Explore a new framework for automating OWASP Mobile Security Testing Guide (MSTG) and Mobile Application Security Verification Standard (MASVS) in CI/CD pipelines. Learn how to address mobile security challenges in Agile and DevOps environments by implementing automated, repeatable security tests for each release. Discover techniques for detecting vulnerabilities early, improving developer understanding of security, and allowing penetration testers to focus on more sophisticated attack patterns. Examine the combination of existing penetration testing frameworks, UI automation, and Behavior-Driven Development (BDD) to create comprehensive security tests covering areas like encrypted PII, input validation, cryptography, and network security. Gain practical insights on writing, executing, and integrating these tests into CI/CD pipelines, and learn how to retrieve test results and trigger automatic tests when manual penetration tests uncover flaws.
A New Framework to Automate MSTG and MASVS in Your CI/CD Pipeline
Overview
Syllabus
Intro
Why does mobile security matter?
Agile SDLC: where and when to detect vulnerabilities?
Why do mistakes happen?
Mobile Security challenges
Introduce security integration tests
Biggest problem with tests
Solution: BDD
BDD explained: features and steps
Why BDD in security? Communication
Cucumber: the king of BDD
Translate the OWASP MSTG in BDD
Automate the UI
Execute security tests
Get Feedback
Full process in the SDLC
Setup
Target: OWASP MSTG Hacking Playground
OWASP MSTG: Testing Logs for Sensitive Data
BDD: Testing Logs for Sensitive Data
OWASP MSTG: Testing Local Storage for Sensitive Data
BDD: Testing Local Storage for Sensitive Data
Reporting
Integration in CI/CD
Benefits
References
Taught by
OWASP Foundation
