MASVS-ARCH Refactoring (till 28.08.22) #655
Closed
cpholguera
started this conversation in
Big MASVS Refactoring
Replies: 1 comment 1 reply
-
Hi @cpholguera, great job! If my understanding is correct, MASVS-ARCH is not really removed but rather replaced with OWASP SAMM v2.0 + NIST.SP.800-218 SSDF v1.1 right? The new MASVS-ARCH will be BLUE + GREEN? |
Beta Was this translation helpful? Give feedback.
1 reply
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Hello everybody,
as part of the refactoring process we decided to publish our draft of every section of the MASVS that we (@cpholguera, @TheDauntless and @sushi2k) worked on.
This is based on the MASVS category "V1: Architecture, Design and Threat Modeling Requirements" (from the MASVS Version 1.4.2): https://github.com/OWASP/owasp-masvs/blob/v1.4.2/Document/0x06-V1-Architecture_design_and_threat_modelling_requireme.md
As the MASVS already indicates, MASVS-ARCH ("V1: Architecture, Design and Threat Modeling Requirements") is the only category that does not map to technical test cases in the OWASP MSTG. It's white box in nature and therefore it isn't usually part of pentesting engagements. Instead it's commonly addressed using surveys/questionnaires.
It focuses on:
Along with the research made as part of this refactoring we've discovered other more mature standards addressing these topics: OWASP Software Assurance Maturity Model (SAMM) and NIST.SP.800-218 Secure Software Development Framework (SSDF). These projects allow you to integrate security into the entire SDLC. Rather than try to reinvent the wheel, we have:
We plan to update the MSTG with the coverage and corresponding items from SAMM/NIST but let them handle this topic.
OWASP SAMM
OWASP SAMM perfectly aligns with the spirit of MASVS-ARCH and extends it to areas that are out of the scope of the MASVS but are essential for any software security program such as "Strategy and Metrics", "Education & Guidance" or "Incident Management" to name a few.
Legend:
NIST.SP.800-218 SSDF Mapping
NIST.SP.800-218 SSDF not only aligns with the spirit of MASVS-ARCH but also covers many areas from MASVS-CODE (especially in its PW category). It extends the MASVS to areas that are out of the scope of the MASVS but are essential for any software security program such as "Software Development Secure Environments", "Source Access Protection" or "Require manual code reviews, SAST and DAST" to name a few.
Legend:
Beta Was this translation helpful? Give feedback.
All reactions