The document discusses establishing a mobile application security program that includes people, processes, and technologies. It recommends identifying all mobile apps, assessing their risks, and monitoring the program's effectiveness through metrics. For people, it suggests having skills in forensics, network security, and code analysis. For process, it advises building security into the software development lifecycle through policies, secure coding practices, and testing. For technology, it provides criteria for evaluating tools that can automate static, dynamic, interactive and forensic analysis of the mobile attack surface.