New weaknesses regarding 3rd party libs #11
Conversation
|
As discussed: it relates in a way but the New weaknesses could be something like "Dependencies Known to be Malicious". It could leverage the SBOM (from the dev side or from binary analysis) and consult a malware DB. |
Updated title and description for clarity and specificity regarding malicious libraries leaking sensitive data. Adjusted profiles and added mention of SBOM checks.
|
@cpholguera and @sushi2k I rewrote these WE placeholders. I rewrote WE-xxxB to given feedback. Let me know if should consolidate WE-xxxA with some other WE, so far I didn't something relevant, therefore I suggest we add it. Check updated description above |
There was a problem hiding this comment.
As discussed in our previous call, this can be removed. The fact that the responsible component is an SDK vs the main app binary is typically not relevant at the MASWE level. This is very intentional, otherwise we'd have to duplicate most of the weaknesses.
This weakness should be covering for this topic:
https://mas.owasp.org/MASWE/MASVS-PRIVACY/MASWE-0112/
Title and content may be updated (on a separate PR) to reflect both collection and sharing.
| masvs-v2: [MASVS-PLATFORM-3, MASVS-STORAGE-2] | ||
| cwe: [200, 359] | ||
| draft: | ||
| description: Embedded third-party libraries known to be malicious can leak sensitive data to external services. These libraries have access to e.g. ApplicationContext on Android or the full app memory on iOS. This gives them access to read data stored on the disk or in memory and thus could act as an insider threat within the app's process and boundaries. Apply supply chain security best practices to ensure the integrity of embedded libraries such as SBOM checks. |
There was a problem hiding this comment.
The fact that the library/SDK is malicious should be irrelevant as weaknesses are generic. The focus here should be put on the fact that the app includes libraries/SDKs already known to be malicious. Regardless of what exactly they do. Those "bad" things they do should be all covered by other weaknesses.
| platform: [android, ios] | ||
| profiles: [L1,L2] | ||
| mappings: | ||
| masvs-v2: [MASVS-PLATFORM-3, MASVS-STORAGE-2] |
Co-authored-by: Carlos Holguera <perezholguera@gmail.com>
2 participants
Description
Adds 2 new WE placeholders regarding 3rd party libraries. I could not find any similar WE.
Explanation: this weakness uses the same logic there is in WE-53, WE-54, WE-55. See https://mas.owasp.org/MASWE/#q:sensitive%20data%20leaked
This currently focuses on P but can be rescoped.