MASVS-CODE Refactoring (till 26.05.22) #638
Replies: 3 comments 2 replies
-
MASVS-CODE-1:I think the details lie in how the tests are specified, and if we're considering the security impact. For instance, for checking that there are no non-production URLs, is it considered a failure if there are references to a staging environment that's only accessible via a VPN? Should specific checks be broken up between L1, L2, and Resilience? For instance, a failed check which is not adversely impacting the security of the app/data would prohibit acceptance at L2, but would allow acceptance at L1. MASVS-CODE-3:It'd be nice to see some additional guidance on what an "up-to-date platform version" is. While there is a nod to the fact that the threat model of the application should define what an acceptable recent version is, some more specific options would include:
MASVS-CODE-5:This should be much more clearly defined as Medium+ vulnerability that is actually impacting the security of the app being evaluated. |
Beta Was this translation helpful? Give feedback.
-
Potential new control:
|
Beta Was this translation helpful? Give feedback.
-
I agree with @grigorescu regarding the MASVS-CODE-3. My suggestion is to have more actionable item because its hard to define what is up-to-date platform version . For example having a blocklist for vulnerable OS versions (for android the list should have security patch levels).
Thank you 👍 |
Beta Was this translation helpful? Give feedback.
-
Hello everybody,
as part of the refactoring process we decided to publish our draft of every section of the MASVS that we (@cpholguera, @TheDauntless and @sushi2k) worked on.
This is based on the MASVS category "V7: Code Quality and Build Setting Requirements" (from the MASVS Version 1.4.2): https://github.com/OWASP/owasp-masvs/blob/v1.4.2/Document/0x12-V7-Code_quality_and_build_setting_requirements.md
Here you can find a summary of the proposed new requirements (more details below):
In the following link we include a nice visualization as a diff spreadsheet including:
MASVS-CODE Refactoring Diff
Beta Was this translation helpful? Give feedback.
All reactions