Federal mobile apps lack standard security processes

Wednesday - 6/26/2013, 5:18am EDT

Jason Miller, executive editor, Federal News Radio


The pace of the mobile revolution is causing some in government to ask for more standards, especially around testing the security of apps.

Agencies are creating separate processes and procedures to vet software tools that run on smartphones or tablet computers. But history has shown the lack of a governmentwide process leads to inconsistencies and extra costs.

Robert Palmer, the director of information assurance in the Information System Development Office at the Homeland Security Department, said the technology to test these apps exists, but no common criteria exist.

"What I'd like to see is alignment across the federal government around what are those criteria so we could potentially get to some kind of federal government app store," Palmer said Monday at the AFCEA Washington, D.C., chapter event in Arlington, Va. "The heavy lift is the distribution model. How do we get around the privacy problems? How do we get around the legal and terms of reimbursement and personal use concepts that we haven't gotten folks engaged on. That's really the key."

The obvious choice would be for the National Institute of Standards and Technology to create the governmentwide standard for securing mobile apps.

NIST is developing a new document to help agencies test the security of mobile software, but it's not a standard or guidance, said Tom Karygiannis, a computer scientist at the bureau.

Two years of work

He said NIST has been working with industry sectors, such as banking, over the last two years on how best to secure mobile apps.

"We are hoping to translate some of that expertise into these documents we are publishing. We are coming out, hopefully within a month, with a draft mobile app testing guideline," Karygiannis said. "Basically, it's voluntary guidelines for government agencies for how to vet and test mobile apps before you deploy them. It doesn't give you a go or no-go or red light, green light type of thing, but it gives you an idea of what you should test for. Then, in turn, you would need your own security analyst to decide in your environment whether that's acceptable or not."

Some of the criteria include permissions, cryptography, privacy issues and the types of services the mobile app provides, he said.

He added that NIST also evaluated various commercial, open source and government tools for app testing.

Karygiannis added that the use of app stores could help improve the security of the software, because agencies could screen apps before they are added to the store and to devices.

Additionally, NIST is developing standards about using a derived credential on mobile devices. This is part of the effort to better integrate the Homeland Security Presidential Directive-12 smart identification card with mobile devices.

Karygiannis said several industry sectors are interested in the standard, including the banking industry, which would create a root of trust on the phones.

The Office of Management and Budget and the Chief Information Officers Council released the government mobile and wireless security baseline under the Digital Government Strategy in May. The document contains the mobile security baseline and explains its relationship to the reference architecture, the Mobile Computing Decision Framework and other Digital Government Strategy mobile security activities.

It also includes core mobile device management and mobile application management controls, and initial controls for identity and access management.

But these controls are voluntary, not mandated like a NIST special publication or Federal Information Processing Standard would be.

Wash, rinse and spin cycle for code

And with the baseline controls just a month old, agencies already have gone down a path to create their own processes and procedures.

DHS, for example, is testing a new approach to making sure mobile apps are secure.

Palmer said DHS calls the process "the car wash"; it is still in the proof-of-concept stage.

"Code goes in, gets cleaned and comes out on the other end and it's washed, usable and ready to go," he said. "It's really all about orchestration. The automation piece is orchestrating whatever tools you may have available. For us, we took what we had licensed in house. We took some open source. We worked with our friends at the General Services Administration. We worked with the National Security Agency Center for Assured Software and we worked with our own software assurance folks and came up with some good candidates to get out of the gate."

Palmer said the goal is to automate the approval process as much as possible so it can happen more quickly. He said developers can create an app in a matter of hours, so the agency can't take months to approve it for use.
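The two ideas in this article that have a concrete shape are the NIST testing criteria (permissions, cryptography, privacy, services) and the DHS "car wash" pipeline that orchestrates whatever tools are on hand and hands the result to an analyst rather than issuing a go/no-go. The Python below is an added illustration written for this page; it is not DHS's car wash or any NIST tool. The app descriptor format, the permission allowlist, the sample app and its endpoints are all constructed for the example, and the checks are deliberately simple stand-ins for the commercial and open source analyzers an agency would actually plug in.

```python
"""Toy app-vetting pipeline: orchestrate several independent checks over an
app descriptor and collect findings for a human analyst.  Constructed example;
the descriptor format and policy lists are assumptions, not any agency's."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed agency policy: permissions an app may request without review.
ALLOWED_PERMISSIONS = {"INTERNET", "CAMERA", "VIBRATE"}
# Primitives that are widely deprecated for new use.
WEAK_ALGORITHMS = {"MD5", "SHA1", "DES", "RC4"}


@dataclass
class Finding:
    check: str      # which stage of the pipeline produced it
    severity: str   # "info", "medium" or "high"
    detail: str


@dataclass
class AppDescriptor:
    """Facts a real pipeline would extract from a package; here supplied directly."""
    name: str
    permissions: List[str]
    crypto_algorithms: List[str]
    endpoints: List[str]
    collects: List[str] = field(default_factory=list)  # privacy-relevant data types


def check_permissions(app: AppDescriptor) -> List[Finding]:
    """Criterion 'permissions': anything outside the allowlist needs an analyst's eye."""
    return [Finding("permissions", "medium", f"permission not in allowlist: {p}")
            for p in app.permissions if p not in ALLOWED_PERMISSIONS]


def check_cryptography(app: AppDescriptor) -> List[Finding]:
    """Criterion 'cryptography': flag deprecated primitives regardless of where they are used."""
    return [Finding("cryptography", "high", f"weak primitive in use: {alg}")
            for alg in app.crypto_algorithms if alg.upper() in WEAK_ALGORITHMS]


def check_privacy(app: AppDescriptor) -> List[Finding]:
    """Criterion 'privacy': cleartext transport, and worse when sensitive data rides on it."""
    findings = []
    cleartext = [e for e in app.endpoints if e.lower().startswith("http://")]
    for e in cleartext:
        findings.append(Finding("privacy", "high", f"cleartext endpoint: {e}"))
    if app.collects and cleartext:
        findings.append(Finding("privacy", "high",
                                f"sensitive data {sorted(app.collects)} with cleartext transport"))
    elif app.collects:
        findings.append(Finding("privacy", "info", f"collects sensitive data: {sorted(app.collects)}"))
    return findings


# The orchestration layer: the tool list is data, so swapping analyzers is a config change.
CHECKS: Dict[str, Callable[[AppDescriptor], List[Finding]]] = {
    "permissions": check_permissions,
    "cryptography": check_cryptography,
    "privacy": check_privacy,
}


def run_pipeline(app: AppDescriptor, checks=CHECKS) -> dict:
    """Run every check, never let one failing tool stop the run, and summarize for review."""
    findings: List[Finding] = []
    for name, check in checks.items():
        try:
            findings.extend(check(app))
        except Exception as exc:  # a broken analyzer is itself something the analyst should know
            findings.append(Finding(name, "info", f"check failed to run: {exc}"))
    by_severity: Dict[str, int] = {}
    for f in findings:
        by_severity[f.severity] = by_severity.get(f.severity, 0) + 1
    return {"app": app.name, "findings": findings, "by_severity": by_severity}


# Constructed sample app: one unlisted permission, one weak hash, one cleartext endpoint.
SAMPLE_APP = AppDescriptor(
    name="field-inspection-demo",
    permissions=["INTERNET", "CAMERA", "READ_CONTACTS"],
    crypto_algorithms=["AES-256-GCM", "MD5"],
    endpoints=["https://api.example.gov/v1", "http://telemetry.example.net/ping"],
    collects=["location"],
)

if __name__ == "__main__":
    report = run_pipeline(SAMPLE_APP)
    print(f"{report['app']}: {report['by_severity']}")
    for f in report["findings"]:
        print(f"  [{f.severity:6}] {f.check}: {f.detail}")
```

The report is the product, not a verdict: as Karygiannis describes the NIST guideline, the pipeline says what was tested and what it saw, and the agency's analyst decides whether that is acceptable in its environment. Wrapping each check so a crashing tool is recorded instead of aborting the run is what makes "orchestrating whatever tools you may have available" workable when those tools come from several vendors.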