Mapping App Security Standards

Here at Copper Horse we’ve been working on some really interesting projects in conjunction with the UK’s DCMS (Department for Digital, Culture, Media & Sport). We were commissioned to look into the current state of app security standards and recommendations, with a view to exploring the landscape and understanding the commonalities and gaps. We included 11 different standards and recommendation documents, which are outlined later in this blog post. From these 11 documents we mapped a total of 706 requirements across 14 different topics in an easy to navigate visual interface at: https://appsecuritymapping.com/.

[Screenshot: the appsecuritymapping.com Secure by Design topic, shown in the mapping layout]

As there was no baseline ‘anchor’ standard to work from, the requirements were recorded and then grouped into logically similar categories. It’s worth mentioning here that there are many similarities with our existing ETSI EN 303 645 mapping: we’ve already mapped Security & Privacy in the Internet of Things, which can be found at: https://iotsecuritymapping.com/. The methodology was to identify relevant standards and recommendations via open source research, bootstrapped by an initial list of standards provided by DCMS. A quality assurance process was applied when determining whether a standard or recommendation should be included. This process involved evaluating papers and websites whose primary security focus was apps or IoT ecosystem security, encompassing companion apps.

Once all the relevant documents were identified, the requirements were individually recorded and then mapped into logically similar categories. We separated the categories based on design, software updates and different areas of security, privacy and quality considerations. Any outliers were then triaged, which in turn created new groupings or ‘topics’. It should be noted that the mappings were created based on Copper Horse’s own judgement – others may have different views as to which requirements belong to particular topics. The general goal was to understand where there were commonalities (and to what extent) and where there were areas of difference. Our research yielded the following topics:

  • App/Code Hardening
  • Cryptography
  • Passwords and Authentication
  • Attack Surface Reduction
  • Functional/Quality
  • Secure Data Storage
  • Secure Communication
  • Outliers
  • Update Software, Dependencies and End of Life
  • Web App Security
  • Secure by Design
  • Session Handling
  • Permissions
  • Vulnerability Management
  • Privacy

We’ve expanded on these categories on the app mapping website; you can read more here: https://appsecuritymapping.com/mapping-topics/

Standards and Recommendations Reviewed

This first release of the mapping includes the following documents:

| Standard / Recommendation | Link | No. of Pages |
| --- | --- | --- |
| NIST SP 800-163 | https://csrc.nist.gov/publications/detail/sp/800-163/rev-1/final | 55 |
| OWASP MASVS v1.4.2 | https://owasp.org/www-project-mobile-security-testing-guide/ | 51 |
| NIST SP 800-190 | https://csrc.nist.gov/publications/detail/sp/800-190/final | 51 |
| Android Security Best Practices | https://developer.android.com/topic/security/best-practices | Webpages (15 sections) |
| Requirements for Vetting Mobile Apps from the Protection Profile for Application Software | https://www.niap-ccevs.org/MMO/PP/394.R/pp_app_v1.2_table-reqs.htm | Webpage |
| ioXt 2020 Mobile Application Profile | Mobile_Application_Profile.pdf | 16 |
| MITRE ATT&CK | https://attack.mitre.org/mitigations/M1013/ | Webpage |
| NCSC App Dev Guidance | https://www.ncsc.gov.uk/collection/application-development | 16 |
| Apple Developer Security Guidelines | https://developer.apple.com/documentation/security | Webpage (22 sections) |
| Core App Quality (Android) | https://developer.android.com/docs/quality-guidelines/core-app-quality | Webpage |
| OWASP Application Security Verification Standard | https://github.com/OWASP/ASVS | 71 |
Table of Standards and Recommendations included in this mapping

We have only included standards and recommendations that are provided for free and that are openly available. This is particularly important for developers who are often not in a position to pay to read security requirements. We considered the standards provided by the UK’s BSI but these required a paid licence so were put out-of-scope.

Number of Requirements Mapped by Topic

Here’s the mapping totals by topic. Also included here are outliers that couldn’t be mapped to any of the topics:

| Mapping Topic | Requirements Mapped |
| --- | --- |
| App/Code Hardening | 144 |
| Cryptography | 84 |
| Passwords and Authentication | 84 |
| Attack Surface Reduction | 71 |
| Functional/Quality | 54 |
| Secure Data Storage | 51 |
| Secure Communication | 42 |
| Outliers | 35 |
| Update Software, Dependencies and End of Life | 32 |
| Web App Security | 28 |
| Secure by Design | 24 |
| Session Handling | 19 |
| Permissions | 17 |
| Vulnerability Management | 16 |
| Privacy | 5 |
| Total | 706 |
Table of Mapping Totals by Topic

A word on tooling

On our previous mapping sites we’ve used the excellent tool Kumu (https://kumu.io). We decided we wanted to use a tool with additional functionality for this project and for this we selected MindMeister (https://www.mindmeister.com). In addition to offering a fantastic user experience it allowed us to add accessibility options such as displaying the mapping topics in an outline format rather than as an interactive map. This format can be used with a screen reader for visually impaired users.

Among the many benefits of MindMeister is that we can easily generate downloadable PDFs which show both the visual map and the outline layout in a single document. Anyone with an account can save our maps to their own account and build on our data.

As with all our mappings we have provided free, downloadable open data for each of our mapping topics. The data is available in .json, .csv and .ods formats.

Something we missed?

We will be returning to this work periodically to add new standards and recommendations. If you feel there are any documents we should review, please drop us a line at appsecuritymapping[@]copperhorse.co.uk
