You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Originally posted by poffo-mobisec August 2, 2024
I love the introduction of Weaknesses in mobile security. It was missing and it is brilliant. But let's go straight to the point.
Nowadays most of enterprises have standardized systems and works with CWE.
Have you considered relate each MASWE to a CWE, to ease the risk management and company integration?
I think this could give a lot of extra value to the project, allowing MASWE to be very specific on mobile weaknesses but at the same time bring compatibility with nowadays market.
THE FOLLOWING CONTENT IS AI-GENERATED, so this work would absolutlely need a check, but it gives the idea of the result:
MASWE ID
MASWE Title
Relevant CWE ID
CWE Title
MASWE-0001
Insertion of Sensitive Data into Logs
CWE-532
Insertion of Sensitive Information into Log File
MASWE-0002
Sensitive Data Stored With Insufficient Access Restrictions
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
MASWE-0003
Sensitive Data Remains in App Backups
CWE-212
Improper Cross-boundary Removal of Sensitive Data
MASWE-0004
Unencrypted Sensitive Data Stored in Non-Volatile Memory
CWE-311
Missing Encryption of Sensitive Data
MASWE-0005
Insecure Data Storage in Shared Preferences
CWE-922
Insecure Storage of Sensitive Information
MASWE-0006
Insecure Data Storage in SQL Databases
CWE-312
Cleartext Storage of Sensitive Information
MASWE-0007
Insecure Data Storage in External Storage
CWE-922
Insecure Storage of Sensitive Information
MASWE-0008
Insecure Data Storage in Cloud Services
CWE-256
Unprotected Storage of Credentials
MASWE-0009
Insecure Data Storage in Cache
CWE-922
Insecure Storage of Sensitive Information
MASWE-0010
Insecure Data Storage in Clipboard
CWE-532
Insertion of Sensitive Information into Log File
MASWE-0011
Sensitive Data in Application Memory
CWE-226
Sensitive Information in Data Storage Element
MASWE-0012
Sensitive Data in System Logs
CWE-532
Insertion of Sensitive Information into Log File
MASWE-0013
Sensitive Data in Browser Cache
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
MASWE-0014
Sensitive Data in WebView
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
MASWE-0015
Sensitive Data in URL
CWE-598
Use of GET Request Method with Sensitive Query Strings
MASWE-0016
Lack of Data Protection During Transmission
CWE-319
Cleartext Transmission of Sensitive Information
MASWE-0017
Insecure Use of Cryptography
CWE-327
Use of a Broken or Risky Cryptographic Algorithm
MASWE-0018
Insecure Random Number Generation
CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
MASWE-0019
Missing Integrity Checks on Sensitive Data
CWE-354
Improper Validation of Integrity Check Value
MASWE-0020
Missing Confidentiality Protections
CWE-311
Missing Encryption of Sensitive Data
MASWE-0021
Sensitive Data in Logs
CWE-532
Insertion of Sensitive Information into Log File
MASWE-0022
Missing Security Controls for Sensitive Data
CWE-284
Improper Access Control
MASWE-0023
Insecure Use of Hashing
CWE-327
Use of a Broken or Risky Cryptographic Algorithm
MASWE-0024
Unsecured External Communication
CWE-319
Cleartext Transmission of Sensitive Information
MASWE-0025
Insecure Data Storage in Memory
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
MASWE-0026
Sensitive Data in Third-Party Services
CWE-295
Improper Certificate Validation
MASWE-0027
Insecure Data Transmission Using SMS
CWE-319
Cleartext Transmission of Sensitive Information
MASWE-0028
Sensitive Data in Keyboard Cache
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
MASWE-0029
Insecure Data Storage in Keychain
CWE-312
Cleartext Storage of Sensitive Information
MASWE-0030
Insecure Data Storage in Shared Directory
CWE-922
Insecure Storage of Sensitive Information
MASWE-0031
Insecure Data Storage in Logs
CWE-532
Insertion of Sensitive Information into Log File
MASWE-0032
Insecure Data Storage in Debugging Information
CWE-532
Insertion of Sensitive Information into Log File
MASWE-0033
Insecure Data Storage in Crash Reports
CWE-532
Insertion of Sensitive Information into Log File
MASWE-0034
Insecure Data Storage in System Logs
CWE-532
Insertion of Sensitive Information into Log File
MASWE-0035
Insecure Data Storage in Third-Party Components
CWE-295
Improper Certificate Validation
MASWE-0036
Insecure Data Storage in Cloud Storage
CWE-256
Unprotected Storage of Credentials
MASWE-0037
Insecure Data Storage in App Sandboxes
CWE-922
Insecure Storage of Sensitive Information
MASWE-0038
Insecure Data Storage in Cookie Storage
CWE-315
Cleartext Storage of Sensitive Information in a Cookie
MASWE-0039
Insecure Data Storage in Web Storage
CWE-922
Insecure Storage of Sensitive Information
MASWE-0040
Insecure Data Storage in IndexedDB
CWE-922
Insecure Storage of Sensitive Information
MASWE-0041
Insecure Data Storage in LocalStorage
CWE-922
Insecure Storage of Sensitive Information
MASWE-0042
Insecure Data Storage in SessionStorage
CWE-922
Insecure Storage of Sensitive Information
MASWE-0043
Insecure Data Storage in FileSystem API
CWE-922
Insecure Storage of Sensitive Information
MASWE-0044
Insecure Data Storage in App Bundle
CWE-312
Cleartext Storage of Sensitive Information
MASWE-0045
Insecure Data Storage in Application Data
CWE-922
Insecure Storage of Sensitive Information
MASWE-0046
Insecure Data Storage in Application Code
CWE-312
Cleartext Storage of Sensitive Information
MASWE-0047
Insecure Data Storage in System Services
CWE-922
Insecure Storage of Sensitive Information
MASWE-0048
Insecure Data Storage in App Configuration
CWE-312
Cleartext Storage of Sensitive Information
MASWE-0049
Insecure Data Storage in Environment Variables
CWE-312
Cleartext Storage of Sensitive Information
MASWE-0050
Insecure Data Storage in Shared Objects
CWE-922
Insecure Storage of Sensitive Information
MASWE-0051
Insecure Data Storage in Shared Libraries
CWE-922
Insecure Storage of Sensitive Information
MASWE-0052
Insecure Data Storage in Shared Components
CWE-922
Insecure Storage of Sensitive Information
MASWE-0053
Insecure Data Storage in Shared Resources
CWE-922
Insecure Storage of Sensitive Information
MASWE-0054
Insecure Data Storage in Shared Applications
CWE-922
Insecure Storage of Sensitive Information
MASWE-0055
Insecure Data Storage in Shared Files
CWE-922
Insecure Storage of Sensitive Information
MASWE-0056
Insecure Data Storage in Shared Devices
CWE-922
Insecure Storage of Sensitive Information
MASWE-0057
Insecure Data Storage in Shared Network Storage
CWE-922
Insecure Storage of Sensitive Information
MASWE-0058
Insecure Data Storage in Shared Infrastructure
CWE-922
Insecure Storage of Sensitive Information
MASWE-0059
Insecure Data Storage in Shared Services
CWE-922
Insecure Storage of Sensitive Information
MASWE-0060
Insecure Data Storage in Shared Platforms
CWE-922
Insecure Storage of Sensitive Information
MASWE-0061
Insecure Data Storage in Shared Cloud Services
CWE-922
Insecure Storage of Sensitive Information
MASWE-0062
Insecure Data Storage in Shared Virtualization Platforms
CWE-922
Insecure Storage of Sensitive Information
MASWE-0063
Insecure Data Storage in Shared Containers
CWE-922
Insecure Storage of Sensitive Information
MASWE-0064
Insecure Data Storage in Shared Hosts
CWE-922
Insecure Storage of Sensitive Information
MASWE-0065
Insecure Data Storage in Shared Hypervisors
CWE-922
Insecure Storage of Sensitive Information
MASWE-0066
Insecure Data Storage in Shared Orchestration
CWE-922
Insecure Storage of Sensitive Information
MASWE-0067
Insecure Data Storage in Shared Configuration Management
CWE-922
Insecure Storage of Sensitive Information
MASWE-0068
Insecure Data Storage in Shared DevOps Pipelines
CWE-922
Insecure Storage of Sensitive Information
MASWE-0069
Insecure Data Storage in Shared CI/CD Tools
CWE-922
Insecure Storage of Sensitive Information
MASWE-0070
Insecure Data Storage in Shared Testing Environments
CWE-922
Insecure Storage of Sensitive Information
MASWE-0071
Insecure Data Storage in Shared Monitoring Tools
CWE-922
Insecure Storage of Sensitive Information
MASWE-0072
Insecure Data Storage in Shared Logging Services
CWE-922
Insecure Storage of Sensitive Information
MASWE-0073
Insecure Data Storage in Shared Security Tools
CWE-922
Insecure Storage of Sensitive Information
MASWE-0074
Insecure Data Storage in Shared Automation Tools
CWE-922
Insecure Storage of Sensitive Information
MASWE-0075
Insecure Data Storage in Shared Resource Management Tools
CWE-922
Insecure Storage of Sensitive Information
MASWE-0076
Dependencies with Known Vulnerabilities
CWE-1104
Use of Unmaintained Third-party Components
MASWE-0077
Running on a recent Platform Version Not Ensured
CWE-1105
Insufficient Software Version Update
MASWE-0078
Latest Platform Version Not Targeted
CWE-1105
Insufficient Software Version Update
MASWE-0079
App Runs on Jailbroken or Rooted Devices
CWE-862
Incorrect Authorization
MASWE-0080
App Runs on Emulator
CWE-325
Missing Cryptographic Step
MASWE-0081
Debugging Enabled
CWE-489
Active Debug Code
MASWE-0082
Developer Options Enabled
CWE-489
Active Debug Code
MASWE-0083
Unsafe Handling of Data From The User Interface
CWE-20
Improper Input Validation
MASWE-0084
Unsafe Handling of Data from IPC
CWE-20
Improper Input Validation
MASWE-0085
Insecure Inter-Process Communication
CWE-319
Cleartext Transmission of Sensitive Information
MASWE-0086
SQL Injection
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
MASWE-0087
Insecure Parsing and Escaping
CWE-116
Improper Encoding or Escaping of Output
MASWE-0088
Insecure Object Deserialization
CWE-502
Deserialization of Untrusted Data
MASWE-0089
Improper Certificate Validation
CWE-295
Improper Certificate Validation
MASWE-0090
Improper Use of Platform APIs
CWE-749
Exposed Dangerous Method or Function
MASWE-0091
Sensitive Data in Logs
CWE-532
Insertion of Sensitive Information into Log File
MASWE-0092
Insecure Data Storage in External Devices
CWE-922
Insecure Storage of Sensitive Information
MASWE-0093
Sensitive Data in Backup Files
CWE-212
Improper Cross-boundary Removal of Sensitive Data
MASWE-0094
Insecure Data Transmission Using Insecure Protocols
CWE-319
Cleartext Transmission of Sensitive Information
MASWE-0095
Insecure Use of Third-party Libraries
CWE-1104
Use of Unmaintained Third-party Components
MASWE-0096
Unencrypted Sensitive Data Stored in Volatile Memory
CWE-311
Missing Encryption of Sensitive Data
MASWE-0097
Insecure Data Transmission Using Push Notifications
CWE-319
Cleartext Transmission of Sensitive Information
MASWE-0098
Insecure Data Transmission Using Email
CWE-319
Cleartext Transmission of Sensitive Information
MASWE-0099
Insecure Data Transmission Using Third-party Services
CWE-319
Cleartext Transmission of Sensitive Information
MASWE-0100
Insecure Data Storage in Temporary Files
CWE-922
Insecure Storage of Sensitive Information
MASWE-0101
Insecure Data Storage in Local Databases
CWE-312
Cleartext Storage of Sensitive Information
MASWE-0102
Sensitive Data in Memory Dumps
CWE-226
Sensitive Information in Data Storage Element
MASWE-0103
Insecure Data Storage in Shared Drives
CWE-922
Insecure Storage of Sensitive Information
MASWE-0104
App Integrity Not Verified
CWE-353
Missing Support for Integrity Check
MASWE-0105
Integrity of App Resources Not Verified
CWE-353
Missing Support for Integrity Check
MASWE-0106
Official Store Verification Not Implemented
CWE-353
Missing Support for Integrity Check
MASWE-0107
Runtime Code Integrity Not Verified
CWE-353
Missing Support for Integrity Check
MASWE-0108
Sensitive Data in Network Traffic
CWE-319
Cleartext Transmission of Sensitive Information
The text was updated successfully, but these errors were encountered:
MASWE supports CWE mappings already:
https://github.com/search?q=repo%3AOWASP%2Fowasp-mastg%20%22cwe%3A%22&type=code
For example, in MASWE-0041:
Review the suggestions below and add the remaining missing mappings to the rest of the MASWE.
Discussed in #2857
Originally posted by poffo-mobisec August 2, 2024
I love the introduction of Weaknesses in mobile security. It was missing and it is brilliant. But let's go straight to the point.
Nowadays most of enterprises have standardized systems and works with CWE.
Have you considered relate each MASWE to a CWE, to ease the risk management and company integration?
I think this could give a lot of extra value to the project, allowing MASWE to be very specific on mobile weaknesses but at the same time bring compatibility with nowadays market.
THE FOLLOWING CONTENT IS AI-GENERATED, so this work would absolutlely need a check, but it gives the idea of the result:
The text was updated successfully, but these errors were encountered: