Closed muellerberndt closed 7 years ago
When I was adding this requirement to the MASVS I was only thinking about syncing data on the OS level, meaning backups to the Google/iOS cloud, and I still think that this should be a test case on its own.
We could simply add one word to the requirement to make it more clear:
2.3 No sensitive data is synced with platform cloud storage.
I would not extend this test case to all other kinds of clouds, as they are needed by the App to work properly, and it's also more secure to store sensitive data in the cloud than on the local device. Checking the communication to third parties for sensitive data (through the usage of libraries) is also covered in:
2.4 No sensitive data is sent to third parties.
If you guys agree, I would also not change the test case in the MSTG.
I will have a detailed look at Issue 75 next week at the latest. Thanks
As far as I can see in the test case this only pertains to backup to cloud storage (through platform mechanisms). Isn't this then already covered by 2.9 - "No sensitive data is included in backups"? The test case also appears to check only for the allowBackup="true" attribute?
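As an added illustration of the point raised above about the test case only looking at `allowBackup="true"` (this is example code written for this page, not part of the MSTG/MASVS or any tool the project ships): the Python below parses an `AndroidManifest.xml` and reports the backup posture, including the two cases a simple `allowBackup="true"` grep misses, namely that the attribute defaults to true when absent, and that an app which permits backups but declares no `android:fullBackupContent` / `android:dataExtractionRules` file rules backs up its whole data directory. The sample manifests are constructed for the example and do not describe any real app.

```python
"""Report the backup-related settings declared in an AndroidManifest.xml.

Added example for the MASVS/MSTG backup discussion; not project code.
Attributes checked are real Android manifest attributes:
  - android:allowBackup defaults to true when absent.
  - android:fullBackupContent (API 23+) and android:dataExtractionRules
    (API 31+) reference XML include/exclude rules; without either, every
    file under the app's data directory is eligible for backup.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def check_backup_settings(manifest_xml):
    """Return a dict with the effective allowBackup value, the rule files
    referenced (if any) and a list of human-readable findings."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")

    raw = android_attr(app, "allowBackup")
    # Absent attribute means backups are allowed (platform default is true).
    allow_backup = raw is None or raw.strip().lower() == "true"
    rules = android_attr(app, "fullBackupContent")
    extraction_rules = android_attr(app, "dataExtractionRules")

    findings = []
    if raw is None:
        findings.append("android:allowBackup is absent; it defaults to true, "
                        "so app data is eligible for backup")
    elif allow_backup:
        findings.append('android:allowBackup="true": app data is eligible '
                        "for backup")
    if allow_backup and rules is None and extraction_rules is None:
        findings.append("no fullBackupContent/dataExtractionRules: all files "
                        "in the app data directory are backed up by default")

    return {
        "allow_backup": allow_backup,
        "full_backup_content": rules,
        "data_extraction_rules": extraction_rules,
        "findings": findings,
    }


# Constructed sample manifests (hypothetical package names, not real apps).
MANIFEST_ALLOWS_BACKUP = """<manifest xmlns:android="%s" package="com.example.a">
  <application android:allowBackup="true" android:label="A"/>
</manifest>""" % ANDROID_NS

MANIFEST_OMITS_ATTRIBUTE = """<manifest xmlns:android="%s" package="com.example.b">
  <application android:label="B"/>
</manifest>""" % ANDROID_NS

MANIFEST_DISABLES_BACKUP = """<manifest xmlns:android="%s" package="com.example.c">
  <application android:allowBackup="false" android:label="C"/>
</manifest>""" % ANDROID_NS

MANIFEST_WITH_RULES = """<manifest xmlns:android="%s" package="com.example.d">
  <application android:allowBackup="true"
               android:fullBackupContent="@xml/backup_rules"
               android:label="D"/>
</manifest>""" % ANDROID_NS


if __name__ == "__main__":
    for name, xml in [("allows", MANIFEST_ALLOWS_BACKUP),
                      ("omits", MANIFEST_OMITS_ATTRIBUTE),
                      ("disables", MANIFEST_DISABLES_BACKUP),
                      ("rules", MANIFEST_WITH_RULES)]:
        result = check_backup_settings(xml)
        print(name, result["allow_backup"], result["findings"])
```

The "omits" case is the one to watch during a review: a manifest with no `allowBackup` at all passes a naive `allowBackup="true"` check yet still has backups enabled. Whether a rules file actually excludes the sensitive files is a separate check against the referenced XML resource, which this example does not perform.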
You are right. I will merge this. Makes no sense to have two separate test cases for this.
Alright, so we only need the "backup" requirement then? So I'll remove this entirely from the MASVS.
Ok
Will update the MSTG test cases soon so they are aligned with MASVS. Will close this now.
Hi guys,
Here's an issue for discussion - see also MASVS issue #75.
OMTG-DATAST-003: Test for Sensitive Data in Cloud Storage
This only talks about backup to the cloud via the default OS facilities. However the requirement in the MASVS is "No sensitive data is synced with cloud storage", which pertains to any form of cloud storage. We should probably do two things:
Make the requirement more specific in the MASVS. It doesn't make sense to forbid all kinds of cloud storage? Are we talking about third-party clouds like AWS, or about what exactly?
Adapt the test case in the MSTG to fit the revised requirement.
There are a couple of other requirements that we need to review; please have a look at the remaining feedback in MASVS issue #75 as well @sushi2k @litsnarf