Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Additional CWE mappings to MASWE #2858

Open
cpholguera opened this issue Aug 2, 2024 Discussed in #2857 · 1 comment
Open

Add Additional CWE mappings to MASWE #2858

cpholguera opened this issue Aug 2, 2024 Discussed in #2857 · 1 comment
Assignees

Comments

@cpholguera
Copy link
Collaborator

MASWE supports CWE mappings already:

https://github.com/search?q=repo%3AOWASP%2Fowasp-mastg%20%22cwe%3A%22&type=code

For example, in MASWE-0041:

mappings:
  masvs-v1: [MSTG-AUTH-1]
  masvs-v2: [MASVS-AUTH-2]
  cwe: [603, 307, 287]

Review the suggestions below and add the remaining missing mappings to the rest of the MASWE.

Discussed in #2857

Originally posted by poffo-mobisec August 2, 2024
I love the introduction of Weaknesses in mobile security. It was missing and it is brilliant. But let's go straight to the point.

Nowadays most of enterprises have standardized systems and works with CWE.
Have you considered relate each MASWE to a CWE, to ease the risk management and company integration?

I think this could give a lot of extra value to the project, allowing MASWE to be very specific on mobile weaknesses but at the same time bring compatibility with nowadays market.

THE FOLLOWING CONTENT IS AI-GENERATED, so this work would absolutlely need a check, but it gives the idea of the result:

MASWE ID MASWE Title Relevant CWE ID CWE Title
MASWE-0001 Insertion of Sensitive Data into Logs CWE-532 Insertion of Sensitive Information into Log File
MASWE-0002 Sensitive Data Stored With Insufficient Access Restrictions CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
MASWE-0003 Sensitive Data Remains in App Backups CWE-212 Improper Cross-boundary Removal of Sensitive Data
MASWE-0004 Unencrypted Sensitive Data Stored in Non-Volatile Memory CWE-311 Missing Encryption of Sensitive Data
MASWE-0005 Insecure Data Storage in Shared Preferences CWE-922 Insecure Storage of Sensitive Information
MASWE-0006 Insecure Data Storage in SQL Databases CWE-312 Cleartext Storage of Sensitive Information
MASWE-0007 Insecure Data Storage in External Storage CWE-922 Insecure Storage of Sensitive Information
MASWE-0008 Insecure Data Storage in Cloud Services CWE-256 Unprotected Storage of Credentials
MASWE-0009 Insecure Data Storage in Cache CWE-922 Insecure Storage of Sensitive Information
MASWE-0010 Insecure Data Storage in Clipboard CWE-532 Insertion of Sensitive Information into Log File
MASWE-0011 Sensitive Data in Application Memory CWE-226 Sensitive Information in Data Storage Element
MASWE-0012 Sensitive Data in System Logs CWE-532 Insertion of Sensitive Information into Log File
MASWE-0013 Sensitive Data in Browser Cache CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
MASWE-0014 Sensitive Data in WebView CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
MASWE-0015 Sensitive Data in URL CWE-598 Use of GET Request Method with Sensitive Query Strings
MASWE-0016 Lack of Data Protection During Transmission CWE-319 Cleartext Transmission of Sensitive Information
MASWE-0017 Insecure Use of Cryptography CWE-327 Use of a Broken or Risky Cryptographic Algorithm
MASWE-0018 Insecure Random Number Generation CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
MASWE-0019 Missing Integrity Checks on Sensitive Data CWE-354 Improper Validation of Integrity Check Value
MASWE-0020 Missing Confidentiality Protections CWE-311 Missing Encryption of Sensitive Data
MASWE-0021 Sensitive Data in Logs CWE-532 Insertion of Sensitive Information into Log File
MASWE-0022 Missing Security Controls for Sensitive Data CWE-284 Improper Access Control
MASWE-0023 Insecure Use of Hashing CWE-327 Use of a Broken or Risky Cryptographic Algorithm
MASWE-0024 Unsecured External Communication CWE-319 Cleartext Transmission of Sensitive Information
MASWE-0025 Insecure Data Storage in Memory CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
MASWE-0026 Sensitive Data in Third-Party Services CWE-295 Improper Certificate Validation
MASWE-0027 Insecure Data Transmission Using SMS CWE-319 Cleartext Transmission of Sensitive Information
MASWE-0028 Sensitive Data in Keyboard Cache CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
MASWE-0029 Insecure Data Storage in Keychain CWE-312 Cleartext Storage of Sensitive Information
MASWE-0030 Insecure Data Storage in Shared Directory CWE-922 Insecure Storage of Sensitive Information
MASWE-0031 Insecure Data Storage in Logs CWE-532 Insertion of Sensitive Information into Log File
MASWE-0032 Insecure Data Storage in Debugging Information CWE-532 Insertion of Sensitive Information into Log File
MASWE-0033 Insecure Data Storage in Crash Reports CWE-532 Insertion of Sensitive Information into Log File
MASWE-0034 Insecure Data Storage in System Logs CWE-532 Insertion of Sensitive Information into Log File
MASWE-0035 Insecure Data Storage in Third-Party Components CWE-295 Improper Certificate Validation
MASWE-0036 Insecure Data Storage in Cloud Storage CWE-256 Unprotected Storage of Credentials
MASWE-0037 Insecure Data Storage in App Sandboxes CWE-922 Insecure Storage of Sensitive Information
MASWE-0038 Insecure Data Storage in Cookie Storage CWE-315 Cleartext Storage of Sensitive Information in a Cookie
MASWE-0039 Insecure Data Storage in Web Storage CWE-922 Insecure Storage of Sensitive Information
MASWE-0040 Insecure Data Storage in IndexedDB CWE-922 Insecure Storage of Sensitive Information
MASWE-0041 Insecure Data Storage in LocalStorage CWE-922 Insecure Storage of Sensitive Information
MASWE-0042 Insecure Data Storage in SessionStorage CWE-922 Insecure Storage of Sensitive Information
MASWE-0043 Insecure Data Storage in FileSystem API CWE-922 Insecure Storage of Sensitive Information
MASWE-0044 Insecure Data Storage in App Bundle CWE-312 Cleartext Storage of Sensitive Information
MASWE-0045 Insecure Data Storage in Application Data CWE-922 Insecure Storage of Sensitive Information
MASWE-0046 Insecure Data Storage in Application Code CWE-312 Cleartext Storage of Sensitive Information
MASWE-0047 Insecure Data Storage in System Services CWE-922 Insecure Storage of Sensitive Information
MASWE-0048 Insecure Data Storage in App Configuration CWE-312 Cleartext Storage of Sensitive Information
MASWE-0049 Insecure Data Storage in Environment Variables CWE-312 Cleartext Storage of Sensitive Information
MASWE-0050 Insecure Data Storage in Shared Objects CWE-922 Insecure Storage of Sensitive Information
MASWE-0051 Insecure Data Storage in Shared Libraries CWE-922 Insecure Storage of Sensitive Information
MASWE-0052 Insecure Data Storage in Shared Components CWE-922 Insecure Storage of Sensitive Information
MASWE-0053 Insecure Data Storage in Shared Resources CWE-922 Insecure Storage of Sensitive Information
MASWE-0054 Insecure Data Storage in Shared Applications CWE-922 Insecure Storage of Sensitive Information
MASWE-0055 Insecure Data Storage in Shared Files CWE-922 Insecure Storage of Sensitive Information
MASWE-0056 Insecure Data Storage in Shared Devices CWE-922 Insecure Storage of Sensitive Information
MASWE-0057 Insecure Data Storage in Shared Network Storage CWE-922 Insecure Storage of Sensitive Information
MASWE-0058 Insecure Data Storage in Shared Infrastructure CWE-922 Insecure Storage of Sensitive Information
MASWE-0059 Insecure Data Storage in Shared Services CWE-922 Insecure Storage of Sensitive Information
MASWE-0060 Insecure Data Storage in Shared Platforms CWE-922 Insecure Storage of Sensitive Information
MASWE-0061 Insecure Data Storage in Shared Cloud Services CWE-922 Insecure Storage of Sensitive Information
MASWE-0062 Insecure Data Storage in Shared Virtualization Platforms CWE-922 Insecure Storage of Sensitive Information
MASWE-0063 Insecure Data Storage in Shared Containers CWE-922 Insecure Storage of Sensitive Information
MASWE-0064 Insecure Data Storage in Shared Hosts CWE-922 Insecure Storage of Sensitive Information
MASWE-0065 Insecure Data Storage in Shared Hypervisors CWE-922 Insecure Storage of Sensitive Information
MASWE-0066 Insecure Data Storage in Shared Orchestration CWE-922 Insecure Storage of Sensitive Information
MASWE-0067 Insecure Data Storage in Shared Configuration Management CWE-922 Insecure Storage of Sensitive Information
MASWE-0068 Insecure Data Storage in Shared DevOps Pipelines CWE-922 Insecure Storage of Sensitive Information
MASWE-0069 Insecure Data Storage in Shared CI/CD Tools CWE-922 Insecure Storage of Sensitive Information
MASWE-0070 Insecure Data Storage in Shared Testing Environments CWE-922 Insecure Storage of Sensitive Information
MASWE-0071 Insecure Data Storage in Shared Monitoring Tools CWE-922 Insecure Storage of Sensitive Information
MASWE-0072 Insecure Data Storage in Shared Logging Services CWE-922 Insecure Storage of Sensitive Information
MASWE-0073 Insecure Data Storage in Shared Security Tools CWE-922 Insecure Storage of Sensitive Information
MASWE-0074 Insecure Data Storage in Shared Automation Tools CWE-922 Insecure Storage of Sensitive Information
MASWE-0075 Insecure Data Storage in Shared Resource Management Tools CWE-922 Insecure Storage of Sensitive Information
MASWE-0076 Dependencies with Known Vulnerabilities CWE-1104 Use of Unmaintained Third-party Components
MASWE-0077 Running on a recent Platform Version Not Ensured CWE-1105 Insufficient Software Version Update
MASWE-0078 Latest Platform Version Not Targeted CWE-1105 Insufficient Software Version Update
MASWE-0079 App Runs on Jailbroken or Rooted Devices CWE-862 Incorrect Authorization
MASWE-0080 App Runs on Emulator CWE-325 Missing Cryptographic Step
MASWE-0081 Debugging Enabled CWE-489 Active Debug Code
MASWE-0082 Developer Options Enabled CWE-489 Active Debug Code
MASWE-0083 Unsafe Handling of Data From The User Interface CWE-20 Improper Input Validation
MASWE-0084 Unsafe Handling of Data from IPC CWE-20 Improper Input Validation
MASWE-0085 Insecure Inter-Process Communication CWE-319 Cleartext Transmission of Sensitive Information
MASWE-0086 SQL Injection CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
MASWE-0087 Insecure Parsing and Escaping CWE-116 Improper Encoding or Escaping of Output
MASWE-0088 Insecure Object Deserialization CWE-502 Deserialization of Untrusted Data
MASWE-0089 Improper Certificate Validation CWE-295 Improper Certificate Validation
MASWE-0090 Improper Use of Platform APIs CWE-749 Exposed Dangerous Method or Function
MASWE-0091 Sensitive Data in Logs CWE-532 Insertion of Sensitive Information into Log File
MASWE-0092 Insecure Data Storage in External Devices CWE-922 Insecure Storage of Sensitive Information
MASWE-0093 Sensitive Data in Backup Files CWE-212 Improper Cross-boundary Removal of Sensitive Data
MASWE-0094 Insecure Data Transmission Using Insecure Protocols CWE-319 Cleartext Transmission of Sensitive Information
MASWE-0095 Insecure Use of Third-party Libraries CWE-1104 Use of Unmaintained Third-party Components
MASWE-0096 Unencrypted Sensitive Data Stored in Volatile Memory CWE-311 Missing Encryption of Sensitive Data
MASWE-0097 Insecure Data Transmission Using Push Notifications CWE-319 Cleartext Transmission of Sensitive Information
MASWE-0098 Insecure Data Transmission Using Email CWE-319 Cleartext Transmission of Sensitive Information
MASWE-0099 Insecure Data Transmission Using Third-party Services CWE-319 Cleartext Transmission of Sensitive Information
MASWE-0100 Insecure Data Storage in Temporary Files CWE-922 Insecure Storage of Sensitive Information
MASWE-0101 Insecure Data Storage in Local Databases CWE-312 Cleartext Storage of Sensitive Information
MASWE-0102 Sensitive Data in Memory Dumps CWE-226 Sensitive Information in Data Storage Element
MASWE-0103 Insecure Data Storage in Shared Drives CWE-922 Insecure Storage of Sensitive Information
MASWE-0104 App Integrity Not Verified CWE-353 Missing Support for Integrity Check
MASWE-0105 Integrity of App Resources Not Verified CWE-353 Missing Support for Integrity Check
MASWE-0106 Official Store Verification Not Implemented CWE-353 Missing Support for Integrity Check
MASWE-0107 Runtime Code Integrity Not Verified CWE-353 Missing Support for Integrity Check
MASWE-0108 Sensitive Data in Network Traffic CWE-319 Cleartext Transmission of Sensitive Information
@cpholguera
Copy link
Collaborator Author

Assigned to @poffo-mobisec. Expected: September 2024

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants