Releases: OWASP/owasp-masvs

v2.1.0

18 Jan 11:15
8e133d0

Introducing MASVS-PRIVACY

After collecting and processing all feedback from the MASVS-PRIVACY Proposal we're releasing the new MASVS-PRIVACY category.

The main goal of MASVS-PRIVACY is to provide a baseline for user privacy. It is not intended to cover all aspects of user privacy, especially when other standards and regulations such as ENISA or the GDPR already do that. We focus on the app itself, looking at what can be tested using information that's publicly available or found within the app through methods like static or dynamic analysis.

While some associated tests can be automated, others necessitate manual intervention due to the nuanced nature of privacy. For example, if an app collects data that it didn't mention in the app store or its privacy policy, it takes careful manual checking to spot this.

The new controls are:

  • MASVS-PRIVACY-1: The app minimizes access to sensitive data and resources.
  • MASVS-PRIVACY-2: The app prevents identification of the user.
  • MASVS-PRIVACY-3: The app is transparent about data collection and usage.
  • MASVS-PRIVACY-4: The app offers user control over their data.

CycloneDX Support

The MASVS is now available in CycloneDX format (OWASP_MASVS.cdx.json), a widely adopted standard for software bill of materials (SBOM). This format enables easier integration and automation within DevOps pipelines, improving visibility and management of mobile app security. By using CycloneDX, developers and security teams can more efficiently assess, track and comply with MASVS requirements, resulting in more secure mobile applications.

Full Changelog: v2.0.0...v2.1.0

v2.0.0

01 Apr 11:08
f2e668b

What's Changed

We are thrilled to announce the release of the new version of the OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0. With this update, we have set out to achieve several key objectives to ensure that MASVS remains a leading industry standard for mobile application security.

  • Keep Abstraction: we have worked hard to maintain the level of abstraction that has made MASVS so valuable in the past. We leave the details to the MASTG.
  • Simplify: we have simplified the MASVS by removing redundancies and overlaps in the security controls. This will make it easier for users to understand the standard and implement it effectively in their own projects.
  • Bring Clarity: we have worked hard to use standard terminology wherever possible, drawing on established sources such as NIST-SP 800-175B and NIST OSCAL, as well as well-known and used sources such as CWEs, Android Developer Docs, and Apple Docs.
  • Narrow Scope: we have narrowed the scope of MASVS to rely more heavily on other industry standards such as the OWASP ASVS, OWASP SAMM and NIST.SP.800-218 SSDF v1.1. This will ensure that MASVS remains relevant and up-to-date in a rapidly evolving landscape of mobile application security.

We believe that these changes will make the OWASP MASVS v2.0.0 an even more valuable resource for developers and security practitioners alike, and we are excited to see how the industry embraces these updates.

MASVS v2.0.0 was presented at OWASP AppSec Dublin 2023; you can watch the presentation ▶️ here.

Why are there no levels in the new MASVS controls?

The Levels you already know (L1, L2 and R) will be fully reviewed and backed up with a corrected and well-documented threat model.

Enter MAS Profiles: We are moving the levels to the MASTG tests so that we can evaluate different situations for the same control (e.g., in MASVS-STORAGE-1, it's OK to store data unencrypted in app internal storage for L1, but L2 requires data encryption). This can lead to different tests depending on the security profile of the application.

Transition Phase

The MASTG, in its current version v1.5.0, still supports the MASVS v1.5.0. Bringing the MASTG to v2.0.0 so that it is fully compatible with MASVS v2.0.0 will take some time, which is why we need to introduce a "transition phase". We're currently mapping all new proposed test cases to the new profiles (at least L1 and L2), so even if the MASTG refactoring is not complete, you'll know what to test for, and you'll be able to find most of the tests already in the MASTG.

  • Map the current MASTG tests to the new MASVS v2.0.0.
  • Assign profiles to the proposed MASTG atomic tests (at least L1, L2 and R).

Special Thanks

We thank everyone who has participated in the MASVS Refactoring. You can access all discussions and documents for the refactoring here.

You'll notice that we have one new author in the MASVS: Jeroen Beckers

Jeroen is a mobile security lead responsible for quality assurance on mobile security projects and for R&D on all things mobile. Ever since his master's thesis on Android security, Jeroen has been interested in mobile devices and their (in)security. He loves sharing his knowledge with other people, as is demonstrated by his many talks & trainings at colleges, universities, clients and conferences.

💙 Special thanks to our MAS Advocate, NowSecure, who has once again demonstrated their commitment to the project by continuously supporting it with time/dedicated resources as well as feedback, data and content contributions.

Changes

Full Changelog: v1.5.0...v2.0.0

v1.5.0

31 Jan 07:25
1d5904d

This release doesn't include any changes to the MASVS requirements. They will remain the same until the release of MASVS v2.0.0.

We'd like to thank all of our loyal contributors and welcome our new contributors.


Special thanks to Anil Baş and Haktan Emik for the Turkish translation and Panagiotis Yialouris for the Greek translation.


Carlos Holguera & Sven Schleier - OWASP MAS project


NOTE: the OWASP MASVS v2.0.0 release is getting closer. Have you already given your feedback to the MASVS Release Candidate?


What's Changed

  • Add SDK and preload applicability (English version only) by @cpholguera in #678
  • Fix V8 Control Objective Statement (English version only) by @cpholguera in #646

Full Changelog: v1.4.2...v1.5.0

v1.4.2

20 Jan 14:55
2a8b582

What's Changed

This is a minor release which doesn't include any changes to the MASVS requirements.

Full Changelog: v1.4.1...v1.4.2

v1.4.1

19 Jan 22:16
4940836

What's Changed

This is a minor release which doesn't include any changes to the MASVS requirements.

Full Changelog: v1.4.0...v1.4.1

v1.4.0

14 Dec 08:37
0553324

What's Changed

Changes in MASVS Requirements

Full Changelog: v1.3.1...v1.4.0

v1.3.1

05 Dec 11:05
ed28ef7

This is a minor release which doesn't include any changes to the MASVS requirements.

What's Changed

  • Minor fixes and typos in pt-br and fa
  • Add Open in vscode Badge
  • Upgrade URL Checker and Linter & Fix Broken Link
  • Enable CodeQL Analysis
  • Added FUNDING form GitHub
  • Fix for semantic versioning

v1.3

13 May 05:15

We are proud to announce the introduction of a new document build pipeline, which is a major milestone for our project. The build pipeline is based on Pandocker and GitHub Actions.
It significantly reduces the time spent on creating new releases. It will also be the foundation for the OWASP MSTG and will be made available to the OWASP ASVS project.

Changes

  • 4 more translations are available, which are Hindi, Farsi, Portuguese and Brazilian Portuguese
  • Added requirement MSTG-PLATFORM-11

Special Thanks

  • Jeroen Willemsen for kick-starting this initiative last year!
  • Damien Clochard and Dalibo for supporting and professionalizing the build pipeline.
  • All our Hindi, Farsi, Portuguese and Brazilian Portuguese collaborators for the excellent translation work.

v1.2

17 Mar 13:37

V1.2 International Release

With a little bit of delay, we are happy to present version 1.2 of the MASVS!

Changes:

  • Created international version of V1.2: the MASVS is now translated into German, Spanish, French, Japanese, Korean, Russian, Simplified Chinese, and Traditional Chinese.
  • New build and release systems based on GitHub Actions and Docker containers, resulting in better-looking PDF, Mobi, Epub and Docx documents.

Pre-release 1.2RC (English only)

04 Oct 20:09

Pre-release 1.2RC (English only). See Changelog for further details.