Add NTLM authentication to MSTG-CRYPTO-3

[AndreMCCarvalho]

Hey guys,

I was reading your documentation and noticed that Microsoft NTLM authentication is not present in your MSTG-CRYPTO-3. NTLM is known to be an outdated authentication protocol that uses insecure encryption algorithms. I feel like it could belong into the MSTG-CRYPTO-3 category.

Best regards,
Andre

[cpholguera]

Hi @AndreMCCarvalho,

that could be a good fit for testing authentication. We could include tests for "Testing for insecure algorithms".

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04e-Testing-Authentication-and-Session-Management.md

But we really have to discuss this since testing authentication is more on the side of the OWASP ASVS.

https://github.com/OWASP/ASVS

Thanks for the feedback, we'll consider it for the upcoming refactoring of the MASVS-AUTH category.