NIST NCCoE Selects Technology Vendors to Collaborate on Mobile Device Security for Enterprises

The MDSE project aims to help organizations across business sectors develop a series of clear and repeatable reference mobile architectures that any organization can adapt and adopt to ease design, accelerate deployment, and build security into their mobility program from the outset. All products incorporated into the reference design will be standards-based and commercially available.

U.S. Government Approved Protection Profile – Protection Profile for Application Software

The U.S. Department of Defense requires all managed mobile applications to meet the NIAP Protection Profile for Application Security Software requirements. The scope of this Protection Profile (PP) is to describe the security functionality of application software in terms of Common Criteria and to define functional and assurance requirements for such software. In recent years, software attacks have shifted from targeting operating systems to targeting applications. This has been the natural response to improvements in operating system security and development processes. As a result, it is paramount that the security of applications be improved to reduce the risk of compromise.

NIST Mobile Threat Catalogue

This document outlines a catalogue of threats to mobile devices and associated mobile infrastructure to support development and implementation of mobile security capabilities, best practices, and security solutions to better protect enterprise information technology (IT). Threats are divided into broad categories, primarily focused upon mobile applications and software, the network stack and associated infrastructure, mobile device and software supply chain, and the greater mobile ecosystem. Each threat identified is catalogued alongside explanatory and vulnerability information where possible, and alongside applicable mitigation strategies. Background information on mobile systems and their attack surface is provided to assist readers in understanding threats contained within the Mobile Threat Catalogue (MTC).

OWASP Mobile Security Testing

OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. OWASP has published the Mobile Security Testing Guide (MSTG), Mobile App Security Requirements and Verification, and Mobile App Security Checklist documents.

Effectiveness of Mobile App Vetting Tools in the Enterprise

Various use cases for enterprise vetting of mobile apps exist, including in-house developed apps for enterprise use, in-house developed apps for public distribution, commercially developed apps for enterprise use, and commercially developed apps for personal use on enterprise devices. Each of these approaches carries different risks. This report provides guidance to US Government and commercial enterprises alike on how to assess the feasibility of applying automated app vetting tools. Government agencies can contact the authors for a copy of the report.

DHS Study on Mobile Device Security

The study found that the threats to the Federal government’s use of mobile devices—smartphones and tablet computers running mobile operating systems—exist across all elements of the mobile ecosystem. These threats require a security approach that differs substantially from the protections developed for desktop workstations largely because mobile devices are exposed to a distinct set of threats, frequently operate outside of enterprise protections and have evolved independently of desktop architectures. The Department of Homeland Security (DHS) has submitted a report to Congress that details current and emerging threats to the Federal government’s use of mobile devices and recommends security improvements to the mobile device ecosystem. The DHS Science and Technology Directorate (S&T) led the study in coordination with the National Institute of Standards and Technology and its National Cybersecurity Center of Excellence.

Securing Mobile Applications for First Responders

The Securing Mobile Applications for First Responders report describes a mobile application (app) pilot testing program designed to serve a public safety purpose. The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) Cyber Security Division (CSD), the Association of Public-Safety Communications Officials (APCO) International, and Kryptowire LLC collaborated to identify security vulnerabilities and privacy issues important for public safety users and to recruit app developers to participate in testing and evaluation.