Solving for compliance: Mobile app security for banking and financial services


Page 1: Solving for Compliance: Mobile app security for banking and financial services

Solving for compliance: Mobile app security for banking and financial services

Page 2

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.

NowSecure #MobSec5: Weekly mobile security news update

SUBSCRIBE NOW: www.nowsecure.com/go/subscribe

Page 3

Brian Lawrence, Solutions Engineer | NowSecure

Page 4

Contents

● Overview of compliance regimes

● Overlap & mobile app security testing programs

● In action: customer case study

● Questions

Page 5

A survey of compliance and mobile apps

Page 6

Source: http://www.arelaw.com/downloads/ARElaw_MobileDeviceApplications_KeyLawsChart_rev061815.pdf

Sample of laws, regulations, and rules applicable to mobile

Categories in the chart: General, Content, Financial, Health/Medical, Minors, Others

● FTC Act
● Sarbanes-Oxley
● Electronic Communications Privacy Act (ECPA)
● Computer Fraud and Abuse Act (CFAA)
● NIAP (Common Criteria for app vetting)
● Digital Millennium Copyright Act (DMCA)
● Communications Decency Act (CDA)
● Restore Online Shoppers’ Confidence Act (ROSCA)
● Gramm-Leach-Bliley Act (GLBA)
● FFIEC compliance standards
● Payment card industry (PCI) standards
● Health Insurance Portability and Accountability Act (HIPAA)
● Health Information Technology for Economic and Clinical Health Act (HITECH)
● Food and Drug Administration Act (mobile medical apps)
● FTC’s Health Breach Notification Rule
● Children’s Online Privacy Protection Act (COPPA)
● California Online Privacy Protection Act (CalOPPA)
● State data-breach notification, data security, and records disposal statutes
● FCC’s Customer Proprietary Network Information (CPNI) Breach Notification Rule

Page 7

IANYA - I am not your auditor/assessor/accountant

● We are mobile app security experts

● We highlight relevant compliance items

● Compliance is a team sport

● Consult with governance, risk & compliance teams!

Page 8

FFIEC IT Examination Handbook: Mobile Financial Services

Guidance that FFIEC examiners use in assessing financial institutions’ mobile offerings.

AppE.5.b Operational Risk Mitigation

● Secure coding
● Rigorous security testing
● Sensitive data storage
● Multi-factor authentication
● Third party risk

AppE.5.b(iii) Mobile Application Risk Mitigation

● Root/jailbreak detection
● Security testing throughout the SDLC
● Critical data storage
● Secure back-end servers

Page 9

Payment Card Industry Data Security Standard (PCI DSS)

Information security standard for organizations that handle payment cards. For a consumer-facing app that facilitates a merchant’s payment acceptance process, the development of the app is in scope.

PCI DSS Version 3.2

6 Develop and maintain secure systems and applications
● 6.3 Develop internal and external software applications securely
● 6.5 Address common coding vulnerabilities in software-development processes [based on OWASP, SANS, CERT guidance]

11 Regularly test security systems and processes
● 11.3 Implement a methodology for penetration testing…
● … Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5

PCI Mobile Payment Acceptance Security Guidelines

Merchant-owned devices/apps used for payments (i.e., a POS system) are in scope for PA-DSS. Apps on a consumer’s device that facilitate payments are not in scope for PA-DSS, but their development is in scope for PCI DSS.

Page 10

Federal Information Security Management Act (FISMA)

Framework for cost-effective, risk-based information security within the federal government. NIST defines standards, guidelines, and minimum requirements via a number of publications.

NIST FIPS 200: Minimum Security Requirements
● Certification, accreditation, and security assessments (CA)
● Risk assessment (RA)

NIST SP 800-53: Security & Privacy Controls
● CA-2 Security Assessments
● SA-11 Developer Security Testing and Evaluation

NIST SP 800-163: Vetting the Security of Mobile Applications
● Preventing unauthorized functionality
● Limiting permissions
● Protecting sensitive data
● Securing app code dependencies
● Testing app updates

Page 11

Gramm-Leach-Bliley Act Safeguards Rule

Requires financial institutions under FTC jurisdiction to protect the customer information they collect and ensure their affiliates and service providers do too.

PART 314—Standards for safeguarding customer information

Financial institutions must implement an information security program which includes:

● Designating employee(s) to coordinate the program;

● Identifying internal and external risks to the security, confidentiality, and integrity of customer information and assessing any safeguards in place to control the risks;

● Designing and implementing safeguards to address the risks and monitor the effectiveness of these safeguards;

● Selecting and retaining service providers that are capable of maintaining appropriate safeguards for the information and requiring them, by contract, to implement and maintain such safeguards;

● Adjusting the information security program in light of developments that may materially affect the program.

Page 12

NY Cybersecurity Reqs. for Financial Services Companies

Requires companies to certify yearly that they have a program in place to secure nonpublic information both on their own systems and those of any third party that has access to that information.

Section 500.03 Cybersecurity Policy

Implement and maintain written policies and procedures for the protection of information systems addressing (among other items):
● (a) information security
● (i) systems and application development and quality assurance
● (k) customer data privacy
● (m) risk assessment

Section 500.05 Penetration Testing and Vulnerability Assessments
● Program shall include monitoring and testing developed in accordance with the risk assessment
● Include continuous monitoring or periodic penetration testing and vulnerability assessments
● Penetration testing annually
● Vulnerability assessments bi-annually

Page 13

Sarbanes-Oxley Act (SOX)

The act lays out guidelines publicly traded companies (and their service providers in many cases) must follow to ensure the accuracy of financial information.

Section 404 — Assessment of internal control
● Understand the flow of transactions
● Perform a fraud risk assessment

SSAE 18 — Statement on Standards for Attestation Engagements
● SSAE 18 helps service organizations comply with SOX
● Service Organization Control (SOC) reports
● SOC 2 reports cover controls that address:
  ○ Security
  ○ Availability
  ○ Processing integrity
  ○ Confidentiality
  ○ Privacy

Page 14

Overlap: Regulations & mobile app security testing

Page 15

[Figure: FFIEC, PCI DSS, FISMA and GLBA shown overlapping around a MAST (mobile app security testing) program]

Page 16

How to Ensure Your Mobile Testing Supports Compliance

● Risk Assessment
● Encryption
  ○ Data at rest
  ○ Data in transit
● Secure coding practices
  ○ Mobile Best Practices
  ○ Authentication
  ○ Authorization
● Documentation
● Testing methodology

Page 17

Elements of a Mobile App Security Testing Program

Page 18

NowSecure WORKSTATION: Deep Pen Testing Analysis for Security Analysts

NowSecure AUTOMATED: OnDemand Cloud Analysis for Dev, QA & Security teams

NowSecure INTELLIGENCE: AlwaysOn Cloud Analysis for EMM & Security teams

NOWSECURE PLATFORM for 360° COVERAGE OF MOBILE APP SECURITY TESTING

Page 19

In action: Mobile app compliance in financial services

Page 20

Case study: MEA Financial

● SOC Type II reports

● NowSecure platform for assessments

● Archive assessment reports

● Provided to auditors upon request

“NowSecure helps us be pro-active as an organization and gives us confidence that any security concerns we can control truly are in order when we let an app through to production.”

—Travis Swinford, product manager

MEA is a national leader in the provision of innovative software solutions to the financial services marketplace around the nation.

https://www.nowsecure.com/case-studies/mea-financial-instills-trust-in-mobile-banking-apps/

Page 21

Summary & next steps

Page 22

Three key takeaways

1. Set standards, assess against those standards
2. Ensuring proper testing and validation accomplishes many compliance requirements
3. Maintain documentation

Page 23

Practical next steps

Next week:

Refresh your knowledge of your app inventory and relevant compliance regimes

Next month:

Work with governance/risk/compliance teams to identify gaps in reporting

Next quarter:

Implement adjustments to your current methodology to fill any gaps

Page 24

Let’s talk

NowSecure | +1 312.878.1100

@NowSecureMobile | www.nowsecure.com

Subscribe to #MobSec5: A digest of the week’s mobile security news that matters

https://www.nowsecure.com/go/subscribe