
New Risk - Insecure Random Usage [insecure-random] #2591

Closed
cpholguera opened this issue Mar 1, 2024 · 3 comments · Fixed by #2518

@cpholguera
Collaborator

Description

Create a new risk for "Insecure Random Usage (MASVS-CRYPTO-1)" using the following information:

Using a non-cryptographically secure PRNG in a security context, such as authentication, poses significant risks. An attacker could potentially guess the generated numbers and gain access to privileged data or functionality. Predicting or regenerating random numbers can lead to encryption breaches, compromise sensitive user information, or enable user impersonation.

Create "risks/MASVS-CRYPTO/1-***-****/insecure-random/risk.md" including the following content:

```markdown
---
title: Insecure Random Usage
alias: insecure-random
platform: [android, ios]
profiles: [L1, L2]
mappings:
  masvs-v1: [MSTG-CRYPTO-6]
  masvs-v2: [MASVS-CRYPTO-1]
  mastg-v1: [MASTG-TEST-0063, MASTG-TEST-0016]

---

## Overview

## Impact

## Modes of Introduction

## Mitigations
```

To complete the sections, follow the guidelines from Writing MASTG Risks & Tests.

Use at least the following references:

MASTG v1 Refactoring:

If the risk has a MASVS v1 ID, you can use it to search for related tests in the MASTG and use them as input to define your risks and associated tests.

Acceptance Criteria

  • The risk has been created in the correct directory (risks/MASVS-CRYPTO/1-***-****/insecure-random/risk.md)
  • The risk content follows the guidelines
  • At least one GitHub Issue has been created for the corresponding tests (derived from "Modes of Introduction")
  • The risk indicates the related MASTG v1 tests in its metadata.
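As an added illustration for the risk description above (this is example code written for this page, not part of the issue or of the MASTG project's own code), the Python block below does two things a reviewer of this risk would want to see: it contrasts a token drawn from a seeded, non-cryptographic PRNG with one drawn from the OS CSPRNG, and it runs a small static check over constructed Android/iOS source lines to flag non-cryptographic random APIs and note whether the same line names a security-sensitive value. The API names follow the ones MASTG's Android and iOS random-number tests look for; the regexes, platform labels, keyword hints and the sample source are this example's own assumptions, not MASTG definitions.

```python
import random
import re
import secrets
from typing import Dict, List

# Constructed source lines mixing Android (Java) and iOS (C) snippets; this is
# sample input for the scanner, not code taken from any real app.
SAMPLE_SOURCE = """\
import java.security.SecureRandom;
import java.util.Random;
String sessionToken = Long.toHexString(new Random().nextLong());
byte[] key = new byte[32]; new SecureRandom().nextBytes(key);
int dice = (int) (Math.random() * 6) + 1;
uint32_t otp = rand() % 1000000;
uint32_t nonce = arc4random_uniform(1000000);
"""

# Assumed API patterns for non-cryptographic PRNGs. The API names are the
# ones MASTG's Android/iOS random-number tests look for; the regexes and the
# platform labels are this example's own choice, not MASTG definitions.
INSECURE_RANDOM_PATTERNS = [
    ("android", re.compile(r"\bjava\.util\.Random\b|\bnew\s+Random\s*\(")),
    ("android", re.compile(r"\bMath\.random\s*\(")),
    ("android", re.compile(r"\bkotlin\.random\.Random\b")),
    # libc rand()/srand()/random()/srandom(); the lookbehind keeps
    # arc4random_uniform( and SecRandomCopyBytes( from matching.
    ("ios", re.compile(r"(?<![\w.])s?rand(?:om)?\s*\(")),
]

# Identifier fragments that suggest the random value feeds a security decision
# (MASVS-CRYPTO-1 is about random values used in such contexts). Heuristic only.
SECURITY_CONTEXT_HINTS = ("token", "session", "nonce", "otp", "password",
                          "secret", "salt", "csrf")


def scan_for_insecure_random(source: str) -> List[Dict[str, object]]:
    """Return one finding per insecure PRNG API use found in `source`.

    Each finding records the 1-based line number, the platform label, the
    matched API text and whether the same line names a security-sensitive
    value (a same-line heuristic, so a manual review must still confirm).
    """
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        lowered = line.lower()
        in_security_context = any(h in lowered for h in SECURITY_CONTEXT_HINTS)
        for platform, pattern in INSECURE_RANDOM_PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append({
                    "line": lineno,
                    "platform": platform,
                    "api": match.group(0).strip(),
                    "security_context": in_security_context,
                })
    return findings


def weak_token(seed: int, nbytes: int = 16) -> str:
    """A token built from a seeded, non-cryptographic PRNG (the insecure pattern).

    random.Random is a Mersenne Twister: given the same seed it replays the
    same sequence, so anyone who learns or guesses the seed gets the token.
    """
    rng = random.Random(seed)
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big").hex()


def secure_token(nbytes: int = 16) -> str:
    """The hardened form: draw the token from the OS CSPRNG via `secrets`."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    for f in scan_for_insecure_random(SAMPLE_SOURCE):
        flag = "SECURITY CONTEXT" if f["security_context"] else "review"
        print(f"line {f['line']:>2} [{f['platform']}] {f['api']!r}: {flag}")
    print("weak_token replays with same seed:", weak_token(42) == weak_token(42))
    print("secure_token differs per call:", secure_token() != secure_token())
```

On the constructed sample the scanner reports the `java.util.Random` import, the `new Random(` feeding `sessionToken`, the `Math.random(` dice roll and the libc `rand(` feeding `otp`, while leaving `SecureRandom` and `arc4random_uniform` alone; only the two lines naming a session token and an OTP are marked as security context. The same-line keyword check is deliberately narrow, so a finding without that mark still needs a reviewer to trace where the value ends up.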
@sk3l10x1ng
Collaborator

@cpholguera please assign it to me, I will work on it.

@cpholguera
Collaborator Author

cpholguera commented Mar 1, 2024

Hi @sk3l10x1ng I just noticed that we actually have this one already (we created it as part of #2518). It'd be nice if you could review it and propose changes and corrections if you have any.

I'll close this ticket but if you want I can assign you this one:

#2557

@sk3l10x1ng
Collaborator

sk3l10x1ng commented Mar 1, 2024

> Hi @sk3l10x1ng I just noticed that we actually have this one already (we created it as part of #2518). It'd be nice if you could review it and propose changes and corrections if you have any.
>
> I'll close this ticket but if you want I can assign you this one:
>
> #2557

Could you please assign #2573? I will work on this, thank you.
