Open commjoen opened 5 years ago
Can be derived at:
| **4.10** | MSTG‑AUTH‑10 | Sensitive transactions require step-up authentication. | | ✓ |
but misses actual non-repudiation: see https://github.com/OWASP/owasp-masvs/issues/286
As OWASP/owasp-masvs#286 is closed: let's have a look at protected confirmation if it makes sense to be part of something; otherwise close.
Actually maybe we can relate here to:
| **4.10** | MSTG‑AUTH‑10 | Sensitive transactions require step-up authentication. | | ✓ |
and change it to be:
| **4.10** | MSTG‑AUTH‑10 | Sensitive transactions are properly confirmed at the client side (using at least security features offered by the OS) and authenticated at the remote endpoint (step-up authentication). | | ✓ |
or shorter:
| **4.10** | MSTG‑AUTH‑10 | Sensitive transactions are properly secured between the client and the remote endpoint. | | ✓ |
In the MSTG explain:
A new security feature, Android Protected Confirmation, has arrived in Android P. This can help with non-repudiation and alike. Time to start a write up about it and see how we can best relate this to the (M)ASVS. https://developer.android.com/preview/features/security We can update local authentication and then see how we can formalize the reasoning for non-repudiation in both the MASVS and MSTG. Note: we will need an issue at the MASVS in which non-repudiation is covered for med/high risk transactions/actions (including privacy, financial, etc.).
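As an added illustration of the mechanism discussed in this thread (not code from the MSTG, the MASVS or the issue's authors), the sketch below shows how an app could tie a sensitive transaction to Android Protected Confirmation: the user approves the transaction in the OS-controlled prompt, and a keystore key that is only usable after such a confirmation signs exactly the bytes the user approved, giving the remote endpoint something to verify. It assumes API level 28+ on a device that supports Protected Confirmation; the key alias and the `onSigned` callback shape are invented for the example.

```java
import android.content.Context;
import android.security.ConfirmationCallback;
import android.security.ConfirmationPrompt;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.*;
import java.util.concurrent.Executor;
import java.util.function.BiConsumer;
// Added example, not project code. Assumes API 28+ and a device that supports
// Protected Confirmation; KEY_ALIAS and the callback shape are made up here.
public class ProtectedConfirmationSigner {
    private static final String KEY_ALIAS = "txn_confirmation_key";
    // One-time setup: an EC signing key the keystore will only use after the
    // user has confirmed a Protected Confirmation prompt.
    public static void generateConfirmationKey() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(KEY_ALIAS, KeyProperties.PURPOSE_SIGN)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setUserConfirmationRequired(true)
                .build());
        kpg.generateKeyPair();
    }
    // Shows the OS-controlled prompt; on confirmation, signs exactly the bytes the OS
    // assembled from what the user saw. Dismissal, cancel and error yield no signature.
    public static void confirmAndSign(Context ctx, String promptText, byte[] extraData,
                                      Executor executor, BiConsumer<byte[], byte[]> onSigned)
            throws Exception {
        if (!ConfirmationPrompt.isSupported(ctx)) {
            throw new UnsupportedOperationException("Protected Confirmation not available");
        }
        ConfirmationPrompt prompt = new ConfirmationPrompt.Builder(ctx)
                .setPromptText(promptText).setExtraData(extraData).build();
        prompt.presentPrompt(executor, new ConfirmationCallback() {
            @Override public void onConfirmed(byte[] dataThatWasConfirmed) {
                try {
                    KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
                    ks.load(null);
                    Signature sig = Signature.getInstance("SHA256withECDSA");
                    sig.initSign((PrivateKey) ks.getKey(KEY_ALIAS, null));
                    sig.update(dataThatWasConfirmed);
                    onSigned.accept(dataThatWasConfirmed, sig.sign());
                } catch (Exception e) { onSigned.accept(null, null); }
            }
            @Override public void onDismissed() { onSigned.accept(null, null); }
            @Override public void onCanceled() { onSigned.accept(null, null); }
            @Override public void onError(Throwable e) { onSigned.accept(null, null); }
        });
    }
}
```

The remote endpoint should verify the signature against the public key it enrolled earlier and parse `dataThatWasConfirmed` itself to check that the approved prompt text and extra data match the transaction it is about to execute, rather than trusting any separately transmitted transaction fields.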