Add MASWE-0047, MASWE-0048, MASWE-0049, MASWE-0050, MASWE-0051, MASWE-0052 #2919
Conversation
cpholguera
changed the title
| @@ -21,3 +21,29 @@ status: draft | |||
|
|
|||
| --- | |||
|
|
|||
| ## Overview | |||
|
|
|||
| Applications that do not utilize platform-provided networking APIs or well-established security libraries are susceptible to security vulnerabilities. When developers implement custom networking code or "roll their own" security mechanisms, they risk introducing flaws due to a lack of deep expertise in cryptography and network security. Platform-provided APIs and libraries, such as `NSURLSession` on iOS or `HttpsURLConnection` on Android, are designed and maintained by experts, incorporating security best practices and regular updates to address new threats and vulnerabilities. | |||
There was a problem hiding this comment.
Weakness title should be 'Proven' instead of 'Proved'. While both are correct past participles, 'proven' is typically used for the adjective case.
| - **Restrict Network Bindings**: Configure the application to bind only to specific, necessary network interfaces, avoiding the use of wildcard addresses like `INADDR_ANY`. | ||
| - **Implement Strong Access Controls**: Enforce authentication and authorization for any services exposed through open ports to ensure only authorized entities can connect. | ||
| - **Disable Debugging Services in Production**: Ensure that all development and debugging network services are disabled or removed in production builds. | ||
| - **Validate and Sanitize Inputs**: Properly validate all incoming data from network connections to prevent injection attacks and buffer overflows. |
There was a problem hiding this comment.
I would say that this is irrelevant for this specific weakness.
There was a problem hiding this comment.
Could you please explain this a bit more?
| - **Implement Strong Access Controls**: Enforce authentication and authorization for any services exposed through open ports to ensure only authorized entities can connect. | ||
| - **Disable Debugging Services in Production**: Ensure that all development and debugging network services are disabled or removed in production builds. | ||
| - **Validate and Sanitize Inputs**: Properly validate all incoming data from network connections to prevent injection attacks and buffer overflows. | ||
| - **Use Secure Communication Protocols**: Employ encryption and secure protocols (e.g., TLS/SSL) for any network communication to protect data in transit. |
There was a problem hiding this comment.
Also irrelevant for this weakness?
There was a problem hiding this comment.
Could you please explain this a bit more?
|
|
||
| --- | ||
|
|
||
| ## Overview | ||
|
|
||
| Applications that do not properly validate SSL/TLS certificates during secure communication are susceptible to man-in-the-middle attacks and other security breaches. This weakness occurs when an application accepts invalid, expired, self-signed, or untrusted certificates without appropriate verification, compromising the integrity and confidentiality of data in transit. |
There was a problem hiding this comment.
Potentially remove SSL? SSL shouldn't be used anymore.
There was a problem hiding this comment.
We could change man-in-the-middle to machine-in-the-middle which is a common new phrase for it to be gender neutral.
There was a problem hiding this comment.
I was also thinking about that, I've seen also "Manipulator-in-the-middle" a few times. At the end of the day it's a threat actor and done manually in our scenarios, so maybe manipulator instead of machine. But I guess both would work and is better than "man".
Co-authored-by: Jeroen Beckers <[email protected]>
Copilot
AI
left a comment
Copilot
AI
left a comment
There was a problem hiding this comment.
Copilot reviewed 5 out of 6 changed files in this pull request and generated 1 suggestion.
Files not reviewed (1)
- weaknesses/MASVS-NETWORK/MASWE-0050.md: Evaluated as low risk
Comments skipped due to low confidence (1)
weaknesses/MASVS-NETWORK/MASWE-0049.md:46
- The term "NSURLSession" should be "URLSession".
Utilize Platform-Provided Networking APIs: Always use the networking APIs provided by the platform, such as `NSURLSession` for iOS and `HttpsURLConnection` or `OkHttp` for Android, which handle many security concerns internally.
|
|
||
| --- | ||
|
|
||
| ## Overview | ||
|
|
||
| Applications that do not properly validate SSL/TLS certificates during secure communication are susceptible to man-in-the-middle attacks and other security breaches. This weakness occurs when an application accepts invalid, expired, self-signed, or untrusted certificates without appropriate verification, compromising the integrity and confidentiality of data in transit. |
There was a problem hiding this comment.
I was also thinking about that, I've seen also "Manipulator-in-the-middle" a few times. At the end of the day it's a threat actor and done manually in our scenarios, so maybe manipulator instead of machine. But I guess both would work and is better than "man".
Co-authored-by: Sven <[email protected]> Co-authored-by: Copilot <[email protected]> Co-authored-by: Jeroen Beckers <[email protected]>
…e-to-Machine Communication; remove content and enhance draft data
…aft sections and update status to new
… cleartext traffic; merge Platform-provided Settings (global and per-domain), incorporate non-http and remove pinning mitigation
This PR
closes #2686
closes #2688
closes #2689
closes #2690
closes #2691
closes #2692