2020-4-24 Open Web Application Security Project (OWASP)

英文
中文

The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.

OWASP是一个开源的、非盈利的全球性安全组织，致力于应用软件的安全研究。我们的使命是使应用软件更加安全，使企业和组织能够对应用安全风险做出更清晰的决策。目前OWASP全球拥有250个分部近7万名会员，共同推动了安全标准、安全测试工具、安全指导手册等应用安全技术的发展。

【移动应用安全性检测】
英文
中文

Our Vision

“Define the industry standard for mobile application security.”

We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.

Main Deliverables

Mobile Security Testing Guide–测试案例 (MSTG)
MSTG手册-在线
MSTG英文手册-github
MSTG英文手册-CSDN

The MSTG is a comprehensive manual for mobile app security testing and reverse engineering for iOS and Android mobile security testers with the following content:

• Mobile platform internals
• Security testing in the mobile app development lifecycle
• Basic static and dynamic security testing
• Mobile app reverse engineering and tampering
• Assessing software protections
• Detailed test cases that map to the requirements in the MASVS.

OWASP MSTG是用于测试移动应用程序安全性的手册。它描述了验证MASVS中列出的相关安全准则的技术过程。MSTG提供了一个测试案例的列表，每个测试案例都映射到MASVS中的一个安全准则。相比MASVS对于安全准则的通用性和一般性的描述，MSTG提供了基于不同移动操作系统的详细建议以及测试流程。

MASVS–标准

Mobile App Security Requirements and Verification

The OWASP Mobile Application Security Verification Standard (MASVS) is, as the name implies, a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results.

MASVS中文版在线
MASVS中文版1.2pdf-github
MASVS中文版1.2pdf-csdn
MASVS文英版1.2pdf-csdn

1-MASVS的总体目标

是为移动应用程序安全提供基础需求（MASVS-L1），同时包括了额外的纵深防御措施（MASVS-L2） 和针对移动应用程序客户端威胁的保护（MASVS-R）。MASVS旨在实现以下目标：

• 罗列出移动应用安全开发的需求以供软件架构师和开发人员使用;
• 提供可用于移动应用安全测试的行业标准;
• 阐明软件保护机制在移动安全中的作用，并提供验证其有效性的要求;
• 提出针对不同用例的安全级别的具体建议。

Verification Levels in Detail 安全验证等级

• MASVS-L1: Standard Security标准安全等级

A mobile app that achieves MASVS-L1 adheres to mobile application security best practices. It fulfills basic requirements in terms of code quality, handling of sensitive data, and interaction with the mobile environment. A testing process must be in place to verify the security controls. This level is appropriate for all mobile applications.

实现MASVS-L1的移动应用程序需要遵循移动应用程序安全的最佳实践方法。它包含了代码的质量，敏感数据的处理以及与移动环境交互的基本安全准则。此外，MASVS-L1必须有一个测试流程来验证安全管控。MASVS-L1适用于所有的移动应用程序。

• MASVS-L2: Defense-in-Depth

MASVS-L2 introduces advanced security controls that go beyond the standard requirements. To fulfill MASVS-L2, a threat model must exist, and security must be an integral part of the app’s architecture and design. Based on the threat model, the right MASVS-L2 contro