URM is one of the first companies in the UK to be awarded accreditation to the CREST OWASP Verification Standard (OVS )  to deliver both Level 1 and Level 2 Application Security Verification Standard (ASVS) and Mobile Application Security Verification Standard (MASVS) assessments for Web and mobile applications.

What is CREST?

The Council Registered Ethical Security Testers (CREST) is an international not-for-profit, membership body representing the global cyber security industry.  Its goal is to help create a secure digital world by providing quality assurance for its members and delivering professional certifications to the cyber security industry.  Almost 300 member companies, across the World are required to undergo a rigorous quality assurance process and employ competent professionals.  The end result is that organisations buying cyber security services from CREST members do so with confidence.

What is CREST OVS ?

CREST OVS is a framework, developed by the Council in consultation with Open Web Application Security Project (OWASP), which is designed to provide assurance to buyers they will receive quality-assured testing services for their business and products.

What does it mean to be a CREST OVS accredited company?

Members who have achieved the CREST OVS accreditation have demonstrated the capability to deliver web and mobile application assessments in line with the OWASP ASVS and the MASVS.  At the time of publishing this page, URM is one of only 5 companies in the UK to have obtained this accreditation.

What are the benefits of performing a CREST OVS assessment?

The benefits for the app development community:

  • Get access to quality-assured web security testing services for your businesses and products
  • Clear signposting to assured web security providers in a crowded marketplace
  • Standardised, clear and concise web security reports
  • Enhanced market profile by using respected, internationally recognised, web security assurance standard
  • Increased consumer confidence
  • Facilitates engagement with app store providers and other industry consumers
  • Improved opportunities to reach industry-specific markets, for instance in technology, financial services and healthcare

The benefits for organisations that rely on secure apps for their business:

  • Access to app developers who have used web security companies to test their apps to an internationally recognised standard
  • Added quality assurance when buying services from app developers
  • Potential insurance benefits by using a web developer whose apps have been tested by a CREST OVS-accredited company
  • Clearer signposting to reputable app developers who have used CREST-accredited web security services
  • Marketing benefits for organisations that insist on OVS testing for app development across their supply chains.

What’s the difference between a standard web/mobile application penetration test and a CREST OVS Web/mobile security assessment?

Typically, a standard penetration test will assess the security of the web or mobile application only from an unauthenticated or authenticated threat actor’s perspective.  In general, the tester will not have access to the source code, to the underlying infrastructure or cloud environment, or to detailed documentation such as architecture diagrams.  Any involvement from the organisation requesting the penetration test is also limited during an assessment once the necessary approvals and access to the applications have been provided.

A CREST OVS assessment covers these ‘pen testable’ elements, but will also provide a more comprehensive and holistic analysis of the security of the applications and the organisation’s development processes.  It does this by conducting interviews with the development team, reviewing existing threat models, reviewing the source code or the applications and of relevant third party libraries.  It also includes a review of documentation such as policies, procedures, architecture diagrams and an analysis of backend systems that are normally not accessed during a black box penetration test, e.g., the underlying operating systems, databases, storage disks and logging servers.

Is a CREST OVS assessment the right one for your organisation?

Due to the nature of the testing, CREST OVS assessments at level 2 or 3 are suitable for organisations that require a higher security standard such as organisations operating in the financial or healthcare industry.  CREST OVS assessments at Level 1 are suitable for any organisation that considers themselves mature in terms of secure software development practices and would like to demonstrate this high level of commitment to application security to their clients.  However, if you have not performed standard penetration tests against your applications, or if you have strict budget constraints, a standard penetration test by a trusted provider, such as URM, may provide a more cost-effective solution for your organisation.

How to request a quote for a CREST OVS web or mobile application assessment or a standard web or mobile application penetration test?

Contact us through the below form:

Download FREE Penetration Testing White Paper

The Role of Penetration Testing in Preventing Ransomware Attacks

Latest update:
28 Mar

URM’s blog discusses how to prevent and mitigate the damage done by ransomware attacks, and how penetration testing can help your organisation avoid them.

Read more
Thumbnail of the Blog Illustration
Penetration Testing
What Do You Do After a Security Incident?

URM’s blog discusses the testing, assessments, exercises and reviews you can conduct following a cyber security incident to strengthen your security posture.

Read more
Thumbnail of the Blog Illustration
Penetration Testing
Alternative Approaches to Penetration Testing

Are you getting the best value out of your penetration testing? URM’s blog discusses alternative approaches to penetration testing.

Read more
Thumbnail of the Blog Illustration
Penetration Testing
What Role does Penetration Testing Play in Preventing Unauthorised Access?

The consequences of unauthorised access are varied. Apart from financial losses, there is a loss of customer confidence. Can penetration testing prevent this?

Read more
This was a great exercise for the business to go through as some gaps were found and URM provided valuable information on remediation.
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.