OWASP / owasp-masvs

The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security.
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

Add MASVS to OWASP SKF #127

Open sushi2k opened 5 years ago

sushi2k commented 5 years ago

Hi,

we are at the moment in the process of migrating the MASVS requirements including documentation into the OWASP Security Knowledge Framework (SKF). See here for a description of SKF:

https://www.owasp.org/index.php/OWASP_Security_Knowledge_Framework

Here is the issue https://github.com/blabla1337/skf-flask/issues/461 I created at SKF. The goal is to build the MASVS into SKF by this year. First we need to provide a description and solution for each requirement. Martin Marsicano already created the first draft for it:

https://docs.google.com/document/d/1P5Ab_CKxIFCaHdXZSVj7WY-F0Utk8kK-_tKwB4ExmiE/edit?ts=5b677f32

We should be able to get most of the information out of the MSTG, so if you want to contribute have a look at the test cases in MSTG first so we are also consistent with the description and solution (https://mobile-security.gitbook.io/mobile-security-testing-guide/).

Thanks and cheers,

Sven

commjoen commented 4 years ago

Update: we hope to be in touch with the SKF leaders during Global Appsec Amsterdam so we can look at solutions for this item as doing this by hand will be too much work.

mpp-anasa commented 4 years ago

I would like to help out with this effort. Is there any way I can contribute?

commjoen commented 4 years ago

Hi @mpp-anasa, there certainly is:

cpholguera commented 4 years ago

New script for parsing the MSTG/MASVS and generating the MSTG-ID links:

https://github.com/OWASP/owasp-masvs/blob/project-integration/tools/generate_mstgid_links.py


```text
## MASVS Dict ##
{
    "MSTG-NETWORK-3": [
        "https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-endpoint-identify-verification-mstg-network-3",
        "https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-3-and-mstg-network-4"
    ],
    "MSTG-NETWORK-4": [
        ...
## COVERAGE ##
MSTG-RESILIENCE-4 not covered
MSTG-RESILIENCE-5 not covered
MSTG-RESILIENCE-6 not covered
...
```
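As an added illustration (not the project's generate_mstgid_links.py, whose source is not shown in this thread), the Python sketch below reproduces the idea behind that output: scan MSTG markdown headings for MSTG-IDs, build GitHub anchor links in the form seen above, and list MASVS IDs with no matching test case. The functions github_slug, build_links and uncovered, the SAMPLE_DOCS text and the MASVS_IDS list are constructed here; github_slug only approximates GitHub's heading-anchor rules.

```python
import re

# Constructed sample standing in for the MSTG Document/ tree: relative path -> markdown text
SAMPLE_DOCS = {
    "Document/0x05g-Testing-Network-Communication.md": """
# Testing Network Communication

### Testing Endpoint Identify Verification (MSTG-NETWORK-3)
Body text of the test case.
""",
    "Document/0x06g-Testing-Network-Communication.md": """
### Testing Custom Certificate Stores and Certificate Pinning (MSTG-NETWORK-3 and MSTG-NETWORK-4)
Body text of the test case.
""",
}

# Constructed subset of MASVS requirement IDs to check coverage against
MASVS_IDS = ["MSTG-NETWORK-3", "MSTG-NETWORK-4", "MSTG-RESILIENCE-4"]

MSTG_BASE = "https://github.com/OWASP/owasp-mstg/blob/master/"
ID_RE = re.compile(r"MSTG-[A-Z]+-\d+")


def github_slug(heading: str) -> str:
    """Approximate GitHub's heading anchor: lowercase, drop punctuation except '-', spaces -> '-'."""
    text = heading.strip().lower()
    text = re.sub(r"[^\w\- ]", "", text)  # strips '(', ')', ',', '.' and similar
    return text.replace(" ", "-")


def build_links(docs):
    """Map each MSTG-ID to the list of heading links (file#anchor) where it appears."""
    links = {}
    for path, text in docs.items():
        for line in text.splitlines():
            if not line.startswith("#"):
                continue  # only markdown headings carry the MSTG-ID tags
            heading = line.lstrip("#").strip()
            for mstg_id in ID_RE.findall(heading):
                links.setdefault(mstg_id, []).append(f"{MSTG_BASE}{path}#{github_slug(heading)}")
    return links


def uncovered(links, masvs_ids):
    """Return the MASVS IDs that have no MSTG test case heading referencing them."""
    return [mstg_id for mstg_id in masvs_ids if mstg_id not in links]


if __name__ == "__main__":
    found = build_links(SAMPLE_DOCS)
    print("## COVERAGE ##")
    for missing in uncovered(found, MASVS_IDS):
        print(f"{missing} not covered")
```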