OWASP MASVS and MASTG Adoption

The OWASP MASVS and MASTG are trusted by the following platform providers and standardization, governmental and educational institutions.
Mobile Platform Providers
Google Android
​
​
Since 2021 Google has shown their support for the OWASP Mobile Security project (MASTG/MASVS) and has started providing continuous and high value feedback to the MASVS refactoring process via the App Defense Alliance (ADA) and its MASA (Mobile Application Security Assessment) program.
With MASA, Google has acknowledged the importance of leveraging a globally recognized standard for mobile app security to the mobile app ecosystem. Developers can work directly with an Authorized Lab partner to initiate a security assessment. Google will recognize developers who have had their applications independently validated against a set of MASVS Level 1 requirements and will showcase this on their Data safety section.
We thank Google, the ADA and all its members for their support and for their excellent work on protecting the mobile app ecosystem.
Certification Institutions
CREST
​
​
CREST is an international not-for-profit, membership body who quality assures its members and delivers professional certifications to the cyber security industry. CREST works with governments, regulators, academe, training partners, professional bodies and other stakeholders around the world.
In August 2022, CREST launched the OWASP Verification Standard (OVS) Programme. CREST OVS sets new standards for application security. Underpinned by OWASP's Application Security Verification Standard (ASVS) and Mobile Application Security Verification Standard (MASVS), CREST is leveraging the open-source community to build and maintain global standards to deliver a global web and mobile application security framework. This will provide assurance to the buying community that developers using CREST OVS accredited providers, always know that they are engaged with ethical and capable organisations with skilled and competent security testers by leveraging the OWASP ASVS and MASVS standards.
​CREST OVS Programme​
​CREST OVS Accreditation Process​
​CREST OVS Introductory Video​
We thank CREST for their consulation regarding the OVS programme and its support to the open-source community to build and maintain global cyber security standards.
Standardization Institutions
NIST (National Institute of Standards and Technology, United States)
​
​
The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce. NIST is one of the nation's oldest physical science laboratories. Congress established the agency to remove a major challenge to U.S. industrial competitiveness at the time — a second-rate measurement infrastructure that lagged behind the capabilities of the United Kingdom, Germany and other economic rivals.
​NIST.SP.800-163 "Vetting the Security of Mobile Applications" Revision 1, 2019​
​NIST.SP.800-218 "Secure Software Development Framework (SSDF) v1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities" v1.1, 2022​
BSI (Bundesamt für Sicherheit in der Informationstechnik, Germany)
​
​
BSI stands for "Federal Office for Information Security", it has the goal to promote IT security in Germany and is the central IT security service provider for the federal government.
​Technical Guideline BSI TR-03161 Security requirements for eHealth applications v1.0, 2020​
​Prüfvorschrift für den Produktgutachter des „ePA-Frontend des Versicherten“ und des „E-Rezept-Frontend des Versicherten v2.0, 2021​
ioXt
​
​
The mission of the ioXt Alliance is to build confidence in Internet of Things products through multi-stakeholder, international, harmonized, and standardized security and privacy requirements, product compliance programs, and public transparency of those requirements and programs.
In 2021, ioXt has extended its security principles through the Mobile Application profile, so that app developers can ensure their products are built with, and maintain, high cybersecurity standards such as the OWASP MASVS and the VPN Trust Initiative. The ioXt Mobile Application profile is a security standard that applies to any cloud connected mobile app and provides the much needed market transparency for consumer and commercial mobile app security.
​ioXt Base Profile v2.0​
Governmental Institutions
Name
Document
Year
European Payments Council
​Payment Threats and Fraud Trends Report​
2021
European Payments Council
​Mobile Initiated SEPA Credit Transfer Interoperability Implementation Guidelines, including SCT Instant (MSCT IIGs)​
2019
ENISA (European Union Agency for Cybersecurity)
​Good Practices for Security of SMART CARS​
2019
Government of India, Ministry of Electronics & Information Technology
​Adoption of Mobile AppSec Verification Standard (MASVS) Version 1.0 of OWASP​
2019
Finish Transport and Communication Agency (TRAFICOM)
​Assessment guideline for electronic identification services (Draft)​
2019
Gobierno de España INCIBE
​Ciberseguridad en Smart Toys​
2019
Educational Institutions
Name
Document
Year
Leibniz Fachhochschule Hannover, Germany
​Sicherheitsüberprüfung von mobilen iOS Apps nach OWASP (German)​
2022
University of Florida, Florida Institute for Cybersecurity Research, United States
​"SO{U}RCERER : Developer-Driven Security Testing Framework for Android Apps"​
2021
University of Adelaide, Australia and Queen Mary University of London, United Kingdom
​An Empirical Assessment of Global COVID-19 Contact Tracing Applications​
2021
School of Information Technology, Mapúa University, Philippines
​A Vulnerability Assessment on the Parental Control Mobile Applications Security: Status based on the OWASP Security Requirements​
2021
Application in Scientific Research
​STAMBA: Security Testing for Android Mobile Banking Apps​
Books
​Hands-On Security in DevOps​
Industry Case Studies
​Case Study: NowSecure Commits to Security Standards​
Would you like to contribute with your case study? Connect with us!​

Name	Document	Year
European Payments Council	Payment Threats and Fraud Trends Report	2021
European Payments Council	Mobile Initiated SEPA Credit Transfer Interoperability Implementation Guidelines, including SCT Instant (MSCT IIGs)	2019
ENISA (European Union Agency for Cybersecurity)	Good Practices for Security of SMART CARS	2019
Government of India, Ministry of Electronics & Information Technology	Adoption of Mobile AppSec Verification Standard (MASVS) Version 1.0 of OWASP	2019
Finish Transport and Communication Agency (TRAFICOM)	Assessment guideline for electronic identification services (Draft)	2019
Gobierno de España INCIBE	Ciberseguridad en Smart Toys	2019

Name	Document	Year
Leibniz Fachhochschule Hannover, Germany	Sicherheitsüberprüfung von mobilen iOS Apps nach OWASP (German)	2022
University of Florida, Florida Institute for Cybersecurity Research, United States	"SO{U}RCERER : Developer-Driven Security Testing Framework for Android Apps"	2021
University of Adelaide, Australia and Queen Mary University of London, United Kingdom	An Empirical Assessment of Global COVID-19 Contact Tracing Applications	2021
School of Information Technology, Mapúa University, Philippines	A Vulnerability Assessment on the Parental Control Mobile Applications Security: Status based on the OWASP Security Requirements	2021

Frontispiece

Acknowledgments

Last modified 4mo ago