From 64a46d6ed95be371b0337e0868f8ca7ae7db2491 Mon Sep 17 00:00:00 2001 From: Carlos Holguera Date: Thu, 18 Jan 2024 11:32:32 +0100 Subject: [PATCH] other additions and corrections --- Document/03-Using_the_MASVS.md | 5 +++-- Document/04-Assessment_and_Certification.md | 7 +++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/Document/03-Using_the_MASVS.md b/Document/03-Using_the_MASVS.md index 747fff4e0..087e67850 100644 --- a/Document/03-Using_the_MASVS.md +++ b/Document/03-Using_the_MASVS.md 
@@ -19,12 +19,13 @@ The standard is divided into various groups that represent the most critical are - **MASVS-PLATFORM:** Secure interaction with the underlying mobile platform and other installed apps. - **MASVS-CODE:** Security best practices for data processing and keeping the app up-to-date. - **MASVS-RESILIENCE:** Resilience to reverse engineering and tampering attempts. +- **MASVS-PRIVACY:** Privacy controls to protect user privacy. Each of these control groups contains individual controls labeled **MASVS-XXXXX-Y**, which provide specific guidance on the particular security measures that need to be implemented to meet the standard. -## Mobile Application Security Profiles +## MAS Testing Profiles -The MAS project has traditionally provided three verification levels (L1, L2 and R), which were revisited during the MASVS refactoring in 2023, and have been reworked as "security testing profiles" and moved over to the OWASP MASTG. These profiles are now aligned with the [NIST OSCAL (Open Security Controls Assessment Language)](https://pages.nist.gov/OSCAL/) standard, which is a comprehensive catalog of security controls that can be used to secure information systems. +The MAS project has traditionally provided three verification levels (L1, L2 and R), which were revisited during the MASVS refactoring in 2023, and have been reworked as ["MAS Testing Profiles"](https://docs.google.com/document/d/1paz7dxKXHzAC9MN7Mnln1JiZwBNyg7Gs364AJ6KudEs/edit?usp=sharing) and moved over to the OWASP MASTG. These profiles are now aligned with the [NIST OSCAL (Open Security Controls Assessment Language)](https://pages.nist.gov/OSCAL/) standard, which is a comprehensive catalog of security controls that can be used to secure information systems. By aligning with OSCAL, the MASVS provides a more flexible and comprehensive approach to security testing. 
OSCAL provides a standard format for security control information, which allows for easier sharing and reuse of security controls across different systems and organizations. This allows for a more efficient use of resources and a more targeted approach to mobile app security testing. diff --git a/Document/04-Assessment_and_Certification.md b/Document/04-Assessment_and_Certification.md index c8a81ea13..75ef9db8c 100644 --- a/Document/04-Assessment_and_Certification.md +++ b/Document/04-Assessment_and_Certification.md 
@@ -18,9 +18,12 @@ A certifying organization must include in any report the scope of the verificati ### Using the OWASP Mobile Application Security Testing Guide (MASTG) -The OWASP MASTG is a manual for testing the security of mobile apps. It describes the technical processes for verifying the controls listed in the MASVS. The MASTG includes a list of test cases, each of which map to a control in the MASVS. While the MASVS controls are high-level and generic, the MASTG provides in-depth recommendations and testing procedures on a per-mobile-OS basis. +The [OWASP MASTG](https://mas.owasp.org/MASTG/) is a manual for testing the security of mobile apps. It describes the technical processes for verifying the controls listed in the MASVS. The MASTG includes a list of test cases, each of which map to a control in the MASVS. While the MASVS controls are high-level and generic, the MASTG provides in-depth recommendations and testing procedures on a per-mobile-OS basis. -Testing the app's remote endpoints is not covered in the MASTG. The [OWASP Web Security Testing Guide (WSTG)](https://owasp.org/www-project-web-security-testing-guide/) is a comprehensive guide with detailed technical explanation and guidance for testing the security of web applications and web services holistically and can be used in addition to other relevant resources to complement the mobile app security testing exercise. +Testing the app's remote endpoints is not covered in the MASTG. For example: + +- **Remote Endpoints**: The [OWASP Web Security Testing Guide (WSTG)](https://owasp.org/www-project-web-security-testing-guide/) is a comprehensive guide with detailed technical explanation and guidance for testing the security of web applications and web services holistically and can be used in addition to other relevant resources to complement the mobile app security testing exercise. 
+- **Internet of Things (IoT)**: The [OWASP IoT Security Testing Guide (ISTG)](https://owasp.org/owasp-istg/) provides a comprehensive methodology for penetration tests in the IoT field offering flexibility to adapt innovations and developments on the IoT market while still ensuring comparability of test results. The guide provides an understanding of communication between manufacturers and operators of IoT devices as well as penetration testing teams that's facilitated by establishing a common terminology. ### The Role of Automated Security Testing Tools
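Review bot: In the 03-Using_the_MASVS.md hunk, the new "MAS Testing Profiles" paragraph links the profiles to a docs.google.com share URL while the same sentence says they were "moved over to the OWASP MASTG"; a shared Google Doc is not a stable reference for a published standard and is likely to be rotated or made private, so link the MASTG page that hosts the profiles instead (or keep the Google Doc only as a temporary note). Two smaller points in the same hunk: the heading rename from "Mobile Application Security Profiles" to "MAS Testing Profiles" changes the generated anchor, so any cross-reference to the old anchor in the other chapters should be updated in this PR; and the added sentence describing OSCAL as "a comprehensive catalog of security controls" conflicts with the unchanged context line right below it ("OSCAL provides a standard format for security control information"), so the new text should say OSCAL is a format for expressing control catalogs rather than a catalog itself. The new bullet "MASVS-PRIVACY: Privacy controls to protect user privacy" is circular compared with the other group descriptions; one concrete phrase (e.g. data minimization, transparency, user control over collected data) would match their level of detail.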
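Review bot: In the 04-Assessment_and_Certification.md hunk, the retained lead sentence "Testing the app's remote endpoints is not covered in the MASTG. For example:" no longer fits the list it introduces, because the second bullet is about IoT devices, not remote endpoints; broaden the sentence to something like "Testing components outside the mobile app itself, such as its remote endpoints or connected IoT devices, is not covered in the MASTG. Other OWASP guides apply there, for example:". The added ISTG bullet also has a hard-to-parse second sentence ("provides an understanding of communication between manufacturers and operators ... that's facilitated by establishing a common terminology"); it reads better split, e.g. "The guide establishes a common terminology that eases communication between manufacturers, operators and penetration testing teams." Finally, the MASTG paragraph kept the pre-existing grammar slip "each of which map to a control" (should be "maps"); since the line is being touched anyway, fix it here.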