Mobile Application Security (MAS) Industry Day Slides and Q&A
Source file: 3 MAS - Industry Day - PM Brief.pdf
Date Originally Posted: June 23, 2016, 9:32 a.m.
Mobile Application Security (MAS) R&D
Broad Agency Announcement HSHQDC-16-R-B0006 – Industry Day
June 09, 2016
Vincent Sritapan, Program Manager, Cyber Security Division, Science and Technology Directorate

Mobility Today

DHS and Government-wide:
• Approximately 90,000 mobile devices in use across DHS (MI-5)
• 38% of DHS employees have mobile GFE
• Approximately 300 government mobile apps built for the public (Federal Government Mobile Apps Directory)
• ~200 public safety apps (APCO International)
• Initial security focus has been on mobile device management, but the attack vector is applications

USA and Worldwide:
• Approximately 200M mobile devices in the U.S. (Statista); 1.8B globally (Statista)
• 64% of all U.S. adults own and use smartphones (Pew Research)
• Approximately 4M unique mobile apps across legitimate marketplaces (iTunes, Google Play, Windows Phone Store)

Rise of Mobile Apps in the Enterprise

DHS Citizen Mobile Apps:
• Approximately 300 government mobile apps built for the public (Federal Government Mobile Apps Directory)
• Public safety community: ~200 mobile apps (APCO International)

Multiple mission-specific apps under development:
• DHS Mobile Car Wash
• CBP United Program – emphasis on requirements and development of mobile apps
• USCIS Case Tracker & Searcher / ICE Mission Apps
• FEMA Apps (Disaster Reporter) / TSA Apps (My TSA); continue to develop mission critical apps (internal/external)

DoD, Federal Government, and Private Sector:
• Mobile app security is now a primary focus area, but the market is immature

Mobile Application Security (MAS) Problem: Securing Mobile Apps is Hard!

• Increased use of mobile technologies makes mobile apps the new target for cyber attacks
• Security state of apps is unknown – may be benign, malicious or potentially unsafe
• Broad and varied attack surface: authentication, data in transit & at rest, zero-day exploits, 3rd party libraries, dev platform, permission levels
• Constant change: new apps, app updates, new devices, OS updates, service provider updates; new threats, vulnerabilities, and exploits
• Need Security Assurance – evaluate security throughout the mobile app lifecycle (security evaluation)

MAS Program Aligned to DHS Priorities

Validation through Gaps/Alignment (timeline: July 2015, October 2015, November 2015):
• Identified by the Joint Requirements Council (JRC) as a 2015 high priority new capability
• Aligned with DHS Information Technology Strategic Plan 2015-2018
• Federal CIO Council's Mobile Technology Tiger Team focus – App Reciprocity Reporting 2015-2016
• National Information Assurance Partnership – Mobile App Protection Profile
• Capability gaps prioritized by MI-5 and CSD Mobile Security Sub-IPT:
  – Automate security in mobile app lifecycle management
  – Continuous monitoring of mobile apps
  – Integration of mobile security technologies with CDM

Continuous Assurance – Today's incomplete/disjointed solutions leave missions exposed to mobile app attacks

• Mobile App Development Platforms: availability of security capabilities varies by vendor and app focus (enterprise or consumer)
• Mobile App Vetting: tools/services are often point solutions that require retest/vetting if the app is changed; criteria are proprietary rather than standards-based
• Continuous Monitoring for Mobile Apps: nascent in the marketplace; no known R&D

MAS Program Approach

"Enabling the secure use of mobile applications for the mission"
• SME, Advisor, & Tech Champion: landscape awareness; lead Mobility CoP; impact policy; support procurement; outreach
• Strategic Partnerships: Fed CIO Council; CTIA Wireless Association; NIST/NIAP (requirements); pilots & transition partners
• R&D: develop innovative secure mobile technologies

MAS Technical Approach (roadmap figure, FY16–FY20)

• Prior Work: Enable Enterprise Integration of Mobile App Vetting & Archiving. Performer: KryptoWire through LRBAA. Partners: DOJ, DHS HQ, FRG, NIST, US-CERT, CBP (HSARPA/FRG/NIST/US-CERT). Transition: pilot & adoption
• TTA I: Continuous Validation & Threat Protection for Mobile Applications. Partners: DHS, NPPD US-CERT, NIST, NSA, DISA, commercial market, academia (HSARPA). Begin: FY17; end: FY20. Transition: pilot & adoption
• TTA II: Integrating Security throughout the Mobile Application Lifecycle. Partners: DHS HQ, CBP, TSA, ICE & FEMA + commercial market, academia
• Drivers shown on the figure (immediate needs): Fed CIO Council's Mobile Technology Tiger Team – App Reciprocity Report; mobile app development for internal/mission critical use, security evaluation needed; Continuous Diagnostic & Mitigation covering mobile (hardware/software asset management & security); US-CERT requirement for correlation of mobile apps to known vulnerabilities/threat indicators; DoD/Federal Government requirement for vetting of mobile apps met by the commercial market
• Figure timeline labels: MDM 2017, MAS 2018, 2018-2019, 2020

Mobile App Security R&D TTA I: Continuous Validation & Threat Protection for Mobile Applications

Looking for novel approaches to solve:
• Continuous monitoring of mobile apps and the need to continually vet mobile applications to support business and mission operations
• Safeguard against known and unknown vulnerabilities; sources include government and industry mobile threat intelligence and vulnerability databases (e.g. National Vulnerability Database, US-CERT Alerts, etc.)
• Protect against future threats (e.g. predictive security for mobile, use mobile app security to detect rogue base stations, etc.)

Additional considerations:
• Integration with existing environments (e.g. integration with enterprise mobility management solutions, continuous diagnostic and mitigation tools, security operation center activities)
• Business process to notify mobile app developers to fix security issues

Mobile App Security R&D TTA II: Integrating Security throughout the Mobile Application Lifecycle

Mobile app lifecycle phases: Concept, Develop/Buy, Test, Deploy, Maintain
Lifecycle activities, in order: Mobile OS Platform – App Type (Native, HTML) – Users – Functional Requirements – App Dev Platform – Data Requirements – Authentication – Usage Environment – Iterative Testing – App Vetting – Authorization Decision – App Store Deployment – App Updates – App Security Monitoring – Threat & Vulnerability Monitoring & Remediation

Transition Targets

Integration with Existing Ecosystems:
• Enterprise Mobility Management Solutions
• Mobile Application Development Platforms
• Mobile Application Management Solutions / Mobile App Stores

Adoption by Government/Private Sector:
• Security Operations Centers / Network Operations Centers
• US-CERT / DHS Mobile CarWash
• Mobile Application Development Offices
• Department & Agency / DoD Mobility Offices

Project Schedule & Milestones

Schedule (Year 1 through Year 4): Type I Award, Type II Award and Type III Award, each with a Pilot Option

Technical & Managerial Events:
• Kickoff – once, >60 days after award
• Go/No-Go Demo – every 6 months
• Review/PI Meetings – twice per year
• CSD PI Meeting – once per year
• Pilots – 1 or 2, based on award type and whether the pilot option is exercised

Program Metrics

TTA 1: Continuous Validation & Threat Protection for Mobile Applications
  Objective: safeguard the enterprise from vulnerabilities and threats through:
  • Innovative tools and technologies that monitor commercial and federal threat intelligence sources and correlate across app stores
  • New/improved methods to provide actionable responses to developers
  Outcomes:
  • 12 months – Assessment tool for correlation against known vulnerabilities
  • 18 months – Federal pilot
  • 24 months – Full integration with commercial tools
  • 36 months – Public/private pilots

TTA 2: Integrating Security throughout the Mobile Application Lifecycle
  Objective: enable security throughout the mobile app lifecycle through development and integration of a robust security framework that addresses multiple security profiles and use cases
  Outcomes:
  • 12 months – Security framework developed
  • 18 months – Integration with development platforms
  • 24 months – Federal pilot
  • 36 months – Commercial integration

Summary

R&D aims to enable the secure use of mobile applications for the mission. This BAA intends to advance mobile app security by working with industry & the research community to:
• Develop innovative mobile app security solutions to meet the Enterprise's needs
• Align government & industry standards and best practices
• Develop a robust mobile app security framework for mobile app lifecycle management – applicable to industry and government
• Identify / develop methods for identification, notification and alerting on new and emerging threats and vulnerabilities
• Converge the mobile technology landscape (e.g., integration with EMM, MAM, mobile development platforms, & mobile infrastructure services)
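The TTA I objective above asks for tooling that correlates fielded mobile apps against known-vulnerability feeds across app stores and turns matches into actionable developer notices. The sketch below is an added illustration of that correlation step, not code from the DHS S&T MAS program or any BAA performer; it assumes each app is described by the third-party libraries it bundles, uses a constructed NVD-style feed with placeholder advisory identifiers, and treats version ranges as "affected from (inclusive) up to fixed-in (exclusive)".

```python
"""Correlate a mobile-app library inventory against a vulnerability feed.

Added example; all advisory ids, library names and app ids are constructed
placeholders, not real CVEs or real DHS apps.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> tuple:
    """'2.4.1' -> (2, 4, 1); non-numeric components compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


@dataclass
class Advisory:
    advisory_id: str            # placeholder id, e.g. "ADV-0001"
    library: str                # affected third-party library
    affected_from: str          # inclusive lower bound of affected versions
    fixed_in: Optional[str]     # exclusive upper bound; None = no fix yet
    severity: str


@dataclass
class App:
    app_id: str
    store: str                  # the same app may ship in several stores
    libraries: Dict[str, str] = field(default_factory=dict)  # name -> version


def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    if v < parse_version(adv.affected_from):
        return False
    return adv.fixed_in is None or v < parse_version(adv.fixed_in)


def correlate(apps: List[App], feed: List[Advisory]) -> Dict[str, List[Tuple[str, str, str, str]]]:
    """Map 'app_id (store)' -> [(advisory_id, library, version, remediation)]."""
    findings: Dict[str, List[Tuple[str, str, str, str]]] = {}
    for app in apps:
        for adv in feed:
            ver = app.libraries.get(adv.library)
            if ver is not None and is_affected(ver, adv):
                fix = f"upgrade {adv.library} to {adv.fixed_in}" if adv.fixed_in else "no fix available; monitor"
                findings.setdefault(f"{app.app_id} ({app.store})", []).append((adv.advisory_id, adv.library, ver, fix))
    return findings


def developer_notices(findings) -> List[str]:
    """One actionable line per finding, for the developer notification process."""
    return [f"{app}: {adv} in {lib} {ver} -> {fix}"
            for app, items in findings.items() for adv, lib, ver, fix in items]


# Constructed sample feed and inventory (placeholders, not real data)
FEED = [Advisory("ADV-0001", "netlib", "2.0.0", "2.4.1", "HIGH"),
        Advisory("ADV-0002", "cryptolib", "1.0.0", None, "CRITICAL")]
APPS = [App("gov.example.reporter", "Google Play", {"netlib": "2.3.0", "cryptolib": "0.9.5"}),
        App("gov.example.reporter", "App Store", {"netlib": "2.4.1"}),
        App("gov.example.tracker", "Google Play", {"cryptolib": "1.2.0"})]

if __name__ == "__main__":
    for line in developer_notices(correlate(APPS, FEED)):
        print(line)
```

The same app on two stores is correlated separately, so a fixed build in one store does not mask a vulnerable build still published in another.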