In the last of my run of three mobile app related posts: the US standards body, the National Institute of Standards and Technology (NIST), has released Special Publication (SP) 800-163, Vetting the Security of Mobile Applications.
SP 800-163 is for organisations that plan to implement a mobile app vetting process or to consume app vetting results from other parties. It is also intended for developers who want to understand the types of software vulnerabilities that may arise in their apps during the software development life cycle (SDLC). The report is grouped into planning, testing and app approval/rejection sections, covering:
- Security requirements
- Understanding vetting limitations
- Budget and staffing
- General app security requirements
- Testing approaches
- Sharing results
- App approval/rejection
- Report and risk auditing
- Organisation-specific vetting criteria
- Final approval/rejection
The guidance is practical and highlights risks that are specific to mobile apps as well as general application security risks. Appendices B and C provide helpful categorised lists of Android and iOS mobile app vulnerability types respectively.
Posted on: 10 February 2015 at 07:48 hrs