| Track: | Owasp Projects |
|---|---|
| When: | Mon, Tue, Wed, Thu, Fri AM-1, PM-1 |
| Where: | Owasp Projects |
| Organizers | Sven Schleier Sven Schleier , Davide Cioccia Davide Cioccia |
| Participants | Carlos Holguera Carlos Holguera , Arne Zismer Arne Zismer , Clara Anel Mansilla Clara Anel Mansilla , Sven Schleier Sven Schleier , Xenofon Vassilakopoulos Xenofon Vassilakopoulos |
| Remote Participants | Ashraf Iftekhar Ashraf Iftekhar , Dougal Kennedy Dougal Kennedy , Prakash Sharma Prakash Sharma , Rohit Sangaraj Rohit Sangaraj , Sandeep Akula Sandeep Akula |
The version 1.0 fixed hyphen release of the Mobile Application Security Verification Standard (MASVS) was published earlier this year. The project is getting positive feedback from all over the world and is becoming an accepted industry best practice for mobile apps. The MASVS establishes baseline security requirements for mobile apps that are useful in many scenarios, including:
- In the SDLC - to establish security requirements to be followed by solution architects and developers;
- In mobile app penetration tests - to ensure completeness and consistency in mobile app penetration tests;
- In procurement - as a measuring stick for mobile app security, e.g. in form of questionnaire for vendors;
- Et cetera.
The MASVS is a sister project of the OWASP Mobile Security Testing Guide.
Why
Last year we were focusing on creating the security requirements for the mobile world, this year we want to automate them :-)
One of the major problems of adopting the MASVS is how to test all the security requirements during development. This is of course a problem that is applicable for every piece of software that is developed. For web applications one of the solutions to address this is using Behavior-driven Development (BDD) with Cucumber and Gherkin through BDD Security. At the moment there are no mobile app test cases available for this that
A consistent and structured approach need to be used to continously test the requirements of a mobile app while it’s being developed.
What
Automated testing of the MASVS requriements, based on the research of Davide Cioccia through combination of:
- BDD with Cucumber and Gherkin and
- Calaba.sh
Outcomes
We want to use the Open Security Summit in order to extend the existing test cases for iOS and Android and transform the MASVS requirements into Gherkin Syntax wherever possible and applicable.
The existing technical approach and test cases will be shared before the Open Security Summit via Github and will be used as basis for other test cases.
Who
The target audience for this Working Session is:
- Developers
- Security Testers
- DevSecOps Engineers
Everyone else with experienes in automation and development background and some technical know-how :-)
Setup
To be up and running during the summit the follpwoing software must be installed:
- [Docker] (https://www.docker.com/get-docker)
- [Genymotion] (https://www.genymotion.com/fun-zone/)
A complete guide on how to setup the working environment and the Docker image can be found [here] (https://github.com/david3107/oss2018-tools)
References
- BDD Mobile security testing with OWASP MASVS, OWASP MSTG and Calabash
- BDD Security
- BDD Security Github
- Calabash
Register as participant
To register as participant add Automation of MASVS with BDD to either:
- the
sessionsmetadata field from your participant's page (find your participant page and look for the edit link). - or the
participantsmetadata field from this git session page
Back to list of all Working Sessions