- Hi @sydseter! This is an excellent idea, please go for it. Maybe after including the MASVS, the MASWE can follow. About the MASTG Tests: I'd only link the version 2 ones, the ones starting at MASTG-TEST-0200 and above. The V1 tests can be considered all deprecated and it makes no sense to add them to any mappings. The new tests are all reviewed and up to date. Thank you so much for this!
- I would love it if MASVS and MASTG were available from OpenCRE so that it is possible to link, for example, the threat cards from the OWASP Cornucopia Mobile App Edition to the MASVS and MASTG requirements and tests through OpenCRE.
See as an example what has been done for ASVS:
https://opencre.org/node/standard/ASVS/sectionId/V2.10.4
and from the OWASP Cornucopia API:
http://cornucopia.owasp.org/api/cre/webapp/en
This allows ASVS to be linked to other standards like this: https://opencre.org/cre/774-888
The purpose behind this is to be able to combine the process of mobile application security requirement analysis according to ISO 27002 8.26 on application security requirements (https://www.isms.online/iso-27002/control-8-26-application-security-requirements/) with the process of doing threat modeling according to ISO 27002 8.28 on secure coding (https://hightable.io/iso-27002/control-8-28-secure-coding/).
Let's say, e.g., that you are doing threat modeling through OWASP Cornucopia: you play a card that you find applicable and it scores during the game. You add the card to your OWASP Threat Dragon model, but then you wonder: what are the application security requirements, appropriate standards and MASTG tests applicable to the threat I have identified? If all of this information were linked through OpenCRE, then by selecting the appropriate card from OWASP Threat Dragon you could also get up-to-date information about which MASVS requirements apply, how these relate e.g. to MASTG tests, and which other standards you probably should look at in order to mitigate the threat.
There is also a large range of other benefits.
What I wonder is whether it would be ok to use e.g.:
https://mas.owasp.org/MASVS/controls/MASVS-CRYPTO-1/
as a link in OpenCRE or whether you would prefer to use:
https://github.com/OWASP/owasp-masvs/blob/v2.1.0/controls/MASVS-CRYPTO-2.md
I can ensure the MASVS requirements and MASTG tests are imported and maintained in OpenCRE.
I just want to make sure that you are ok with this and whether you have any preferences as to how you would like to see this maintained.
The process for contributing to OpenCRE is documented here: https://github.com/OWASP/OpenCRE/blob/main/docs/CONTRIBUTING.md