MSTG-ARCH-7: All security controls have a centralized implementation

Information Security Asked by A security researcher on December 10, 2021

In the OWASP Mobile Application Security Checklist there is a requirement MSTG-ARCH-7 which reads: "All security controls have a centralized implementation".

Now I’m struggling a bit with what is meant by "centralized implementation" in this respect. Of course, I would imagine that you would want to have one component with a well defined interface to take care of any security controls. However, such components may still be initialized at various locations or may use external resources to actually implement the security. It seems that the requirement precludes the latter.

The OWASP site seems to just define the requirement without any additional information. Searching the internet for a more precise explanation did not give me any results. Does anybody have good insights or references to what is meant by this requirement? Maybe it was lifted from another OWASP field where this requirement was better explained?

One Answer

In my understanding this means that the security relevant implementations should be centralized or included as isolated plugins/libraries. This ensures that security relevant functionalities can be easily maintained and updated. E.g. when you have your crypto methods distributed all over the app, it is much harder to keep an overview and update them accordingly if you encounter problems with your configuration etc.

Answered by rumpel on December 10, 2021
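One practical way to check the property the answer describes (crypto and other security primitives living in one module rather than scattered across the app) is a small source scan that flags direct use of platform security APIs outside the designated module. The script below is an added example written for this page, not code from OWASP or from the answerer; the three in-memory Kotlin files, the `app/security/` module path and the list of primitive patterns are constructed assumptions for illustration. The Java API names it looks for (`javax.crypto.Cipher`, `MessageDigest.getInstance`, `java.security.KeyStore`) are real, but the pattern list is a heuristic starting point, not a complete inventory.

```python
import re
from dataclasses import dataclass

# Constructed sample: three app source files held as strings so the scan runs offline.
# CryptoService is the intended single home for crypto; LoginActivity violates that
# by calling the platform cipher directly (and with a weak mode on top).
SAMPLE_SOURCES = {
    "app/security/CryptoService.kt": """
package app.security
import javax.crypto.Cipher
object CryptoService {
    fun encrypt(plain: ByteArray): ByteArray {
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        return plain  // body elided in this sample
    }
}
""",
    "app/net/ApiClient.kt": """
package app.net
import app.security.CryptoService
class ApiClient {
    fun send(body: ByteArray): ByteArray = CryptoService.encrypt(body)
}
""",
    "app/ui/LoginActivity.kt": """
package app.ui
import javax.crypto.Cipher
class LoginActivity { fun cache(pw: ByteArray) { val c = Cipher.getInstance("AES/ECB/PKCS5Padding") } }
""",
}

# Assumption: everything under these prefixes is the centralized security module.
ALLOWED_MODULES = ("app/security/",)

# Direct uses of platform security primitives that should only appear inside the module.
PRIMITIVE_PATTERNS = [
    re.compile(r"\bjavax\.crypto\."),
    re.compile(r"\bCipher\.getInstance\("),
    re.compile(r"\bMessageDigest\.getInstance\("),
    re.compile(r"\bjava\.security\.KeyStore\b"),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    text: str


def find_scattered_controls(sources, allowed_prefixes=ALLOWED_MODULES, patterns=PRIMITIVE_PATTERNS):
    """Return one Finding per source line that uses a security primitive outside the allowed module."""
    findings = []
    for path, code in sources.items():
        if path.startswith(allowed_prefixes):
            continue  # the centralized module is allowed to touch primitives
        for lineno, line in enumerate(code.splitlines(), start=1):
            if any(p.search(line) for p in patterns):
                findings.append(Finding(path, lineno, line.strip()))
    return findings


def is_centralized(sources):
    """True when no file outside the security module uses a primitive directly."""
    return not find_scattered_controls(sources)


if __name__ == "__main__":
    for f in find_scattered_controls(SAMPLE_SOURCES):
        print(f"{f.path}:{f.line}: {f.text}")
    print("centralized:", is_centralized(SAMPLE_SOURCES))
```

Running it reports the two offending lines in `LoginActivity.kt` and nothing for `ApiClient.kt`, which goes through `CryptoService` as intended. In a real project the same check belongs in CI, with the allowed prefixes and patterns tuned to the app's own package layout and platform (for example `CommonCrypto` or `CryptoKit` symbols on iOS).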
