Merge pull request #4 from ninedter/master

Merge from origin 2018.11.15

Document-zhtw/0x04-Assessment_and_Certification.md

@@ -10,11 +10,11 @@ OWASP是一個中立無廠商偏好的非營利組織。OWASP本身並不會認
 
 ## 行動應用程式認證指南
 
-The recommended way of verifying compliance of a mobile app with the MASVS is by performing an "open book" review, meaning that the testers are granted access to key resources such as architects and developers of the app, project documentation, source code, and authenticated access to endpoints, including access to at least one user account for each role.
+推薦使用行動應用資訊安全驗證標準(MASVS)來驗證行動應用程式的方法是採用“開書(open book)”的方式。也就是說測試人員會被給予存取關鍵資源(如：誰是應用程式的開發者和架構師、專案文件、原始程式碼，以及對端點<伺服器、應用程式>存取的合法授權帳號<至少每個不同權限各有一個帳號>)的權限。 
 
-It is important to note that the MASVS only covers security of the (client-side) mobile app and the network communication between the app and its remote endpoint(s), as well as a few basic and generic requirements related to user authentication and session management. It does not contain specific requirements for the remote services (e.g. web services) associated with the app, safe for a limited set of generic requirements pertaining to authentication and session management. However, MASVS V1 specifies that remote services must be covered by the overall threat model, and be verified against appropriate standards, such as the OWASP ASVS.
+請注意MASVS只包含了對應用程式用戶端(client-side)、應用程式與其遠端端點的網路通訊，以及一些對使用者驗證和會話(session)管理的通用基本準則。MASVS不包含對與應用程式相關連的遠端服務(如：Web服務)的個別準則，安全地只使用部分對使用者驗證和會話(session)管理的通用準則的方法。然而，MASVS V1要求遠端服務必須被包括在整體威脅模型，並且以適用的標準來驗證遠端服務，例如OWASP ASVS。
 
-A certifying organization must include in any report the scope of the verification (particularly if a key component is out of scope), a summary of verification findings, including passed and failed tests, with clear indications of how to resolve the failed tests. Keeping detailed work papers, screenshots or movies, scripts to reliably and repeatedly exploit an issue, and electronic records of testing, such as intercepting proxy logs and associated notes such as a cleanup list, is considered standard industry practice. It is not sufficient to simply run a tool and report on the failures; this does not provide sufficient evidence that all issues at a certifying level have been tested and tested thoroughly. In case of dispute, there should be sufficient supportive evidence to demonstrate that every verified requirement has indeed been tested.
+提供認證的機構必須要在所有的報告中，闡明以下幾點：認證的範圍(尤其如果有重要程式模塊不在認證範圍中)、認證結果總結(包含通過和失敗的測試項目)並清楚的解釋如何改進未通過的項目。業界的標準做法也同時要求保持詳細的工作記錄、螢幕截屏或影片、可以重複有效地執行弱點入侵的腳本和測試的電子紀錄(如：擷取下來的代理伺服器記錄檔和相關的筆記(如：待清理清單<cleanup list>))。只是簡單的執行工具和報告發現的問題是不足夠的，因為這樣無法提供足夠的證據說明所有的認證相關的問題/準則都已經被完整地測試。為了防止爭議，認證機構必須提供充足的支持證據來證明所有需驗證的項目都已經確實地被測試過。
 
 ### OWASP 移動安全檢測操作指南 (MSTG)
 
@@ -28,20 +28,20 @@ OWASP MSTG是測試行動應用程式安全的指導手冊。它描述了驗證
 
 ### 詳解安全架構開發指南
 
-One of the more common uses for the Mobile Application Security Verification Standard is as a resource for security architects. The two major security architecture frameworks, SABSA or TOGAF, are missing a great deal of information that is necessary to complete mobile application security architecture reviews. MASVS can be used to fill in those gaps by allowing security architects to choose better controls for issues common to mobile apps.
+常見的行動應用資訊安全驗證標準(MASVS)使用方式是把MASVS當成是安全架構師的參考資料。目前兩個主要的安全架構框架：SABSA或TOGAF，都缺少了很多完成行動應用程式安全架構檢查所必需的資訊。MASVS透過提供這些缺失的必需資訊來幫助安全架構師在常見的行動應用程式議題上，選擇更好的安全控管機制。
 
-### As a Replacement for Off-the-shelf Secure Coding Checklists
+### 取代現成的安全程式設計檢查表(Secure Coding Checklists)
 
-Many organizations can benefit from adopting the MASVS, by choosing one of the two levels, or by forking MASVS and changing what is required for each application's risk level in a domain-specific way. We encourage this type of forking as long as traceability is maintained, so that if an app has passed requirement 4.1, this means the same thing for forked copies as the standard evolves.
+許多組織都可以透過套用MASVS而受益，藉由選擇兩個安全等級之一或以MASVS為基準(fork)，發展出因應各個應用程式的風險等級需求的行業特殊準則。我們鼓勵這樣以MASVS為基準的再發展(fork)，只要可以維持其可追溯性。如此一來，當一個應用程式已經通過了準則4.1，也就意味著隨著標準演進，此應用程式通過了再發展版本的準則4.1。
 
 ### 基本安全性檢測與方式
 
-A good mobile app security testing methodology should cover all requirements listed in the MASVS. The OWASP Mobile Security Testing Guide (MSTG) describes black-box and white-box test cases for each verification requirement.
+好的行動應用程式安全檢測方法應該包含所有MASVS列舉的準則。OWASP 移動安全檢測操作指南(MSTG)描述了黑箱測試和白箱測試對每一個需檢測準則的測試方案。
 
 ### 自動化單元與和測試指南
 
-The MASVS is designed to be highly testable, with the sole exception of architectural requirements. Automated unit, integration and acceptance testing based on the MASVS requirements can be integrated in the continuous development lifecycle. This not only increases developer security awareness, but also improves the overall quality of the resulting apps, and reduces the amount of findings during security testing in the pre-release phase.
+MASVS被設計為擁有高度可測試性，除了架構上的需求以外，自動化單元、整合測試和驗收測試基於MASVS準則，可以被整合到程式持續開發生命周期(continuous development lifecycle)中。這不僅增強了開發人員的資安意識，也增進了應用程式的整體品質，更減少了在程式發布前階段，資訊安全測試的工作量(因為有提前做了整體自動化測試，可以減少後續發現重複或明顯問題的機會)。
 
 ### 安全性開發培訓課程
 
-MASVS can also be used to define characteristics of secure mobile apps. Many "secure coding" courses are simply ethical hacking courses with a light smear of coding tips. This does not help developers. Instead, secure development courses can use the MASVS, with a strong focus on the proactive controls documented in the MASVS, rather than e.g. the Top 10 code security issues.
+MASVS也可以被用來定義安全行動應用程式的特性。很多“安全開發”課程，其實只是道德駭客課程，再加上一點點程式開發的小提示。這樣的課程並不能很好的幫助開發人員。因此，安全開發課程可以使用MASVS，並且主要專注在MASVS中列舉的預先防護的資安控管機制，而不是其他MASVS的資安議題(例如：十大程式安全問題)。

Document-zhtw/0x12-V7-Code_quality_and_build_setting_requirements.md

@@ -1,33 +1,30 @@
-# V7: Code Quality and Build Setting Requirements
+# V7: 程式碼品質與建立設定要求
 
-## Control Objective
+## 控管目的
+此控管目的是確保實作編碼時將遵照應用程式開發基本安全性，且基本(免費)安全性功能是藉由啟用編譯器所提供。
 
-The goal of this control is to ensure that basic security coding practices are followed in developing the app, and that "free" security features offered by the compiler are activated.
-
-## Security Verification Requirements
-
-| # | Description | L1 | L2 |
+## 安全性驗證要求
+| # | 說明 | L1 | L2 |
 | --- | --- | --- | --- |
-| **7.1** | The app is signed and provisioned with a valid certificate, of which the private key is properly protected. | ✓ | ✓ |
-| **7.2** | The app has been built in release mode, with settings appropriate for a release build (e.g. non-debuggable). | ✓ | ✓ |
-| **7.3** | Debugging symbols have been removed from native binaries. | ✓ | ✓ |
-| **7.4** | Debugging code has been removed, and the app does not log verbose errors or debugging messages. | ✓ | ✓ |
-| **7.5** | All third party components used by the mobile app, such as libraries and frameworks, are identified, and checked for known vulnerabilities. | ✓ | ✓ |
-| **7.6** | The app catches and handles possible exceptions.| ✓ | ✓ |
-| **7.7** | Error handling logic in security controls denies access by default. | ✓ | ✓ |
-| **7.8** | In unmanaged code, memory is allocated, freed and used securely.  | ✓ | ✓ |
-| **7.9** | Free security features offered by the toolchain, such as byte-code minification, stack protection, PIE support and automatic reference counting, are activated. | ✓ | ✓ |
-
-## References
-
-The OWASP Mobile Security Testing Guide provides detailed instructions for verifying the requirements listed in this section.
+| **7.1** | 應用程式經由有效的憑證所提供所簽章，其私鑰是受到適當保護的 | ✓ | ✓ |
+| **7.2** | 應用程式已在發佈模式建置，其設定適用於發佈版本(不可除錯的)| ✓ | ✓ |
+| **7.3** | 除錯標記已從原生二元碼中移除 | ✓ | ✓ |
+| **7.4** | 除錯程式碼已移除，應用程式將不紀錄詳細錯誤或偵錯訊息| ✓ | ✓ |
+| **7.5** | 所有行動應用程式使用的第三方套件，如函式庫及框架，皆經識別及已知漏洞查驗 | ✓ | ✓ |
+| **7.6** | 應用程式進行例外處理| ✓ | ✓ |
+| **7.7** | 預設無法存取安全性控管的錯誤處理邏輯 | ✓ | ✓ |
+| **7.8** | 在非託管程式碼，記憶體將被安全的被分配、釋出及使用  | ✓ | ✓ |
+| **7.9** | 由Toolchain所提供的免費安全性功能將啟用，如簡化位元組碼(byte-code)、堆疊(Stack)保護、PIE支援、自動參考計數(Reference Counting)| ✓ | ✓ |
+
+## 參考資料
+OWASP 行動應用安全性測試指南針對此章節所列出的認證要，提供詳細的說明
 
 - Android - https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05i-Testing-Code-Quality-and-Build-Settings.md
 - iOS - https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06i-Testing-Code-Quality-and-Build-Settings.md
 
-For more information, see also:
+更多資訊，請參考：
 
-- OWASP Mobile Top 10:  M7 - Client Code Quality
+- OWQSP 行動應用程式 Top 10：客戶端程式碼品質
 - CWE: https://cwe.mitre.org/data/definitions/119.html
 - CWE: https://cwe.mitre.org/data/definitions/89.html
 - CWE: https://cwe.mitre.org/data/definitions/388.html

Document-zhtw/0x91-Appendix-B_References.md

@@ -1,9 +1,9 @@
 # 附錄B ：參考資料 
 以下專案內容將幫助使用者/適用者更了解這個標準
-- OWASP 行動裝置安全性專案 - [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project](https://www.owasp.org/index.php/OWASP_Mobile_Security_Project)
-- OWASP 行動裝置安全測試指南
+- OWASP 行動應用安全性專案 - [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project](https://www.owasp.org/index.php/OWASP_Mobile_Security_Project)
+- OWASP 行動應用安全測試指南
 [https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide](https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide)
-- OWASP 行動裝置 Top 10 風險
+- OWASP 行動應用 Top 10 風險
  [https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks](https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks)
 - OWASP 逆向工程及程式碼編修防護
 [https://www.owasp.org/index.php/OWASP_Reverse_Engineering_and_Code_Modification_Prevention_Project](https://www.owasp.org/index.php/OWASP_Reverse_Engineering_and_Code_Modification_Prevention_Project)

Document-zhtw/SUMMARY.md

@@ -1,19 +1,19 @@
 # Summary
 
-- [Foreword](Foreword.md)
+- [前言](Foreword.md)
 
-- [Frontispiece](0x02-Frontispiece.md)
-- [Using the MASVS](0x03-Using_the_MASVS.md)
-- [Assessment and Certification](0x04-Assessment_and_Certification.md)
+- [卷首](0x02-Frontispiece.md)
+- [使用 MASVS](0x03-Using_the_MASVS.md)
+- [評估與認證](0x04-Assessment_and_Certification.md)
 
-- [V1: Architecture, Design and Threat Modeling Requirements](0x06-V1-Architecture_design_and_threat_modelling_requireme.md)
-- [V2: Data Storage and Privacy Requirements](0x07-V2-Data_Storage_and_Privacy_requirements.md)
-- [V3: Cryptography Requirements](0x08-V3-Cryptography_Verification_Requirements.md)
-- [V4: Authentication and Session Management Requirements](0x09-V4-Authentication_and_Session_Management_Requirements.md)
-- [V5: Network Communication Requirements](0x10-V5-Network_communication_requirements.md)
-- [V6: Platform Interaction Requirements](0x11-V6-Interaction_with_the_environment.md)
-- [V7: Code Quality and Build Setting Requirements](0x12-V7-Code_quality_and_build_setting_requirements.md)
-- [V8: Resilience Requirements](0x15-V8-Resiliency_Against_Reverse_Engineering_Requirements.md)
+- [V1: 架構、設計和威脅模型分析準則](0x06-V1-Architecture_design_and_threat_modelling_requireme.md)
+- [V2: 資料存儲和隱私要求](0x07-V2-Data_Storage_and_Privacy_requirements.md)
+- [V3: 加密要求](0x08-V3-Cryptography_Verification_Requirements.md)
+- [V4: 身份驗證和對談管理準則](0x09-V4-Authentication_and_Session_Management_Requirements.md)
+- [V5: 網路通訊規範](0x10-V5-Network_communication_requirements.md)
+- [V6: 平台互動要求](0x11-V6-Interaction_with_the_environment.md)
+- [V7: 程式碼品質和與建立設定要求](0x12-V7-Code_quality_and_build_setting_requirements.md)
+- [V8: 彈性要求](0x15-V8-Resiliency_Against_Reverse_Engineering_Requirements.md)
 
-- [Appendix A - Glossary](0x90-Appendix-A_Glossary.md)
-- [Appendix B - References](0x91-Appendix-B_References.md)
+- [附錄 A - 詞彙表](0x90-Appendix-A_Glossary.md)
+- [附錄 B - 參考資料](0x91-Appendix-B_References.md)