OWASP MASVS

What is OWASP MASVS?

The Open Web Application Security Project (OWASP) is a non-profit international organization dedicated to improving the security of web applications. All of OWASP’s resources are freely accessible and easy to find on their website, enabling any company to enhance and develop the security and protection of their very own web and mobile applications.

The Mobile Application Security Verification Standard (MASVS) is an OWASP project that serves as a standard for mobile application security. MASVS can be utilized by developers and mobile software engineers attempting to develop secure mobile apps, along with security testers trying to verify the consistency and completeness of test results. 

Quick Facts About OWASP MASVS:

  • The latest MASVS version is v1.3, which was recently released in May 2021.
  • The standard includes two strict security verification levels (L1 and L2), along with a list of reverse engineering resiliency requirements (MASVS-R) that can be adapted to an app-specific threat model.
  • All mobile apps (L1) and apps that handle highly sensitive data (L2) will benefit greatly from employing MASVS-L1 and MASVS-L2, which feature generic security requirements. 
  • If preventing client-side threats is a design goal, MASVS-R provides additional protective controls that can be incorporated. 

What Are the Requirements for MASVS?

The detailed security requirements are divided into eight categories (V1 to V8) based on technical objective / scope. They are as follows:

  • V1: Architecture Design and Threat Modelling Requirements
  • V2: Data Storage and Privacy Requirements
  • V3: Cryptography Requirements
  • V4: Authentication and Session Management Requirements
  • V5: Network Communication Requirements
  • V6: Platform Interaction Requirements
  • V7: Code Quality and Build Setting Requirements
  • V8: Resilience Requirements

V1 through V7 defines requirements for MASVS-L1 and MASVS-L2. MASVS-R is a separate criteria. Control requirements are dependent on each business use-case.

Verification Levels Explained

MASVS-L1: Standard Security

Achieving MASVS-L1 demonstrates a mobile app’s adherence to mobile application security best practices. It satisfies the key requirements in terms of handling sensitive data, code quality, and interaction with the mobile environment. There should be an established testing process to assess the security controls. This level is relevant for all mobile applications.

MASVS-L2: Defense-in-Depth

MASVS-L2 includes extensive security controls that go beyond the basic requirements. To implement MASVS-L2, a threat model must be in place, and security must be an integral part of the app’s architecture and design. The right MASVS-L2 controls should have been selected according to the threat model and successfully implemented. This level is applicable for apps that manage highly sensitive data, such as mobile banking apps.

MASVS-R: Resiliency Against Reverse Engineering and Tampering

MASVS-R means the app has cutting-edge security, and is also resilient against sophisticated client-side attacks, including reverse engineering, modding or tampering, or extracting sensitive code or data. This app either employs hardware security features or powerful and verifiable software protection techniques. MASVS-R is appropriate for applications that handle highly sensitive data and may serve as a means of safeguarding intellectual property or tamper-proofing an app.

Recommended Use

Apps can be evaluated through MASVS L1 or L2 according to the prior risk assessment and overall level of security called for. 

L1 is appropriate for all mobile apps, while L2 is generally applicable to apps that handle more sensitive data and/or functionality. 

MASVS-R (or sections of it) can be utilized to prove resiliency against various threats, such as repackaging or extraction of sensitive data, along with proper security verification.

Why Should You Be MASVS Compliant?

Application security reduces risk, improves operational efficiency, increases trust between a business and its users, and addresses compliance requirements. Public security breaches and compliance violations severely tarnish a company’s reputation and cause potential users to be wary of trusting the organization’s services.

The MASVS can be utilized to maintain a level of trust in mobile app security. The requirements were established with the following objectives in mind:

  • Use as a metric: Defines a security standard against which application owners and developers can measure existing mobile apps
  • Use as guidance: Offers guidelines and direction throughout all phases of mobile app testing and development
  • Use during procurement: Establishes the foundation of mobile app security verification

SABSA and TOGAF, the two leading security architecture frameworks, are lacking vital information that is required to complete mobile application security architecture reviews. MASVS can close those gaps by allowing security architects to select improved controls for issues common to mobile apps.

How to Achieve Compliance?

Organizations working towards MASVS compliance must decide which verification level is appropriate for them and determine the best course of action to achieve compliance.

Centraleyes offers step-by-step guidance to fully comply with every relevant requirement through its cutting-edge platform. The platform provides a built-in MASVS questionnaire that aligns all of the requirements into the three different levels detailed in the previous paragraphs, empowering organizations to select their desired level of compliance and complete the relevant MASVS assessment. 

Once the data is collected, it is then automatically presented on the Centraleyes dashboard which quantifies and visualizes the organization’s cyber risk and compliance levels. The data is also presented on an AI, automated remediation planner that creates and prioritizes remediation tickets, making it easy to run various automated workflows to close the gaps. 

The Centraleyes platform provides customized technical and non-technical reports, enabling everyone to see the full picture and track the progress, remaining risks, and level of compliance to MASVS. 

Furthermore, by automating vendor management and offering vendor questionnaire models that map to the MASVS Framework and other best practices, Centraleyes significantly reduces the amount of time your company spends managing third-party security, assisting you in monitoring and tracking the security posture of your vendors over time.

Centraleyes saves you time and resources in mobile application security management while increasing security and resilience.

Read more:
https://owasp.org/www-project-mobile-security-testing-guide/
owasp-mstg/0x04b-Mobile-App-Security-Testing.md at 1.1.3-excel · OWASP/owasp-mstg · GitHub
https://mobile-security.gitbook.io/masvs/0x03-using_the_masvs
https://www.encripto.no/2018/04/mobile-app-sec-verification-standard/

Related Content

Insider Risk Mitigation

What is Insider Risk Mitigation (IRMPE)? In September 2021, the US Cybersecurity and Infrastructure Security Agency…

Ransomware Readiness Assessment

What is the Ransomware Readiness Assessment? The Ransomware Readiness Assessment (RRA) was released by the US…

FINRA

What is FINRA? FINRA, the Financial Industry Regulatory Authority, is a non-profit self regulatory organization that…