Solving for compliance: Mobile app security for banking and financial services
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
NowSecure #MobSec5
Weekly mobile security news update
SUBSCRIBE NOW:
www.nowsecure.com/go/subscribe
Brian Lawrence
Solutions Engineer | NowSecure
Contents
● Overview of compliance regimes
● Overlap & mobile app security testing programs
● In action: customer case study
● Questions
A survey of compliance and mobile apps
http://www.arelaw.com/downloads/ARElaw_MobileDeviceApplications_KeyLawsChart_rev061815.pdf
Sample of laws, regulations, and rules applicable to mobile (chart categories: General, Content, Financial, Health/Medical, Minors, Others)
● FTC Act
● Sarbanes-Oxley
● Electronic Communications Privacy Act (ECPA)
● Computer Fraud and Abuse Act (CFAA)
● NIAP (Common Criteria for app vetting)
● Digital Millennium Copyright Act (DMCA)
● Communications Decency Act (CDA)
● Restore Online Shoppers’ Confidence Act (ROSCA)
● Gramm-Leach-Bliley Act (GLBA)
● FFIEC compliance standards
● Payment card industry (PCI) standards
● Health Insurance Portability and Accountability Act (HIPAA)
● Health Information Technology for Economic and Clinical Health Act (HITECH)
● Food and Drug Administration Act (mobile medical apps)
● FTC’s Health Breach Notification Rule
● Children’s Online Privacy Protection Act (COPPA)
● California Online Privacy and Protection Act (CalOPPA)
● State data-breach notification, data security, and records disposal statutes
● FCC’s Customer Proprietary Network Information (CPNI) Breach Notification Rule
IANYA - I am not your auditor/assessor/accountant
● We are mobile app security experts
● We highlight relevant compliance items
● Compliance is a team sport
● Consult with governance, risk & compliance teams
FFIEC IT Examination Handbook: Mobile Financial Services
Guidance that FFIEC examiners use in assessing financial institutions’ mobile offerings.
AppE.5.b Operational Risk Mitigation
● Secure coding
● Rigorous security testing
● Sensitive data storage
● Multi-factor authentication
● Third party risk
AppE.5.b(iii) Mobile Application Risk Mitigation
● Root/jailbreak detection
● Security testing throughout the SDLC
● Critical data storage
● Secure back-end servers
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS Version 3.2
6 Develop and maintain secure systems and applications
● 6.3 Develop internal and external software applications securely
● 6.5 Address common coding vulnerabilities in software-development
processes [based on OWASP, SANS, CERT guidance]
11 Regularly test security systems and processes
● 11.3 Implement a methodology for penetration testing…
● …which defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
PCI Mobile Payment Acceptance Security Guidelines
Merchant-owned devices/apps used for payments (i.e., a POS system) are in
scope for PA-DSS. Apps on a consumer’s device that facilitate payments are
not in scope for PA-DSS, but development is in scope for PCI DSS.
Information security standard for organizations that handle payment cards. For a consumer-facing app
that facilitates a merchant’s payment acceptance process, the development of the app is in scope.
Federal Information Security Management Act (FISMA)
Framework for cost-effective, risk-based information security within the federal government. NIST defines
standards, guidelines, and minimum requirements via a number of publications.
NIST FIPS 200: Minimum Security Requirements
● Certification, accreditation, and security assessments (CA)
● Risk assessment (RA)
NIST SP 800-53: Security & Privacy Controls
● CA-2 Security Assessments
● SA-11 Developer security testing and evaluation
NIST SP 800-163: Vetting the Security of Mobile Applications
● Preventing unauthorized functionality
● Limiting permissions
● Protecting sensitive data
● Securing app code dependencies
● Testing app updates
Gramm-Leach-Bliley Act Safeguards Rule
Requires financial institutions under FTC jurisdiction to protect the customer information they collect
and ensure their affiliates and service providers do too.
PART 314—Standards for safeguarding customer information
Financial institutions must implement an information security program
which includes:
● Designating employee(s) to coordinate the program;
● Identifying internal and external risks to the security, confidentiality,
and integrity of customer information and assessing any safeguards
in place to control the risks;
● Designing and implementing safeguards to address the risks and
monitor the effectiveness of these safeguards;
● Selecting and retaining service providers that are capable of
maintaining appropriate safeguards for the information and requiring
them, by contract, to implement and maintain such safeguards;
● Adjusting the information security program in light of developments
that may materially affect the program.
NY Cybersecurity Reqs. for Financial Services Companies
Requires companies to certify yearly that they have a program in place to secure nonpublic information
both on their own systems and those of any third party that has access to that information.
Section 500.03 Cybersecurity Policy
Implement and maintain written policies and procedures for the protection
of information systems addressing (among other items):
● (a) information security
● (i) systems and application development and quality assurance
● (k) customer data privacy
● (m) risk assessment
Section 500.05 Penetration Testing and Vulnerability Assessments
● Program shall include monitoring and testing developed in
accordance with the risk assessment
● Include continuous monitoring or periodic penetration testing and
vulnerability assessments
● Penetration testing annually
● Vulnerability assessments bi-annually
Sarbanes-Oxley Act (SOX)
The act lays out guidelines that publicly traded companies (and, in many cases, their service providers) must follow to ensure the accuracy of financial information.
Section 404 — Assessment of internal control
● Understand the flow of transactions
● Perform a fraud risk assessment
SSAE 18 — Statement on Standards for Attestation Engagements
● SSAE 18 helps service organizations comply with SOX
● Service Organization Control (SOC) reports
● SOC 2 reports cover controls that address:
○ Security
○ Availability
○ Processing integrity
○ Confidentiality
○ Privacy
Overlap: Regulations & mobile app security testing
[Diagram: a mobile app security testing (MAST) program shown at the overlap of FFIEC, PCI DSS, FISMA and GLBA]
How to Ensure Your Mobile Testing Supports Compliance
● Risk Assessment
● Encryption
○ Data at rest
○ Data in transit
● Secure coding practices
○ Mobile Best Practices
○ Authentication
○ Authorization
● Documentation
● Testing methodology
Elements of a Mobile App Security Testing Program
NowSecure WORKSTATION: Deep pen testing analysis for security analysts
NowSecure AUTOMATED: On-demand cloud analysis for Dev, QA & Security teams
NowSecure INTELLIGENCE: Always-on cloud analysis for EMM & Security teams
NowSecure Platform for 360º coverage of mobile app security testing
In action: Mobile app compliance in financial services
Case study: MEA Financial
● SOC Type II reports
● NowSecure platform for assessments
● Archive assessment reports
● Provided to auditors upon request
“NowSecure helps us be pro-active as an
organization and gives us confidence that any
security concerns we can control truly are in order
when we let an app through to production.”
—Travis Swinford, product manager
MEA is a national leader in the provision of innovative software solutions to the financial services marketplace.
https://www.nowsecure.com/case-studies/mea-financial-instills-trust-in-mobile-banking-apps/
Summary & next steps
Three key takeaways
1. Set standards, and assess against those standards
2. Ensuring proper testing and validation accomplishes many compliance requirements
3. Maintain documentation
Practical next steps
Next week:
Refresh your knowledge of your app inventory and relevant compliance regimes
Next month:
Work with governance/risk/compliance teams to identify gaps in reporting
Next quarter:
Implement adjustments to your current methodology to fill any gaps
Let’s talk
NowSecure
+1 312.878.1100
@NowSecureMobile
www.nowsecure.com
Subscribe to #MobSec5
A digest of the week’s mobile security news that matters
https://www.nowsecure.com/go/subscribe