Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The To "Win" at application security, stay off the High/Medium/Low Treadmill. It is natural for security teams to tackle High Severity issues first, and then migrate to Medium and Low, as necessary; however, be careful as this might be a trap, as it could appear you are very busy, but you might not be going anywhere. Conversely, take a data driven approach, where the top priority issues are addressed first, such as the issues that expose the most data (P1), or issues that have the biggest compliance impact (Regulatory Compliance), or issues might cause the app to be unavailable to download (App Store Blockers).  When working with developers, speak of the Secure Code first. Address the Secure Code is often a quicker way to get things fixed, rather than to dwell on the severity, likelihood, or even the risk of an issue, as the latter can be quite subjective where the ability to take the Secure Code and to implement it is often tactical.   The following steps will help you "Win" at Mobile App Security. 

Step-by-step

...

Guide

...

hiddentrue

...

  1. Reduce the number of P1 issues to Zero

    1. P1 issues allow remote attacks to export data. As a golden rule, we do not want to have any P1 issues on public apps, as it directly impacts the safety of end-user data.

  2. Reduce the number of App Store/Google Play Blockers to Zero

    1. Both

      Apple and Google

      have a small list of security criteria that they require of each app on

      both require all apps in the App Store or Google Play to comply with a specific set of security requirements. While the

      exception

      requirement list may not be enforced

      very often

      consistently, both

      companies

      organizations do clearly state that any app’s

      updates

      update can be blocked if any of the

      app store’s

      security criteria is not met

      ; therefore,

      . In order to ensure your app is not at the mercy of Apple and Google, ensure all app store blockers is reduced to zero.

  3. Open Source Software/SDK Issues (OSS/SDK)

    1. Any open source library and/or 3rd party SDK has total control over your apps data, including the TLS sessions connecting the app to server side APIs. While there is a sandbox between each app in an iOS or Android device, there is no sandbox between your app and 3rd party libraries or SDKs. For this reason we recommend each OSS/SDK is carefully reviewed by the security team. If the OSS/SDK has a security or privacy issue that does not comply with your policies, it should be removed or updated asap.

  4. Regulatory Compliance Issues

    1.  Compliance and standards can often have a

      worst

      bigger impact to your

      apps

      app than Security P1 or Blocker issues; thus, we recommend to review each compliance policy that your organization must adhere to and

      close

      fix that items as soon as possible. 

  5. App Protection

    1. App Protection allows security and risk management teams to apply proactive security measures directly into mobile apps; thus, reducing the overall attack surface of the product. Protecting your apps using well known and respected security measures will not only give it a long term advantage over current & future security vulnerabilities, but will show end-users the organization’s long-term commitment to mobile application security.

    2. To show your customers your commitment to security, ensure your app shows up on the App Protection Leaderboard

      1. Login → select app → App Protection (scroll to the bottom of screen to see leaderboard) 

...

Filter by label (Content by label)
showLabelsfalse
max5
spacescom.atlassian.confluence.content.render.xhtml.model.resource.identifiers.SpaceResourceIdentifier@135a7
showSpacefalse
sortmodified
reversetrue
typepage
cqllabel = "kb-how-to-article" and type = "page" and space = "PKB"
labelskb-how-to-article