[MASWE-0103] - RASP Techniques Not Implemented #3074
Conversation
|
Hi all, We would like to contribute to the RASP weakness section. Since related weaknesses, such as root/jailbreak detection and integrity, are addressed in separate units, this test is designed to focus on verifying core RASP operations. It aims to assess how well the RASP fulfills its responsibilities (e.g., reactions, threat telemetry data collection, bypass-resiliency, etc.). A key component highly required for this test is a (written) security policy enforced by the app developer. This policy should outline all expected reactions, security processes, and features that the RASP solution should provide. Given the wide variation in use cases and RASP setups, the test is structured to be adaptable to different RASP implementations. While designed to be RASP-product agnostic, for the demo, we mocked freeRASP integration, a well-established solution deployed on over 500 million devices, to show common components and demonstrate how to test simple flows. It's important to note that different RASP products come with unique setups, so evaluation routines will vary significantly. Best Regards |
There was a problem hiding this comment.
This demo seems to focus on demonstrating how to implement a specific RASP solution, rather than a demo to achieve the test. If I am a developer who has a RASP solution for my application and I am testing it, I think I would need a demo that focuses on how I can demonstrate/confirm that RASP is implemented for my app. For this reason, I think this demo does not relate well to the Test.
It is also not typical for the OWASP demos to endorse tools (exceptions of course and preference for open-source utilities that are helpful in performing a given test).
|
|
||
| ### Sample | ||
|
|
||
| The following code snippet demonstrates the implementation of the freeRASP security library SDK. freeRASP periodically scans the device for threats, monitors its state, and gathers data to generate detailed threat reports. Threats are detected and communicated to the app via listeners. In this example, the root detection scenario is simulated. |
There was a problem hiding this comment.
This demo seems to focus on demonstrating how to implement a specific RASP solution, rather than a demo to achieve the test. If I am a developer who has a RASP solution for my application and I am testing it, I think I would need a demo that focuses on how I can demonstrate/confirm that RASP is implemented for my app. For this reason, I think this demo does not relate well to the Test.
It is also not typical for the OWASP demos to endorse tools (exceptions of course and preference for open-source utilities that are helpful in performing a given test).
There was a problem hiding this comment.
"This demo seems to focus on demonstrating how to implement a specific RASP solution, rather than a demo to achieve the test."
I think the test can be used to assess majority of mobile app RASPs. At the same time the test tries to avoid duplicating other resiliency MASWEs (root detection, integrity verification, etc. are separated issues). I like that the demo is a minimal example utilizing the RASP that is free to use and has a public docs - easier to maintain in the future. It would be great to add more other RASPs in the future if possible. Do you have an experience with other RASPs that could be added?
"If I am a developer who has a RASP solution for my application and I am testing it, I think I would need a demo that focuses on how I can demonstrate/confirm that RASP is implemented for my app. For this reason, I think this demo does not relate well to the Test."
This is inherently dependent on the RASP product itself and the individual configuration / expected features / reaction etc. I think this works well as an example / guideline that could be extended in the future.
"It is also not typical for the OWASP demos to endorse tools (exceptions of course and preference for open-source utilities that are helpful in performing a given test)."
In this case we could make an exception for obvious reasons.
There was a problem hiding this comment.
This demo seems to focus on demonstrating how to implement a specific RASP solution, rather than a demo to achieve the test. If I am a developer who has a RASP solution for my application and I am testing it, I think I would need a demo that focuses on how I can demonstrate/confirm that RASP is implemented for my app. For this reason, I think this demo does not relate well to the Test.
It is also not typical for the OWASP demos to endorse tools (exceptions of course and preference for open-source utilities that are helpful in performing a given test).
| By conducting this test, we ensure that the app is capable of defending against runtime attacks and maintaining its integrity even in compromised environments. If RASP techniques are not implemented or are improperly configured, the app may be vulnerable to various security threats, including data breaches, unauthorised access, and malicious modifications. | ||
|
|
||
| ## Steps | ||
| 1. Ensure that all security checks and protection mechanisms expected from RASP are present and enabled with the application. To test the RASP policy that the app enforces, a written copy of the policy must be provided. The policy should define available checks and their enforcement. For example: |
There was a problem hiding this comment.
I would advocate for requiring an up-front test step that requires the determination of "in scope" RASP checks, I don't know if it needs to be captured as a written policy per se. Could simply be a statement of, prior to evaluating RASP checks ensure the test scope is defined based on your organizations required, or designed/implemented RASP checks, as the RASP configuration strategy may differ from organization-to-organization.
Alternatively, you could always rely on testing for all RASP checks related to the weakness, and failing the test, and leaving it to the organization to annotate why a failed test is acceptable based on their desired RASP configuration approach.
This PR closes #2773