Closed sushi2k closed 4 years ago
I'm working on this
Great! What is your current status/planning on this subject @A-AFTAHI ? We want to reshape the current OWASP wiki and this issue will have to be fixed in order to make everything a bit more consistent ^^.
Mobile-Sec-Project_Syn_MASVS.xlsx First analysis as done by @A-AFTAHI . Will be discussed upcoming tuesday in a call.
Great work @A-AFTAHI. Let me have a look at it. I might be able to join the call also.
Mobile-Sec-Project_Syn_MASVS-Sven.xlsx
Please find my feedback here. @commjoen let me know when you have the call. Cheers
Tuesday 19:00 dutch time :-)
Mobile-Sec-Project_Syn_MASVS-Sven_remarks_aftahi_jeroen.xlsx Updated feedback with @A-AFTAHI , will compile actionlist.
Thanks @commjoen for the Update!
Moved all actions to the top of the issue to track progress
@A-AFTAHI : does the current Excel cover both https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#Top_10_Mobile_Controls and https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#Secure_M-Development ?
The first version of the Excel was only based on https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#Secure_M-Development , and since the current version is based on the first one, we have to make sure that everything in https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#Top_10_Mobile_Controls is already covered. Let me check that.
Okidoki. Let me know when you have something to review which includes that, so we can extend and start executing the actions listed at https://github.com/OWASP/owasp-masvs/issues/189#issuecomment-514479515
All MSTG actions based on https://github.com/OWASP/owasp-masvs/issues/189#issuecomment-514479515 have been created. The MASVS issues can be fixed in 1 PR.
Mobile-Sec-Project_&Mobile_Top10_Syn_MASVS-Sven_remarks_aftahi_jeroen.xlsx Here is the Excel file updated with my Mobile Top 10 analysis. Please take a look at it and review my interpretations.
Mobile-Sec-Project_.Mobile_Top10_Syn_MASVS-Sven_remarks_aftahi_jeroen_version 1.xlsx Please find my comments. Which Top 10 is this? 2013? Because 2016 has different items, I believe (https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10)
You're right! In 2016 there are different items. Well, my analysis was based on the Top 10 in the link initially suggested by @sushi2k https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#Top_10_Mobile_Controls
Can you do both please? Just add a few rows and we are fine :-)
Mobile-Sec-Project_.Mobile_Top10_Syn_MASVS-Sven_remarks_aftahi_jeroen_version.2.xlsx Here is an updated version of the Excel with the Mobile Top 10 2016 analysis covered!
Thank you very much! Will review tomorrow :)
Executed all actions till step 16. Let's make sure we make issues out of each of the steps to take and then close this issue.
So https://github.com/OWASP/ASVS/issues/664 came back "won't fix". @sushi2k , @TheDauntless , @cpholguera , @A-AFTAHI : what do we do with this? Because having an RD makes sense to me. For now I have set up https://owasp.slack.com/archives/C04T40NND/p1565798928215600 as a discussion within OWASP.
Why not put a L1 requirement into V1:
A responsible disclosure policy exists that defines a communication channel to communicate identified vulnerabilities.
In the MSTG we could make a short test case, similar to https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-the-device-access-security-policy-mstg-storage-11.
We could then reference and describe, e.g. https://securitytxt.org/. The security.txt is not a standard yet, but something that is very easy to implement and gets quite some acceptance (at least in the bug bounty community).
I know you don't want to have it in the MASVS, but it's part of an application security strategy/program (like threat modeling, which we also have as a requirement).
Otherwise we could describe responsible disclosure in the MSTG and just leverage on this requirement in the MASVS:
| 1.10 | MSTG‑ARCH‑10 | Security is addressed within all parts of the software development lifecycle. | | ✓ |
Responsible Disclosure is then one way for a feedback loop for the SDLC? I know it's a bit far fetched, but then we at least don't need to touch the MASVS.
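As an added example (not code from this thread or from the MASVS/MSTG projects), a small checker for the security.txt file mentioned above. securitytxt.org was later standardised as RFC 9116, and the checks here follow that RFC: at least one Contact field, exactly one Expires field (ISO 8601 with a time zone, not in the past), and https for URL-valued fields, except that Contact may also use mailto:/tel: and Encryption may use dns:/openpgp4fpr:. The two sample files and the fixed "now" are constructed for the demonstration.

```python
"""Checker for a security.txt body (added example; not from the issue thread
or from the MASVS/MSTG projects). Rules follow RFC 9116, which is what
securitytxt.org became: at least one Contact, exactly one Expires (ISO 8601,
with a time zone, not in the past), and https for URL-valued fields except
Contact (also mailto:/tel:) and Encryption (also dns:/openpgp4fpr:).
"""
from datetime import datetime, timezone
from urllib.parse import urlparse

# Fields whose value is a URI, with the schemes RFC 9116 permits for each.
ALLOWED_SCHEMES = {
    "Contact": {"https", "mailto", "tel"},
    "Encryption": {"https", "dns", "openpgp4fpr"},
    "Acknowledgments": {"https"},
    "Canonical": {"https"},
    "Hiring": {"https"},
    "Policy": {"https"},
}

# Fixed "now" so the result of the sample check is reproducible (constructed).
FIXED_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Constructed sample files; example.com is not a real disclosure endpoint.
GOOD_SAMPLE = """\
# security.txt for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/security
Expires: 2030-01-01T00:00:00Z
Policy: https://example.com/disclosure-policy
Preferred-Languages: en, nl
"""

BAD_SAMPLE = """\
Contact: http://example.com/security
Expires: 2019-01-01T00:00:00Z
Expires: 2020-01-01T00:00:00Z
"""


def parse_security_txt(text):
    """Return {field_name: [values]} for the 'Name: value' lines.
    Comments ('#') and blank lines are skipped; a line without a colon
    is a syntax error."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'Field: value'")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problem descriptions; an empty list means it passes."""
    now = now or datetime.now(timezone.utc)
    problems = []
    fields = parse_security_txt(text)

    if not fields.get("Contact"):
        problems.append("missing required Contact field")

    expires = fields.get("Expires", [])
    if len(expires) != 1:
        problems.append(f"Expires must appear exactly once (found {len(expires)})")
    else:
        try:
            # fromisoformat() on older Pythons rejects a trailing 'Z'.
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires {expires[0]!r} is not ISO 8601")
        else:
            if when.tzinfo is None:
                problems.append("Expires must carry a time zone offset")
            elif when <= now:
                problems.append(f"Expires {expires[0]!r} is in the past; the file is stale")

    # Scheme check for every URI-valued field that is present.
    for name, schemes in ALLOWED_SCHEMES.items():
        for value in fields.get(name, []):
            scheme = urlparse(value).scheme
            if scheme not in schemes:
                problems.append(f"{name} {value!r}: scheme must be one of {sorted(schemes)}")
    return problems


if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(label, check_security_txt(sample, now=FIXED_NOW) or "OK")
```

The stale-Expires case is the one worth automating: a security.txt that was published once and never refreshed quietly stops being a trustworthy contact channel, so a check like this belongs in a scheduled job rather than a one-off review.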
You're right... If no one moves, we should be frontrunner. We could include http://disclose.io/ in the MSTG
As @TheDauntless would say: let's put it in a separate issue 👍
All issues have been created or set. We are ready to close this. Thanks @A-AFTAHI for the long haul analysis!
Check the requirements listed here and verify if covered or should be added to MASVS:
- Local offline authentication of a user towards the mobile app should leverage the APIs offered by the mobile operating system. Covered in #274
Actionlist based on Top 10 Mobile Controls:
Actionlist based on Mobile Top 10 2016: