
Assessing the Security of Mobile Applications (Part 1) – Planning (section 2)

Number: IRCAR201506262
Date: 2015-06-30
Application assurance processes to mitigate security risk
Planning
Organizations should ensure that application assurance processes are undertaken, whereby applications are vetted to confirm that they are free from vulnerabilities and that the app will function as intended. The procedure should include application testing that concludes in the rejection or approval of the application.
Performing a risk assessment will assist in determining the impact the mobile application will have on the organization's computing, network, data and other resources.
Step One:
Determine a set of security requirements unique to your organization by considering the following:
  • The conditions under which the app will be utilized and when the app should not be used
  • How the data accessed by the app will be secured
  • How the wireless infrastructure functions and how it is secured
  • Whether critical assets are located on the mobile device
  • The acceptable level of risk allowed for the app
  • The security requirements that are needed by the app; stating them explicitly allows the organization to clearly see whether each requirement is met or violated when the testing takes place
  • Whether any app vulnerabilities may be mitigated by other security controls that are already part of the organization's mobile device architecture or by the security controls of the mobile device itself
  • Evaluate your existing mobile device management solution to understand and confirm which security requirements are already covered by it
  • The security and privacy requirements specific to the organization
  • The users permitted to use the app
  • What level of testing has already been undertaken
  • What types of attacks are of concern to the organization (consider the information or operations that would be compromised and the effect this would have on the people involved, the organization and its business functions)
Step Two:
Define the limitations of the app testing process.
A procedure undertaken to assess applications will without a doubt have a positive effect on the organization's security posture; however, no process can guarantee to reveal all potential weaknesses. Organizations need to be aware of these limitations.
  • Understand what the assessment process will and will not provide with regard to the security outcome
  • Manual human assessment should not be underestimated; it is an essential part of the process
  • Do not rely solely on automation for your assessments; human interaction is needed to observe the comprehensive behavior of the app in diverse contexts
  • The quality of your assessments is proportional to obtaining the correct combination of multiple automated testing tools with human interaction and security expertise
  • Avoid using a single testing tool or process, as each tool has its own confines; utilize multiple tools and processes for the best results
  • Educate employees on the limitations of the app testing process
Step Three:
Organize a team to take responsibility and consider the budget available for the app testing process.
  • Get the appropriate people involved with the required expertise (mobile security, software security and information assurance expertise are a necessity)
  • Costs should be budgeted for in advance rather than left to later deliberation