nerdexam
(ISC)2

CISSP · Question #467

Why should Open Web Application Security Project (OWASP) Application Security Verification standards (ASVS) Level 1 be considered a MINIMUM level of protection for any web application?

The correct answer is B. Opportunistic attackers will look for any easily exploitable vulnerable applications.. OWASP ASVS Level 1 represents the minimum security baseline because it addresses the most basic, easily exploitable vulnerabilities that opportunistic attackers actively seek out in any web application.

Submitted by tyler.j· Mar 5, 2026Software Development Security

Question

Why should Open Web Application Security Project (OWASP) Application Security Verification standards (ASVS) Level 1 be considered a MINIMUM level of protection for any web application?

Options

  • AASVS Level 1 ensures that applications are invulnerable to OWASP top 10 threats.
  • BOpportunistic attackers will look for any easily exploitable vulnerable applications.
  • CMost regulatory bodies consider ASVS Level 1 as a baseline set of controls for applications.
  • DSecuring applications at ASVS Level 1 provides adequate protection for sensitive data.

How the community answered

(41 responses)
  • A
    12% (5)
  • B
    80% (33)
  • C
    5% (2)
  • D
    2% (1)

Why each option

OWASP ASVS Level 1 represents the minimum security baseline because it addresses the most basic, easily exploitable vulnerabilities that opportunistic attackers actively seek out in any web application.

AASVS Level 1 ensures that applications are invulnerable to OWASP top 10 threats.

ASVS Level 1 does not guarantee invulnerability to all OWASP Top 10 threats; it provides a foundational set of controls but higher levels (L2, L3) are required for comprehensive protection against more sophisticated attacks.

BOpportunistic attackers will look for any easily exploitable vulnerable applications.Correct

ASVS Level 1 is designed to defend against low-effort, automated, and opportunistic attacks where threat actors scan broadly for easily exploitable weaknesses rather than targeting specific organizations. Because opportunistic attackers require minimal effort and resources, even basic applications without sensitive data remain at risk if they fall below this baseline. OWASP explicitly states Level 1 is the bare minimum all applications should strive for, precisely because it counters this common, indiscriminate attack pattern.

CMost regulatory bodies consider ASVS Level 1 as a baseline set of controls for applications.

OWASP ASVS is an industry framework, not a regulatory standard, and most regulatory bodies (such as PCI DSS or HIPAA) define their own baseline controls independently rather than mandating ASVS Level 1 specifically.

DSecuring applications at ASVS Level 1 provides adequate protection for sensitive data.

ASVS Level 1 is explicitly considered insufficient for applications handling sensitive or high-value data; OWASP recommends Level 2 or Level 3 for applications with sensitive data requirements, making Level 1 inadequate for such scenarios.

Concept tested: OWASP ASVS Level 1 minimum baseline rationale

Source: https://owasp.org/www-project-application-security-verification-standard/

Topics

#OWASP ASVS#application security#web application security#security standards

Community Discussion

No community discussion yet for this question.

Full CISSP Practice