Categories: NationalNews

S&T, NSA Test Automated Security Vetting For Mobile Apps

WASHINGTON— Ensuring the security of mobile application (app) software for use within the federal government no longer needs to be time consuming or expensive.  Under a joint pilot program, the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) and National Information Assurance Partnership (NIAP) within the National Security Agency (NSA)  cybersecurity mission have demonstrated that the process can be automated. 

Assessing whether mobile apps are compliant to a NIAP Protection Profile (PP) has traditionally been a long and costly process. By automating that process, S&T and NIAP offer agencies the ability to quickly, affordably, and reliably determine if their apps meet NIAP’s stringent security requirements.

“Automated testing will help bring the speed of NIAP evaluations to keep pace with the rapid, agile development and release cycles of today’s modern mobile app ecosystem,” said Mary Baish, Director of NIAP.

For the pilot, researchers worked with S&T Mobile Security and Emergency Communications (Mobile SEC) partners Kryptowire and Intelligent Waves, using Kryptowire’s vetting infrastructure to perform an automated analysis of the Android and Apple iOS versions of Intelligent Waves’ Hypori® app. 

The Leidos Common Criteria Testing Laboratory then analyzed Kryptowire’s results to determine if they were consistent with a conventional evaluation. Separately, NIAP experts provided additional analysis. Evaluators determined that automated testing accurately met NIAP requirements while requiring less time, personnel, and money.

“The pilot’s success is significant in that automating these evaluations to deliver accurate and trustworthy results will lower the barrier to entry by reducing the burden needed for NIAP PP Mobile App Vetting certifications,” said Vincent Sritapan, Mobile SEC Program Manager. “This increased testing will raise the security posture of the government’s mobile app ecosystem and at the same time raise confidence among app end-users, primarily the tax-paying public.”

The pilot also produced findings that show how NIAP certifications and app vetting can be designed and conducted in the future, including the following:

  • Automated vetting against NIAP requirements allows for faster testing and fielding of app updates.
  • Apps can be assessed for basic compliance before a formal NIAP evaluation, providing risk reductions for several stakeholders including agencies, software vendors, and end-users.
  • Apps can be accurately vetted, even if analysts and evaluators do not have access to source code.
  • Apps can be vetted against updated requirements without undergoing a full NIAP recertification.
  • The results bode well for other security automation efforts, some of which already are underway.

The pilot testing report, titled Automating National Information Assurance Partnership Requirements Testing for Mobile Apps, demonstrates that automated testing tools and methodologies are reliable and efficient.

Share
Published by
Staff

Recent Posts

San Marcos City Council reviews Sidewalk Maintenance and Gap Infill Program

The San Marcos City Council received a presentation on the Sidewalk Maintenance and Gap Infill…

2 years ago

San Marcos River Rollers skate on and rebuild

The San Marcos River Rollers have skated through obstacles after taking a two-year break during…

2 years ago

After 8 Years, San Marcos Corridor News Bids Our Readers Farewell

San Marcos Corridor News has been reporting on the incredible communities in the Hays County…

2 years ago

High bacteria levels at Jacobs Well halts swimming season

Visitors won't be able to swim in the crystal clear waters of the Jacobs Well Natural…

2 years ago

Pets of the Week: Meet Sally & Nutella!

Looking to adopt or foster animals from the local shelter? Here are the San Marcos…

2 years ago

Texas still leads in workplace deaths among Hispanics

The Lone Star State leads the nation in labor-related accidents and especially workplace deaths and…

2 years ago

This website uses cookies.