Import MASVS and MASTG into OpenCRE · OWASP/owasp-masvs · Discussion #745
I would love it if MASVS and MASTG were available from OpenCRE so that it is possible to link, e.g., the threat cards from the OWASP Cornucopia Mobile App Edition to the MASVS and MASTG requirements and tests through OpenCRE.
See as an example what has been done for ASVS:
https://opencre.org/node/standard/ASVS/sectionId/V2.10.4
and from the OWASP Cornucopia api:
http://cornucopia.owasp.org/api/cre/webapp/en
This allows ASVS to be linked to other standards like this: https://opencre.org/cre/774-888
The purpose behind this is to be able to combine the process of mobile application security requirement analysis according to ISO 27002 8.26 (https://www.isms.online/iso-27002/control-8-26-application-security-requirements/) on application security requirements with the process of doing threat modeling according to ISO 27002 8.28 on secure coding (https://hightable.io/iso-27002/control-8-28-secure-coding/).
Let's say, e.g., that you are doing threat modeling through OWASP Cornucopia, you play a card that you find applicable, and it scores during the game. You add the card to your OWASP Threat Dragon model, but then you wonder: what are the application security requirements, appropriate standards and MASTG tests applicable to the threat I have identified? If all of this information were linked through OpenCRE, then by selecting the appropriate card from OWASP Threat Dragon you could also get up-to-date information about which MASVS requirements apply, how these relate, e.g., to MASTG tests, and which other standards you probably should look at in order to mitigate the threat.
There are also a large range of other benefits as well.
What I wonder is whether it would be OK to use, e.g.:
https://mas.owasp.org/MASVS/controls/MASVS-CRYPTO-1/
as a link in OpenCRE, or whether you would prefer to use:
https://github.com/OWASP/owasp-masvs/blob/v2.1.0/controls/MASVS-CRYPTO-2.md
I can ensure the MASVS requirements and MASTG tests are imported and maintained in OpenCRE.
I just want to make sure that you are OK with this and to ask whether you have any preferences as to how you would like to see this maintained.
The process for contributing to OpenCRE is documented here: https://github.com/OWASP/OpenCRE/blob/main/docs/CONTRIBUTING.md