
Add MASVS to OWASP SKF

Open sushi2k opened this issue 6 years ago • 4 comments

Hi,

we are at the moment in the process of migrating the MASVS requirements including documentation into the OWASP Security Knowledge Framework (SKF). See here for a description of SKF:

https://www.owasp.org/index.php/OWASP_Security_Knowledge_Framework

Here is the issue https://github.com/blabla1337/skf-flask/issues/461 I created at SKF. Goal is to build the MASVS into SKF by this year. First we need to provide a description and solution to each requirement. Martin Marsicano already created the first draft for it:

https://docs.google.com/document/d/1P5Ab_CKxIFCaHdXZSVj7WY-F0Utk8kK-_tKwB4ExmiE/edit?ts=5b677f32

We should be able to get most of the information out of the MSTG, so if you want to contribute have a look at the test cases in MSTG first so we are also consistent with the description and solution (https://mobile-security.gitbook.io/mobile-security-testing-guide/).

Thanks and cheers,

Sven

sushi2k avatar Aug 05 '18 23:08 sushi2k

Update: we hope to be in touch with the SKF leaders during Global Appsec Amsterdam so we can look at solutions for this item as doing this by hand will be too much work.

commjoen avatar Sep 02 '19 18:09 commjoen

I would like to help out with this effort. Is there any way I can contribute?

mpp-anasa avatar Sep 27 '19 15:09 mpp-anasa

Hi @mpp-anasa , there certainly is:

  • Please get in touch with the leaders at https://gitter.im/Security-Knowledge-Framework/Lobby
  • Check https://github.com/blabla1337/skf-flask/issues/461
  • If you run into problems or inconsistencies in the MSTG to couple material, let us know via git issues and/or Slack.

commjoen avatar Sep 27 '19 19:09 commjoen

New script for parsing the MSTG/MASVS and generating the MSTG-ID links:

https://github.com/OWASP/owasp-masvs/blob/project-integration/tools/generate_mstgid_links.py

```
## MASVS Dict ##
{
    "MSTG-NETWORK-3": [
        "https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-endpoint-identify-verification-mstg-network-3",
        "https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-3-and-mstg-network-4"
    ],
    "MSTG-NETWORK-4": [
        ...
## COVERAGE ##
MSTG-RESILIENCE-4 not covered
MSTG-RESILIENCE-5 not covered
MSTG-RESILIENCE-6 not covered
...
```

cpholguera avatar Dec 18 '19 12:12 cpholguera
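The output above shows the two things such a generator has to do: map each MSTG-ID found in an MSTG chapter heading to a GitHub deep link (file path plus the heading's anchor), and report MASVS requirements that no test case heading mentions. The script below is an added illustration of that approach, not the project's `generate_mstgid_links.py`; it works on a constructed in-memory sample of two chapter files rather than a checkout of the MSTG repository, and the anchor rule it applies (lowercase, drop punctuation other than hyphens and spaces, spaces to hyphens) is an approximation of GitHub's heading-anchor behaviour that happens to reproduce the two anchors quoted in the comment.

```python
import re
from collections import defaultdict

# Constructed sample input (not real MSTG content): file name -> markdown body,
# mimicking chapter files under the repository's Document/ directory.
SAMPLE_CHAPTERS = {
    "0x05g-Testing-Network-Communication.md": """\
## Testing Network Communication

### Testing Endpoint Identify Verification (MSTG-NETWORK-3)

Some explanatory text that is not a heading.

### Testing the TLS Settings (MSTG-NETWORK-2)
""",
    "0x06g-Testing-Network-Communication.md": """\
### Testing Custom Certificate Stores and Certificate Pinning (MSTG-NETWORK-3 and MSTG-NETWORK-4)
""",
}

# Constructed subset of MASVS requirement IDs to check coverage against.
MASVS_IDS = ["MSTG-NETWORK-2", "MSTG-NETWORK-3", "MSTG-NETWORK-4", "MSTG-RESILIENCE-4"]

BASE_URL = "https://github.com/OWASP/owasp-mstg/blob/master/Document/"

HEADING_RE = re.compile(r"^(#{1,6})\s+(.*?)\s*#*\s*$")
MSTG_ID_RE = re.compile(r"MSTG-[A-Z]+-\d+")


def github_anchor(heading):
    """Approximate GitHub's heading-to-anchor rule: lowercase the text, strip
    every character that is not a word character, hyphen or space, then
    replace spaces with hyphens."""
    text = heading.strip().lower()
    text = re.sub(r"[^\w\- ]", "", text)
    return text.replace(" ", "-")


def build_links(chapters, base_url=BASE_URL):
    """Return {MSTG-ID: [deep links]} for every heading that names one or
    more MSTG-IDs. A heading covering two IDs contributes the same link to
    both, which is exactly what the MSTG-NETWORK-3/-4 case above needs."""
    links = defaultdict(list)
    for filename, body in chapters.items():
        for line in body.splitlines():
            match = HEADING_RE.match(line)
            if not match:
                continue
            heading = match.group(2)
            ids = MSTG_ID_RE.findall(heading)
            if not ids:
                continue
            url = f"{base_url}{filename}#{github_anchor(heading)}"
            for mstg_id in ids:
                links[mstg_id].append(url)
    return dict(links)


def coverage_gaps(masvs_ids, links):
    """MASVS requirements for which no MSTG test-case heading was found."""
    return [mstg_id for mstg_id in masvs_ids if mstg_id not in links]


if __name__ == "__main__":
    import json

    links = build_links(SAMPLE_CHAPTERS)
    print("## MASVS Dict ##")
    print(json.dumps(links, indent=4))
    print("## COVERAGE ##")
    for mstg_id in coverage_gaps(MASVS_IDS, links):
        print(f"{mstg_id} not covered")
```

Pointing `build_links` at real chapter files is a matter of reading each `*.md` under `Document/` into the same `{filename: body}` shape; the coverage list is the useful review artifact, since an ID that appears in MASVS but in no MSTG heading means the SKF entry for it would have no test case to link to.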