Published Date: April 2019
Region: United States
NIST Special Publication 800-163 (Vetting the Security of Mobile Applications) is aimed at organizations that deploy mobile applications to employee devices. It covers standards and best practices for secure app development appropriate to the app's intended use, and the formulation of organizational procedures for vetting those applications before and after deployment. Guidance is given on selecting tools and services to assess and validate application security, and on judging whether an application can be deployed securely on the hardware the organization actually uses.
The primary motivation of the standard is app security vetting, which the document recognizes can take place during development, after development but before deployment, and while the app is in use on the organization's devices. The development requirements it details are therefore one part of a broader verification strategy: robust development practices give confidence in the delivered application, and the testing methods and tools applied before and during deployment confirm it.
SP 800-163 states a combination of general and specific application development requirements. The general development standards it references are the National Information Assurance Partnership Protection Profiles (NIAP PPs), OWASP's mobile risks, controls and app testing guidance, the MITRE App Evaluation Criteria, and NIST SP 800-53. These were selected either for the breadth of their scope or for their flexibility, which allows an organization to tailor them to its own development and deployment needs.
Guidance is also given on formulating organization-specific app requirements, informed by criteria including the provenance of the app, the sensitivity of the data it stores and processes, how mission-critical the app is, the hardware platform it targets, and the environment in which it will be deployed.
Alongside development practices that give confidence the application was built securely, SP 800-163 sets out a workflow for app vetting. The process begins with app intake, in which the personnel responsible for app analysis extract the app's essential metadata (app name, version number, and so on). The developer may also submit documentation and the results of vetting performed on previous versions of the app. The received app is then passed to an appropriate tool or testing service, which applies one or more methodologies to produce a report listing any vulnerabilities found together with an assessment of their severity and the likelihood that they will be exploited. The methodologies include static analysis, which examines the app's code, typically after decompiling the binary into an intermediate representation, without executing it, and dynamic analysis, in which the app is installed and run on an emulator or a real device so that its behavior can be observed. A security analyst then reviews the report, and a designated approval official approves or rejects the application.
Organizations are encouraged to define the conditions that trigger re-vetting of an already approved application. These include the availability of an updated or more capable testing tool or service, and the release of an updated version of the app by the developer, in which case the update may be vetted as though it were an entirely new application.
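The intake and re-vetting steps above can be made mechanical. The following is an added example written for this summary, not code from SP 800-163 or any vetting product. It treats the submitted package as a ZIP archive (which is what an Android APK is), records the metadata the intake step needs, and decides whether a later submission must be re-vetted. The app name and version are taken from the developer's submission form rather than parsed out of the binary manifest, and the `scanner-2.3` tool version string and the sample packages are constructed for illustration.

```python
"""Intake record and re-vetting trigger for an app vetting workflow.

Added example, not taken from SP 800-163. The package is handled as a
ZIP archive (which is what an Android APK is). The binary-encoded
AndroidManifest.xml is not parsed, so the app name and version are
taken from the developer's submission form, as the intake step allows.
"""
import hashlib
import io
import zipfile
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IntakeRecord:
    app_name: str            # as declared by the submitting developer
    declared_version: str    # as declared by the submitting developer
    sha256: str              # digest of the exact package bytes received
    size: int
    entries: List[str]       # archive entry names, sorted
    has_native_code: bool    # lib/**/*.so present
    has_v1_signature: bool   # META-INF/*.RSA|DSA|EC present (JAR signing only)
    tool_version: str        # analysis tool/service version in use at intake


def package_digest(package: bytes) -> str:
    """Content hash that identifies this exact build, independent of any version string."""
    return hashlib.sha256(package).hexdigest()


def build_intake_record(package: bytes, app_name: str, declared_version: str,
                        tool_version: str) -> IntakeRecord:
    """Extract the metadata the intake step records before analysis starts."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = sorted(zf.namelist())
    has_native = any(n.startswith("lib/") and n.endswith(".so") for n in names)
    # Only the v1 (JAR) signature files are visible as entries; v2/v3 APK
    # signing blocks sit outside the entry list and are not checked here.
    has_v1_sig = any(n.startswith("META-INF/") and n.rsplit(".", 1)[-1] in ("RSA", "DSA", "EC")
                     for n in names)
    return IntakeRecord(app_name, declared_version, package_digest(package), len(package),
                        names, has_native, has_v1_sig, tool_version)


def revetting_reasons(prior: Optional[IntakeRecord], current: IntakeRecord) -> List[str]:
    """Return the conditions that require (re-)vetting; an empty list means the prior approval stands."""
    if prior is None:
        return ["no prior vetting record: treat as a new app"]
    reasons = []
    if prior.sha256 != current.sha256:
        reasons.append("package contents changed: vet the update as a new app")
        if prior.declared_version == current.declared_version:
            # A changed build under an unchanged version string means the
            # developer's version claim cannot be relied on.
            reasons.append("declared version unchanged although package changed: reject version claim")
        if current.has_native_code and not prior.has_native_code:
            reasons.append("native code added since last vetting: extend analysis to native libraries")
    if prior.tool_version != current.tool_version:
        reasons.append("a newer analysis tool or service is available: re-run the analysis")
    return reasons


def make_sample_package(version_code: str, with_native: bool) -> bytes:
    """Constructed stand-in for a submitted APK (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Real manifests are binary XML; plain text is enough to vary the package bytes here.
        zf.writestr("AndroidManifest.xml", f'<manifest versionCode="{version_code}"/>')
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 16)
        if with_native:
            zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\0" * 16)
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82\x00\x00")
    return buf.getvalue()


if __name__ == "__main__":
    first = make_sample_package("1", with_native=False)
    prior = build_intake_record(first, "Fleet Driver", "1.0", "scanner-2.3")
    print(revetting_reasons(None, prior))
    update = make_sample_package("2", with_native=True)
    current = build_intake_record(update, "Fleet Driver", "1.1", "scanner-2.3")
    print(revetting_reasons(prior, current))
```

Keying the re-vetting decision on the package digest rather than on the declared version string is deliberate: a developer can resubmit a changed build under the same version number, and the record above catches that case and refuses to rely on the version claim. The signature check is limited to v1 JAR signing entries; a production intake step would verify the APK signing block and compare the signer certificate with the one recorded for the previously vetted version.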
The scope of this standard is apps that an organization deploys to its employees' devices. Because contractor drivers are not employees and their devices may not be organization-managed, any OEM developing a smart mobility service that relies on contractor drivers using app-enabled devices should consider carefully whether, and how, the standard applies to that deployment.