Protect your customer data and your reputation with our state-of-the-art security
Secure valuable gaming revenue streams & maintain user trust with our Unity integration
Secure your e-commerce revenue & safeguard data by layering mobile app protection
In July 2021, members of the OWASP foundation announced a plan to refactor and update the OWASP Mobile Application Security Verification Standard (Big MASVS Refactoring). There were a number of driving factors, primarily around challenges related to controls and removing redundancies. We couldn’t agree more.
In August 2021, we launched AppSweep, a free, developer-oriented mobile application security testing tool. Our philosophy on findings in AppSweep is to ensure they are relevant, actionable, and presented with clear recommendations on how to fix them.
Our philosophy aligns with some of the stated goals of the MASVS v2 refactoring effort, in particular, the concept of ensuring actionability.
“Make controls more specific so that they can be linked to very concrete and actionable MSTG test cases.”
We recently made some updates to AppSweep to add support for additional findings that provide coverage for the OWASP MSTG (Mobile Security Testing Guide) security requirements. We also added a new filterable view of findings to make it easier for users to identify how the findings we report relate to the OWASP MASVS categories.
All eight of the MASVS categories are represented within AppSweep, and you can easily drill down to see the relevant findings within each category. Those categories include:
To ensure AppSweep meets your needs, we implemented explicit tests that cover many of the OWASP MSTG security requirements. This also provides you with greater insight into what findings you can expect to see. There are several examples that can be seen in our PIVAA demo app.
We will continue to update AppSweep as the MASVS refactoring goes on, so you can be sure it’s up to date with the latest efforts of OWASP.
When implementing the OWASP MSTG testing requirements, you can choose between in-house testing or using a third party. Additionally, testing can be performed manually or can be automated using specialized tools. We strongly believe that robust mobile app security testing is most beneficial when it is performed in-house and leverages as much repeatable automation as possible.
We built AppSweep with frequent automated testing in mind. Not only are the results actionable and developer-friendly, but we ensured that scans can be performed quickly as part of every CI/CD build. We also developed key integrations to popular CI/CD tools so you can automate scans for your entire team.
Additionally, as part of your scans, you can track the commit hash associated with a particular build to more easily identify when new security issues were introduced into your app.
Though there are certainly benefits to supplementing your testing strategy with external assessments and pen testing, using automation to ensure you're prepared for those assessments will significantly reduce the discovery of late breaking issues.