blabla1337 / skf-flask

Security Knowledge Framework (SKF) Python Flask / Angular project
https://www.securityknowledgeframework.org
Apache License 2.0

Mobile AppSec Verification Standard (MASVS) #461

Closed. sushi2k closed this 2 years ago

sushi2k commented 6 years ago

Hey guys,

I am the project leader for the MASVS and I found out about the SKF project only a few weeks back, and it's amazing. Thanks for creating and sharing it under the umbrella of OWASP.

I saw that the requirements of the MASVS are already available in the checklist directory (skf-flask/skf/markdown/checklists/masvs) and can also be listed and accessed in the Checklist function of SKF.

Do you guys already have it on the roadmap to also add the MASVS when creating a project? At the moment only ASVS is available. I would be happy to assist with this as well, for example with the questions in "Pre development settings" or "Configure this sprint", as they would need to be adjusted for mobile.

Thanks and cheers,

Sven

blabla1337 commented 6 years ago

Hi Sven,

Aah, nice to meet you, and great work with the MASVS; it's one of our favourite projects together with ASVS ;)

Correct, we and also @martinmarsicano already put some bits of the MASVS in SKF, but we still need to work it out a bit more. Yeah, the idea is to do the same as we have done with the ASVS. This means that we will create Knowledge base items and also a MASVS process with the questions. For this I need to modify the API a bit, but it's planned to be done this year and have the whole MASVS incorporated in SKF.

Well, all help is welcome of course, and it would speed up the work a lot. We could use help with correct questions, around +/- 20 of them, that will cover all the MASVS controls. So it's a challenge to come up with good questions that can do this :)

Can you maybe create a draft for this that we could use to work with?

Also, thanks for reaching out and for your kind words!

Kind regards, Glenn

martinmarsicano commented 6 years ago

Hi all,

I just created a Google Document for completing the MASVS requirements information (description and solution): https://drive.google.com/open?id=1P5Ab_CKxIFCaHdXZSVj7WY-F0Utk8kK-_tKwB4ExmiE The document is restricted to OWASP.org members; anyone else who wants to help must provide an email address so we can give them access (I made the three of us file admins). It would be great if you two could publish it on each project's chat (Sven on OMTG's Slack, and Glenn on SKF's Gitter).

After that I can put it in the corresponding files and then think about the questions part.

Greetings Martín

sushi2k commented 6 years ago

Hi Glenn,

That's great to hear. Then let's make it happen :-)

Hi Martin,

That's great. I have access to the document. I will start this week to get the first few items in and also publish it in our Slack channel.

Thanks for the initial draft!

commjoen commented 5 years ago

Hi guys! How are things going? Do you require any assistance?

blabla1337 commented 5 years ago

Hi Jeroen,

Well, we started the document, but as you can see it requires a lot more work before we can also include the MASVS checklist in the SKF framework. Normally we have, for every security requirement / control, a detailed Knowledge base item that explains the attack vector / problem in the description and, in the solution part, the approach and guidance for the developer on how to proceed with this requirement / control.

If you would like to chip in, please do, as we really miss the mobile security requirements part in SKF at the moment.

Let me know if you have questions or if there is anything I can do for you. Please join our Gitter channel to have a chat with one of us :)

https://gitter.im/Security-Knowledge-Framework/Lobby

Kind regards, Glenn

commjoen commented 5 years ago

Hi Glenn, right now we strive to cover the MASVS by means of the MSTG in terms of what needs to be validated/improved. Possible risks/attack vectors are being covered by the ongoing mobile risk project at https://github.com/OWASP/Mobile-Threatmodel; we hope to see that flourish soon 👍. Is there a possibility to use OWASP Slack? I am often not on Gitter and miss/forget about any notifications there, which means I often try to move to a more centralized way of chatting. Sorry about that...

With kind regards, Jeroen

commjoen commented 5 years ago

Hi guys! Great chat today, thanks! Please let us know what we might have to do to make the test cases more consistent so it becomes easier to link to them from the SKF. MASVS 1.1.4 should be stable ground in terms of requirements for now.

With kind regards, Jeroen

blabla1337 commented 2 years ago

MASVS was implemented in the SKF project a while ago; closing this ticket.