundary, IDOR) controls on every authenticated endpoint. Cryptography must use algorithms and key lengths consistent with current NIST SP 800-131A guidance, with no reliance on deprecated primitives.
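The breach-corpus check above is usually implemented with the Have I Been Pwned k-anonymity range API: the client sends only the first five hex characters of the password's SHA-1 digest and matches the remaining suffix locally, so the password never leaves the application. The example below is added here (not code from the page or from AxVeil) and substitutes a constructed, offline stand-in for the range endpoint; the hash suffixes and counts in it are fabricated apart from the well-known SHA-1 of "password".

```python
import hashlib
from typing import Callable

# Production code would fetch https://api.pwnedpasswords.com/range/{prefix};
# here the fetch is injected so the check runs offline and is testable.
RangeFetcher = Callable[[str], str]


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix sent to
    the API and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping malformed lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: RangeFetcher) -> int:
    """How many times the password appears in the breach corpus (0 if absent).
    Only the prefix is disclosed to the remote service."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_allowed(password: str, fetch_range: RangeFetcher, max_count: int = 0) -> bool:
    """Policy decision: reject any password seen more than max_count times.
    ASVS expects rejection on any hit, hence the default of 0."""
    return breach_count(password, fetch_range) <= max_count


# Constructed stand-in for the range endpoint. The second suffix is the real
# SHA-1 tail of "password"; the other suffix and both counts are fabricated.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
    ),
}


def offline_fetch_range(prefix: str) -> str:
    """Return the constructed response for a prefix, or an empty body if unknown."""
    return CONSTRUCTED_RANGES.get(prefix, "")
```

If the range endpoint is unreachable in production, decide explicitly whether the check fails open or closed; a silent fail-open turns the control into a no-op during outages.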
Level 2 also imposes real requirements on the secure SDLC. A threat model must exist for the application, dependencies must be tracked in an SBOM and triaged against the NVD, and security logging must capture authentication events, access-control failures and input-validation failures with enough fidelity to support incident response. The bar is high enough that achieving it requires sustained engineering investment, not a one-off pre-audit sprint.
For procurement teams, "ASVS Level 2 verified" on a vendor's SOC 2 report or security questionnaire is a much stronger signal than "tested against the OWASP Top 10," because ASVS Level 2 is a fixed control set whereas Top 10 coverage varies by vendor. AxVeil VAPT ships ASVS Level 2 coverage by default, with Level 3 available for regulated targets. See also VAPT vs. penetration testing.