3 MAS - Industry Day - PM Brief.pdf

Description: Mobile Application Security (MAS) Industry Day Slides and Q&A
Original Source: Contract Opportunity
Date Originally Posted: June 23, 2016, 9:32 a.m.
Type: .pdf
Size: 1.46MB
Profiled People: None

EXTRACTED TEXT

Slide 1: Mobile Application Security (MAS) R&D
Broad Agency Announcement HSHQDC-16-R-B0006 – Industry Day
June 09, 2016
Vincent Sritapan, Program Manager, Cyber Security Division, Science and Technology Directorate

Slide 2: Mobility Today
DHS and Government-wide
• Approximately 90,000 mobile devices in use across DHS (MI-5)
• 38% of DHS employees have mobile GFE
• Approximately 300 government mobile apps built for public (Federal Government Mobile Apps Directory)
• ~200 Public Safety Apps (APCO International)
Initial security focus has been on mobile device management, but the attack vector is applications.
USA and Worldwide
• Approximately 200M mobile devices in the U.S. (Statista)
• 1.8B globally (Statista)
• 64% of all U.S. adults own and use smartphones (Pew Research)
• Approximately 4M unique mobile apps across legitimate marketplaces (iTunes, Google Play, Windows Phone Store)

Slide 3: Rise of Mobile Apps in the Enterprise – DHS Citizen Mobile Apps
• Approximately 300 government mobile apps built for public (Federal Government Mobile Apps Directory)
• Public safety community ~200 mobile apps (APCO International)
• Multiple mission-specific apps under development:
  DHS Mobile Car Wash
  CBP United Program – Emphasis on requirements and development of mobile apps
  USCIS Case Tracker & Searcher / ICE Mission Apps
  FEMA Apps (Disaster Reporter) / TSA Apps (My TSA); continue to develop mission critical apps (internal/external)
• DoD, Federal Government, and Private Sector
Mobile app security is now a primary focus area, but the market is immature.

Slide 4: Mobile Application Security (MAS) Problem: Securing Mobile Apps is Hard!
• Increased use of mobile technologies makes mobile apps the new target for cyber attacks
• Security state of apps is unknown – may be benign, malicious or potentially unsafe
• Broad and Varied Attack Surface
• Constant Change: new apps, app updates, new devices; OS updates, service provider updates; new threats, vulnerabilities, and exploits
Attack Surface: Authentication; Data in Transit & at Rest; Zero-day Exploits; 3rd Party Libraries; Dev Platform; Permission Levels
Need Security Assurance – Evaluate Security throughout Mobile App Lifecycle (Security Evaluation)

Slide 5: Mobile Application Security (MAS) Problem: Securing Mobile Apps is Hard! (continued)
Need Security Assurance – Evaluate Security throughout Mobile App Lifecycle
Timeline: July 2015, October 2015, November 2015

Slide 6: MAS Program Aligned to DHS Priorities
Validation through Gaps/Alignment
• Identified by the Joint Requirements Council (JRC) as 2015 high priority new capability
• Aligned with DHS Information Technology Strategic Plan 2015-2018
• Federal CIO Council’s Mobile Technology Tiger Team focus – App Reciprocity Reporting 2015-2016
• National Information Assurance Partnership – Mobile App Protection Profile
• Capability gaps prioritized by MI-5 and CSD Mobile Security Sub-IPT: Automate Security in Mobile App Lifecycle Management; Continuous Monitoring of Mobile Apps; Integration of Mobile Security Technologies with CDM
Continuous Assurance
• Mobile App Development Platforms: availability of security capabilities varies by vendor and app focus (enterprise or consumer)
• Mobile App Vetting: tools/services are often point solutions that require retest/vetting if the app is changed; criteria are proprietary vs. standards-based
• Continuous Monitoring for Mobile Apps: nascent in marketplace; no known R&D
Today’s incomplete/disjointed solutions leave missions exposed to mobile app attacks.

Slide 7: MAS Program Approach
“Enabling the secure use of mobile applications for the mission”
Program elements (diagram labels): SME, Advisor, & Tech Champion; Strategic Partnerships (FED CIO Council; CTIA Wireless Association; NIST/NIAP); R&D – Develop innovative secure mobile technologies; Requirements; Pilots & Transition Partners; Landscape Awareness; Lead Mobility CoP; Impact Policy; Support Procurement; Outreach

Slide 8: MAS Technical Approach (FY16 – FY20)
• Prior Work: Enable Enterprise Integration of Mobile App Vetting & Archiving. Performer: KryptoWire through LRBAA. Partners: DOJ, DHS HQ, FRG, NIST, US-CERT, CBP. Funding: HSARPA/FRG/NIST/US-CERT.
• TTA I: Continuous Validation & Threat Protection for Mobile Applications. Partners: DHS, NPPD US-CERT, NIST, NSA, DISA, Commercial Market, Academia. BEGIN: FY17; END: FY20. Transition: Pilot & Adoption. Funding: HSARPA.
• TTA II: Integrating Security throughout the Mobile Application Lifecycle. Partners: DHS HQ, CBP, TSA, ICE & FEMA + Commercial Market, Academia. Transition: Pilot & Adoption.
Drivers (numbered in the diagram):
• Fed CIO Council’s Mobile Technology Tiger Team – App Reciprocity Report
• Mobile App Development for internal/mission critical use; security evaluation needed
• Continuous Diagnostic & Mitigation covering mobile (hardware/software asset management & security)
• US-CERT requirement for correlation of mobile apps to known vulnerabilities/threat indicators
• DoD/Federal Government requirement for vetting of mobile apps met by commercial market
Timeline labels: Immediate Need (MDM 2017, MAS 2018); 2018-2019; 2020

Slide 9: Mobile App Security R&D TTA I
Looking for novel approaches to solve:
• Continuous monitoring of mobile apps and the need to continually vet mobile applications to support business and mission operations
• Safeguard against known and unknown vulnerabilities; sources include government and industry mobile threat intelligence and vulnerability databases (e.g. National Vulnerability Database, US-CERT Alerts, etc.)
• Protect against future threats (e.g. predictive security for mobile, use mobile app security to detect rogue base stations, etc.)
Additional considerations:
• Integration with existing environments (e.g. integration with enterprise mobility management solutions, continuous diagnostic and mitigation tools, security operation center activities)
• Business process to notify mobile app developers to fix security issues

Slide 10: Mobile App Security R&D TTA II – Integrating Security throughout the Mobile Application Lifecycle
Mobile App Lifecycle phases: Concept; Develop/Buy; Test; Deploy; Maintain
Lifecycle elements: Mobile OS Platform; App Type (Native, HTML); Users; Functional Requirements; App Dev Platform; Data Requirements; Authentication; Usage Environment; Iterative Testing; App Vetting; Authorization Decision; App Store Deployment; App Updates; App Security Monitoring; Threat & Vulnerability Monitoring & Remediation

Slide 11: Transition Targets
Integration with Existing Ecosystems
• Enterprise Mobility Management Solutions
• Mobile Application Development Platforms
• Mobile Application Management Solutions / Mobile App Stores
Adoption by Government/Private Sector
• Security Operations Centers / Network Operations Centers
• US-CERT / DHS Mobile CarWash
• Mobile Application Development Offices
• Department & Agency / DoD Mobility Offices

Slide 12: Project Schedule & Milestones
Year 1 through Year 4: Type I Award (Pilot Option); Type II Award (Pilot Option); Type III Award (Pilot Option)
Technical & Managerial Events:
• Kickoff – once, >60 days after award
• Go/No-Go Demo – every 6 months
• Review/PI Meetings – twice per year
• CSD PI Meeting – once per year
• Pilots – 1 or 2, based on award type and whether the pilot option is exercised

Slide 13: Program Metrics
TTA 1: Continuous Validation & Threat Protection for Mobile Applications
  Objective: Safeguard the enterprise from vulnerabilities and threats through:
  • Innovative tools and technologies that monitor commercial and federal threat intelligence sources and correlate across app stores
  • New/improved methods to provide actionable responses to developers
  Outcomes:
  • 12 months – Assessment tool for correlation against known vulnerabilities
  • 18 months – Federal pilot
  • 24 months – Full integration with commercial tools
  • 36 months – Public/private pilots
TTA 2: Integrating Security throughout the Mobile Application Lifecycle
  Objective: Enable security throughout the mobile app lifecycle through development and integration of a robust security framework that addresses multiple security profiles and use cases
  Outcomes:
  • 12 months – Security framework developed
  • 18 months – Integration with development platforms
  • 24 months – Federal pilot
  • 36 months – Commercial integration

Slide 14: Summary
R&D aims to enable the secure use of mobile applications for the mission.
This BAA intends to advance mobile app security by working with industry & the research community to:
• Develop innovative mobile app security solutions to meet the Enterprise’s needs
• Align government & industry standards and Best Practices
• Develop a robust mobile app security framework for mobile app lifecycle management – applicable to industry and government
• Identify / develop methods for identification, notification and alerting on new and emerging threats and vulnerabilities
• Converge the mobile technology landscape (e.g., integration with EMM, MAM, mobile development platforms, & mobile infrastructure services)