
[MASWE-0001, MASWE-0027, MASWE-0108] MAS Risks and Tests (PREVIEW DRAFT) #2518

Merged
merged 55 commits into from
Feb 14, 2024

Conversation

cpholguera

@cpholguera cpholguera commented Jan 19, 2024

This is a preview of the new implementation of risks and tests for the MAS project.

Guidelines

The guidelines for writing these new components are available here and are open for feedback. Be sure to read them before providing feedback on the PR.

Risks, Tests & Examples

It contains 3 new risks, including 1 test per risk and at least 1 example per test. The file structure is as follows: risks/<masvs_category>/<masvs_control_alias>/<risk_alias>/<test_alias>/example-*/

We recommend that you start the review in this order:

  1. MASVS-CRYPTO: risks/MASVS-CRYPTO/1-strong-crypto/insecure-random/risk.md
     - then navigate into the tests and examples.
  2. MASVS-PRIVACY: risks/MASVS-PRIVACY/1-data-minimization/sensitive-data-in-network-traffic/risk.md
     - then navigate into the tests and examples.
  3. MASVS-STORAGE: risks/MASVS-STORAGE/2-prevent-data-leakage/data-in-logs/risk.md

This draft also includes 2 new components: mitigations and prerequisites. Feel free to review and provide feedback on these as well.

In addition, you can review and provide feedback on the new or updated tools/techniques.

DISCLAIMER

This is a "preview draft"; expect it to change daily. We will be incorporating suggestions and new changes at any time until we finalize it. Please do not open new PRs with new risks/tests; we will not accept any new components until this draft is finalized.

How to provide feedback

Closes #2591

cpholguera and others added 30 commits October 13, 2023 12:00
…test. Examples and rules were separated into folders.
@cpholguera cpholguera self-assigned this Jan 19, 2024

We'll provide a very simple skeleton app with, say, a button and placeholders to copy and paste the samples so that everyone can test the apps with the exact same configuration.

@thomascannon

Which pre-reqs format are we going for in test.md, YAML front matter or markdown? Both are used in the current examples:

[Screenshot 2024-02-13 112654: image not included in this extract]

@cpholguera cpholguera merged commit 6348acd into master Feb 14, 2024
1 of 3 checks passed
@cpholguera cpholguera deleted the mastg-risks-and-tests branch February 14, 2024 18:08
@cpholguera cpholguera changed the title [PREVIEW DRAFT] MAS Risks and Tests [MASWE-0001, MASWE-0027, MASWE-0108] MAS Risks and Tests (PREVIEW DRAFT) Jul 10, 2024