YoVDO

How the Latest MASVS and MSTG Specs Enhance Mobile Penetration Testing

Offered By: OWASP Foundation via YouTube

Tags

Mobile Application Security Courses, Network Security Courses, Penetration Testing Courses, Security Policies Courses, Session Management Courses

Course Description

Overview

Explore the latest OWASP Mobile Application Security Verification Standard (MASVS) and Mobile Security Testing Guide (MSTG) specifications in this 44-minute conference talk. Dive into the pervasive nature of mobile risk and the unique security challenges posed by mobile platforms. Learn how to effectively leverage OWASP mobile projects, understand the mobile attack surface, and navigate changes in platform interaction and data storage. Discover best practices for testing network security, authentication, and session management on mobile devices. Gain insights into setting security policies, distinguishing between security and privacy concerns, and integrating security into your software development lifecycle. Explore a curated list of open-source tools and utilize the Mobile AppSec Testing Checklist to enhance your mobile application security testing approach.

Syllabus

Intro
Mobile Powers the World, But Mobile Risk is Pervasive
Mobile Security Challenges by the Numbers
Web & Mobile are Fundamentally Different
Understand the Mobile Attack Surface
Understand the Anatomy of a Mobile Attack
Get started on the right path
Leverage OWASP Mobile Project
Use all Your Senses
Learn the Mobile Attack Surface
Changes in MASVS - Platform Interaction
Sensitive data leaks like an overfilled drink
Changes in MASVS - Data Storage
Don't cringe at client-side security controls
Test network on mobile
Don't water down auth & session mgmt
The order matters: Test first, then resilience
Framework for Setting Policy
Don't mix up Security & Privacy, Not the Same
The flavor palate varies widely
Buy a dev a drink, and they might buy you one too
Tony's Mobile Top Ten Recipe
Summary Recommendations
A Sampling of OSS Tools
Leverage Mobile AppSec Testing Checklist
Build Security Into Your SDLC


Taught by

OWASP Foundation

Related Courses

Identifying Security Vulnerabilities
University of California, Davis via Coursera
Back-end Application Development with Node.js and Express
IBM via edX
JSP, Servlet, JSLT + Hibernate: A complete guide
Udemy
Create a Members Only Blog using PHP, MySQL, & AJAX
Udemy
Desenvolvimento Seguro de Software
Udemy