Government organizations and businesses are developing modern mobile apps to engage their audience and to meet objectives that range from increasing customer and employee loyalty to sales and revenue generation. They do, however, have to verify that those mobile apps comply with their organization's security requirements.
When it comes to app vetting, the job is to help users limit the attack surface while remaining functional. Anything can be locked down to make it "the most" secure, but is it still useful? Cybersecurity professionals work for their customers and decide which limitations to place on users in order to balance risk against usability.
In the app vetting process, the decision of whether an app should be allowed starts well before the app itself is vetted. System limitations and technical or regulatory requirements commonly make that determination.
In an enterprise system, a clearly defined app approval process cuts down on the time spent approving each user app request. Such requests can become overwhelming very quickly.
Human behavior can also help determine which apps are purchased and/or provided. If the resources are available at the outset, it is optimal to design a comprehensive app catalog that meets the needs of the organization. This means the different parts of the organization are included in the process, which helps limit the number of requests for apps outside the existing catalog.
As an app is being vetted, keep in mind how it affects profile and policy management. The fewer profiles and policies that need to be managed, the easier it is to secure the system.
I think of it as a flow chart with different buckets at the bottom. As you move down the flow chart, it will determine which bucket the app falls in. These buckets represent what profile and policies a user gets. If we can limit the number of buckets, then we can limit the number of profiles and policies we need to put in place.
As we know, the needs of organizations change and new/better technologies are integrated all the time.
To help vet these new apps, it is important to know how much control the organization will have over the app itself and the data it can access. The following questions can help do this:
– What functions can be turned on and off?
– What type of device is it going on? e.g. corporate-owned or BYOD
– Who made the app?
– What monitoring or tools come with the app?
Another large consideration is whether an app already available to users provides the same function. Many app suites ship apps that solve the same business problems. Limiting overlap in app function and completing regular audits of usage can help determine whether apps are still needed.
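The flow chart with buckets described above, combined with the four vetting questions and the overlap check, can be written down as a small rule chain. The following Python is an added example and not code from the original post or from any vendor or NIST tool; the bucket names, the approved-vendor list, the "sensitive function" set and the sample catalog are all constructed assumptions that a real deployment would replace with its own policy data.

```python
"""Toy app-vetting decision flow (constructed example, not a NIST or vendor tool).

Each request walks a short rule chain; the first rule that fires decides which
profile/policy 'bucket' the app lands in. Fewer buckets means fewer MDM
profiles and policies to maintain.
"""
from dataclasses import dataclass
from enum import Enum


class Bucket(Enum):
    REJECT = "reject"                  # not allowed on any managed device
    CORPORATE_ONLY = "corporate_only"  # allowed only on corporate-owned devices
    STANDARD = "standard"              # allowed on corporate-owned and BYOD devices


@dataclass(frozen=True)
class AppRequest:
    name: str
    vendor: str
    functions: frozenset   # business functions the app provides
    toggleable: frozenset  # functions that can be switched off by configuration/MDM
    device_type: str       # "corporate" or "byod" (the device the request is for)
    has_monitoring: bool   # vendor ships logging/admin tooling with the app


# Hypothetical organisational inputs; a real deployment reads these from its
# approved-vendor list and its policy documents.
APPROVED_VENDORS = {"ExampleCorp", "Contoso"}
# Functions an organisation may not want reachable from personally owned devices.
SENSITIVE_FUNCTIONS = {"file_sync", "contact_export"}

# Constructed sample catalog: one suite app already covering documents and file sync.
CATALOG = [
    AppRequest("SuiteDocs", "ExampleCorp", frozenset({"documents", "file_sync"}),
               frozenset({"file_sync"}), "corporate", True),
]


def catalog_overlap(app, catalog):
    """Return names of catalog apps that already cover every function the new app provides."""
    return [c.name for c in catalog if app.functions <= c.functions]


def vet(app, catalog=CATALOG):
    """Walk the decision flow and return (bucket, list of reasons)."""
    reasons = []
    # 1. Who made the app? Unknown vendor: stop here.
    if app.vendor not in APPROVED_VENDORS:
        reasons.append(f"vendor {app.vendor!r} is not on the approved list")
        return Bucket.REJECT, reasons
    # 2. Is the function already covered by an app in the catalog?
    dupes = catalog_overlap(app, catalog)
    if dupes:
        reasons.append("function already covered by: " + ", ".join(dupes))
        return Bucket.REJECT, reasons
    # 3. What functions can be turned off? Sensitive functions that cannot be
    #    disabled confine the app to corporate-owned devices.
    locked = (app.functions & SENSITIVE_FUNCTIONS) - app.toggleable
    if locked:
        reasons.append("sensitive functions cannot be disabled: " + ", ".join(sorted(locked)))
        return Bucket.CORPORATE_ONLY, reasons
    # 4. What monitoring comes with the app? Without it, keep the app off BYOD.
    if not app.has_monitoring:
        reasons.append("no monitoring/admin tooling shipped with the app")
        return Bucket.CORPORATE_ONLY, reasons
    reasons.append("passed all checks")
    return Bucket.STANDARD, reasons


def request_allowed(app, catalog=CATALOG):
    """True if this specific request (app + device type) may be granted."""
    bucket, _ = vet(app, catalog)
    if bucket is Bucket.STANDARD:
        return True
    return bucket is Bucket.CORPORATE_ONLY and app.device_type == "corporate"


if __name__ == "__main__":
    req = AppRequest("SyncIt", "Contoso", frozenset({"file_sync", "chat"}),
                     frozenset(), "byod", True)
    bucket, why = vet(req)
    print(req.name, "->", bucket.value, ";", "; ".join(why), "; allowed:", request_allowed(req))
```

The ordering of the rules matters: the cheap, deterministic checks (vendor, catalog overlap) run first so that the bulk of redundant requests never reach the per-function analysis, which is exactly the time saving the post attributes to a clearly defined approval process.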
App developers and cybersecurity professionals can consult NIST Special Publication 800-163, "Vetting the Security of Mobile Applications", for detailed information on the vetting process.
Jessica Clark is a Mobility Solutions Engineer at Vikheda and brings several years of network infrastructure and mobility management experience supporting large federal agencies such as the US Air Force, US Army Corps of Engineers, US Department of State and US Department of Homeland Security.