
Cloud Storage #60

Closed
muellerberndt opened this issue Jan 16, 2017 · 6 comments

Comments

@muellerberndt
Collaborator

Hi guys,

Here's an issue for discussion - see also MASVS issue #75.

OMTG-DATAST-003: Test for Sensitive Data in Cloud Storage

This only talks about backup to the cloud via the default OS facilities. However the requirement in the MASVS is "No sensitive data is synced with cloud storage", which pertains to any form of cloud storage. We should probably do two things:

  1. Make the requirement more specific in the MASVS. It doesn't make sense to forbid all kinds of cloud storage? Are we talking about third-party clouds like AWS, or about what exactly?

  2. Adapt the test case in the MSTG to fit the revised requirement.

There are a couple of other requirements that we need to review; please have a look at the remaining feedback in MASVS issue #75 as well, @sushi2k @litsnarf

@sushi2k
Collaborator

sushi2k commented Jan 18, 2017

When I was adding this requirement to the MASVS I was only thinking about syncing data on the OS level, meaning backups to the Google/iOS cloud, and I still think that this should be a test case on its own.

We could simply add one word to the requirement to make it more clear:

2.3 No sensitive data is synced with platform cloud storage.

I would not extend this test case to all other kinds of clouds, as they are needed by the App to work properly and it's also more secure to store sensitive data in the cloud than on the local device. Also, checking the communication for sensitive data sent to 3rd parties through usage of libraries is already covered in:

2.4 No sensitive data is sent to third parties.

If you guys agree, I would also not change the test case in the MSTG.

I will have a detailed look at Issue 75 next week at the latest. Thanks

@muellerberndt
Collaborator Author

As far as I can see in the test case this only pertains to backup to cloud storage (through platform mechanisms). Isn't this then already covered by 2.9 - "No sensitive data is included in backups"? The test case also appears to check only for the allowBackup="true" attribute?
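As an added illustration of the check the test case performs (this is example code, not from the MSTG or from this thread), a small Python helper that reads `android:allowBackup` from an AndroidManifest.xml and applies the platform default (backups allowed) when the attribute is absent; the manifests below are constructed samples, not real apps.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifests (not taken from any real application).
MANIFEST_NO_ATTR = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.noattr">
  <application android:label="Example"/>
</manifest>"""

MANIFEST_ENABLED = MANIFEST_NO_ATTR.replace(
    '<application android:label="Example"/>',
    '<application android:label="Example" android:allowBackup="true"/>')

MANIFEST_DISABLED = MANIFEST_NO_ATTR.replace(
    '<application android:label="Example"/>',
    '<application android:label="Example" android:allowBackup="false"/>')


def allow_backup_setting(manifest_xml):
    """Return (explicit_value, effective_value) for android:allowBackup.

    explicit_value is the raw attribute string, or None when the attribute is
    missing. effective_value is what the platform will apply: the documented
    default is True, so a missing attribute still means backups are allowed.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    raw = app.get("{%s}allowBackup" % ANDROID_NS)
    if raw is None:
        return None, True
    return raw, raw.strip().lower() == "true"


def backup_finding(manifest_xml):
    """Map the manifest setting to a pass/fail finding for the backup test case."""
    explicit, effective = allow_backup_setting(manifest_xml)
    if not effective:
        return "PASS: android:allowBackup is false; app data is excluded from platform backups"
    if explicit is None:
        return "FAIL: android:allowBackup not set; platform default allows app data in backups"
    return "FAIL: android:allowBackup is true; app data is included in platform backups"


if __name__ == "__main__":
    for name, m in [("no attribute", MANIFEST_NO_ATTR), ("enabled", MANIFEST_ENABLED),
                    ("disabled", MANIFEST_DISABLED)]:
        print(name, "->", backup_finding(m))
```

A check that only looks for the literal string `allowBackup="true"` misses the missing-attribute case, which is why the helper reports the effective value rather than the raw attribute alone.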

@sushi2k
Collaborator

sushi2k commented Jan 26, 2017

You are right. I will merge this. Makes no sense to have two separate test cases for this.

@muellerberndt
Collaborator Author

Alright, so we only need the "backup" requirement then? So I'll remove this entirely from the MASVS.

@sushi2k
Collaborator

sushi2k commented Jan 28, 2017

Ok

@sushi2k
Collaborator

sushi2k commented Feb 1, 2017

Will update the MSTG test cases soon so they are aligned with MASVS. Will close this now.

@sushi2k sushi2k closed this as completed Feb 1, 2017