OWASP MASVS and MASTG Adoption¶
The OWASP MASVS and MASTG are trusted by the following platform providers and standardization, governmental and educational institutions.
Mobile Platform Providers¶
Google Android¶
Since 2021 Google has shown their support for the OWASP Mobile Security project (MASTG/MASVS) and has started providing continuous and high value feedback to the MASVS refactoring process via the App Defense Alliance (ADA) and its MASA (Mobile Application Security Assessment) program.
With MASA, Google has acknowledged the importance of leveraging a globally recognized standard for mobile app security to the mobile app ecosystem. Developers can work directly with an Authorized Lab partner to initiate a security assessment. Google will recognize developers who have had their applications independently validated against a set of MASVS Level 1 requirements and will showcase this on their Data safety section.
We thank Google, the ADA and all its members for their support and for their excellent work on protecting the mobile app ecosystem.
Certification Institutions¶
CREST¶
CREST is an international not-for-profit, membership body who quality assures its members and delivers professional certifications to the cyber security industry. CREST works with governments, regulators, academe, training partners, professional bodies and other stakeholders around the world.
In August 2022, CREST launched the OWASP Verification Standard (OVS) Programme. CREST OVS sets new standards for application security. Underpinned by OWASP's Application Security Verification Standard (ASVS) and Mobile Application Security Verification Standard (MASVS), CREST is leveraging the open-source community to build and maintain global standards to deliver a global web and mobile application security framework. This will provide assurance to the buying community that developers using CREST OVS accredited providers, always know that they are engaged with ethical and capable organisations with skilled and competent security testers by leveraging the OWASP ASVS and MASVS standards.
We thank CREST for their consulation regarding the OVS programme and its support to the open-source community to build and maintain global cyber security standards.
Standardization Institutions¶
NIST (National Institute of Standards and Technology, United States)¶
The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce. NIST is one of the nation's oldest physical science laboratories. Congress established the agency to remove a major challenge to U.S. industrial competitiveness at the time — a second-rate measurement infrastructure that lagged behind the capabilities of the United Kingdom, Germany and other economic rivals.
- NIST.SP.800-163 "Vetting the Security of Mobile Applications" Revision 1, 2019
- NIST.SP.800-218 "Secure Software Development Framework (SSDF) v1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities" v1.1, 2022
- NIST CSWP 33 "Product Development Cybersecurity Handbook: Concepts and Considerations for IoT Product Manufacturers" Initial Public Draft, 2024
BSI (Bundesamt für Sicherheit in der Informationstechnik, Germany)¶
BSI stands for "Federal Office for Information Security", it has the goal to promote IT security in Germany and is the central IT security service provider for the federal government.
- Technical Guideline BSI TR-03161 Security requirements for eHealth applications v1.0, 2020
- Prüfvorschrift für den Produktgutachter des „ePA-Frontend des Versicherten“ und des „E-Rezept-Frontend des Versicherten v2.0, 2021
ioXt¶
The mission of the ioXt Alliance is to build confidence in Internet of Things products through multi-stakeholder, international, harmonized, and standardized security and privacy requirements, product compliance programs, and public transparency of those requirements and programs.
In 2021, ioXt has extended its security principles through the Mobile Application profile, so that app developers can ensure their products are built with, and maintain, high cybersecurity standards such as the OWASP MASVS and the VPN Trust Initiative. The ioXt Mobile Application profile is a security standard that applies to any cloud connected mobile app and provides the much needed market transparency for consumer and commercial mobile app security.
Governmental Institutions¶
| Name | Document | Year |
|---|---|---|
| Government of Singapore, Cyber Security Agency (CSA) | Safe App Standard | 2024 |
| European Payments Council | Payment Threats and Fraud Trends Report | 2021 |
| European Payments Council | Mobile Initiated SEPA Credit Transfer Interoperability Implementation Guidelines, including SCT Instant (MSCT IIGs) | 2019 |
| ENISA (European Union Agency for Cybersecurity) | Good Practices for Security of SMART CARS | 2019 |
| Government of India, Ministry of Electronics & Information Technology | Adoption of Mobile AppSec Verification Standard (MASVS) Version 1.0 of OWASP | 2019 |
| Finish Transport and Communication Agency (TRAFICOM) | Assessment guideline for electronic identification services (Draft) | 2019 |
| Gobierno de España INCIBE | Ciberseguridad en Smart Toys | 2019 |
Educational Institutions¶
| Name | Document | Year |
|---|---|---|
| Leibniz Fachhochschule Hannover, Germany | Sicherheitsüberprüfung von mobilen iOS Apps nach OWASP (German) | 2022 |
| University of Florida, Florida Institute for Cybersecurity Research, United States | "SO{U}RCERER : Developer-Driven Security Testing Framework for Android Apps" | 2021 |
| University of Adelaide, Australia and Queen Mary University of London, United Kingdom | An Empirical Assessment of Global COVID-19 Contact Tracing Applications | 2021 |
| School of Information Technology, Mapúa University, Philippines | A Vulnerability Assessment on the Parental Control Mobile Applications Security: Status based on the OWASP Security Requirements | 2021 |
Application in Scientific Research¶
Books¶
Industry Case Studies¶
Would you like to contribute with your case study? Connect with us!
Resources¶
- A Vulnerability Assessment on the Parental Control Mobile Applications Security: Status based on the OWASP Security Requirements
- Adoption of Mobile AppSec Verification Standard (MASVS) Version 1.0 of OWASP
- Advances in Signal Processing and Intelligent Recognition Systems pp 671-683
- An Empirical Assessment of Global COVID-19 Contact Tracing Applications
- App Defense Alliance (ADA)
- Assessment guideline for electronic identification services (Draft)
- CREST OVS Accreditation Process
- CREST OVS Introductory Video
- CREST OVS Programme
- Case Study: NowSecure Commits to Security Standards
- Ciberseguridad en Smart Toys
- Connect with us!
- Good Practices for Security of SMART CARS
- Hands-On Security in DevOps in Google books
- MASA (Mobile Application Security Assessment) program
- Mobile Initiated SEPA Credit Transfer Interoperability Implementation Guidelines, including SCT Instant (MSCT IIGs)
- NIST CSWP 33 "Product Development Cybersecurity Handbook: Concepts and Considerations for IoT Product Manufacturers" Initial Public Draft, 2024
- NIST.SP.800-163 "Vetting the Security of Mobile Applications" Revision 1, 2019
- NIST.SP.800-218 "Secure Software Development Framework (SSDF) v1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities" v1.1, 2022
- National Institute of Standards and Technology (NIST)
- Payment Threats and Fraud Trends Report
- Prüfvorschrift für den Produktgutachter des „ePA-Frontend des Versicherten“ und des „E-Rezept-Frontend des Versicherten v2.0, 2021
- SO{U}RCERER : Developer-Driven Security Testing Framework for Android Apps
- Safe App Standard
- Sicherheitsüberprüfung von mobilen iOS Apps nach OWASP (German)
- Technical Guideline BSI TR-03161 Security requirements for eHealth applications v1.0, 2020
- extended its security principles through the Mobile Application profile
- ioXt Alliance
- ioXt Base Profile v2.0