5 MAS - Industry Day - NIAP Briefing.pdf


Mobile Application Security (MAS) Industry Day Slides and Q&A
Original Source: Contract Opportunity
Date Originally Posted: June 23, 2016, 9:32 a.m.
Automating Mobile Application Testing
Bob Clemons, Jeff Blank
National Information Assurance Partnership
9 June 2016

Background
• CNSS Policy #11
  – National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products
  – IA and IA-Enabled IT products for use in National Security Systems (NSS) must be certified against a NIAP-approved Protection Profile
• CNSS Policy #7
  – Policy on the Use of Commercial Solutions to Protect National Security Systems
  – Commercial Solutions for Classified (CSfC)
  – Products must comply with CNSSP #11.

Mobile Access Capability Package (MACP)
• "The Mobile Access (MA) Capability Package (CP) describes how to protect classified data in Mobile Access Solutions transiting Wired Networks, Domestic Cellular Networks, and Trusted Wireless Networks to include Government Private Cellular Networks and Government Private Wi-Fi networks."

MACP Architecture (diagram)

CSfC Mobile Applications
• IPSec VPN Clients
• VoIP Applications
• WLAN Clients
• MDM Agents
• TLS Software Applications
  – Email Clients
  – File Encryption
  – Web Browser

Requirements for CSfC Components
• Certified against NIAP-approved Protection Profiles
  – With CSfC selections
• Protection Profile Requirements
  – Single source: not scattered among competing documents
  – Technology-specific
  – Address documented threats
  – Include NIST security controls
  – Evolve with technology
  – Reflect industry best practices

Application Software PP
• Criteria against which a class of products (application software) can be evaluated.
  – Baseline security requirements for Apps used across USG
  – Achievable, Repeatable, Testable
  – Raise the security level of COTS IT products over time.
• And the test activities (assurance activities)
  – SWApp has different AAs for different operating systems.
  – Not just for mobile apps
• Developed by a technical community (industry & gov't)
• SWApp PP will become a cPP developed by an iTC.

The Problem
• App S/W PP posted 21 Oct 2014
• CSfC Components List (as of 6 May 2016):
  – Application Software
    • TLS Software Application: 2
    • Email Client: 0
    • File Encryption: 2
    • Web Browser: 0
    • Redaction: 0
• Not a stellar performance

Why So Few Evaluated Apps?
• Why do vendors have products certified?
  – Required for NSS, CSfC
  – Increased sales
  – Marketing traction
  – Improved products
• Why do vendors not have products evaluated?
  – Evaluation time & cost
    • Applications are cheap (or free)
    • But they are not cheap to evaluate
    • Rapid update cycle
    • Vendor can't see ROI. Sales can't cover evaluation cost.

How Does CSfC Listing Work?
• Vendor signs an MOA with the CSfC PMO
• That is all.

How Does Certification Work?
• Vendor contracts with a certified Test Lab
• Generates a Security Target and other documentation
• Runs the PP-specified tests
• Submits test evidence to a validator
• If all goes well, product listed on the PCL
• Evaluations targeted for < 90 days

A Potential Solution
• Help App vendors make a business case for certification
  – Improve ROI
• Reduce evaluation costs
  – Reduce time
    » Automate
• App vetting vendors are showing interest in automating SWApp PP Testing
  – Driven by Interagency App Vetting efforts

Automated Testing
• Nuts and bolts
  – Test Labs run tools & conduct any remaining non-automatable Assurance Activities
  – Tools must produce meaningful evidence for validation
    • Not just pass/fail
    • We don't want to get into the tool certification business
  – Some AAs may need to be modified to allow for automation
    • e.g. AAs that refer to documentation
  – Some AAs may not be automatable (e.g., AAs that refer to documentation)
• Limitations
  – Not all OS platforms are likely to be supported
• Tool Licensing
  – ???

Takeaways
• NIAP evaluation not required for all Apps
  – Only IA and IA-enabled Apps in NSS
• But SWApp PP is suitable for other uses
  – Standard for organizations that evaluate Apps
  – Standard for organizations that build Apps
  – Standard for App vetting tools
• Automation is necessary for cost-effective evaluation of Apps
  – Information about Apps useful for risk calculus

More Takeaways
• Government & Industry need a single source for security requirements
• Automating testing for SW Apps is essential
• Industry buy-in and collaboration are critical
• Speed and agility are key to successfully procuring and deploying current COTS products

Questions from the Past:
• Is it working?
• Are there more Apps on the list?
• Are there more tools implementing the SWApp requirements?
• How is the SWApp cPP going?
• Am I going to win the lottery?

Questions from the Present:
• ??