If we had common mitigations defined, we could always refer back to a specific MASTG Mitigation, which would have a certain ID, and suggest those in pentest reports.
When testing for a specific MASVS ID, we'd perform one or more MASTG tests (which also have IDs) and suggest a mitigation (also clearly identified with an ID), or at least a mitigation based on / related to an MSTG one.
Example for "Testing MASVS-NETWORK-1", mitigations include:
M1009 | Encrypt Network Traffic (obvious)
M1013 | Application Developer Guidance (not that obvious for many but could be included)
As of now we offer a mitigation sometimes, and each time a new one (merged into the text, new text each time). We could reduce work by having a list of mitigations and extending it if needed. Many tests will need the same one, such as "Application Developer Guidance" or "User Guidance".
We should evaluate the feasibility of this for the MASTG. If it's feasible and relatively easy to implement we could do it. For now it's just an idea/proposal.
We could get some ideas from here (note that these are mobile device specific and we need app specific): https://attack.mitre.org/mitigations/mobile/