Automation Boosts App Security Testing

Government-industry collaboration leads to quicker scans.

Under a joint pilot program, verifying the security of mobile application software for use within the federal government no longer needs to be time-consuming or expensive. The Department of Homeland Security (DHS), working with a partnership within the NSA, automated the process to determine if apps meet the agency’s National Information Assurance Partnership (NIAP) protection profile.

Assessing whether mobile apps are compliant with the profile has traditionally been a long and costly process. By automating that process, the DHS’ Science and Technology Directorate (S&T) and NIAP offer agencies the ability to quickly, affordably and reliably determine if their apps meet stringent security requirements.

For the pilot, researchers worked with the S&T Mobile Security and Emergency Communications partners Kryptowire and Intelligent Waves. The scientists used the former firm’s vetting infrastructure to perform an automated analysis of the Android and Apple iOS versions of the latter company’s Hypori app. The results were analyzed to determine if they were consistent with a conventional evaluation. The NIAP experts also provided additional analysis.

Vincent Sritapan, mobile SEC program manager, says reducing the time needed to vet mobile apps for NIAP protection profile certifications will lower the barrier to entry. “This increased testing will raise the security posture of the government’s mobile app ecosystem and at the same time raise confidence among app end users, primarily the tax-paying public,” Sritapan explains.

The pilot testing report also demonstrated how certifications and app vetting can be designed and conducted in the future. For example, automated vetting against NIAP requirements allows for faster testing and fielding of app updates and enables apps to be accurately vetted even if analysts and evaluators do not have access to source code. The testing results show that other security automation efforts, some of which already are underway, can succeed.