The document discusses establishing a mobile application security program that includes people, processes, and technologies. It recommends identifying all mobile apps, assessing their risks, and monitoring the program's effectiveness through metrics. For people, it suggests having skills in forensics, network security, and code analysis. For process, it advises building security into the software development lifecycle through policies, secure coding practices, and testing. For technology, it provides criteria for evaluating tools that can automate static, dynamic, interactive and forensic analysis of the mobile attack surface.

1. Next-level mobile app security:
A programmatic approach

2. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
NowSecure #MobSec5
Weekly mobile security news update
SUBSCRIBE NOW:
www.nowsecure.com/go/subscribe

3. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Katie Strzempka
VP Customer Success & Services | NowSecure

4. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Contents
● Mobile app security program definition
● People - building and managing a team
● Process - building security into the mobile SDLC
● Technology - choosing the right tools
● Questions and an exclusive, FREE offer for attendees

5. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Defining a program

6. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
What does a mobile app security program consist of?
● Identifying, assessing, and managing risk in your portfolio of mobile apps
on an ongoing basis
● Examples of questions you’ll need to answer:
○ How many mobile apps does your organization develop?
○ How will you assess the security of those apps on a regular basis?
○ How often will you assess those apps?
○ What sorts of security findings will block a release?

7. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Monitoring your program’s effectiveness - Metrics
● How many apps does your organization have?
● How critical is each mobile app to your business goals?
○ Revenue
○ Users
○ Etc.
● How many mobile app security flaws are in production?
○ Flaws per lines of code
○ How many high, medium, and low risk flaws?
● How many flaws are fixed before and/or after deployment?
● Is the number of flaws increasing or decreasing over time?
To track progress against your objectives and make changes as necessary
https://www.redseal.net/ceos-reveal-cyber-naivete-as-incidents-rise-and-losses-mount/

8. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
People:
Building/maintaining a team

9. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
The skills you need on your team
Forensics
&
data recovery
Network security
& web services /
API testing
Server-side
penetration
testing
Reverse-
engineering &
code analysis

10. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Smaller teams
● Example: 1 or 2 analysts testing 1-10 apps/year
● Mobile apps are typically a subset of responsibilities
● Less familiarity with specifics of mobile testing
Example: ≳3 analysts testing a number of apps
Consistency can be a challenge (more devs too)
HINT: Split levels/depth of testing by skill level
Larger teams
And don’t forget cross-departmental collaboration and buy-in!

11. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Process:
Building security in

12. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Building security into the mobile SDLC
Document app security policies
Code using secure development
best practices
Perform automated security
assessments on each build
Perform penetration testing on
each release candidate
Deploy more secure apps
to production

13. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Develop a testing checklist
● Benefits of a testing checklist
○ On-board staff more quickly
○ Provide transparency to developers
● Start with de-facto industry standards
○ OWASP Top Ten Mobile Risks
○ NIST - Vetting the Security of Mobile Applications
○ Common Vulnerability Scoring System (CVSS)
○ Common Weakness Enumeration (CWE)
● Add additional tests specific to your internal policies

14. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Train and educate security analysts and developers
● How mobile app security flaws put the business at risk
(i.e., the reason why you bother doing security assessments)
● Secure coding practices that prevent security flaws in the first place
● Documented security policies against which you’ll assess mobile apps
● How finding and fixing security flaws earlier saves time and reduces stress
● A demonstration of how you will assess apps for those issues
Key aspects of ongoing training initiatives

15. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Integrate with DevOps or risk being ignored/avoided
● Puppet 2016 State of DevOps Report
○ High performers - deploy on demand, multiple times per day
○ Medium performers - deploy once per week to once per month
○ Low performers - deploy once per month to once every six months
● If you slow developers or IT operations down, they may work around you
● Integrate security testing just like other forms of testing
○ Security testing can be just another layer in the stack
○ Performed simultaneously and as frequently
○ E.g., unit, integration, compatibility, and performance testing
Source: https://puppet.com/resources/whitepaper/2016-state-of-devops-report
Puppet 2016 State of DevOps Report

16. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Standardizing your process builds consistency

17. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Technology:
Choosing the right tools

18. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Mobile app security testing technology imperatives

19. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Open-source tools can help, but aren’t right for everyone

20. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Criteria for evaluating commercial tools
● Look for all four types of analysis:
1. Static analysis
2. Dynamic analysis
● Look for coverage for all aspects of the mobile attack surface:
1. Data at rest
2. Data in transit
● Look for reporting that:
1. Provides remediation instructions
2. Maps to industry-accepted severity classifications
3. Aligns with your internal policies
DOWNLOAD
Source: https://www.nowsecure.com/ebooks/evaluation-guide-for-mobile-app-security-testing/
3. Interactive analysis
4. Forensic analysis
3. Web services/APIs
4. Reverse engineering

21. © Copyright 2017NowSecure, Inc. All Rights Reserved. Proprietary information.
Your go-to guide for:
● Building and managing a team
● Instituting a process
● Choosing the right technology
● Establishing program metrics
Mobile app security program management
DOWNLOAD
https://info.nowsecure.com/mobile-appsec-program-handbook.html

22. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Special offer only for
webinar attendees:
● Free 15-minute phone consultation
● For both beginners & seasoned pros
● Dig into the details of your program
Send an e-mail to kstrzempka@nowsecure.com

23. Let’s talk
NowSecure
+1 312.878.1100
info@nowsecure.com
@NowSecureMobile
www.nowsecure.com
Subscribe to #MobSec5
www.nowsecure.com/go/subscribe
A digest of the week’s mobile security news that matters