Where does mobile app security testing fit into the latest NIST SSDF and CISA Zero Trust publications?
It’s difficult to find technically useful, well contributed information on mobile security testing and mobile software development life cycle (SDLC) best practices. There is a lot of high-level info scattered around, and it seems like new government cybersecurity publications are popping up all the time which makes it hard to tell how everything fits together. So I set out to research the topics on my own, and this blog covers what I’ve found. As I continue, and as comments come in, I’ll make corrections and updates.
Let’s start with very useful, seminal work on mobile security testing, with OWASP® contributors doing a wonderful job with two foundational works. Any searches on the topic of mobile security testing should have landed on them, but in case yours didn’t.
Mobile security testing guide
The first is the Mobile Security Testing Guide (MSTG)1 from OWASP. From its introduction:
“The OWASP Mobile Security Testing Guide (MSTG) is a comprehensive manual for testing the security of mobile apps. It describes processes and techniques for verifying the requirements listed in the Mobile Application Security Verification Standard (MASVS), and provides a baseline for complete and consistent security tests.”
If you haven’t seen it before, at first glance you may get the impression that it’s merely a high-level overview of basic principles that any mobile developer or security expert already knows. But in fact, it’s quite comprehensive and technically detailed, a great living work by all its contributors, and a very useful resource for new and advanced mobile security gurus alike.
The MSTG is comprised of three primary sections, again from the Guide’s overview:
- “The General Testing Guide contains a mobile app security testing methodology and general vulnerability analysis techniques as they apply to mobile app security. It also contains additional technical test cases that are OS-independent, such as authentication and session management, network communications, and cryptography.
- The Android Testing Guide covers mobile security testing for the Android platform, including security basics, security test cases, reverse engineering techniques and prevention, and tampering techniques and prevention.
- The iOS Testing Guide covers mobile security testing for the iOS platform, including an overview of the iOS OS, security testing, reverse engineering techniques and prevention, and tampering techniques and prevention.”
Mobile AppSec verification standard
The second work from the OWASP Mobile Security Project™ and its contributors, is the Mobile AppSec Verification Standard (MASVS)1.
From its introduction, “The MASVS is a community effort to establish a framework of security requirements needed to design, develop and test secure mobile apps on iOS and Android.”
You must admit, this is a bold undertaking to produce and keep current, but it’s a sorely needed one and a job well done. A useful summary from the document:
“The MASVS defines two security verification levels (MASVS-L1 and MASVS-L2), as well as a set of reverse engineering resiliency requirements (MASVS-R). MASVS-L1 contains generic security requirements that are recommended for all mobile apps, while MASVS-L2 should be applied to apps handling highly sensitive data. MASVS-R covers additional protective controls that can be applied if preventing client-side threats is a design goal.
Fulfilling the requirements in MASVS-L1 results in a secure app that follows security best practices and doesn't suffer from common vulnerabilities. MASVS-L2 adds additional defense-in-depth controls such as SSL pinning, resulting in an app that is resilient against more sophisticated attacks - assuming the security controls of the mobile operating system are intact and the end user is not viewed as a potential adversary. Fulfilling all, or subsets of, the software protection requirements in MASVS-R helps impede specific client-side threats where the end user is malicious and/or the mobile OS is compromised.”
NIST SSDF
And now for what’s happening from the U.S. gov end of things and recent cybersecurity standards and guidance news. Let’s start with the National Institute of Standards and Technology (NIST) which produces many publications on the topic of cybersecurity.
The recent news has been around the NIST 800-218 publication in 2021 and updated in February 2022, entitled “Secure Software Development Framework (SSDF): Recommendations for Mitigating the Risk of Software Vulnerabilities”.
It’s a comprehensive and relevant work as it applies to mobile software development and testing. Excusing the pun, it sets the new standard as far as past security frameworks for SDLC go. It contains numerous references to useful resources, and the OWASP MASVS resource is primarily referenced within the Produce Well-Secured Software (PW) section.
I find the NIST SSDF publication to be well thought-out and as you read through the examples for each “task”, it makes for a good checklist to walk through for your mobile software development practices (or any software development). Some tasks are easier said than done, but it provides for a great “you are here” resource for understanding your current SDLC security posture and what you need to keep an eye on moving forward.
Having no affiliation with it, I found this blog useful when reading NIST 800-218:
I Read NIST 800-218 So You Don’t Have To - Here’s What to Watch Out For, by Dan Lorenc.
When searching for other NIST cybersecurity initiatives that are currently underway, I found the following particularly interesting. They are looking into consumer labeling practices for both software and IoT devices. In a nutshell, when software or IoT devices are made available for end-use, the level of security testing performed or achieved would be clearly indicated. According to the links below, an initial summary report is to be published by May 12, 2022. This will be interesting to say the least and I’ll update this blog with relevant information.
CISA Zero Trust
There also have been recent news headlines made by the Cybersecurity & Infrastructure Agency (CISA), first established in 2018.
There are recent two works of interest:
- Zero Trust Maturity Model, introduced in September 2021, and
- Applying Zero Trust Principles to Enterprise Mobility, newly introduced in March 2022.
These works, to me at least, are more indirectly related to mobile security testing and SDLC best practices. This makes sense as Zero Trust refers to user access privileges and hence the in-production phases of SDLC.
But I would have hoped that Zero Trust would have extended to cover the design and development phases of the SDLC as more and more vulnerabilities are likely to be introduced well before software deliveries.
In the Zero Trust Maturity Model document, the topic of app security development and testing is included in the Application Workload pillar and its Application Security guidance, but that’s about it. It doesn’t use the acronyms, but it’s basically implying a shift from DevOps to DevSecOps.
Reproduced from Table 4 on page 12:
“Application Security Function:
- Traditional – Agency performs application security testing prior to deployment, primarily through static and manual testing methods.
- Advanced – Agency integrates application security testing into the application development and deployment process, including the use of dynamic testing methods.
- Optimal – Agency integrates application security testing throughout the development and deployment process, with regular automated testing of deployed applications.”
Looking through the Applying Zero Trust Principles to Enterprise Mobility document, you eventually reach “Table 1: Enterprise Mobile Security Components”. And wading through each, mobile security testing lands on its relatively small Mobile App Vetting (MAV) component.
Not bad I suppose for a CISA framework where the Zero Trust context aims at a different aspect of mobile security and different phase of mobile software development. Would have been helpful if CISA’s MAV and NIST’s SSDF were linked or cross-referenced.
I’d keep an eye on CISA “Zero Trust” publications, but looks like the NIST “SSDF” publications are currently more directly relevant to the topic of mobile security testing and mobile SDLC.
To learn more about Corellium and what we do, visit us at Corellium.com
1 OWASP trademarks and published works belong to and are under copyright by The OWASP Foundation. The OWASP works are licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. For any reuse or distribution, you must make clear to others the license terms of the works.