Mobile security flaws have been making headlines lately, first with the WhatsApp vulnerability and then with a series of iMessage vulnerabilities, so it’s no surprise the National Institute of Standards and Technology (NIST) saw the need to update its guidelines for application security vetting.
While the guidelines laid out by NIST are ideal and something to aim for, very few organizations have the resources to implement them across the board.
The issue is that application vetting and evaluation cannot be done in isolation. Additionally, it’s not always up to the security decision-maker: a business’s goals, risk tolerance and other factors outside the security function also need to be taken into consideration. Thus, the current framework is closer to an ideal set of standards than to a practical one.
Currently, NIST offers an outline of different classes of threats. What’s needed is a measurable model that generates guidelines based on requirements from specific organizations. The idea is to understand what needs to be protected, which devices have access to corporate applications, and then examine those applications within that specific context. It’s critical to stop looking at applications in isolation and instead view things more holistically.
The original NIST framework was published at a time when mobile devices were becoming increasingly incorporated into the workplace. While this version of the framework includes integrity checks and suggests re-vetting applications once they’ve been approved, it doesn’t factor in where the application will be used, and it excludes from the overall security equation the subset of devices that now have access to sensitive information.
While NIST represents the ideal for enterprises, it ultimately overlooks end-user behavior, particularly when the user’s interests aren’t aligned with those of the company. So the question becomes how to use this idealistic and theoretical framework to improve the security posture of your own organization. Achieving that balance comes down to workflow and the conversation with the developer. Generally speaking, it’s the companies that keep an open line of communication with developers that are best able to improve security and onboard applications that meet their requirements.
The key takeaway here is to get involved. Historically, time to market has been so important when it comes to application development that it’s come at the expense of security. Vetting applications after the fact won’t cut it. Know what you’re trying to deploy and undertake your own app vetting first. Since the initial NIST framework was released in February of 2014, application risk and platform security have evolved to the point where it was time for a reminder. You can’t achieve reliable mobile security without first covering the fundamentals of cybersecurity.