
In the OWASP Mobile Application Security Checklist there is a requirement MSTG-ARCH-7 which reads: "All security controls have a centralized implementation".

Now I'm struggling a bit with what is meant by "centralized implementation" in this respect. Of course, I would imagine that you would want to have one component with a well-defined interface to take care of any security controls. However, such components may still be initialized at various locations or may use external resources to actually implement the security. It seems that the requirement precludes the latter.

The OWASP site seems to just define the requirement without any additional information. Searching the internet for a more precise explanation did not give me any results. Does anybody have good insights or references to what is meant by this requirement? Maybe it was lifted from another OWASP field where this requirement was better explained?

schroeder

1 Answer

In my understanding this means that the security-relevant implementations should be centralized or included as isolated plugins/libraries. This ensures that security-relevant functionalities can be easily maintained and updated. E.g. when you have your crypto methods distributed all over the app, it is much harder to keep an overview and update them accordingly if you encounter problems with your configuration etc.

rumpel
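The answer's point about crypto methods scattered across an app versus kept in one place can be made concrete in code. The following is an added example, not part of the question, the answer, or the OWASP MASVS/MSTG material: a single password-hashing control that every feature of the app calls, where the algorithm and work factor live in one table and each stored value carries a version tag. It uses only the Python standard library (`hashlib`, `hmac`) so the principle is visible without a mobile toolchain; the iteration counts and version numbers are constructed values chosen for the illustration, not recommendations.

```python
"""Centralized password-hashing control (illustration of MSTG-ARCH-7).

Constructed example: instead of each login, PIN-change or export feature
calling hashlib with its own hard-coded digest and iteration count, every
caller goes through hash_password()/verify_password(). Changing the work
factor is then one edit to _PBKDF2_PARAMS, and the version tag stored
with each hash lets the app detect values produced under old parameters
and re-protect them on next successful login.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Single source of truth for the algorithm parameters (constructed values).
# Nothing outside this module names a digest or an iteration count.
_PBKDF2_PARAMS = {
    1: ("sha256", 100_000),   # legacy work factor
    2: ("sha256", 600_000),   # current work factor
}
_CURRENT_VERSION = 2
_SALT_BYTES = 16


def hash_password(password: str,
                  version: int = _CURRENT_VERSION,
                  salt: Optional[bytes] = None) -> str:
    """Return 'v<version>$<salt_hex>$<dk_hex>' using that version's parameters.

    'salt' is only a parameter so tests can be deterministic; callers in the
    app leave it unset and get a fresh random salt.
    """
    digest, iterations = _PBKDF2_PARAMS[version]
    salt = salt if salt is not None else os.urandom(_SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, iterations)
    return f"v{version}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> Tuple[bool, bool]:
    """Return (matches, needs_upgrade).

    needs_upgrade is True when the password matched but the stored value was
    produced with an older parameter set, so the caller should re-hash it
    with the current version now that the plaintext is available.
    """
    try:
        tag, salt_hex, dk_hex = stored.split("$")
        version = int(tag[1:])
        digest, iterations = _PBKDF2_PARAMS[version]
        salt = bytes.fromhex(salt_hex)
    except (ValueError, KeyError):
        # Malformed or unknown-version record: treat as no match.
        return False, False
    dk = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, iterations)
    matches = hmac.compare_digest(dk.hex(), dk_hex)
    return matches, matches and version < _CURRENT_VERSION


def login(password: str, stored: str) -> Tuple[bool, str]:
    """What a feature calls: returns (authenticated, record_to_store).

    The feature never sees a digest name or iteration count; if the control
    reports an outdated record it simply stores the replacement it is given.
    """
    ok, upgrade = verify_password(password, stored)
    if ok and upgrade:
        return True, hash_password(password)
    return ok, stored


if __name__ == "__main__":
    old = hash_password("correct horse", version=1)
    ok, new = login("correct horse", old)
    print(ok, old[:3], "->", new[:3])   # True v1$ -> v2$
```

Each call site in the app depends only on `login`/`verify_password`, so raising the work factor or switching the digest means editing `_PBKDF2_PARAMS` and `_CURRENT_VERSION` once, and the `needs_upgrade` flag gives a place to migrate existing records rather than leaving old-parameter hashes behind, which is the maintainability the answer is describing.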