As organizations dig into secure coding and testing best practices, they quickly discover a variety of sometimes confusing approaches and solutions for mobile app security testing. Security professionals and leaders alike can ease the process of finding the testing tools that best fit their needs by requiring mobile app security standards in their selection criteria.
When searching for a solution to quickly identify mobile application vulnerabilities and code defects, focus on finding tools that incorporate industry standards and guidelines such as OWASP, CVSS, CWE and NIAP. Teams may already be familiar with the following mobile app security standards for assessing application vulnerabilities.
When embarking on a testing initiative, consult the OWASP (Open Web Application Security Project) Mobile Top 10 to determine the scope of risk and the testing requirements. Developed by an online software security community and updated every three years, the Top 10 acts as a de facto security standard that helps teams develop more secure code, fix flaws earlier in the development lifecycle, and reduce the vulnerability of an app before it is deployed.
The OWASP Mobile Top 10 covers the key risk categories such as data in motion, data at rest, code quality, authentication, authorization, reverse engineering and more — all of which belong on any security analyst’s checklist.
Next, seek a tool that uses the CVSS specification to review all vulnerabilities and risks, define the severity and prioritize what to fix. CVSS is the most widely recognized universal, open and standardized method for rating IT vulnerabilities and determining the urgency of action.
CVSS version 3.0 provides a way to capture the key characteristics of a vulnerability and produce a numerical score reflecting its risk severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high and critical) to help organizations properly assess and prioritize their vulnerability management and remediation processes.
Mobile appsec testing tools should also map their findings to CWE identifiers. Sponsored by the U.S. Department of Homeland Security’s US-CERT, CWE is a community-developed list of common software security weaknesses. This unified language enables more effective discussion, description, selection, and use of software security tools and services, helping teams zero in on weaknesses in source code and remediate them.
Federal agencies and government contractors should also seek mobile appsec testing tools that meet NIAP vetting requirements to ensure their apps comply with government regulations. NIAP is a national program for developing protection profiles, evaluation methodologies, and policies that ensure achievable, repeatable, and testable security and risk requirements for the U.S. government. The organization oversees U.S. government implementation of the Common Criteria and also conducts security evaluations in the private sector.
In addition to choosing tools that support mobile app security standards as part of your rigorous selection process, ask the right questions of potential vendors, mobile application testing service providers and makers of open-source software tools:
- Does your solution cover the full battery of OWASP Mobile Top 10?
- How does your solution score the risk level of its findings, and are those scores based on industry standards like CVSS and CWE?
- If you don’t use industry standards, what method does your solution use and how does that compare to others?
For more insight into the key considerations for selecting a mobile appsec testing solution, download the NowSecure ebook, “Evaluation Guide for Mobile App Security Testing.”