Accredited Third-Party Certification for Web Application, SaaS and API Security

Application security certification is a formal, third-party attestation that a software product (a web application, SaaS platform, or API) has been independently evaluated against a defined set of security criteria and meets those criteria. When the evaluation is conducted by a body accredited under ISO/IEC 17065 — the international standard for product certification bodies — the resulting certificate is publicly listed, independently verifiable, and recognised across borders through international accreditation arrangements. Guardian SecureApp™ is one such certification, accredited by UAF and based on OWASP standards.

A Vulnerability Assessment and Penetration Testing (VAPT) report is a private, point-in-time technical assessment that lists findings and remediation recommendations. A certification, in contrast, is a formal third-party attestation issued by an accredited certification body under a documented scheme — with a defined scope of evaluation, a defined certification decision process, ongoing surveillance to confirm continued conformity, public listing in a directory, and recognition through the international accreditation infrastructure. A VAPT report supports certification (by providing technical evaluation evidence) but is not itself a certification, and on its own it does not satisfy procurement, regulatory or contractual requirements that ask specifically for an accredited certification.

Guardian Assessment Pvt. Ltd. is accredited by United Accreditation Foundation Inc. (UAF), an internationally operating accreditation body headquartered in Virginia Beach, USA. The accreditation is under ISO/IEC 17065:2012 for product certification, accreditation number 52605385601, valid from 06 May 2026 to 05 May 2030. UAF is a member of the IAF and a signatory to the IAF MLA; the scope of UAF’s IAF MLA recognition by accreditation type can be verified at www.iaf.nu.

Guardian SecureApp™ certifies three product categories: web applications (Module A), SaaS / multi-tenant platforms (Module B), and APIs / microservices (Module C). Evaluations are conducted against the OWASP Application Security Verification Standard (ASVS), the OWASP Top 10, and the OWASP API Security Top 10, at three assurance levels — Level 1 (Basic), Level 2 (Advanced), and Level 3 (High-Risk / Critical). The procedural integrity of the scheme is governed by ISO/IEC 17065:2012, supplemented by UAF accreditation requirements and IAF mandatory documents.

ISO/IEC 27001 certifies an organisation’s Information Security Management System (ISMS) — how the organisation as a whole governs and manages information security across people, processes and technology. Guardian SecureApp™ certifies a specific software product against application security criteria. They are complementary, not substitutes: an ISO 27001-certified organisation can still ship a vulnerable product, and a Guardian SecureApp™-certified product can be developed by an organisation that is not 27001-certified. Mature buyers increasingly ask for both — 27001 for organisational assurance, and Guardian SecureApp™ for product-level assurance.

OWASP ASVS itself is an open standard, not a regulatory mandate, but it is widely cited and recognised across regulated sectors as the international benchmark for application security controls. When OWASP ASVS evaluation is conducted by an accredited certification body under ISO/IEC 17065, the resulting certificate carries the procedural recognition of the international accreditation infrastructure. Specific regulatory acceptability depends on the regulator and jurisdiction; we are happy to discuss your specific regulatory driver during scoping.

A typical Level 2 single-product engagement completes in 6–10 weeks from formal application to certificate issuance. Level 1 engagements are shorter (4–7 weeks), and Level 3 engagements typically run 10–16 weeks. The largest variable in the timeline is applicant responsiveness during the findings closure phase — products with prepared documentation and rapid remediation cycles complete faster than products that are not yet ready for evaluation.

Yes. Most evaluation activities can be conducted remotely (using ICT) in accordance with IAF MD 4:2025. We use secure remote access for documentation review, technical evaluation, source code review and stakeholder interviews. Some Level 3 engagements may benefit from limited on-site presence; this is determined at scoping based on the product, the deployment model and the evaluation activities.

Certificates are issued by Guardian Assessment Pvt. Ltd. and signed by an authorised Guardian signatory designated under our Certification Decision authority. The signatory is independent of the personnel who conducted the evaluation, in line with ISO/IEC 17065 Clause 7.6.

Critical and High-severity findings must be addressed for the certification to be granted. Guardian does not provide remediation advice — that would compromise our impartiality — but our findings reports are detailed and reference the relevant OWASP control where applicable, so your engineering team or any third party you engage can scope remediation. Once findings are addressed, we re-verify and proceed to the certification decision.

No — evaluator allocation is Guardian’s responsibility. However, you may declare a conflict of interest with a specific named individual (for example, a former employee), and we will honour reasonable, documented exclusion requests. Every evaluator is screened for conflicts of interest before each engagement.

Surveillance is a periodic, scheduled re-evaluation activity to confirm that a certified product continues to meet the certification criteria. It is lighter than initial certification (it is not a full re-evaluation) but rigorous enough to detect drift, regression or material changes that affect certification status. Significant changes to the product — major releases, architecture changes, breach incidents — also trigger surveillance activity outside the scheduled cycle.

You may withdraw at any time by written notice. Fees for work already performed are payable per the Certification Agreement; any prepaid fee allocated to work not yet performed is refunded. Withdrawn certificates (where one had been issued) are re-classified as withdrawn in the public directory; voluntarily cancelled applications (before any certificate was issued) do not appear in the directory at all.

Yes — for the certified product, in accordance with our Use of Mark Policy and UAF-GEN-CAB-02. The mark may be displayed on the product’s about page, in marketing collateral, in proposals, on packaging and across digital channels, but only in respect of the certified product, version and scope. Misuse — for example, claiming certification on a different product, an uncertified version, or beyond the certified scope — may result in suspension or withdrawal of the certificate.

Yes. Guardian conducts independent VAPT engagements outside the certification process, where a client wants a technical assessment without the full certification machinery. Stand-alone VAPT delivers a findings report; remediation, fix-support and post-VAPT advisory are not part of Guardian’s services. A stand-alone VAPT can later be used as input to a certification engagement, subject to scope and timing.

A Management System Certification Body (operating under ISO/IEC 17021-1) certifies management systems — for example, ISMS under ISO/IEC 27001 or QMS under ISO 9001. A Product Certification Body (operating under ISO/IEC 17065) certifies products, processes and services — including software products. Guardian is a Product Certification Body, accredited by UAF under ISO/IEC 17065. The two accreditation types are governed by different ISO standards, different IAF MLA scopes, and apply to different classes of certifications.

A normative document is the published reference against which conformity is evaluated. For Guardian SecureApp™, the principal normative documents are OWASP ASVS, OWASP Top 10, OWASP API Security Top 10 (for technical evaluation), ISO/IEC 17065 (for procedural integrity) and our own scheme document GSA-PR-01 (which translates the technical and procedural requirements into the rules of the Guardian SecureApp™ scheme).

ISO/IEC 17065 Clause 4.2 requires certification bodies to be impartial. A body that consults on a product cannot subsequently certify the same product without auditing its own work — a ‘self-review threat’ that disqualifies the body from issuing valid certificates. Guardian’s strict separation between certification and any form of advisory is what allows us to issue certificates that hold up under scrutiny.

Aggregate evaluator competence (qualifications, certifications, years of experience, scheme-specific training) is described in our scheme materials, but individual evaluator identities are not disclosed before allocation. After allocation, evaluators identify themselves to applicant points of contact for the purpose of the engagement. This balances applicant transparency with operational security and impartiality protection.

Updates to OWASP standards are reviewed by Guardian’s Technical Review Panel and, where adopted, are reflected in scheme document revisions. Existing certificates remain valid for their original cycle; recertification engagements use the current version of the scheme criteria at the time of recertification. Material changes to the standards are communicated to certified clients with appropriate transition guidance.

Our official documentation, evaluation reports and certificates are issued in English. Stakeholder interviews can be conducted in English or, where applicable, in Hindi for Indian engagements. Source documentation in other languages is acceptable provided the applicant supplies accurate English translations of key materials (architecture diagrams, threat models, policy documents).

Complaints and appeals are submitted through our Complaints & Appeals procedure at /complaints-appeals or by email to appeals@guardiansecureapp.com. Complaints are investigated independently of any personnel concerned with the underlying matter; appeals against certification decisions are heard by an independent Appeals Panel. Both processes are documented, time-bound and reportable to the Impartiality Committee.