OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

[Bug] The MASTG v1.6 does not have a unique identifier for each test #2412

Closed gand3lf closed 1 week ago

gand3lf commented 1 year ago

The tests described in the new MASTG v1.6 do not have a unique identifier associated. In other words, the only way to refer to a MASTG test is through its title. Will you provide unique identifiers for the future "atomic" version of the tests?

cpholguera commented 1 year ago

Hi @gand3lf, the topic of IDs has always been a bit confusing. Let me try to summarize it for you.

The MASTG tests never had IDs. In v1.5.0 and below, you could see the title and some IDs in parentheses, something like "Testing Permissions (MSTG-PLATFORM-1)". However, despite the MSTG- prefix, these IDs were not MASTG IDs. They were MASVS IDs.

In MASVS v2, we've fixed the MASVS IDs to start with MASVS. We've also put them in separate files so you can use hard links to point to them. For example:

https://mas.owasp.org/MASVS/controls/MASVS-STORAGE-1/

or

https://github.com/OWASP/owasp-masvs/blob/v2.0.0/controls/MASVS-STORAGE-1.md

In MASTG v2 we'd like to introduce MASTG test IDs as a new feature so that you can refer to them individually as well.

Thanks for the feedback. It's very nice to know that the community appreciates this new feature!

gand3lf commented 1 year ago

Hi @cpholguera, thank you for the fast and complete reply. I can confirm that this feature will be really appreciated by me and some of my colleagues. We are working on a project whose purpose is to cover some MASTG tests, and for us it will be a real improvement to have an ID for each test. In any case, do you have an idea about the release date of the MASTG v2?

cpholguera commented 1 year ago

We do not have a specific release date, as this will be a gradual process. We'll release an RFC with a preliminary list of test titles and their corresponding profiles (formerly known as levels).

After the RFC, we'll consolidate the list and open GitHub issues.

The idea is to work with the existing MASTG tests first and split them into the corresponding items from this list. That will be version 2.0.0. After that, we'll work on the rest of the items on the list.

As you can imagine, we're going to need a lot of help. Would you and your team like to get involved?

gand3lf commented 1 year ago

Unfortunately, I'm not able to join this project since I have a lot of work to do. But I will follow the updates about this project with the hope of being able to help you in the future. Thank you for the useful info :+1:

cpholguera commented 1 week ago

Both the MASTG V1 and V2 (Beta) have unique identifiers now.

V1: MASTG-TEST-0001 to MASTG-TEST-0199

V2: MASTG-TEST-0200 to MASTG-TEST-0***