The Computer Security Resource Center at NIST (the National Institute of Standards and Technology) has released an important update to its guidance on mobile application vetting and security. The revision surveys the resources an organization can draw on to define its own requirements for mobile app security, including overviews of relevant documentation from the National Information Assurance Partnership (NIAP), the Open Web Application Security Project (OWASP), The MITRE Corporation, and NIST itself.
NIAP maintains an official Product Compliant List of products that have successfully completed its certification, and that certification is what is required for use in federal information systems. Note, however, that the requirements NIAP evaluates during certification may not map directly onto non-federal requirements. Organizations in regulated industries, such as financial services, should follow their own sector's compliance requirements as appropriate.
The revision also refines the vetting model described in the original document by defining more precisely the roles involved in mobile app vetting and the inputs and outputs of each step in the process. It also explains how that process can be integrated into an organization's broader security posture.
Where the original document described how the actual testing of applications can be carried out, the revision adds guidance on how identified vulnerabilities can be classified and weighted against existing standards and best practices.
Finally, the revision offers a broader and updated exploration of the current threat landscape facing mobile apps, including threats specific to banking and financial information, and aligns itself with current guidelines and recommendations from both industry and other federal partners.