While federal agencies have taken advantage of mobile technology for some time (e.g., Palm, PocketPC, and the formerly ubiquitous BlackBerry), I’ve seen a strong current of transition to the Android and iOS platforms over the last several years. Private and federal enterprises experienced growing pains transitioning to these platforms and managing the associated risk. As a result, original equipment manufacturers (OEMs) and third party providers implemented controls and made improvements to overall device security. Now’s the time for federal agencies to take advantage of these platforms beyond standard personal information management (e.g., e-mail, calendar, contacts, etc.) by developing their own secure custom apps to help achieve their mission.
Mobile apps increase agency productivity and efficiency
Many government agencies are not taking full advantage of the productivity gains and cost savings that can come from using mobile apps, and part of that hesitation probably comes from concerns about security. Standards and frameworks such as OWASP’s Mobile Top 10, MITRE’s Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE), and the National Information Assurance Partnership (NIAP) combined with technological advances in mobile app assessment tools make it easier for federal agencies to evaluate the security of the apps they build and deploy. Sure, there’s a catalog of federal government mobile apps available at www.usa.gov/mobile-apps, but for the most part, they’re simply repackaged web sites displaying data. A lot of these apps don’t realize the full potential of mobile devices. In terms of mobile apps, the private sector has matured to leverage strong authentication, data privacy, and assurance requirements within basic internal apps. While federal mobile apps may not be the prettiest in comparison to those produced by the private sector, which benefited from a head start, it shouldn’t preclude federal agencies from getting started and then iterating and improving their apps. I know of one commercial company, not in the technology industry, that uses more than 65 internal apps for business functions and also provides several public-facing apps. Mobile technology coupled with a properly secured and vetted mission-related app can result in serious efficiencies, process improvements, and new capabilities and services. I know of international governments that use more than 300 mobile apps ranging from enterprise training management systems to marriage certificate and driver’s license application software. So why the lack of mobile apps in the US federal government? One reason is agencies’ legitimate concern regarding data privacy and security. I argue that those concerns always exist and persist with any new technology medium (e.g., web, Wi-Fi, and social media). In the end, the government eventually embraced the technology, and it had meaningful impact. Mobile app risk is real, but it can be managed.
Alleviating federal government mobile app security concerns
New mobile app security assessment technology has made building secure mobile apps easier than ever. For example, NowSecure’s mobile app security testing solutions identify security flaws and vulnerabilities by automating static analysis of an app’s code and dynamic analysis of the app during runtime on physical devices rather than emulators. With this approach developers and security stakeholders can validate that security controls are in place and risk is mitigated to a reasonable and acceptable level depending on the app’s function. Automating mobile app security assessment speeds up the security testing process and performing the assessment of an app on an physical device provides more accurate results. NowSecure’s automated mobile app security testing solution also provides a repeatable and scalable process that maps findings to widely recognized standards such as CWE, CVE and NIAP to create a baseline of findings. This makes it possible for federal agencies to quantify and then remediate the risk. Many federal agencies have held themselves back from mobile development projects not knowing that validating these risks was possible. Another way federal agencies are developing secure mobile apps more quickly is by leveraging services provided by companies such as Monkton. Monkton focuses on the federal government and develops and maintains the accreditation of reusable mobile modules and software development kits (SDKs). This makes a mobile developer’s job easier because they can focus on building their app’s functionality and leave the security and compliance of those building blocks to Monkton. Apps built using re-usable modules and SDKs, however, should still undergo security testing. Federal agencies may also balk at the expense of recruiting and retaining mobile app security talent or hiring a third party for mobile app security assessment. Automated mobile app security testing technology significantly reduces the time and cost associated with identifying and fixing security vulnerabilities. NowSecure customers perform assessments at least one-and-a-half times faster than they could without our mobile app security testing solution “ reducing testing time from days to minutes. Prior to using NowSecure, many of our customers’ analysts found themselves having to manage a mish-mash of open-source and/or proprietary assessment tools and then cobble together a report with inconsistent source material. Analysts also appreciate the tool because it significantly increases their productivity, freeing them from having to perform mundane tasks such as setting up Man in the Middle (MITM) proxies and pushing device certificates. There’s no better time than the present for federal agencies to streamline mission-related functions and add efficiency with mobile technology. A number of mobile app security assessment solutions are now available to help them identify, mitigate and quantify risk in their mobile apps.
NowSecure’s mobile app security testing workstation is now available for purchase via common contract vehicles including the General Services Administration (GSA) IT Schedule 70, NASA’s Solutions for Enterprise-Wide Procurement (SEWP) and the U.S. Air Force’s Network-Centric Solutions (NETCENTS) programs. To purchase Lab Workstation via the GSA Schedule 70, SEWP or NETCENTS programs, contact immixGroup through their website or by phone at (703) 752-0610. For more information, contact NowSecure.