Regulatory requirements are a key driver in adopting mobile app security tools and practices. However, many of these regulations aren’t specific to mobile apps and use vague language, leaving their application open to interpretation. This lack of actionable guidance makes it hard for developers to turn these regulations into clear requirements and concrete security tests.
We dove into this topic in our webinar, The Rise of Mobile Application Security Standards: Driving Adoption Through Automation. Ryan Lloyd, Guardsquare’s Chief Product Officer, shared industry trends and critical emerging resources that can help developers achieve their security goals.
The need for security guidance was driven home by the results of a live poll, in which only 2% of attendees said they have the necessary security expertise within their team.
Check out Guardsquare’s tips for leveraging industry standards and the power of automation to drive mobile app security strategy.
Mobile app security standards are developed and maintained by industry experts, and they’re a valuable resource for developers wanting to improve the security posture of their mobile application. Not to be confused with industry regulations, which are backed by governing bodies, these standards focus on how to build a security strategy and develop security expertise within existing teams.
OWASP is a global coalition of security experts who pool their expertise to create open source security standards and resources. They’ve published many useful resources, but we’ll start with the Mobile Application Security Verification Standard (MASVS). The MASVS offers practical, detailed guidance for secure mobile app design and helps developers determine what they need to verify about their app’s security posture.
MASVS establishes three security levels that correspond to the level of protection that a mobile app may need. Upcoming improvements to the MASVS will introduce a more tailored approach, with profiles for different security contexts. Developers should use data from threat modeling exercises, threat monitoring (from apps already in use), and relevant regulations to determine which MASVS level or profile applies to their mobile app.
The MASVS levels are MASVS-L1 (Standard Security), MASVS-L2 (Defense-in-Depth) and MASVS-R (Resiliency Against Reverse Engineering and Tampering), where MASVS-R can be combined with either L1 or L2 for apps that need protection against client-side attacks.
Another of OWASP’s vital resources is the Mobile Application Security Testing Guide (MASTG), a comprehensive manual for mobile app security testing. It’s a companion resource that describes the technical processes for verifying the controls listed in the OWASP MASVS.
Essentially, it translates MASVS into practical, concrete test cases. In other words, MASVS is the what, and MASTG is the how.
The App Defense Alliance (ADA), backed by Google, is an organization striving to improve the integrity of the Google Play store. It recently launched the Mobile Application Security Assessment (MASA), which is built on the OWASP MASVS and MASTG.
MASA is a program that lets Android developers partner with authorized third-party testing providers. Developers submit their mobile app to one of these Google Authorized Lab partners for testing, and once the security of the application has been validated, they can display a badge in the Google Play store.
MASA is helpful, but it isn’t practical to submit your app for an external assessment after every build. These manual assessments are time consuming and expensive, which makes them impractical to repeat every few weeks.
Development teams are often understaffed and overcommitted. With so much on their plates, they don’t need another manual, clunky task on top of their current workload. This is where automated security testing comes in handy: an automated testing tool slots security testing into the existing build pipeline and makes it a consistent, repeatable, and scalable process.
A significant amount of time, resources, and expertise has been invested into security standards like OWASP’s MASVS and MASTG and ADA’s MASA. They provide actionable guidance based on real-world use cases and common vulnerabilities, a vital tool for developers working to meet complex regulatory requirements.
By leveraging both the free industry standards and a powerful mobile app security testing tool, developers will be better equipped to protect their app, their customers, and their brand from malicious actors.
OWASP MASVS and MASTG requirements are baked into Guardsquare’s mobile app security testing solution, AppSweep. Schedule a demo to see how automated security testing can benefit your mobile application.