Mobile App Standards and Compliance
Standards-based testing, verification and certification are critical for consistent predictability, safety, data integrity and governance. Standards improve dev and security team alignment and collaboration, which ensures quality and speeds release times while safeguarding user trust. NowSecure powers your mobile app security program to support leading industry frameworks, testing standards and compliance standards.
Industry Frameworks with Mobile Apps
Industry frameworks provide an organization-wide foundation to manage risk, establish security controls and respond to issues. From mobile app development to mobile DevSecOps to mobile supply chain risk management, they ensure the organization has the right risk factors and controls in place.
NIST 800-53
Offers a proactive and systematic approach to cybersecurity measures for all types of computing platforms, including general-purpose computing, cyber-physical, cloud-based, weapons, space, communications, environmental control, and industrial control systems as well as mobile and Internet of Things (IoT) devices. NowSecure supports organizations looking to comply with NIST 800-53 by implementing mobile app security controls that identify security vulnerabilities requiring remediation to meet the framework requirements.
ISO 27001
Details requirements for information security management systems to help automate the security management of critical assets like financial information, intellectual property (IP), employee details, and information entrusted by third parties. NowSecure supports organizations looking to comply with ISO 27001 by implementing mobile app security controls that identify security vulnerabilities requiring remediation to meet the framework requirements.
MITRE ATT&CK for Mobile
Catalogs the tactics and techniques adversaries use against mobile devices and mobile apps, including network-based attack vectors, with or without device access, so organizations can map their defenses to them. NowSecure supports organizations that seek to threat model their mobile apps using the MITRE ATT&CK framework. This approach enables rapid implementation of mobile app security controls that identify security vulnerabilities requiring remediation to meet the framework requirements.
Mobile App Security Testing Standards
Mobile App Security Testing Standards are the foundation of all effective mobile app security programs. They detail specific criteria for identifying and classifying mobile app security risks, developing secure apps, and properly testing mobile app security.
OWASP MASVS
The OWASP Mobile Application Security Verification Standard (MASVS) is the definitive standard for mobile app security. It specifies the mobile app security requirements that mobile software designers and developers use to build more secure mobile applications. It also serves as a guide for security testers on the depth of testing and the consistency of test results.
MASVS requirements are organized into eight categories:
- V1 – Architecture Design and Threat Modeling Requirements
- V2 – Data Storage and Privacy Requirements
- V3 – Cryptography Requirements
- V4 – Authentication and Session Management Requirements
- V5 – Network Communication Requirements
- V6 – Platform Interaction Requirements
- V7 – Code Quality and Build Setting Requirements
- V8 – Resilience Requirements
In conjunction with the MASVS, OWASP also created the Mobile Application Security Testing Guide (MASTG) as a comprehensive guide to mobile application security testing and reverse engineering for both iOS and Android mobile apps. MASTG includes content around mobile platform internals, the mobile app development lifecycle, static and dynamic security testing, mobile app reverse engineering and tampering, assessing the quality of software protections around the mobile app, and test cases that map directly to the MASVS. NowSecure leverages the OWASP MASTG throughout our mobile app security testing software and services.
OWASP API Top 10
Released at the end of 2019, the OWASP API Top 10 is a newer list of risks and vulnerabilities identified by OWASP specifically for API security. As mobile apps increasingly use APIs for connectivity and services to backend systems and third-party services, the risk of API security failures expands dramatically. NowSecure tests for the OWASP API Top 10 throughout our mobile app security testing software and services.
OWASP CycloneDX
Modern software builds use third-party and open-source components glued together in a complex and unique way, integrated with original code to achieve the desired functionality. An accurate inventory of all components inside an application is critical for organizations to identify risk, allow for greater transparency, and conduct rapid impact analysis.
OWASP CycloneDX is the leading standard for Software Bill of Materials (SBOM) formatting. It is a lightweight SBOM standard for use in application security contexts and supply chain component analysis, and is offered in XML, JSON, and Protocol Buffers. There is also a large collection of official and community-supported tools that create or interoperate with the standard. CycloneDX offers guiding principles to reinforce the risk-based approach to standards development.
CVE
The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures and, in total, maintains a list of more than 175,000 records. CVE and the National Vulnerability Database (NVD) operated by NIST work together to give every vulnerability a security severity score based on the Common Vulnerability Scoring System (CVSS). NowSecure tests mobile apps for CVEs, flagging issues with remediation instructions and links to the source CVE database.
CVSS
The Common Vulnerability Scoring System (CVSS) offers organizations a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score is translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes. NowSecure scores all findings with CVSS scores linked back to the CVSS system to ensure understanding of the level of risk and the priority for addressing the issues.
CWE Top 25
Common Weakness Enumeration (CWE) is a community-developed list of software and hardware weaknesses that serves as a common language, with details to assist identification, mitigation, and prevention efforts. The 2021 CWE Top 25 Most Dangerous Software Weaknesses is a list of the most common and impactful issues found in mobile and web apps over the past two calendar years. The list focuses on weaknesses that are easy to find and exploit and carry high risk, allowing adversaries to take control of a system, steal data, or break an application. It leverages Common Vulnerabilities and Exposures (CVE®) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each CVE. NowSecure tests mobile apps for the CWE Top 25, flagging issues with remediation instructions and links to the source CWE Top 25.
Compliance Standards with Mobile Apps
Compliance Standards for mobile apps are critical across most industries as organizations need to ensure they are complying with relevant laws, policies, and regulations. Compliance testing helps organizations ensure PII data, PHI data, sensitive IP and transactions are not exposed by the mobile apps in violation of these standards, which could cause financial or legal penalties or even block systems in production.
ADA MASA
The App Defense Alliance (ADA) was founded with a core mission in mind: to protect app users across the broader app ecosystem by preventing threats from reaching their devices and improving app quality. In 2022, the ADA created the Mobile App Security Assessment (MASA) verification program, built on the industry standard OWASP MASVS and MASTG. By completing an ADA MASA verification from an ADA Authorized Lab, Android developers can add the independent security review badge to their Google Play Data Safety section. NowSecure partnered with Google and other industry leaders to create the MASA program and serves as an ADA Authorized Lab.
CCPA
The California Consumer Privacy Act (CCPA) of 2018 is legislation designed to give consumers more control over the personally identifiable information (PII) that organizations collect about them. It puts forward a set of regulations that provide guidance around the “right to know” personal information, the “right to delete” personal information, the “right to opt out” of the sale of personal information, and the “right to non-discrimination” for exercising those rights. For organizations to meet these regulations, specific security requirements need to be met around PII. NowSecure tests mobile apps for CCPA throughout the mobile app security testing software and services, listing any potential violations, evidence, and remediation instructions. Read the NowSecure Blog: What You Need to Know About the CCPA Data Privacy Regulation for Mobile Apps.
FFIEC
The Federal Financial Institutions Examination Council (FFIEC) is a formal U.S. government interagency body including five banking regulators who design principles, standards, and reports that promote uniformity and consistency for financial institutions. In 2017 the FFIEC published the Cybersecurity Assessment Tool in response to the increasing volume and sophistication of cyber threats. NowSecure tests mobile apps for FFIEC throughout the mobile app security testing software and services, listing any potential violations, evidence, and remediation instructions.
FISMA
The Federal Information Security Modernization Act (FISMA) originally passed in December 2002 and was amended in 2014. It requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other sources. NowSecure tests mobile apps for FISMA throughout the mobile app security testing software and services, listing any potential violations, evidence, and remediation instructions.
GDPR
The General Data Protection Regulation (GDPR) requires organizations to implement reasonable data protection measures to protect the personal data of consumers and employees against data loss or exposure. To achieve that goal, the law regulates all areas related to data management and processing, from obtaining user consent to setting up company-wide data protection practices and handling data breach incidents. NowSecure tests mobile apps for GDPR throughout the mobile app security testing software and services, listing any potential violations, evidence, and remediation instructions.
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. Any organization operating within the healthcare industry or processing patient data must comply with HIPAA standards, and NowSecure tests mobile apps for HIPAA throughout the mobile app security testing software and services, listing any potential violations, evidence, and remediation instructions.
ioXt
The ioXt Alliance defines the global standard for IoT security and is the result of the industry working together to set security standards that bring security, upgradability, and transparency to the market. NowSecure helped create the ioXt mobile app protection profile specification with ioXt, Google, and Amazon that ensures the rigorous security of IoT-connected mobile apps and mobile VPNs. NowSecure is an ioXt Authorized Lab that provides fast turnaround, high quality results and collaborative assistance to complete compliance certification promptly.
NIAP
The National Information Assurance Partnership (NIAP) is responsible for U.S. implementation of the Common Criteria, including management of the NIAP Common Criteria Evaluation and Validation Scheme (CCEVS) validation body. NIAP manages a national program for developing Protection Profiles, evaluation methodologies, and policies that ensure achievable, repeatable, and testable requirements. For mobile apps, NIAP created the Mobile App Vetting Protection Profile for Application Software v1.3. NowSecure is the only vendor to support the NIAP Mobile App Vetting Protection Profile v1.3 with automated testing and expert professional services to help organizations achieve Authority to Operate (ATO) faster. Download the NowSecure Paper: How To Ensure NIAP Mobile App Compliance.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a standard requiring compliance from any organization or application accepting digital payment information. PCI DSS is designed to ensure the safe handling of cardholder information at every step of the process. NowSecure tests mobile apps for PCI DSS throughout the mobile app security testing software and services, listing any potential violations, evidence, and remediation instructions.
Testing directly supports standards through nine means of testing, analysis and actionable results. Integrating standards-based testing and customizing standard policies ensures detailed findings and the identification of compliance gaps by including relevant standards information, and generates an audit trail with details on tests passed. Utilizing NowSecure to drive mobile app innovation gives customers the ability to create customizable policies and distinguish high-risk from lower-risk apps based on standards specifically relevant to a target team, product, or organization. NowSecure’s new policy engine, with both inclusion and exclusion parameters, delivers a policy cornerstone for shipping mobile apps on time and securely, with standards-based testing bridging the gap between dev and sec to deliver a valuable shared service level agreement (SLA).
NowSecure Academy
NowSecure Academy helps educate customers on unique standard and compliance implementation with self-service mobile app security training and privacy courses, best practices, certificates, resources and more. In every industry, customers leverage the Academy to “shift left” while meeting industry standards and company-specific standards or mobile app testing frameworks. This approach helps customers expedite app production cycles and reduces the volume of compliance issues introduced during application development.
NowSecure’s Pen Testing & Workstation
provide the periodic manual assessments required by many compliance standards. They combine this testing with exemplary customer service, flexible scheduling and lightning-fast turnaround time. These critical elements offer valuable third-party NowSecure attestation for meeting compliance needs. These award-winning solutions help customers define a threat-based scope, test thoroughly with multiple analysis types, frameworks, and standards, assist remediation efforts and validate fixes.
NowSecure Supply Chain Risk Management
leverages standards frameworks to protect sourcing, vendor management, partner continuity and quality, and transportation security. NowSecure’s Privacy and Breach tracker rapidly identifies app compliance gaps that fail to meet company-specific requirements. NowSecure solutions protect the organization from third-party compliance issues, and involving people, processes and knowledge across the enterprise delivers a superior and coordinated mobile app security testing effort.
Experience best-in-class mobile app security testing (MAST)
IDC named NowSecure a Leader in 2 Marketscape reports for MAST. See NowSecure in action.