Automation of MASVS with BDD

Track: Owasp Projects
When: Mon, Tue, Wed, Thu, Fri AM-1, PM-1
Where: Owasp Projects
Organizers Sven Schleier Sven Schleier , Davide Cioccia Davide Cioccia
Participants Carlos Holguera Carlos Holguera , Arne Zismer Arne Zismer , Clara Anel Mansilla Clara Anel Mansilla , Sven Schleier Sven Schleier , Xenofon Vassilakopoulos Xenofon Vassilakopoulos
Remote Participants Ashraf Iftekhar Ashraf Iftekhar , Dougal Kennedy Dougal Kennedy , Prakash Sharma Prakash Sharma , Rohit Sangaraj Rohit Sangaraj , Sandeep Akula Sandeep Akula

The version 1.0 fixed hyphen release of the Mobile Application Security Verification Standard (MASVS) was published earlier this year. The project is getting positive feedback from all over the world and is becoming an accepted industry best practice for mobile apps. The MASVS establishes baseline security requirements for mobile apps that are useful in many scenarios, including:

  • In the SDLC - to establish security requirements to be followed by solution architects and developers;
  • In mobile app penetration tests - to ensure completeness and consistency in mobile app penetration tests;
  • In procurement - as a measuring stick for mobile app security, e.g. in form of questionnaire for vendors;
  • Et cetera.

The MASVS is a sister project of the OWASP Mobile Security Testing Guide.


Last year we were focusing on creating the security requirements for the mobile world, this year we want to automate them :-)

One of the major problems of adopting the MASVS is how to test all the security requirements during development. This is of course a problem that is applicable for every piece of software that is developed. For web applications one of the solutions to address this is using Behavior-driven Development (BDD) with Cucumber and Gherkin through BDD Security. At the moment there are no mobile app test cases available for this that

A consistent and structured approach need to be used to continously test the requirements of a mobile app while it’s being developed.


Automated testing of the MASVS requriements, based on the research of Davide Cioccia through combination of: - BDD with Cucumber and Gherkin and -


We want to use the Open Security Summit in order to extend the existing test cases for iOS and Android and transform the MASVS requirements into Gherkin Syntax wherever possible and applicable.

The existing technical approach and test cases will be shared before the Open Security Summit via Github and will be used as basis for other test cases.


The target audience for this Working Session is:

  • Developers
  • Security Testers
  • DevSecOps Engineers

Everyone else with experienes in automation and development background and some technical know-how :-)


To be up and running during the summit the follpwoing software must be installed:

A complete guide on how to setup the working environment and the Docker image can be found here


Register as participant

To register as participant add Automation of MASVS with BDD to either:

  1. the sessions metadata field from your participant's page (find your participant page and look for the edit link).
  2. or the participants metadata field from this git session page

Back to list of all Working Sessions