MASVS-ARCH Refactoring (till 28.08.22)

[cpholguera]

Hello everybody,

as part of the refactoring process we decided to publish our draft of every section of the MASVS that we (@cpholguera, @TheDauntless and @sushi2k) worked on.

This is based on the MASVS category "V1: Architecture, Design and Threat Modeling Requirements" (from the MASVS Version 1.4.2): https://github.com/OWASP/owasp-masvs/blob/v1.4.2/Document/0x06-V1-Architecture_design_and_threat_modelling_requireme.md

As the MASVS already indicates, MASVS-ARCH ("V1: Architecture, Design and Threat Modeling Requirements") is the only category that does not map to technical test cases in the OWASP MSTG. It's white box in nature and therefore it isn't usually part of pentesting engagements. Instead it's commonly addressed using surveys/questionnaires.

It focuses on:

• secure SDLC is a must
• sensitive data must be clearly identified
• good security architecture
• policies and regulations compliance
• threat modelling is essential

Along with the research made as part of this refactoring we've discovered other more mature standards addressing these topics: OWASP Software Assurance Maturity Model (SAMM) and NIST.SP.800-218 Secure Software Development Framework (SSDF). These projects allow you to integrate security into the entire SDLC. Rather than try to reinvent the wheel, we have:

• Mapped MASVS-ARCH to
  • OWASP SAMM v2.0
  • NIST.SP.800-218 SSDF v1.1
• Removed MASVS-ARCH from the MASVS

We plan to update the MSTG with the coverage and corresponding items from SAMM/NIST but let them handle this topic.

OWASP SAMM

"OWASP Software Assurance Maturity Model (SAMM) is a prescriptive model, an open framework which is simple to use, fully defined, and measurable. The solution details are easy enough to follow even for non-security personnel. It helps organizations analyze their current software security practices, build a security program in defined iterations, show progressive improvements in secure practices, and define and measure security-related activities."

OWASP SAMM perfectly aligns with the spirit of MASVS-ARCH and extends it to areas that are out of the scope of the MASVS but are essential for any software security program such as "Strategy and Metrics", "Education & Guidance" or "Incident Management" to name a few.

Legend:

• Pink: OWASP SAMM Categories
• Blue: MASVS-ARCH mapping
• Green: Additional areas not covered by MASVS-ARCH

NIST.SP.800-218 SSDF Mapping

"NIST.SP.800-218 Secure Software Development Framework (SSDF) is a core set of high-level secure software development practices that can be integrated into each SDLC implementation. Following such practices should help software producers reduce the number of vulnerabilities in released software, reduce the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences. Because the framework provides a common vocabulary for secure software development, software acquirers can also use it to foster communications with suppliers in acquisition processes and other management activities."

NIST.SP.800-218 SSDF not only aligns with the spirit of MASVS-ARCH but also covers many areas from MASVS-CODE (especially in its PW category). It extends the MASVS to areas that are out of the scope of the MASVS but are essential for any software security program such as "Software Development Secure Environments", "Source Access Protection" or "Require manual code reviews, SAST and DAST" to name a few.

Legend:

• Pink: NIST SSDF Categories
• Blue: MASVS-ARCH mapping
• Green: Additional areas not covered by MASVS-ARCH

MASVS-ARCH is open for comments till the 28th of August 2022. Please comment directly in this GitHub Discussion if you have any comments.

[razaina]

Hi @cpholguera, great job!

If my understanding is correct, MASVS-ARCH is not really removed but rather replaced with OWASP SAMM v2.0 + NIST.SP.800-218 SSDF v1.1 right?

The new MASVS-ARCH will be BLUE + GREEN?

[cpholguera]

Hi @razaina, exactly. We're removing MASVS-ARCH and replacing it with those standards. The colors are there to show you how the other standards cover the topics that used to be in MASVS-ARCH (blue) and many other important ones (green). But, of course there are more topics covered by those standards and not included in this summary diagram. We hope the diagram also helps you get started with the standards.