Mobile Application Security Solutions
Securing mobile applications across an agency's mobile assets is complex and challenging due to the rapidly changing technical environment. Apps downloaded from an app store contain code that automatically integrates other device data such as contacts, GPS information, and email.
Because app developers release upgrades constantly, vetting a mobile app's security posture is a continual process.
For agencies interested in outsourcing their app vetting processes there are two main options: the first is to contact DHS carwash for assistance at Carwash@hq.dhs.gov; the second is to purchase the services from a supplier. GSA has compiled a list of potential sources of supply that identifies app vetting solution providers used by one or more federal government agencies. In addition, GSA's OCSIT has provided sample language that an agency can use for an SOW. Any DOD entities should also contact the DOD Mobility Program run by DISA.
For agencies with the technical expertise and resources to stand up an in-house capability, a potential list of app vetting tools (both vendor-based and open source) is also provided. Since organizations must use several tools to implement their security requirements (code review, static and dynamic testing, etc.), an open-source application, AppVet, developed by NIST, can help integrate and automate the app vetting process. NIST has produced an excellent guideline for the app vetting process that agencies performing their own vetting should use.
Mobile application security is a highly specialized, niche market due to how early it is in its development cycle. Although some vendors may appear on GSA IT Schedule 70, most have opted to partner with larger IT integrators. Many excellent app vetting tools are open-source, and therefore, do not require licensing arrangements.
Leaders in mobile app security within the government include DHS, DOJ, and DISA. These and other agencies are active participants in the Mobile App Security Vetting Tiger Team, an excellent resource for collaboration.