DHS S&T Demos Automated Cybersecurity Mobile App Assessment
Assessing whether mobile apps are compliant to a NIAP Protection Profile (PP) has traditionally been a long and costly process. By automating that process, S&T and NIAP offer agencies the ability to quickly, affordably and reliably determine if their apps meet NIAP’s stringent security requirements.
“Automated testing will help bring the speed of NIAP evaluations to keep pace with the rapid, agile development and release cycles of today’s modern mobile app ecosystem,” said Mary Baish, director of NIAP.
For the pilot, researchers worked with S&T Mobile Security and Emergency Communications (Mobile SEC) partners Kryptowire and Intelligent Waves, using Kryptowire’s vetting infrastructure to perform an automated analysis of the Android and Apple iOS versions of Intelligent Waves’ Hypori app.
The Leidos Common Criteria Testing Laboratory then analyzed Kryptowire’s results to determine if they were consistent with a conventional evaluation. Separately, NIAP experts provided additional analysis. Evaluators determined that automated testing accurately met NIAP requirements while requiring less time, personnel and money.
“The pilot’s success is significant in that automating these evaluations to deliver accurate and trustworthy results will lower the barrier to entry by reducing the burden needed for NIAP PP Mobile App Vetting certifications,” said Mobile SEC Program Manager Vincent Sritapan. “This increased testing will raise the security posture of the government’s mobile app ecosystem and at the same time raise confidence among app end-users, primarily the tax-paying public.”
The pilot also produced findings that show how NIAP certifications and app vetting can be designed and conducted in the future, including the following:
• Automated vetting against NIAP requirements allows for faster testing and fielding of app updates.
• Apps can be assessed for basic compliance before a formal NIAP evaluation, providing risk reductions for several stakeholders including agencies, software vendors, and end-users.
• Apps can be accurately vetted, even if analysts and evaluators do not have access to source code.
• Apps can be vetted against updated requirements without undergoing a full NIAP recertification.
• The results bode well for other security automation efforts, some of which already are underway.
The pilot testing report, titled “Automating National Information Assurance Partnership Requirements Testing for Mobile Apps,” demonstrates that automated testing tools and methodologies are reliable and efficient. It behooves stakeholders from both the federal government and industry to continue developing them to address the increasing scale and complexity of certifying mobile apps.
Would you like to comment on this story? Find our comments system below.
Get your CompTIA A+, Network+ White Hat-Hacker, Certified Web Intelligence Analyst and more starting at $35 a month. Click here for more details.