-
-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[MASWE-0103] - RASP Techniques Not Implemented #3074
Conversation
Hi all, We would like to contribute to the RASP weakness section. Since related weaknesses, such as root/jailbreak detection and integrity, are addressed in separate units, this test is designed to focus on verifying core RASP operations. It aims to assess how well the RASP fulfills its responsibilities (e.g., reactions, threat telemetry data collection, bypass-resiliency, etc.). A key component highly required for this test is a (written) security policy enforced by the app developer. This policy should outline all expected reactions, security processes, and features that the RASP solution should provide. Given the wide variation in use cases and RASP setups, the test is structured to be adaptable to different RASP implementations. While designed to be RASP-product agnostic, for the demo, we mocked freeRASP integration, a well-established solution deployed on over 500 million devices, to show common components and demonstrate how to test simple flows. It's important to note that different RASP products come with unique setups, so evaluation routines will vary significantly. Best Regards |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This demo seems to focus on demonstrating how to implement a specific RASP solution, rather than a demo to achieve the test. If I am a developer who has a RASP solution for my application and I am testing it, I think I would need a demo that focuses on how I can demonstrate/confirm that RASP is implemented for my app. For this reason, I think this demo does not relate well to the Test.
It is also not typical for the OWASP demos to endorse tools (exceptions of course and preference for open-source utilities that are helpful in performing a given test).
|
||
### Sample | ||
|
||
The following code snippet demonstrates the implementation of the freeRASP security library SDK. freeRASP periodically scans the device for threats, monitors its state, and gathers data to generate detailed threat reports. Threats are detected and communicated to the app via listeners. In this example, the root detection scenario is simulated. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This demo seems to focus on demonstrating how to implement a specific RASP solution, rather than a demo to achieve the test. If I am a developer who has a RASP solution for my application and I am testing it, I think I would need a demo that focuses on how I can demonstrate/confirm that RASP is implemented for my app. For this reason, I think this demo does not relate well to the Test.
It is also not typical for the OWASP demos to endorse tools (exceptions of course and preference for open-source utilities that are helpful in performing a given test).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"This demo seems to focus on demonstrating how to implement a specific RASP solution, rather than a demo to achieve the test."
I think the test can be used to assess majority of mobile app RASPs. At the same time the test tries to avoid duplicating other resiliency MASWEs (root detection, integrity verification, etc. are separated issues). I like that the demo is a minimal example utilizing the RASP that is free to use and has a public docs - easier to maintain in the future. It would be great to add more other RASPs in the future if possible. Do you have an experience with other RASPs that could be added?
"If I am a developer who has a RASP solution for my application and I am testing it, I think I would need a demo that focuses on how I can demonstrate/confirm that RASP is implemented for my app. For this reason, I think this demo does not relate well to the Test."
This is inherently dependent on the RASP product itself and the individual configuration / expected features / reaction etc. I think this works well as an example / guideline that could be extended in the future.
"It is also not typical for the OWASP demos to endorse tools (exceptions of course and preference for open-source utilities that are helpful in performing a given test)."
In this case we could make an exception for obvious reasons.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This demo seems to focus on demonstrating how to implement a specific RASP solution, rather than a demo to achieve the test. If I am a developer who has a RASP solution for my application and I am testing it, I think I would need a demo that focuses on how I can demonstrate/confirm that RASP is implemented for my app. For this reason, I think this demo does not relate well to the Test.
It is also not typical for the OWASP demos to endorse tools (exceptions of course and preference for open-source utilities that are helpful in performing a given test).
By conducting this test, we ensure that the app is capable of defending against runtime attacks and maintaining its integrity even in compromised environments. If RASP techniques are not implemented or are improperly configured, the app may be vulnerable to various security threats, including data breaches, unauthorised access, and malicious modifications. | ||
|
||
## Steps | ||
1. Ensure that all security checks and protection mechanisms expected from RASP are present and enabled with the application. To test the RASP policy that the app enforces, a written copy of the policy must be provided. The policy should define available checks and their enforcement. For example: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would advocate for requiring an up-front test step that requires the determination of "in scope" RASP checks, I don't know if it needs to be captured as a written policy per se. Could simply be a statement of, prior to evaluating RASP checks ensure the test scope is defined based on your organizations required, or designed/implemented RASP checks, as the RASP configuration strategy may differ from organization-to-organization.
Alternatively, you could always rely on testing for all RASP checks related to the weakness, and failing the test, and leaving it to the organization to annotate why a failed test is acceptable based on their desired RASP configuration approach.
Thanks for opening this PR @martinzigrai, @SirionRazzer. We discussed this topic internally and decided to close the PR as we realized that MASWE-0103 is not something we actually want to consider a "weakness" currently. We also can’t reference or use non-open source RASP implementations in the MASTG and our focus remains in verifying each RESILIENCE weakness separately:
We would like to encourage you to continue working on this topic by incorporating this content (with the appropriate modifications) into https://mas.owasp.org/MASTG/0x04c-Tampering-and-Reverse-Engineering/ and adding the corresponding sub-sections for each topic: root/jailbreak detection, emulator detection, etc. After that, update and ensure alignment of this content with:
Meaning: these chapters have the same sections as 0x04c (and links to 0x04c) and explain each detection in the context of the target platform, while 0x04c addresses the topic from a generic / high-level perspective. Thanks to this work:
The fact that the application not only detects but also reacts (e.g. by terminating) should be explained at each weakness or in the theory chapter. We’ll consider later if we want this to be part of a test or demo. About New DemosFor any new demos you create, please use any existing and fully open source framework (where anyone can manually inspect how the checks are performed). For example, for Android you have https://github.com/securevale/android-rasp, which includes the actual checks in the repo: https://github.com/securevale/android-rasp/blob/master/native/src/common/files.rs#L124 Or you can create custom code to do root detection, etc., for example: Please keep an eye out for open PRs that may already address some of these topics, e.g. Main Focus Area to ContributeWe also encourage you to contribute to these issues, which are the current focus of the project and should be treated with high priority. |
Hi @cpholguera , Thank you for the feedback and the suggested follow-up action plan. I’m curious to understand the reasoning behind the removal of this weakness, as its inclusion appeared to align with current trends in government and enterprise mobile security policies, which broadly request these techniques. Nevertheless, I’m eager to continue exploring this topic and will focus on the high-priority items outlined in the milestone. Additionally, I would like to join the sync meetings if possible to stay aligned and contribute further. |
This PR closes #2773