MSTG-NETWORK-3: Certificate checks sufficient?

[daMatz]

The requirement for MSTG-NETWORK-3 is:

The app verifies the X.509 certificate of the remote endpoint when the secure channel is established. Only certificates signed by a trusted CA are accepted.

Is this sufficient as a requirement for this topic?
What about additional checks like:

• certificate validation check
• certificate revocation check
• signature check
• certificate chain check

[TheDauntless]

That's a valid point, and we should think about rephrasing this. I would love to say 'let the OS do it for you', but with all the third party frameworks that's probably not clear/secure enough.

[cpholguera]

You are right, there are more checks that can be done, see:

https://cwe.mitre.org/data/definitions/295.html

However, we have to keep the abstraction level of the MASVS and leave the details for the MSTG. This is already being considered in the MSTG (search for MSTG-NETWORK-3 and you'll find the mentioned checks as part of the test case).

Still, we should reformulate this to reflect that abstraction a bit better.