Mobile application security professionals following best practices for OWASP Mobile Application Security Testing now have a new resource to enhance their efficiency. As part of a series of updates to the OWASP MASVS and OWASP MASTG, the OWASP Mobile Application Security Project recently released a new fully automated version of its OWASP Mobile Application Security Checklist with a streamlined design. The checklist eases the compliance process for meeting industry-standard requirements from early planning and development to mobile application security testing.
Mobile pen testing requires properly documenting your work and the OWASP Software Assurance Maturity Model (SAMM) and NIST both emphasize the importance of checklists. “Checklists are an essential resource in security testing,” says Carlos Holguera, a NowSecure mobile security researcher and co-leader of the OWASP Mobile Application Security Project. “If you’re conducting a pen test and cannot dive as deeply as you’d like due to time constraints or app complexity, you can expect to miss a few potential security issues. But failing to validate the controls listed on a checklist is inexcusable.”
Checklists are an essential resource in security testing. – Carlos Holguera, NowSecure
Abundant OWASP Mobile Resources
OWASP, an international non-profit organization, focuses on improving application security by giving developers and security teams the resources they need to build secure software. The foundation’s Mobile Security Project classifies mobile security risks and provides developmental controls to reduce their impact or likelihood of exploitation. (Consult the NowSecure resource, An Essential Guide to the OWASP Mobile Application Security Project, for advice about building and running a risk-based mobile application security program.)
The OWASP Mobile Application Security Project offers a trifecta of complementary resources for mobile application security: the OWASP Mobile Application Verification Standards (MASVS), the OWASP Mobile Application Security Testing Guide (MASTG) and the OWASP Mobile Application Security Testing Checklist. The three work together to promote strong mobile application security.
The MASVS outlines the definitive standard for mobile app security. Mobile app owners, architects and developers consult the MASVS to build security by design and security professionals rely on the MASVS to establish a security baseline for all mobile apps and test them consistently.
The MASVS covers eight domains that address the mobile attack surface:
- V1: Architecture, Design and Threat Modeling
- V2: Data Storage and Privacy
- V3: Cryptography
- V4: Authentication and Session Management
- V5: Network Communication
- V6: Environmental Interaction
- V7: Code Quality and Build Setting
- V8: Resiliency Against Reverse Engineering
The OWASP Mobile Application Security Testing Guide (MASTG) provides mobile application security analysts with a reference guide for mobile pen testing. The manual details Android and iOS mobile application security testing based on MASVS.
And the OWASP Mobile Application Security Checklist ties together the MASVS and the MASTG. The spreadsheet enables mobile pen testers to discard MASVS requirements that aren’t part of the application threat model, mark items with a pass or fail status and references the relevant sections of the MASTG to guide Android and iOS testing.
Zooming In On the OWASP Mobile Security Checklist
The revamped OWASP Mobile Application Security Checklist offers several enhancements. Chief among them are automation to replace a spreadsheet that previously had to be manually generated and an attractive design that reflects OWASP’s evolution and is easier to use.
“Working with Excel is not fun, but working with an ugly Excel spreadsheet is demotivating,” jokes Holguera. However, he notes that the facelift is more than simply graphics. “It reflects all the new things from the project including cleanliness, structure, reflection of Android and iOS and the interconnection of MASVS and MSTG,” he explains.
Additional features include:
- Supports 13 languages
- Unifies all MASVS categories into a single sheet
- Traceable via exact MASVS and MSTG versions and commit IDs
- Always up to date with the latest MSTG and MASVS versions
- Enables user to add more columns or sheets as needed
The above enhancements all streamline the reporting needed to demonstrate thorough mobile pen testing and gauge OWASP MASVS standards compliance. Going forward, Holguera says that automation may enable OWASP to add more elements offering useful insights. He anticipates that after the current MASVS refactoring is complete, the MSTG will also be refactored to enable the checklists to extend mapping to include more specific MSTG tests to aid compliance. OWASP invites you to submit feedback and ideas regarding the checklists to the project’s GitHub Discussions section.
At NowSecure Connect 2021, Holguera and fellow OWASP Mobile Application Security Project Co-leader Sven Schleier of F-Secure offered a preview of some of the group’s ongoing work to refactor MASVS and more closely align MASVS and MASTG resources to advance mobile application security testing practices. You can watch the on-demand session replay by registering here.
“We at the OWASP Mobile Application Security Project are continuously improving our standard and underlying processes to offer you new ways to interact with the MASVS and the MASTG to make your compliance efforts as efficient as possible,” says Holguera. He invites you to monitor and participate in current refactoring efforts.
NowSecure Supports OWASP
NowSecure proudly supports the OWASP Mobile Application Security Project by dedicating staff to the evolution of the standards specification. The NowSecure team continues to make substantial contributions to OWASP MASVS and MASTG and also serves as an OWASP God Mode sponsor.
