MASVS-AUTH Refactoring (till 24.07.22)

[cpholguera]

Hello everybody,

as part of the refactoring process we decided to publish our draft of every section of the MASVS that we (@cpholguera, @TheDauntless and @sushi2k) worked on.

This is based on the MASVS category "V4: Authentication and Session Management Requirements" (from the MASVS Version 1.4.2): https://github.com/OWASP/owasp-masvs/blob/v1.4.2/Document/0x09-V4-Authentication_and_Session_Management_Requirements.md

Note: the refactoring of MASVS-AUTH required a slightly different process than the other MASVS categories. First we tried to redesign the whole category from scratch focusing on the app (client-side). To do that we've "extracted" the common security best practices for client side. Then we realized that we could actually map our previous controls (or parts of them) in many cases changing the perspective.

We completely removed the remote endpoint specific parts since that is the task of the ASVS/WSTG and put a reference accordingly. This way you can focus on the things that you can actually verify on the (client) mobile app side.

Here you can find a summary of the proposed new requirements (more details below):

In the following link we include a nice visualization as a diff spreadsheet including:

• Reason for removal/change.
• Idea behind the new requirement/formulation.
• More context thanks to related Test Cases.
• Filter in column F1 to see
  • the previous version only
  • the new version only
  • or the diff

MASVS-AUTH is open for comments till the 24th of July 2022. Please comment directly in the Google Spreadsheet (you can comment on each of the cells) or in this GitHub Discussion.

MASVS-AUTH Refactoring Diff

[andyacer]

I'm really excited about these changes. I think it greatly simplifies and distills the AUTH requirements. These issues can directly translate into pass/fail findings for mobile apps, which I think is what this standard should focus on. I'm also very glad to see the local authentication requirement.

Regarding Local Authentication - many popular applications today such as Facebook, Snapchat, and Gmail don't implement a local authentication requirement. Under this new standard, these apps would be considered to be failing an L1 MASVS security requirement, right? I'm not implying that there's something right or wrong about that, just wanted to make sure I'm understanding the situation correctly.

[cpholguera]

Thank you @andyacer for the nice feedback. That's exactly it, and not only for this control but for many others. In this case if local authentication is not properly implemented the control will fail. If it isn't implemented at all it will also fail or at least it should have been marked as "not applicable" by the person doing the assessment. And that must always come together with a proper reasoning. Maybe the threat model of the app doesn't require that.

In any case, the fact that X is not in place will be surfaced. We believe that having less and simpler controls will help on having a better overview of the overall security of the target app.

And for a more fine-grained overview you'll also have the MSTG tests which will tell you about the specifics of any particular MASVS control.