Mobile Standards & Compliance
Standards-based testing and certification are critical for consistent predictability, safety and governance. Standards improve dev and security team alignment and collaboration, which ensures quality and speeds release times. NowSecure enables your mobile app security program to support leading industry frameworks, testing standards and compliance standards.
Industry Frameworks with Mobile Apps
The NIST 800-53 framework captures a proactive and systematic approach to cybersecurity measures for all types of computing platforms, including general-purpose computing, cyber-physical, cloud-based, weapons, space, communications, environmental control, and industrial control systems, as well as mobile and Internet of Things (IoT) devices. NowSecure supports organizations that seek to comply with NIST 800-53 by implementing mobile app security controls that identify security vulnerabilities that need to be remediated in order to meet the framework requirements. Learn more: NIST 800-53
ISO 27001 provides requirements for information security management systems to manage the security of critical assets such as financial information, intellectual property, employee details, and information entrusted by third parties. NowSecure supports organizations looking to comply with ISO 27001 by implementing mobile app security controls that identify security vulnerabilities that need to be remediated in order to meet the framework requirements. Learn more: ISO 27001
MITRE ATT&CK for Mobile captures the tactics and techniques adversaries use against mobile devices, mobile apps and mobile networks, covering attack vectors available with or without access to the device. NowSecure supports organizations that seek to threat model their mobile apps using the MITRE ATT&CK framework and to implement mobile app security controls that identify security vulnerabilities that need to be remediated in order to meet the framework requirements. Learn more: MITRE ATT&CK for Mobile
Mobile App Security Testing Standards
The OWASP Mobile Application Security Verification Standard (MASVS) is the definitive standard for mobile app security. It specifies the mobile app security requirements that mobile software designers and developers should follow to build more secure mobile applications. It also serves as a guide for security testers on the depth of testing and the consistency of test results.
The MASVS requirements are organized into 8 categories:
- V1 – Architecture Design and Threat Modelling Requirements
- V2 – Data Storage and Privacy Requirements
- V3 – Cryptography Requirements
- V4 – Authentication and Session Management Requirements
- V5 – Network Communication Requirements
- V6 – Platform Interaction Requirements
- V7 – Code Quality and Build Setting Requirements
- V8 – Resilience Requirements
NowSecure tests for the OWASP MASVS throughout the mobile app security testing software and services. Download the NowSecure Manager’s Guide to OWASP Mobile Security Project. Learn more: OWASP MASVS
In conjunction with the MASVS, OWASP has also created the Mobile Security Testing Guide (MSTG) as a comprehensive guide to mobile application security testing and reverse engineering for both iOS and Android mobile apps. It includes content around mobile platform internals, the mobile app development lifecycle, static and dynamic security testing, mobile app reverse engineering and tampering, assessing the quality of software protections around the mobile app, and test cases that map directly to the MASVS. NowSecure leverages the OWASP MSTG throughout our mobile app security testing software and services. Learn more: OWASP MSTG
Released at the end of 2019, the OWASP API Top 10 is a newer list of risks and vulnerabilities identified by OWASP specifically for API security. As mobile apps increasingly use APIs for connectivity and services to backend systems and third-party services, the risk of API security failures has grown dramatically. NowSecure tests for the OWASP API Top 10 throughout our mobile app security testing software and services. Learn more: OWASP API Top 10
Modern software is assembled using third-party and open source components that are glued together in a complex and unique way, integrated with original code to achieve the desired functionalities. An accurate inventory of all components inside of an application is critical for organizations to identify risk, allow for greater transparency, and conduct rapid impact analysis.
OWASP CycloneDX is the leading standard for Software Bill of Materials (SBOM) formatting. It is designed to be a lightweight SBOM standard for use in application security contexts and supply chain component analysis, and can be provided in XML, JSON, and Protocol Buffers. There is also a large collection of official and community-supported tools that create or interoperate with the standard. CycloneDX has guiding principles that reinforce a risk-based approach to standards development. Learn more: OWASP CycloneDX
The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures and, in total, maintains a list of 151,644 records. CVE and the National Vulnerability Database (NVD) operated by NIST work together to give every vulnerability a security severity score based on the Common Vulnerability Scoring System (CVSS). NowSecure tests mobile apps for CVEs, flagging issues with remediation instructions and links to the source CVE database. Learn more: CVE
The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes. NowSecure scores all findings with CVSS scores linked back to the CVSS system so that the level of risk and the priority for addressing each issue are clear. Learn more: CVSS
Common Weakness Enumeration (CWE) is a community-developed list of software and hardware weaknesses that serves as a common language with details to assist in identification, mitigation, and prevention efforts. The 2020 CWE Top 25 Most Dangerous Software Weaknesses is a list of the most common and impactful issues found in mobile and web apps over the past two calendar years. It focuses on weaknesses that are easy to find and exploit and that carry high risk, allowing adversaries to take control of a system, steal data, or break an application. The list is created by leveraging Common Vulnerabilities and Exposures (CVE®) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each CVE. NowSecure tests mobile apps for the CWE Top 25, flagging issues with remediation instructions and links to the source CWE Top 25. Learn more: CWE Top 25
Compliance Standards with Mobile Apps
The California Consumer Privacy Act (CCPA) of 2018 is legislation designed to give consumers more control over the personal information that businesses collect about them. It puts forward a set of regulations that provide guidance around the “right to know” what personal information is collected, the “right to delete” personal information, the “right to opt out” of the sale of personal information, and the “right to non-discrimination” for exercising those rights. For organizations to meet these regulations, specific security requirements around personally identifiable information (PII) must be satisfied. NowSecure tests mobile apps for CCPA throughout the mobile app security testing software and services, listing any potential violations, evidence and remediation instructions. Read the NowSecure Blog What You Need to Know About the CCPA Data Privacy Regulation for Mobile Apps. Learn more: CCPA
The Federal Financial Institutions Examination Council (FFIEC) is a formal U.S. government interagency body that includes five banking regulators who design principles, standards, and reports that promote uniformity and consistency for financial institutions. In 2017 the FFIEC published the Cybersecurity Assessment Tool in response to the increasing volume and sophistication of cyber threats. NowSecure tests mobile apps for FFIEC throughout the mobile app security testing software and services, listing any potential violations, evidence and remediation instructions. Learn more: FFIEC
The Federal Information Security Modernization Act (FISMA) was originally passed in December 2002 and was amended in 2014. It requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other sources. NowSecure tests mobile apps for FISMA throughout the mobile app security testing software and services, listing any potential violations, evidence and remediation instructions. Learn more: FISMA
General Data Protection Regulation (GDPR) requires organizations to implement reasonable data protection measures to protect the personal data of consumers and employees against data loss or exposure. To achieve that goal, the law regulates all areas related to data management and processing, from obtaining user consent to setting up company-wide data protection practices and handling data breach incidents. NowSecure tests mobile apps for GDPR throughout the mobile app security testing software and services, listing any potential violations, evidence and remediation instructions. Learn more: GDPR
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. Any organization operating within the healthcare industry or processing patient data must comply with HIPAA standards, and NowSecure tests mobile apps for HIPAA throughout the mobile app security testing software and services, listing any potential violations, evidence and remediation instructions. Learn more: HIPAA
The ioXt Alliance has set out to define the global standard for IoT security; it is the result of the industry working together to set security standards that bring security, upgradability, and transparency to the market. NowSecure helped create the ioXt mobile app protection profile specification with ioXt, Google and Amazon, which ensures the rigorous security of IoT-connected mobile apps and mobile VPNs. NowSecure is an ioXt Authorized Lab that provides fast turnaround, high-quality results and collaborative assistance to complete compliance certification promptly. Learn more: ioXt
The National Information Assurance Partnership (NIAP) is responsible for the U.S. implementation of the Common Criteria, including management of the NIAP Common Criteria Evaluation and Validation Scheme (CCEVS) validation body. NIAP manages a national program for developing Protection Profiles, evaluation methodologies, and policies that ensure achievable, repeatable, and testable requirements. For mobile apps, NIAP has created the Mobile App Vetting Protection Profile for Application Software v1.3. NowSecure is the only vendor to support the NIAP Mobile App Vetting Protection Profile v1.3 with automated testing and expert professional services to help organizations achieve Authority to Operate (ATO) faster. Download the NowSecure Paper How To Ensure NIAP Mobile App Compliance. Learn more: NIAP
The Payment Card Industry Data Security Standard (PCI DSS) is a standard that any organization or application that accepts payment information must comply with. It is designed to ensure the safe handling of cardholder information at every step of the process. NowSecure tests mobile apps for PCI DSS throughout the mobile app security testing software and services, listing any potential violations, evidence and remediation instructions. Learn more: PCI DSS