NIST SP 800-163 REV. 1 VETTING THE SECURITY OF MOBILE APPS
This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-163r1
2 App Security Requirements
Before vetting a mobile app for security, an organization must define the security requirements
that an app must meet in order to be approved for use by the organization. In this document, we
define two types of app security requirements that organizations should develop: general and
organization-specific.
2.1 General Requirements
General app security requirements define the software and behavioral characteristics of an app
that should or should not be present in order to ensure the security of the app. These
requirements are considered “general” since they can be applied across all mobile applications
and tailored to meet the security needs and risk tolerance of an organization. General app
security requirements may be derived from a number of available standards, best practices, and
resources including those specified by NIAP, OWASP, MITRE and NIST.²
2.1.1 National Information Assurance Partnership (NIAP)
The NIAP Protection Profiles (PPs) specify an implementation-independent set of security
requirements for a category of information technology (IT) products that meet specific federal
customer needs. Specifically, the NIAP PPs are intended for use in certifying products for use in
national security systems to meet a defined set of security requirements. NIAP PP certified
products are also used by federal organizations in non-national security systems. The NIAP PPs
define in detail the security objectives, requirements and assurance activities that must be met for
a product evaluation to be considered International Organization for Standardization (ISO)/
International Electrotechnical Commission (IEC) 15408 certified [6]. While many mobile apps
fall outside the defined scope for requiring ISO/IEC 15408 certification, security analysis of
these apps is still useful. For these apps, the NIAP recommends a set of activities and evaluations
defined in Requirements for Vetting Mobile Apps from the Protection Profile for Application
Software [7]. The requirements defined in that NIAP document are divided into two broad categories:
1) Functional Requirements—Declarations concerning the required existence or absence of
particular software behavior or attributes.
2) Assurance Requirements—Declarations concerning actions the evaluator must take or
stipulations that must hold true for the vetting to be carried out successfully.
Table 1 summarizes the NIAP functional requirements.³
² Additional threats and vulnerabilities can be found in Appendices A, B, and C.
³ For brevity, many, but not all, of the functional requirements are listed in Table 1. Some are high-level descriptions of multiple related controls. See the NIAP Protection Profile for the full list [7].