Audit Methodology

Our review process is grounded in industry-recognized frameworks. Every finding is mapped to specific standards, scored consistently, and reported with actionable remediation guidance.

01 OWASP Application Security Verification Standard (ASVS)

ASVS provides a comprehensive checklist of security requirements organized by verification level. We audit against Level 2 (standard) by default, covering architecture, authentication, session management, access control, validation, cryptography, error handling, data protection, communications, and configuration.

Reference: owasp.org/www-project-application-security-verification-standard

02 OWASP Web Security Testing Guide (WSTG)

WSTG defines the testing procedures we follow. Each test case maps to specific ASVS requirements and provides reproducible steps for identifying vulnerabilities in information gathering, configuration, identity management, authentication, authorization, session management, input validation, error handling, cryptography, business logic, and client-side testing.

Reference: owasp.org/www-project-web-security-testing-guide

03 Common Weakness Enumeration (CWE)

Every identified weakness is classified using CWE identifiers. This provides a common language for the type of vulnerability found, enabling precise communication and tracking across remediation cycles.

Reference: cwe.mitre.org

04 Common Vulnerability Scoring System (CVSS)

Findings are scored using CVSS v3.1 or v4.0 to provide consistent, objective severity ratings. The score considers attack vector, complexity, privileges required, user interaction, scope, and impact on confidentiality, integrity, and availability.

Reference: first.org/cvss