How To Evaluate an Automated NIAP Vetting Tool for Mobile Apps
Posted by Amy Schurr
The U.S. Department of Defense and other federal agencies must ensure their mobile apps comply with the National Information Assurance Partnership (NIAP) security requirements. NIAP validates the security of commercial hardware and software used in national security systems.
Operated by the U.S. National Security Agency (NSA), the NIAP program provides a standard way for federal government, contractors and suppliers to evaluate internally developed and commercial products. NIAP oversees the development of Common Criteria security requirements defined in Protection Profiles. Mobile apps are formally evaluated against these Protection Profiles to obtain Authority to Operate (ATO) on federal systems.
Recognizing the critical need for NIAP mobile app vetting, the U.S. Department of Homeland Security (DHS) Science and Technology Directorate (S&T) and the NSA recently performed a sample evaluation of a NIAP compliance tool using a thin-client mobile app. While this is a promising start to increasing awareness about NIAP mobile app vetting, there are several additional components critical to a successful, efficient and comprehensive NIAP mobile app vetting program at scale.
Automation Eases the NIAP Compliance Process
First, it’s helpful to have some background and context on scale, cost and process. The NIAP evaluation process benefited from an initial focus on web, and has more recently evolved to keep pace with the rapid development cycles of mobile apps. A mix of automation, accuracy and fully detailed NIAP content to augment manual workflow is critical to scaling successfully.
In addition, NIAP certification is costly and time-consuming. It can cost $200,000 – $250,000 per app and take anywhere from 3 – 6 months to certify mobile apps through rigorous laboratory testing. Agencies may choose to self-certify mobile apps for NIAP compliance by evaluating them on their own using NIAP requirements and tools. However, self-assessment also entails a lengthy, tedious effort for an evaluator to manually test an app and assemble the appropriate documentation. What’s more, agencies may lack the expertise and personnel to perform this work, which makes automated NIAP compliance vetting an appealing solution.
Automating the NIAP vetting process for mobile apps enables agencies to approve apps in a matter of days and reevaluate them as often as necessary. But not all automated NIAP mobile app vetting tools are alike, so choose carefully. Some solutions offer only partial implementation of the NIAP mobile application Protection Profile, use an older version of the requirements or lack full and accurate detail, any of which leaves your organization at risk.
What To Look for in a Solution
Keep the following critical factors in mind as you evaluate automated NIAP mobile app vetting tools to find one that best meets your needs for today and tomorrow:
- Does the solution support current NIAP requirements? (As of press time, the latest version to test against is “Requirements for Vetting Mobile Apps from the Protection Profile for Application Software, Version 1.3.”)
- Does the vetting solution evaluate apps against all current NIAP requirements? (As of press time, the latest specification has 51 requirements in version 1.3 of the Protection Profile listed above.)
- Does your solution vendor have a dedicated security research team with full understanding of the evolving mobile attack surface?
- Does your solution vendor have extensive experience with mobile pen testing, and has its team performed thousands of mobile pen tests?
- Does your solution vendor stay abreast of changes to NIAP requirements, and can it adapt quickly to the rapidly changing mobile industry?
- Does your solution vendor test only for NIAP or does it test more broadly for multiple standards and regulatory requirements across multiple industries?
- Does the solution’s user experience demonstrate that it was built with direct interaction and support of federal agencies and workflows, or does it simply relabel an existing security testing tool and offer only partial coverage?
- Does the solution test mobile app binaries running on real iOS and Android devices to ensure proper real-world coverage?
- Does the solution meet both the full letter of the testing assurance activities documented in the Protection Profile and the intent of the requirements?
- Does your evaluation of NIAP testing tools use real native iOS and Android binaries that run on real devices, store data locally and transmit sensitive data over the network, rather than a thin-client app, to ensure full coverage?
- Does the solution enable an evaluator to complete a NIAP compliance assessment in less than a day?
- Does the solution support the fast feedback loops of test-driven development and DevSecOps scenarios where needed, rather than only occasional assessments?
- Does the solution enable users to configure and store attestations about the app for repeatable testing?
- Does the tool offer an automated workflow with an easy check, pass, or fail option?
- Does the tool provide rich finding details, including industry-standard CVSS scores, impact, remediation instructions with code examples and other regulatory mappings?
- Does the solution provide contextual information with guidance in plain English, or does it require the evaluator to perform additional external testing or consult additional resources?
- Does the tool also provide industry-standard security testing against OWASP MASVS, MSTG and OWASP API Top 10?
- Does the tool make it easy to generate reports in an ATO-ready format?
For more help selecting a NIAP mobile app vetting solution for your agency or mobile app development team, consult our checklist with additional factors to consider. You can download the “Mobile App NIAP Compliance Vetting Checklist” here.