Applying OWASP’s Mobile App Security Guidance With Confidence
The Open Web Application Security Project® (OWASP) works to improve software security through its community-led, open-source software projects. The organisation hosts local and global conferences, and it has hundreds of chapters and tens of thousands of members around the world. Zimperium is an honorable benefactor of one of the organisation’s flagship projects, the OWASP Mobile Application Security (MAS) project.
The project developed the MASVS (Mobile Application Security Verification Standard), which contains practical guidance for security teams, application architects, developers, and testers. The standard defines the qualities of a secure mobile app, providing a security model and specific requirements that need to be addressed. The project also delivered the OWASP MASTG (Mobile Application Security Testing Guide), which includes recommendations and testing procedures to verify that MASVS requirements are being addressed, as well as a checklist that brings everything together.
The MASVS offers coverage of several different areas:
- Data Storage and Privacy (MASVS-STORAGE)
- Cryptography (MASVS-CRYPTO)
- Authentication and Authorisation (MASVS-AUTH)
- Network Communication (MASVS-NETWORK)
- Interaction with the Mobile Platform (MASVS-PLATFORM)
- Code Quality and Exploit Mitigation (MASVS-CODE)
- Anti-Tampering and Anti-Reversing (MASVS-RESILIENCE)
How Zimperium Helps Developers Meet OWASP MASVS
Mobile application risks start in development and persist throughout the app’s entire lifecycle, including when running on an end-user device. Zimperium’s Mobile Application Protection Suite (MAPS) enables teams to establish robust security across this lifecycle.
The MAPS platform consists of four security solutions, and it features a centralised dashboard that enables teams to view threat trajectory data, so they can more intelligently create, manage and enact critical response policies. MAPS is the only unified mobile security suite that combines centralised visibility with comprehensive in-app protection, helping organisations to meet OWASP’s mobile app security requirements.
This whitepaper takes you through each of the MASVS areas in detail and discusses the risks to OS security controls that mobile application developers and security engineers should be aware of. Today, compromises and security breaches can happen for various reasons, including zero-day vulnerabilities and unpatched devices. Implementing a layered security model will secure the mobile application and its assets, even when it’s running in an untrusted or attacker-controlled environment.