Mobile App Security Standards to Look for in Your Testing ToolsPosted by Amy Schurr
As organizations dig into secure coding and testing best practices, they quickly discover a variety of sometimes confusing approaches and solutions for mobile app security testing. Security professionals and leaders alike can ease the process of finding the testing tools that best fit their needs by requiring mobile app security standards in their selection criteria.
When searching for a solution to quickly identify mobile application vulnerabilities and code defects, focus on finding tools that incorporate industry standards and guidelines such as OWASP, CVSS, CWE and NIAP. Teams may already be familiar with the following mobile app security standards for assessing application vulnerabilities.
What are Mobile App Security Standards?
Mobile App Security Standards are guideposts that organizations can use to understand what the “minimum bar” for security is. Examples of mobile app security standards include the OWASP MASVS, MSTG, and CWE Top 25. They are typically free and open source projects that capture the most impactful security issues to remediate. To learn more about mobile app security standards, visit our standards page.
Why Mobile App Security Standards are Important
By utilizing mobile app security standards and standards-based testing and certification, organizations get consistent predictability, safety and governance. Standards improve dev and security team alignment and collaboration, which ensures quality and speeds release times. NowSecure enables your mobile app security program to support leading industry frameworks, testing standards and compliance standards.
Mobile App Security Risks
Mobile apps have a unique attack surface spanning everything from the code of the app to the operating system of the device it is installed on. With this broader and more sophisticated attack surface, insecure mobile apps provide a real threat to your organization. The NowSecure Breach Tracker and Mobile Risk Tracker both demonstrate the pervasive risk and negative impacts that an insecure mobile application can have on your organization.
Mobile App Security Best Practices
Building a secure mobile app is complicated. Security teams often have more experience securing web applications, and development teams are often better trained on that as well. NowSecure has a Secure Mobile Development Best Practices free resource that you can use to learn more than fifty best practices, or you can check out NowSecure Academy and make a free account to take courses to learn everything you need to know to build secure mobile apps and a successful mobile app security program.
OWASP MASVS Risks
When embarking on a testing initiative, consult the Open Web Application Security Project (OWASP)’s Mobile Top 10 to figure out scope of risk and testing requirements. Developed by an online software security community and updated every three years, the Top 10 acts as a de facto security standard to help teams develop more secure code, fix flaws earlier in the development lifecycle, and reduce the vulnerability of an app before it’s deployed.
The OWASP MASVS provides all key categories such as data in motion, data at rest, code quality, authentication, authorization, reverse engineering and more — all of which should be on any security analyst’s checklist.
Common Vulnerability Scoring System (CVSS)
Next, seek a tool that uses the CVSS specification to review all vulnerabilities and risks, define the severity and prioritize what to fix. CVSS is the most widely recognized universal, open and standardized method for rating IT vulnerabilities and determining the urgency of action.
CVSS version 3.0 provides a way to capture the key characteristics of a vulnerability and produce a numerical score reflecting its risk severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high and critical) to help organizations properly assess and prioritize their vulnerability management and remediation processes.
Common Weakness Enumeration (CWE)
Mobile appsec testing tools should also include CWE findings about publicly known vulnerabilities. Sponsored by the U.S. Department of Homeland Security’s US CERT, CWE is a community-developed list of common software security weaknesses. This unified language enables more effective discussion, description, selection, and use of software security tools and services to zero in on weaknesses in source code and remediate issues.
National Information Assurance Partnership (NIAP)
Federal agencies and government contractors should also seek mobile appsec testing tools that meet NIAP vetting requirements to ensure their apps comply with government regulations. NIAP is a national program for developing protection profiles, evaluation methodologies, and policies that ensures achievable, repeatable, and testable security and risk requirements for the U.S government. The organization oversees U.S. government implementation of the Common Criteria and also conducts security evaluations in the private sector.
In addition to choosing tools that support mobile app security standards as part of your rigorous selection process, ask the right questions of potential vendors, mobile application testing service providers and makes of open-source software tools:
- Does your solution cover the full battery of OWASP MASVS?
- How does your solution score the risk level of your findings and are they based on industry standards like CVSS and CWE?
- If you don’t use industry standards, what method does your solution use and how does that compare to others?
For more insight into the key considerations for selecting a mobile appsec testing solution, download the NowSecure ebook, “Evaluation Guide for Mobile App Security Testing.”