Solving for compliance: Mobile app security for banking and financial services
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
NowSecure #MobSec5: Weekly mobile security news update
SUBSCRIBE NOW: www.nowsecure.com/go/subscribe
Brian Lawrence, Solutions Engineer | NowSecure
Contents
● Overview of compliance regimes
● Overlap & mobile app security testing programs
● In action: customer case study
● Questions
A survey of compliance and mobile apps
Source: http://www.arelaw.com/downloads/ARElaw_MobileDeviceApplications_KeyLawsChart_rev061815.pdf
Sample of laws, regulations and rules applicable to mobile apps (categories: general, content, financial, health/medical, minors, others)
General / content:
● FTC Act
● Sarbanes-Oxley Act (SOX)
● Electronic Communications Privacy Act (ECPA)
● Computer Fraud and Abuse Act (CFAA)
● NIAP (Common Criteria for app vetting)
● Digital Millennium Copyright Act (DMCA)
● Communications Decency Act (CDA)
● Restore Online Shoppers’ Confidence Act (ROSCA)
Financial:
● Gramm-Leach-Bliley Act (GLBA)
● FFIEC compliance standards
● Payment Card Industry (PCI) standards
Health/medical:
● Health Insurance Portability and Accountability Act (HIPAA)
● Health Information Technology for Economic and Clinical Health Act (HITECH)
● Food and Drug Administration guidance on mobile medical apps
● FTC’s Health Breach Notification Rule
Minors:
● Children’s Online Privacy Protection Act (COPPA)
Others:
● California Online Privacy Protection Act (CalOPPA)
● State data-breach notification, data security, and records disposal statutes
● FCC’s Customer Proprietary Network Information (CPNI) Breach Notification Rule
IANYA: I am not your auditor/assessor/accountant
● We are mobile app security experts
● We highlight the compliance items relevant to mobile app security testing
● Compliance is a team sport
● Consult with your governance, risk & compliance (GRC) teams!
FFIEC IT Examination Handbook: Mobile Financial Services
Guidance that FFIEC examiners use in assessing financial institutions’ mobile offerings.
Appendix E.5.b Operational Risk Mitigation
● Secure coding
● Rigorous security testing
● Sensitive data storage
● Multi-factor authentication
● Third-party risk
Appendix E.5.b(iii) Mobile Application Risk Mitigation
● Root/jailbreak detection
● Security testing throughout the SDLC
● Critical data storage
● Secure back-end servers
Payment Card Industry Data Security Standard (PCI DSS)
Information security standard for organizations that handle payment cards. For a consumer-facing app that facilitates a merchant’s payment acceptance process, the development of the app is in scope.
PCI DSS Version 3.2
Requirement 6: Develop and maintain secure systems and applications
● 6.3 Develop internal and external software applications securely
● 6.5 Address common coding vulnerabilities in software-development processes (based on OWASP, SANS and CERT guidance)
Requirement 11: Regularly test security systems and processes
● 11.3 Implement a methodology for penetration testing
● Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
PCI Mobile Payment Acceptance Security Guidelines
● Merchant-owned devices/apps used to accept payments (e.g., a POS system) are in scope for PA-DSS.
● Apps on a consumer’s device that facilitate payments are not in scope for PA-DSS, but their development is in scope for PCI DSS.
Federal Information Security Management Act (FISMA)
Framework for cost-effective, risk-based information security within the federal government. NIST defines standards, guidelines, and minimum requirements via a number of publications.
NIST FIPS 200: Minimum Security Requirements
● Certification, Accreditation, and Security Assessments (CA)
● Risk Assessment (RA)
NIST SP 800-53: Security & Privacy Controls
● CA-2 Security Assessments
● SA-11 Developer Security Testing and Evaluation
NIST SP 800-163: Vetting the Security of Mobile Applications
● Preventing unauthorized functionality
● Limiting permissions
● Protecting sensitive data
● Securing app code dependencies
● Testing app updates
Gramm-Leach-Bliley Act Safeguards Rule
Requires financial institutions under FTC jurisdiction to protect the customer information they collect and to ensure their affiliates and service providers do too.
16 CFR Part 314: Standards for safeguarding customer information
Financial institutions must implement an information security program which includes:
● Designating employee(s) to coordinate the program;
● Identifying internal and external risks to the security, confidentiality, and integrity of customer information and assessing any safeguards in place to control the risks;
● Designing and implementing safeguards to address the risks and monitoring the effectiveness of these safeguards;
● Selecting and retaining service providers that are capable of maintaining appropriate safeguards for the information and requiring them, by contract, to implement and maintain such safeguards;
● Adjusting the information security program in light of developments that may materially affect the program.
NY Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500)
Requires companies to certify yearly that they have a program in place to secure nonpublic information both on their own systems and on those of any third party that has access to that information.
Section 500.03 Cybersecurity Policy
Implement and maintain written policies and procedures for the protection of information systems addressing (among other items):
● (a) information security
● (i) systems and application development and quality assurance
● (k) customer data privacy
● (m) risk assessment
Section 500.05 Penetration Testing and Vulnerability Assessments
● The program shall include monitoring and testing developed in accordance with the risk assessment
● Include continuous monitoring or periodic penetration testing and vulnerability assessments
● Penetration testing annually
● Vulnerability assessments bi-annually
Sarbanes-Oxley Act (SOX)
The act lays out requirements that publicly traded companies (and, in many cases, their service providers) must follow to ensure the accuracy of financial information.
Section 404: Assessment of internal control
● Understand the flow of transactions
● Perform a fraud risk assessment
SSAE 18: Statement on Standards for Attestation Engagements
● SSAE 18 helps service organizations demonstrate compliance with SOX
● Service Organization Control (SOC) reports
● SOC 2 reports cover controls that address:
○ Security
○ Availability
○ Processing integrity
○ Confidentiality
○ Privacy
Overlap: Regulations & mobile app security testing
[Diagram: overlap of FFIEC, PCI DSS, FISMA and GLBA requirements, with a mobile app security testing (MAST) program at the intersection]
How to Ensure Your Mobile Testing Supports Compliance
● Risk assessment
● Encryption
○ Data at rest
○ Data in transit
● Secure coding practices
○ Mobile best practices
○ Authentication
○ Authorization
● Documentation
● Testing methodology
Elements of a Mobile App Security Testing Program
NOWSECURE PLATFORM for 360º coverage of mobile app security testing
● NowSecure WORKSTATION: deep pen testing analysis for security analysts
● NowSecure AUTOMATED: on-demand cloud analysis for dev, QA & security teams
● NowSecure INTELLIGENCE: always-on cloud analysis for EMM & security teams
In action: Mobile app compliance in financial services
Case study: MEA Financial
● SOC 2 Type II reports
● NowSecure platform for assessments
● Archive assessment reports
● Provided to auditors upon request
“NowSecure helps us be pro-active as an organization and gives us confidence that any security concerns we can control truly are in order when we let an app through to production.”
—Travis Swinford, product manager
MEA is a national provider of software solutions to the financial services marketplace.
https://www.nowsecure.com/case-studies/mea-financial-instills-trust-in-mobile-banking-apps/
Summary & next steps
Three key takeaways
1. Set standards, and assess against those standards
2. Proper testing and validation satisfies many compliance requirements
3. Maintain documentation
Practical next steps
● Next week: Refresh your knowledge of your app inventory and the relevant compliance regimes
● Next month: Work with governance/risk/compliance teams to identify gaps in reporting
● Next quarter: Implement adjustments to your current methodology to fill any gaps
Let’s talk
NowSecure | +1 312.878.1100 | @NowSecureMobile | www.nowsecure.com
Subscribe to #MobSec5, a digest of the week’s mobile security news that matters: https://www.nowsecure.com/go/subscribe