OWASP Developer Guide

MAS


11.1.3 MAS gap analysis

The OWASP Mobile Application Security (MAS) flagship project provides industry standards for mobile application security.

The OWASP MAS project provides the Mobile Application Security Verification Standard (MASVS) for mobile applications that can be used as a guide for security gap analysis. The MAS project covers the processes, techniques, and tools used for security testing a mobile application, as well as a set of test cases that enables testers to deliver consistent and complete results.

What is MASVS?

The OWASP MASVS is the industry standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as by security testers to ensure completeness and consistency of test results.

The MAS project has several uses. For security gap analysis, the MASVS contains a list of security controls that are expected to be present and implemented in mobile applications.

The security controls are split into several categories:

Why use MASVS?

The OWASP MASVS provides a list of industry-standard security controls for secure mobile applications. If the application omits any of these controls, this could become a compliance issue because MASVS is the industry standard for mobile applications, so any omission needs to be justified.

How to use MASVS

The MASVS provides a list of expected security controls for mobile applications, and can be used to identify missing or inadequate controls during gap analysis. These controls can then be tested using the MAS Testing Guide.

The MASVS provides a starting point for a security gap evaluation of existing controls as well as new ones. The MASVS can be accessed online and the links followed for each security control; the mobile application can then be inspected for compliance with the relevant controls.


The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.