The pace of the mobile revolution is causing some in government to ask for more standards, especially around testing the security of apps.
Agencies are creating separate processes and procedures to vet software tools that run on smartphones or tablet computers. But history has shown the lack of a governmentwide process leads to inconsistencies and extra costs.
Robert Palmer, the director of information assurance in the Information System Development Office at the Homeland Security Department, said the technology to test these apps exists, but no common criteria exists.
“What I’d like to see is alignment across the federal government around what are those criteria so we could potentially get to some kind of federal government app store,” Palmer said Monday at the AFCEA Washington, D.C., chapter event in Arlington, Va. “The heavy lift is the distribution model. How do we get around the privacy problems? How do we get around the legal and terms of reimbursement and personal use concepts that we haven’t gotten folks engaged on. That’s really the key.”
The obvious choice would be for the National Institute of Standards and Technology to create the governmentwide standard for securing mobile apps.
NIST is developing a new document to help agencies test the security of mobile software, but it’s not a standard or guidance, said Tom Karygiannis, a computer scientist at the bureau.
Two years of work
He said NIST has been working with industry sectors, such as banking, over the last two years for how to best secure mobile apps.
“We are hoping to translate some of that expertise into these documents we are publishing. We are coming out, hopefully within a month, a draft mobile app testing guideline,” Karygiannis said. “Basically, it’s voluntary guidelines for government agencies for how to vet and test mobile apps before you deploy them. It doesn’t give you a go or no-go or red light, green light type of thing, but it gives you an idea of what you should test for. Then, in turn, you would need your own security analyst to decide in your environment whether that’s acceptable or not.”
Some of the criteria include permissions, cryptography, privacy issues and the types of services the mobile app provides, he said.
He added NIST also evaluated various commercial, open source and government tools for app testing.
Karygiannis added the use of app stores could help improve the security of the software, because agencies could screen them before being added to the store and device.
Additionally, NIST is developing standards about using a derived credential on mobile devices. This is part of the effort to better integrate the Homeland Security Presidential Directive-12 smart identification card with mobile devices.
Karygiannis said several industry sectors are interested in the standard, including the banking industry, which would create a root of trust on the phones.
The Office of Management and Budget and Chief Information Officer’s Council released the government mobile and wireless security baseline under the Digital Government Strategy in May. The document contains the mobile security baseline and explains its relationship to the reference architecture, the Mobile Computing Decision Framework and other Digital Government Strategy mobile security activities.
It also includes core mobile device management and mobile application management controls, and initial controls for identity and access management.
But these controls are voluntary, not mandated like a NIST special publication or Federal Information Processing Standard would be.
Wash, rinse and spin cycle for code
And with the baseline controls just a month old, agencies already have gone down a path to create their own processes and procedures.
DHS, for example, is testing a new approach to making sure mobile apps are secure.
Palmer said DHS named the process, the car wash, which still is in the proof of concept stage.
“Code goes in, gets cleaned and comes out on the other end and it’s washed, usable and ready to go,” he said. “It’s really all about orchestration. The automation piece is orchestrating whatever tools you may have available. For us, we took what we had licensed in house. We took some open source. We worked with our friends at the General Services Administration. We worked with the National Security Agency Center for Assured Software and we worked with our own software assurance folks and came up with some good candidates to get out of the gate.”
Palmer said the goal is to automate the approval process as much as possible so it can happen more quickly. He said developers can create an app in a matter of hours, so the agency can’t take months to approve it for use.
But at the same time, the apps have to be as secure as possible so someone in the agency will make the go or no go decision.
Palmer said so far DHS has put three apps through the car wash.
“We put My TSA through the car wash as well as Customs and Border Protection’s border wait times as well as a homegrown app we put together to prove out the concept,” he said. “It really is still in a proof of concept stage and we have not operationalized this yet. Those apps that have gone through it, they have worked out very well. We are hoping it will grow. Right now, there are no enterprise class apps that we have taken through it.”
Palmer didn’t say when DHS would be ready to take the car wash into a production environment and out of the beta or test stage.
Commercial apps go first
The car wash approach focuses on quickness and security. Other approaches are just focused on security.
The Defense Information Systems Agency is using a multi-step process for commercially developed mobile apps.
“The apps come in via a request form from the services or internal to DISA. We have a few tools in house right now that we are using. These tools vary, some are Android, some are [Apple] IOS, but mostly Android. We need more tools for IOS right now to get these apps through,” said Christine Dillman, the lead application engineer in the mobility program management office at DISA. “Once we run the apps through the tools, we then map it to the mobile security requirements guidelines, 71 checks.”
Dillman said the crosswalk of security requirements is broken down by IOS and Android devices.
“We then send it to our field security office for review. They will make a risk decision based on the app and data that we sent to them,” she said. “From there it goes to our designated approving authority and they make a decision whether or not we are going to deploy it or not.”
Dillman added DISA is gearing to begin vetting government-created apps in the coming months.
Meanwhile, GSA’s approach is focused on citizen facing apps.
Employee testers getting started
Jacob Parcell, the manager of mobility programs for GSA, said the agency is offering others testing tools that include security and privacy, accessibility, user experience or functionality and performance.
Parcell said GSA is about to launch a pilot to test apps that will be used by the public.
“We are looking at HTML 5 and mobile websites at the moment,” he said. “Right now, we have a good number, dozens of people signed up for testing. We are getting ready to start our first testing in a few weeks.”
Parcell said GSA and the customer agencies will give the federal employee testers an idea of what to test for, but also they will have leeway to explore the apps and find problems on their own.
One of the biggest challenges agencies face is testing apps against many different devices that are out there, including, but not limited to, the multi-generational iPhones or iPads and the assorted devices running the Android, BlackBerry or Windows operating systems.
“We actually have a number of different devices where we can say, ‘Test this because they are looking for this help on this device,'” Parcell said. “One person I’ve talked to who said they only had three devices to test, while there are counts of 80-to-100 difference devices out there right now.”