DOCUMENT: MAS - Industry Day - PM Brief.pdf
Description: Mobile Application Security (MAS) Industry Day Slides and Q&A
Posted: June 23, 2016
Type: .pdf (1.46MB)
EXTRACTED TEXT
Mobile Application Security
(MAS) R&D
Broad Agency Announcement HSHQDC-16-R-B0006 Industry Day June 09, 2016
Vincent Sritapan
Program Manager
Cyber Security Division
Science and Technology Directorate
Mobility Today
USA and Worldwide:
- Approximately 200M mobile devices in the U.S.; 1.8B globally (Statista)
- 64% of all U.S. adults own and use smartphones (Pew Research)
- Approximately 4M unique mobile apps across legitimate marketplaces (iTunes, Google Play, Windows Phone Store)
DHS and Government-wide:
- Approximately 90,000 mobile devices in use across DHS (MI-5)
- 38% of DHS employees have mobile GFE
- Approximately 300 government mobile apps built for the public (Federal Government Mobile Apps Directory)
- ~200 public safety apps (APCO International)
Initial security focus has been on mobile device management, but the attack vector is applications.
Rise of Mobile Apps in the Enterprise
- Approximately 300 government mobile apps built for the public (Federal Government Mobile Apps Directory)
- Public safety community: ~200 mobile apps (APCO International)
- Multiple mission-specific apps under development: DHS Mobile Car Wash; CBP United Program (emphasis on requirements and development of mobile apps); USCIS Case Tracker & Searcher; ICE mission apps; FEMA apps (Disaster Reporter); TSA apps (My TSA); continued development of mission-critical apps (internal/external)
- DoD, Federal Government, and private sector; DHS citizen mobile apps
Mobile app security is now a primary focus area, but the market is immature.
Mobile Application Security (MAS)
Problem: Securing Mobile Apps is Hard!
- Increased use of mobile technologies makes mobile apps the new target for cyber attacks
- Security state of apps is unknown: may be benign, malicious, or potentially unsafe
- Broad and varied attack surface
- Constant change: new apps, app updates, new devices, OS updates, service provider updates; new threats, vulnerabilities, and exploits
- Need security assurance: evaluate security throughout the mobile app lifecycle
[Figure: attack-surface diagram around "Security Evaluation" with labels Zero-day Exploits, 3rd Party Libraries, Data in Transit & at Rest, Dev Platform, Authentication, Attack Surface, Permission Levels]
[Slide repeats the problem statement above with a timeline (July 2015, October 2015, November 2015) labelled "Validation through Gaps/Alignment"]
Today's incomplete/disjointed solutions leave missions exposed to mobile app attacks.
MAS Program Aligned to DHS Priorities
Capability gaps:
- Continuous assurance for mobile app development platforms: availability of security capabilities varies by vendor and app focus (enterprise or consumer)
- Mobile app vetting: tools/services are often point solutions that require retest/vetting if the app is changed; criteria are proprietary rather than standards-based
- Continuous monitoring for mobile apps: nascent in the marketplace; no known
Alignment:
- Identified by the Joint Requirements Council (JRC) as a 2015 high-priority new capability
- Aligned with the DHS Information Technology Strategic Plan 2015-2018
- Federal CIO Council's Mobile Technology Tiger Team focus: App Reciprocity Reporting 2015-2016
- National Information Assurance Partnership (NIAP) Mobile App Protection Profile
- Capability gaps prioritized by MI-5 and the CSD Mobile Security Sub-IPT: automate security in mobile app lifecycle management; continuous monitoring of mobile apps; integration of mobile security technologies with CDM
MAS Program Approach
Enabling the secure use of mobile applications for the mission
Three pillars: develop innovative secure mobile technologies; act as SME, advisor, and tech champion; build strategic partnerships
Activities: landscape awareness; lead Mobility CoP; impact policy; support procurement; outreach (Fed CIO Council, CTIA Wireless Association); requirements (NIST/NIAP); pilots and transition partners
MAS Technical Approach
Prior Work: Enable Enterprise Integration of Mobile App Vetting & Archiving
- Performer: KryptoWire through LRBAA
- Partners: DOJ, DHS HQ, FRG, NIST, US-CERT, CBP
TTA I: Continuous Validation & Threat Protection for Mobile Applications
- Partners: DHS, NPPD US-CERT, NIST, NSA, DISA, commercial market, academia
- Transition: pilot and adoption
TTA II: Integrating Security throughout the Mobile Application Lifecycle
- Partners: DHS HQ, CBP, TSA, ICE & FEMA + commercial market, academia
- Transition: pilot and adoption
Program timeline: BEGIN FY17, END FY20
Drivers shown on the timeline:
- Immediate need: Fed CIO Council's Mobile Technology Tiger Team App Reciprocity Report
- Immediate need: mobile app development for internal/mission-critical use; security evaluation needed
- MDM 2017, MAS 2018: Continuous Diagnostics & Mitigation covering mobile (hardware/software asset management & security)
- 2018-2019: US-CERT requirement for correlation of mobile apps to known vulnerabilities/threat indicators; DoD/Federal Government requirement for vetting of mobile apps met by the commercial market
Mobile App Security R&D TTA I
Continuous Validation & Threat Protection for Mobile Applications
Looking for novel approaches to solve:
- Continuous monitoring of mobile apps and the need for continual vetting of mobile applications to support business and mission operations
- Safeguarding against known and unknown vulnerabilities; sources include government and industry mobile threat intelligence and vulnerability databases (e.g. National Vulnerability Database, US-CERT Alerts, etc.)
- Protecting against future threats (e.g. predictive security for mobile, using mobile app security to detect rogue base stations, etc.)
Additional considerations:
- Integration with existing environments (e.g. enterprise mobility management solutions, continuous diagnostics and mitigation tools, security operations center activities)
- Business process to notify mobile app developers to fix security issues
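The correlation and developer-notification logic that TTA I asks for (and the "12 months: assessment tool for correlation against known vulnerabilities" milestone), as an added example that is not from the brief, from KryptoWire, or from any other performer's tool. It assumes a simplified NVD-style feed (library name plus introduced/fixed version range and severity) and an app inventory whose entries list the third-party libraries bundled in each package; every identifier, library name, version, and package hash is a constructed placeholder. It also covers the gap noted on the priorities slide, that vetting must be redone when the app changes: a package digest that differs from the last vetted build yields a RE-VET decision instead of carrying the old approval forward.

```python
"""Added example (not from the DHS S&T MAS brief or any performer's tool):
correlate an enterprise mobile app inventory against a simplified NVD-style
vulnerability feed and derive an app authorization decision from the result.
Every identifier, library name, version, and hash below is a constructed placeholder."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.3.10' -> (2, 3, 10): compare numerically so 2.10 is not "less than" 2.9."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Vuln:
    vuln_id: str      # placeholder id, not a real vulnerability identifier
    product: str      # library/SDK name as recorded in the app inventory
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive); "" means no fix published yet
    severity: str

    def affects(self, version: str) -> bool:
        """True if version is in [introduced, fixed), or >= introduced when unfixed."""
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return not self.fixed or v < parse_version(self.fixed)


@dataclass
class App:
    name: str
    version: str
    package_sha256: str
    libraries: Dict[str, str]   # bundled third-party library -> version


# Constructed feed entries (ids are placeholders, not real vulnerability identifiers).
FEED: List[Vuln] = [
    Vuln("VULN-0001", "example-http-client", "2.0.0", "2.3.1", "HIGH"),
    Vuln("VULN-0002", "example-crypto-sdk", "1.0.0", "", "CRITICAL"),
    Vuln("VULN-0003", "example-analytics", "4.0.0", "4.2.0", "MEDIUM"),
]

# Constructed app inventory; hashes are placeholders standing in for package digests.
INVENTORY: List[App] = [
    App("MissionReporter", "3.1.0", "a1" * 32,
        {"example-http-client": "2.2.5", "example-analytics": "4.3.0"}),
    App("CaseTracker", "1.4.2", "b2" * 32, {"example-analytics": "4.1.0"}),
    App("FieldNotes", "0.9.0", "c3" * 32, {"example-http-client": "2.3.1"}),
    App("Dispatch", "2.0.0", "d4" * 32, {"example-crypto-sdk": "1.2.0"}),
]

# Package digest recorded at the last vetting; FieldNotes has shipped a new build since.
LAST_VETTED: Dict[str, str] = {"MissionReporter": "a1" * 32, "CaseTracker": "b2" * 32,
                               "FieldNotes": "ff" * 32, "Dispatch": "d4" * 32}


def correlate(app: App, feed: List[Vuln]) -> List[Vuln]:
    """Every feed entry whose affected range covers a library version this app bundles."""
    return [v for v in feed
            if v.product in app.libraries and v.affects(app.libraries[v.product])]


def vetting_decision(app: App, feed: List[Vuln], last_vetted: Dict[str, str]) -> dict:
    """DENY on any CRITICAL/HIGH finding; RE-VET if the build changed since the last
    vetting (prior approval no longer applies); otherwise APPROVE, reporting lower-severity
    findings to the developer without blocking."""
    hits = correlate(app, feed)
    changed = last_vetted.get(app.name) != app.package_sha256
    if any(h.severity in ("CRITICAL", "HIGH") for h in hits):
        decision = "DENY"
    elif changed:
        decision = "RE-VET"
    else:
        decision = "APPROVE"
    return {"app": app.name, "version": app.version, "decision": decision,
            "changed_since_vetting": changed,
            "findings": [(h.vuln_id, h.product, app.libraries[h.product], h.severity) for h in hits]}


def developer_notice(result: dict, feed: List[Vuln]) -> str:
    """Actionable text for the app owner: which bundled library is affected and what to do."""
    fixed_in = {v.vuln_id: v.fixed for v in feed}
    header = f"{result['app']} {result['version']}: {result['decision']}"
    if result["changed_since_vetting"]:
        header += " (build changed since last vetting)"
    lines = [header]
    for vuln_id, product, version, severity in result["findings"]:
        fix = fixed_in[vuln_id]
        action = f"upgrade to {fix} or later" if fix else "no fixed version published; remove or replace the library"
        lines.append(f"  {vuln_id} [{severity}] {product} {version}: {action}")
    return "\n".join(lines)


def run_inventory(inventory: List[App] = INVENTORY, feed: List[Vuln] = FEED,
                  last_vetted: Dict[str, str] = LAST_VETTED) -> Dict[str, dict]:
    """Correlate the whole inventory; results keyed by app name."""
    return {app.name: vetting_decision(app, feed, last_vetted) for app in inventory}


if __name__ == "__main__":
    for result in run_inventory().values():
        print(developer_notice(result, FEED))
```

Re-running this whenever the feed or the inventory changes is the "continuous" part: a new feed entry can flip an already-approved build to DENY without any change on the device, which is why the decision is recomputed rather than stored.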
Mobile App Security R&D TTA II
Integrating Security throughout the Mobile Application Lifecycle
[Figure: mobile lifecycle diagram with phases Concept, Develop/Deploy, and Maintain. Labels on the diagram: Mobile OS Platform; App Type (Native, HTML); Users; Functional Requirements; Data Requirements; Authentication; Usage Environment; App Dev Platform; Iterative Testing; App Vetting; Authorization Decision; App Store Deployment; App Updates; App Security Monitoring; Threat & Vulnerability Monitoring & Remediation]
Transition Targets
Integration with existing ecosystems: enterprise mobility management solutions; mobile application development platforms; mobile application management solutions / mobile app stores
Adoption by government/private sector: security operations centers / network operations centers; US-CERT / DHS Mobile Car Wash; mobile application development offices; department & agency / DoD mobility offices
Project Schedule & Milestones
[Gantt chart over Year 1 to Year 4: Type I, Type II, and Type III awards, each followed by a pilot option]
Technical & Managerial Events:
- Kickoff: once, >60 days after award
- Go/No-Go demo: every 6 months
- Review/PI meetings: twice per year
- CSD PI meeting: once per year
- Pilots: 1 or 2, based on award type and whether the pilot option is exercised
Program Metrics
Technical Topic: TTA 1: Continuous Validation & Threat Protection for Mobile Applications
  Objective: Safeguard the enterprise from vulnerabilities and threats through innovative tools and technologies that monitor commercial and federal threat intelligence sources and correlate across app stores, and new/improved methods to provide actionable responses to developers
  Outcomes:
    12 months: assessment tool for correlation against known vulnerabilities
    18 months: federal pilot
    24 months: full integration with commercial tools
    36 months: public/private pilots
Technical Topic: TTA 2: Integrating Security throughout the Mobile Application Lifecycle
  Objective: Enable security throughout the mobile app lifecycle through development and integration of a robust security framework that addresses multiple security profiles and use cases
  Outcomes:
    12 months: security framework developed
    18 months: integration with development platforms
    24 months: federal pilot
    36 months: commercial integration
Summary
R&D aims to enable the secure use of mobile applications for the mission.
This BAA intends to advance mobile app security by working with industry and the research community to:
- Develop innovative mobile app security solutions to meet the enterprise's needs
- Align government and industry standards and best practices
- Develop a robust mobile app security framework for mobile app lifecycle management applicable to industry and government
- Identify/develop methods for identification, notification, and alerting on new and emerging threats and vulnerabilities
- Converge the mobile technology landscape (e.g., integration with EMM, MAM, mobile development platforms, and mobile infrastructure services)