Releases: OWASP/owasp-masvs
v2.1.0
Introducing MASVS-PRIVACY
After collecting and processing all feedback from the MASVS-PRIVACY Proposal we're releasing the new MASVS-PRIVACY category.
The main goal of MASVS-PRIVACY is to provide a baseline for user privacy. It is not intended to cover all aspects of user privacy, especially when other standards and regulations such as ENISA or the GDPR already do that. We focus on the app itself, looking at what can be tested using information that's publicly available or found within the app through methods like static or dynamic analysis.
While some associated tests can be automated, others necessitate manual intervention due to the nuanced nature of privacy. For example, if an app collects data that it didn't mention in the app store or its privacy policy, it takes careful manual checking to spot this.
The new controls are:
- MASVS-PRIVACY-1: The app minimizes access to sensitive data and resources.
- MASVS-PRIVACY-2: The app prevents identification of the user.
- MASVS-PRIVACY-3: The app is transparent about data collection and usage.
- MASVS-PRIVACY-4: The app offers user control over their data.
CycloneDX Support
The MASVS is now available in CycloneDX format (OWASP_MASVS.cdx.json), a widely adopted standard for software bill of materials (SBOM). This format enables easier integration and automation within DevOps pipelines, improving visibility and management of mobile app security. By using CycloneDX, developers and security teams can more efficiently assess, track and comply with MASVS requirements, resulting in more secure mobile applications.
What's Changed
- Added POC script that generates CycloneDX standards doc of MASVS by @stevespringett in #715
- Update to CycloneDX v1.6 standards support by @stevespringett in #717
- Add MASVS-PRIVACY by @cpholguera @sushi2k @TheDauntless in #720
New Contributors
- @stevespringett made their first contribution in #715
Full Changelog: v2.0.0...v2.1.0
Contributors
Assets 6
v2.0.0
What's Changed
We are thrilled to announce the release of the new version of the OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0. With this update, we have set out to achieve several key objectives to ensure that MASVS remains a leading industry standard for mobile application security.
- Keep Abstraction: we have worked hard to maintain the level of abstraction that has made MASVS so valuable in the past. We leave the details to the MASTG.
- Simplify: we have simplified the MASVS by removing redundancies and overlaps in the security controls. This will make it easier for users to understand the standard and implement it effectively in their own projects.
- Bring Clarity: we have worked hard to use standard terminology wherever possible, drawing on established sources such as NIST-SP 800-175B and NIST OSCAL, as well as well-known and used sources such as CWEs, Android Developer Docs, and Apple Docs.
- Narrow Scope: we have narrowed the scope of MASVS to rely more heavily on other industry standards such as the OWASP ASVS, OWASP SAMM and NIST.SP.800-218 SSDF v1.1. This will ensure that MASVS remains relevant and up-to-date in a rapidly evolving landscape of mobile application security.
We believe that these changes will make the OWASP MASVS v2.0.0 an even more valuable resource for developers and security practitioners alike, and we are excited to see how the industry embraces these updates.
The MASVS v2.0.0 was presented at the OWASP AppSec Dublin 2023, you can watch the presentation
Why are there no levels in the new MASVS controls?
The Levels you already know (L1, L2 and R) will be fully reviewed and backed up with a corrected and well-documented threat model.
Enter MAS Profiles: We are moving the levels to the MASTG tests so that we can evaluate different situations for the same control (e.g., in MASVS-STORAGE-1, it's OK to store data unencrypted in app internal storage for L1, but L2 requires data encryption). This can lead to different tests depending on the security profile of the application.
Transition Phase
The MASTG, in its current version v1.5.0, currently still supports the MASVS v1.5.0. Bringing the MASTG to v2.0.0 to be fully compatible with MASVS v2.0.0 will take some time. That's why we need to introduce a "transition phase". We're currently mapping all new proposed test cases to the new profiles (at least L1 and L2), so even if the MASTG refactoring is not complete, you'll know what to test for, and you'll be able to find most of the tests already in the MASTG.
- Map the current MASTG tests to the new MASVS v2.0.0.
- Assign profiles to the proposed MASTG atomic tests (at least L1, L2 and R).
Special Thanks
We thank everyone that has participated in the MASVS Refactoring. You can access all Discussion and documents for the refactoring here.
You'll notice that we have one new author in the MASVS: Jeroen Beckers
Jeroen is a mobile security lead responsible for quality assurance on mobile security projects and for R&D on all things mobile. Ever since his master's thesis on Android security, Jeroen has been interested in mobile devices and their (in)security. He loves sharing his knowledge with other people, as is demonstrated by his many talks & trainings at colleges, universities, clients and conferences.
💙 Special thanks to our MAS Advocate, NowSecure, who has once again demonstrated their commitment to the project by continuously supporting it with time/dedicated resources as well as feedback, data and content contributions.
Changes
- Upgrading to v2.0.0 by @cpholguera @sushi2k @TheDauntless in #697
Full Changelog: v1.5.0...v2.0.0
v1.5.0
This release doesn't include any changes to the MASVS requirements. They will remain the same until the release of MASVS v2.0.0.
We'd like to thank all of our loyal contributors and welcome our new contributors.
Special thanks to Anil Baş, Haktan Emik for the Turkish translation and Panagiotis Yialouris for the Greek translation.
Carlos Holguera & Sven Schleier - OWASP MAS project
NOTE: the OWASP MASVS v2.0.0 release is getting closer. Have you already given your feedback to the MASVS Release Candidate?
What's Changed
- Add SDK and preload applicability (English version only) by @cpholguera in #678
- Fix V8 Control Objective Statement (English version only) by @cpholguera in #646
Translations
- NEW Greek Translation by @panosylr in #642
- NEW Turkish translation by @haktanemik in #561
- Fixes for the Russian Translation by @CthUlhUzzz in #620
- Improve Spanish translation by @Sulfkain in #645
- Improve Spanish Translation by @antoniojturel in #658
Other Changes
- Improve README UX by @cpholguera in #626
- Add GitHub Action for codespell by @cpholguera in #629
- Add Trusted By section by @cpholguera in #648
- Add MAS Advocates by @cpholguera in #651
- Update twitter handle by @cpholguera in #659
- Update to MAS and MASTG by @cpholguera in #660
- Rename MSTG to MASTG & link to New Website by @cpholguera in #662
- Fix pandocker build for all languages by @cpholguera in #674
New Contributors
- @CthUlhUzzz made their first contribution in #620
- @Sulfkain made their first contribution in #645
- @antoniojturel made their first contribution in #658
- @panosylr made their first contribution in #642
- @haktanemik made their first contribution in #561
Full Changelog: v1.4.2...v1.5.0
v1.4.2
What's Changed
This is a minor release which doesn't include any changes to the MASVS requirements.
Other Changes
- Fix export script to handle all future languages by @cpholguera in #617
Full Changelog: v1.4.1...v1.4.2
Contributors
Assets 44
v1.4.1
What's Changed
This is a minor release which doesn't include any changes to the MASVS requirements.
Other Changes
- Add YAML export option by @cpholguera in #594
- Use GitHub Actions Reusable Workflows by @cpholguera in #595
- Upgrade all workflows to actions/checkout@v2 by @cpholguera in #608
Full Changelog: v1.4.0...v1.4.1
Contributors
Assets 44
v1.4.0
What's Changed
Changes in MASVS Requirements
- MSTG-STORAGE-12 is now L1 and L2 by @cpholguera in #586
Other Changes
- Run sed in docker & fix pictures & pagebreaks by @cpholguera in #584
- Enhance Release Process with more Automation by @cpholguera in #588
Full Changelog: v1.3.1...v1.4.0
v1.3.1
This is a minor release which doesn't include any changes to the MASVS requirements.
What's Changed
- Minor fixes and typos in pt-br and fa
- Add Open in vscode Badge
- Upgrade URL Checker and Linter & Fix Broken Link
- Enable CodeQL Analysis
- Added FUNDING form GitHub
- Fix for semantic versioning
v1.3
We are proud to announce the introduction of a new document build pipeline, which is a major milestone for our project. The build pipeline is based on Pandocker and Github Actions.
This significantly reduces the time spent on creating new releases and will also be the foundation for the OWASP MSTG and will be made available for the OWASP ASVS project.
Changes
- 4 more translations are available, which are Hindi, Farsi, Portuguese and Brazilian Portuguese
- Added requirement MSTG-PLATFORM-11
Special Thanks
- Jeroen Willemsen for kick-starting this initiative last year!
- Damien Clochard and Dalibo for supporting and professionalizing the build pipeline.
- All our Hindi, Farsi, Portuguese and Brazilian Portuguese collaborators for the excellent translation work.
v1.2
V1.2 International Release
With a little bit of delay we are happy to present version 1.2 of the MASVS!
Changes:
- Created international version of V1.2: the MASVS is now translated into German, Spanish, French, Japanese, Korean, Russian, Simplified Chinese, and Traditional Chinese.
- New build and release systems based on Github Actions and Docker containers resulting in better looking PDF, Mobi, Epub and Docx documents.
Pre-release 1.2RC (English only)
Pre-release 1.2RC (English only). See Changelog for further details.