Here at Copper Horse we’ve been working on some really interesting projects in conjunction with the UK’s DCMS (Department for Digital, Culture, Media & Sport). We were commissioned to look into the current state of app security standards and recommendations, with a view to exploring the landscape and understanding the commonalities and gaps. We included 11 different standards and recommendation documents, which are outlined later in this blog. From these 11 documents we mapped a total of 706 requirements across 14 different topics in an easy-to-navigate visual interface at: https://appsecuritymapping.com/.
As there was no baseline ‘anchor’ standard to work from, the requirements were recorded and then grouped into logically similar categories. It’s worth mentioning here that there are many similarities with the mappings in ETSI EN 303 645; we’ve already mapped Security & Privacy in the Internet of Things, which can be found at: https://iotsecuritymapping.com/. The methodology was to identify relevant standards and recommendations via open source research, bootstrapped by an initial list of standards provided by DCMS. A quality assurance process was applied when determining whether a standard or recommendation should be included. This process involved evaluating papers and websites whose primary security focus was apps or IoT ecosystem security, encompassing companion apps.
Once all the relevant documents were identified, the requirements were individually recorded and then mapped into logically similar categories. We separated categories based on design, software updates and different categories of security, privacy and quality considerations. Any outliers were then triaged, which in turn created new groupings or ‘topics’. It should be noted that the mappings were created based on Copper Horse’s own judgement; others may have different views as to which requirements belong to particular topics. The general goal was to understand where there were commonalities (and to what extent) and where there were areas of difference. Our research yielded the following topics:
- App/Code Hardening
- Passwords and Authentication
- Attack Surface Reduction
- Secure Data Storage
- Secure Communication
- Update Software, Dependencies and End of Life
- Web App Security
- Secure by Design
- Session Handling
- Vulnerability Management
We’ve expanded on these categories on the app mapping website; you can read more here: https://appsecuritymapping.com/mapping-topics/
Standards and Recommendations Reviewed
This first release of the mapping includes the following documents:
We have only included standards and recommendations that are provided for free and that are openly available. This is particularly important for developers who are often not in a position to pay to read security requirements. We considered the standards provided by the UK’s BSI but these required a paid licence so were put out-of-scope.
Number of Requirements Mapped by Topic
Here are the mapping totals by topic. Also included here are outliers that couldn’t be mapped to any of the topics:
| List of Mapping Topics | Reqs Mapped |
| --- | --- |
| Passwords and Authentication | 84 |
| Attack Surface Reduction | 71 |
| Secure Data Storage | 51 |
| Update Software, Dependencies and End of Life | 32 |
| Web App Security | 28 |
| Secure by Design | 24 |
A word on tooling
On our previous mapping sites we’ve used the excellent tool Kumu (https://kumu.io). For this project we wanted a tool with additional functionality, and we selected MindMeister (https://www.mindmeister.com). In addition to offering a fantastic user experience, it allowed us to add accessibility options such as displaying the mapping topics in an outline format rather than as an interactive map. This format can be used with a screen reader by visually impaired users.
Among the many benefits of MindMeister, we are able to easily generate downloadable PDFs which show both the visual map and outline layouts in a single document. Anyone with an account can save our maps to their own account and build on our data.
As with all our mappings we have provided free, downloadable open data for each of our mapping topics. The data is available in .json, .csv and .ods formats.
Something we missed?
We will be returning to this work periodically to add new standards and recommendations. If you feel there are any documents we should review, please drop us a line at appsecuritymapping[@]copperhorse.co.uk