ASVS vs MASVS levels

[roelstorms]

Hi,

My organisations wants to use (M)ASVS for new developments. We would require a project to adhere to ASVS level 1 mostly. For mobile applications, we would prefer to use MASVS as it is more specific. However, MASVS has no level 1 that corresponds to ASVS level 1. It seems like MASVS grouped ASVS level 1 and 2 together into MASVS level 1.

For example:
MASVS:

MSTG-ARCH-2 Security controls are never enforced only on the client side, but on the respective remote endpoints. (Level 1)

ASVS:

1.5.3 Verify that input validation is enforced on a trusted service layer. (C5) (Level 2)

If we would require a web app to comply with ASVS level 1 and a mobile app with MASVS level 1, they would have a more strict set of requirements for the mobile applications.

My proposal is to introduce a level 1 in MASVS which is aligned with ASVS. ASVS also explains that level 1 controls are fully testable using a black box approach.

[cpholguera]

Hi @roelstorms, we're very sorry about the late response! We cannot promise anything for now but, to let you know, we're considering your proposal as part of the new MASVS refactoring.

Thanks a lot for posting your idea, we'll keep you informed!

[ian-gavurin]

I'd just add that I've used ASVS for a while, and coming to MASVS for the first time, my immediate thought was "don't these align in some way", followed by "have I been using the wrong one"?

Something explaining the relationship between the two would also be helpful.

[cpholguera]

Hi @ian-gavurin, we'll consider that when refactoring. Thanks for the feedback!