Define Common MASTG Mitigations #2026
cpholguera started this conversation in Ideas
Replies: 0 comments
If we had common mitigations defined, we could always refer back to a specific MASTG Mitigation, which would have a certain ID, and suggest those in pentest reports.
We could get some ideas from here (note that these are mobile-device specific and we need app-specific ones): https://attack.mitre.org/mitigations/mobile/
When testing for a specific MASVS ID, we'd perform one or more MASTG tests (which also have IDs) and suggest a mitigation (also clearly identified with an ID), or at least a mitigation based on / related to a MSTG one.
Example for "Testing MASVS-NETWORK-1", mitigations include:
As of now we offer a mitigation sometimes, and each time a new one (merged into the text, each time new text). We could reduce work by having a list of mitigations and extending it if needed. Many tests will need the same one, such as "Application Developer Guidance" or "User Guidance".