
Where can I find detailed explanations of the MASVS-IDs? #690

Open
faithfracture opened this issue Feb 3, 2023 · 1 comment

Comments

@faithfracture

I am having trouble, especially with the new MASVS checklist, finding what exactly is expected to be verified for each MASVS-ID. In the previous checklist there were MANY clickable links that would redirect to relevant documentation. The new checklist does have some of these, but a lot are missing. Also, many of the MASVS-IDs don't correlate to anything searchable on the OWASP website. MSTG-ARCH-11, as one example (of many).

How can I determine what exactly MSTG-ARCH-11 is referring to? The "Detailed Verification Requirement" (for MSTG-ARCH-11 it is "A responsible disclosure policy is in place and effectively applied.") is vague, at best (disclosure of what? What needs to be disclosed? Applied where and in what way?).

A person with intimate familiarity with the MASTG and MASVS might be able to read a description and know "oh, that's from this part of the MASTG", but that isn't very helpful for someone new to the process. If I am to train a new employee on how to perform a security audit of our mobile apps, they shouldn't have to first become intimately familiar with the MASTG before being able to do so. It would be much more helpful if the checklist contained (more) helpful links (say, from each MASVS-ID to some relevant part of the MASTG/MASVS).

Did I miss something in the new checklist? Am I missing something on the main OWASP MAS website?

@sushi2k
Collaborator

sushi2k commented Feb 6, 2023

Hi @faithfracture. Thanks for reaching out. The requirement you are referring to is a long-lasting issue of the whole domain "V1: Architecture, Design and Threat Modeling Requirements". Almost all of the requirements in this domain cannot be verified during a normal penetration test, but are to be considered more as building security in from the start; they are usually bigger than just the mobile app and address the SDLC or security as a whole in an enterprise. This domain is also proposed to be removed in the new V2.0 of the MASVS.

For V1 you will therefore not find any technical descriptions in the MASTG, as there is not much to test from a pentester's perspective.

For all other categories you will find test cases in the MASTG, and they are also linked in the checklists: https://github.com/OWASP/owasp-mastg/releases
