From 95dc651bf950eb87ac0bea615dae0ba771235639 Mon Sep 17 00:00:00 2001 From: Jon Gadsden Date: Thu, 5 Dec 2024 10:14:55 +0000 Subject: [PATCH] provide contents for MASWE page --- _data/draft.yaml | 2 +- _data/release.yaml | 2 +- draft/07-implementation/04-maswe.md | 38 ++++++++++++++++++++++++----- 3 files changed, 34 insertions(+), 8 deletions(-) diff --git a/_data/draft.yaml b/_data/draft.yaml index 9aa10b62..f29e4ad1 100644 --- a/_data/draft.yaml +++ b/_data/draft.yaml @@ -145,7 +145,7 @@ docs: - title: '5.3.3 OWASP Secure Headers Project' url: implementation/secure_libraries/secure_headers -- title: '5.4 [Mobile application weakness enumeration' +- title: '5.4 Mobile application weakness enumeration' url: implementation/mas_weakness_enumeration - title: '6. Verification' diff --git a/_data/release.yaml b/_data/release.yaml index a36a11eb..4537eba0 100644 --- a/_data/release.yaml +++ b/_data/release.yaml @@ -145,7 +145,7 @@ docs: - title: '5.3.3 OWASP Secure Headers Project' url: implementation/secure_libraries/secure_headers -- title: '5.4 [Mobile application weakness enumeration' +- title: '5.4 Mobile application weakness enumeration' url: implementation/mas_weakness_enumeration - title: '6. Verification' diff --git a/draft/07-implementation/04-maswe.md b/draft/07-implementation/04-maswe.md index 14b8f517..bab9bf78 100644 --- a/draft/07-implementation/04-maswe.md +++ b/draft/07-implementation/04-maswe.md 
@@ -29,13 +29,15 @@ permalink: /draft/implementation/mas_weakness_enumeration/ The OWASP [Mobile Application Security][masproject] (MAS) flagship project provides industry standards for mobile application security. -The OWASP MASWE project ... +The OWASP [MASWE][maswe] project is one of the tools provided by MAS, +and provides a list of weaknesses that have been found in various mobile applications. #### What is the MASWE? -The MAS Weakness Enumeration ... +The MAS [Weakness Enumeration][maswe] lists weaknesses, and therefore potential vulnerabilities, +that have been found in various mobile applications over time. -The MASWE is split out into weakness categories that match the MASVS verification categories: +The MASWE is split out into weakness categories that correspond to the [MASVS][masvs] verification categories: * [MASVS-STORAGE](https://mas.owasp.org/MASWE/MASVS-STORAGE/MASWE-0001/) sensitive data storage * [MASVS-CRYPTO](https://mas.owasp.org/MASWE/MASVS-CRYPTO/MASWE-0009/) cryptography best practices 
@@ -48,14 +50,36 @@ The MASWE is split out into weakness categories that match the MASVS verificatio #### Why use it? +Although the MASWE is a relatively new project from 2024, it already provides a common language +when discussing and categorizing weaknesses found in mobile applications. +It also provides a list of potential vulnerabilities that should be considered during the design lifecycle +and when creating or revising security requirements for mobile applications. + +The MASWE is a valuable list of what can go wrong with mobile applications along with the activities of malicious actors. + #### How to use it +The Common Weakness Enumeration ([CWE][cwe]), published by Mitre, can be used by security architects +so they are aware of what weaknesses and potential vulnerabilities that could be present in an application. +Development teams can use the CWE as a reference to these weaknesses and to help understanding of any mitigations. +These are just two examples of how the CWE is widely used. + +In a similar way the MASWE can be used in the development of mobile applications : + +* inform development teams of specific weaknesses +* identification of security requirements +* used as a training aid +* provide categorization of weaknesses + +This list is just a starting point; there are many uses for the MASWE. + #### References * Mobile Application Security ([MAS][masproject]) project -* MAS [Checklist][masc] -* MAS Testing Guide ([MASTG][mastg]) +* MAS Weakness Enumeration ([MASWE][maswe]) +* Mitre Common Weakness Enumeration ([CWE][cwe]) * MAS Verification Standard ([MASVS][masvs]) +* MAS [Checklist][masc] * MAS Testing Guide ([MASTG][mastg]) ---- 
@@ -63,11 +87,13 @@ The MASWE is split out into weakness categories that match the MASVS verificatio The OWASP Developer Guide is a community effort; if there is something that needs changing then [submit an issue][issue0704] or [edit on GitHub][edit0704]. +[cwe]: https://cwe.mitre.org/ [edit0704]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/07-implementation/04-maswe.md -[issue0704]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2006-design/07-implementation/04-maswe +[issue0704]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2007-implementation/04-maswe [masproject]: https://owasp.org/www-project-mobile-app-security/ [masc]: https://mas.owasp.org/checklists/ [mastg]: https://mas.owasp.org/MASTG/ +[maswe]: https://mas.owasp.org/MASWE/ [masvs]: https://mas.owasp.org/MASVS/ \newpage
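Review bot: In the `@@ -29,13 +29,15 @@` hunk of draft/07-implementation/04-maswe.md, the new paragraph under "#### What is the MASWE?" repeats the introductory sentence almost word for word ("provides a list of weaknesses that have been found in various mobile applications" versus "lists weaknesses ... that have been found in various mobile applications over time"), so the section answers its own heading with nothing new, and the intro line calls the MASWE "one of the tools provided by MAS" while the next clause calls it a list. Suggest keeping a single description in the intro and using the "What is" paragraph for what distinguishes the MASWE, which the following sentence already hints at: its weakness categories correspond to the MASVS verification categories.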
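Review bot: In the `@@ -48,14 +50,36 @@` hunk, "a valuable list of what can go wrong with mobile applications along with the activities of malicious actors" is unclear, because the MASWE enumerates weaknesses rather than attacker activity; either drop "along with the activities of malicious actors" or reword to say these are the weaknesses that malicious actors look to exploit. In the "#### How to use it" text, "what weaknesses and potential vulnerabilities that could be present" has a superfluous "that", "to help understanding of any mitigations" would read better as "to help them understand the relevant mitigations", there is a stray space before the colon in "mobile applications :", and the four bullets mix verb and noun forms ("inform ...", "identification of ...", "used as ...", "provide ..."); make them parallel, e.g. "inform development teams of specific weaknesses", "identify security requirements", "act as a training aid", "categorize weaknesses".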
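Review bot: In the `@@ -63,11 +87,13 @@` hunk the [issue0704] title parameter now reads "07-implementation/04-maswe" and matches the [edit0704] path, which is the right fix. The new [maswe] definition is inserted between [mastg] and [masvs]; placing it after [masvs] keeps the reference block in the same order as the References list above and as the [cwe] entry added at the top.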