v1.8.0

@cpholguera released this 24 Jun 08:34
dee0701

v1.8.0 Release Notes

This release spans October 2023 – December 2024 and lays the groundwork for MASTG v2: new component types (MASWE Weaknesses, MASTG Demos, MASTG Best Practices), a cross-reference system linking all MAS components, the first wave of v1→v2 test ports (by Guardsquare), and MASVS v2.1.0 with the new MASVS-PRIVACY category.

The period opened with a major standards milestone: the MASVS-PRIVACY proposal in October 2023, introducing four new privacy controls (MASVS-PRIVACY-1 through -4) and the MAS-P profile for holistic privacy assessment alongside security. After community review, MASVS v2.1.0 shipped in January 2024 with MASVS-PRIVACY formally included and CycloneDX/SBOM support added, enabling easier integration into DevSecOps pipelines.

External adoption continued to grow: in February 2024, the Cyber Security Agency of Singapore (CSA) published its "Safe App Standard", a national guideline for mobile app security based directly on the OWASP MASVS, covering MASVS-AUTH, MASVS-STORAGE, and MASVS-RESILIENCE.

The architectural highlight of the release came in July 2024 with the public introduction of MASWE — the Mobile App Security Weakness Enumeration. MASWE fills the gap between the high-level MASVS controls and the low-level MASTG tests, completing the full chain: MASVS control → MASWE weakness → MASTG test → MASTG demo. This release also introduced the MAS Test Apps (Android and iOS), purpose-built skeleton apps that embed code samples directly to make every demo reproducible and verifiable on a real device.

🏔️ OWASP Project Summit 2024

In November 2024, we hosted the OWASP Project Summit, where NowSecure led the mobile app security track. This five-day event brought together experts from various companies to discuss the future of mobile security, share insights, and collaborate on innovative solutions. During the summit, approximately 40 pull requests were created, and countless discussions were held. Special thanks to Jeroen Beckers (@TheDauntless) and especially to Guardsquare, who contributed the majority of PRs: Dennis Titze (@titze), Jan Seredynski (@serek8), Nuno Antunes (@nmsa), and Pascal Jungblut (@pascalj), with reviews by @cpholguera and @TheDauntless. This was a key moment for the MASTG v2 porting effort.


📢 News


🆕 New MASTG v2 Components

🐛 MASWE — MAS Weaknesses

Note: MASWE started in this repo but was later moved to OWASP/maswe as a separate project (see v1.9.0 release notes).

A new component type linking MASVS controls to testable weaknesses. First entries added this release:

🎬 MASTG Demos

A new component type providing concrete, reproducible test demonstrations with real app binaries:

🛡️ MASTG Best Practices

A new component type providing actionable remediation guidance (previously called "Mitigations"):


🧪 MASTG Tests

v1 → v2 Ports (by @Guardsquare)

First wave of tests ported to the new v2 format with structured metadata, demos and evaluation criteria:

New v2 Tests

Updates & Fixes

Deprecations

  • Add deprecation notes and status for MASTG v1 tests by @cpholguera in #3089
  • Remove MASTG-TEST-0074 (coverage duplicated by other tests) by @cpholguera in #2556

✨ MASTG Techniques


🪄 MASTG Tools

New tools:

New apps:

Updates:


🏗️ Site & Infrastructure


🐞 Errata Corrections


🎉 New Donators


New Contributors


Full Changelog: v1.7.0...v1.8.0