OWASP / owasp-masvs

The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security.
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

Where can I find detailed explanations of the MASVS-IDs? #690

Open faithfracture opened 1 year ago

faithfracture commented 1 year ago

I am having trouble, especially with the new MASVS checklist, finding what exactly is expected to be verified for each MASVS-ID. In the previous checklist there were MANY clickable links that would redirect to relevant documentation. The new checklist does have some of these, but a lot are missing. Also, many of the MASVS-IDs don't correlate to anything searchable on the OWASP website. MTSG-ARCH-11, as one example (of many).

How can I determine what exactly MTSG-ARCH-11 is referring to? The "Detailed Verification Requirement" (for MTSG-ARCH-11 it is "A responsible disclosure policy is in place and effectively applied.") is vague, at best (disclosure of what? What needs to be disclosed? Applied where and in what way?).

A person with intimate familiarity with the MASTG and MASVS might be able to read a description and know "oh, that's from this part of the MASTG", but that isn't very helpful for someone new to the process. If I am to train a new employee on how to perform a security audit of our mobile apps, they shouldn't have to first become intimately familiar with the MASTG before being able to do so. It would be much more helpful if the checklist contained (more) helpful links (say, from each MASVS-ID to some relevant part of the MASTG/MASVS).

Did I miss something in the new checklist? Am I missing something on the main OWASP MAS website?

sushi2k commented 1 year ago

Hi @faithfracture. Thanks for reaching out. The requirement you are referring to is a long-lasting issue of the whole domain "V1: Architecture, Design and Threat Modeling Requirements". Almost all of the requirements in this domain cannot be verified during a normal penetration test, but are to be considered more as building security in from the start; they are usually bigger than just the mobile app and address the SDLC or security as a whole in an enterprise. This domain is also proposed to be removed in the new V2.0 of the MASVS.

For V1 you will therefore not find any technical descriptions in the MASTG, as there is not much to test from a pentester's perspective.

For all other categories you will find test cases in the MASTG, and they are also linked in the checklists: https://github.com/OWASP/owasp-mastg/releases