Solving for Compliance: Mobile app security for banking and financial services

Solving for compliance:
Mobile app security for banking and
financial services

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
NowSecure #MobSec5
Weekly mobile security news update
SUBSCRIBE NOW:
www.nowsecure.com/go/subscribe

Brian Lawrence
Solutions Engineer | NowSecure

Contents
● Overview of compliance regimes
● Overlap & mobile app security testing programs
● In action: customer case study
● Questions

A survey of compliance and
mobile apps

http://www.arelaw.com/downloads/ARElaw_MobileDeviceApplications_KeyLawsChart_rev061815.pdf
Sample of Laws, regulations, rules applicable to mobile
GENERAL CONTENT FINANCIAL
HEALTH/
MEDICAL MINORS OTHERS
FTC Act
Sarbanes-Oxley
Electronic
Communications Privacy
Act (ECPA)
Computer Fraud and
Abuse Act (CFAA)
NIAP (Common Criteria
for app vetting)
Digital Millennium
Copyright Act (DMCA)
Communications
Decency Act (CDA)
Restore Online
Shoppers’ Confidence
Act (ROSCA)
Gramm-Leach-Bliley Act
(GLBA)
FFIEC compliance
standards
Payment card industry
(PCI) standards
Health Insurance
Portability and
Accountability Act
(HIPAA)
Health Information in
Technology for
Economic and Clinical
Health Act (HITECH)
Food and Drug
Administration Act
(mobile medical apps)
FTC’s Health Breach
Notification Rule
Children’s Online
Privacy Protection Act
(COPPA)
California Online Privacy
and Protection Act
(CalOPPA)
State data-breach
notification, data
security, and records
disposal statutes
FCC’s Proprietary
Network Information
(CPNI) Breach
Notification Rule

IANYA - I am not your auditor/assessor/accountant
● We are mobile app security experts
● We highlight relevant compliance items
● Compliance is a team sport
● Consult w/ governance, risk
& compliance teams
!

FFIEC IT Examination Handbook: Mobile Financial Services
Guidance that FFIEC examiners use in assessing financial institutions’ mobile offerings.
AppE.5.b Operational Risk Mitigation
● Secure coding
● Rigorous security testing
● Sensitive data storage
● Multi-factor authentication
● Third party risk
AppE.5.b(iii) Mobile Application Risk Mitigation
● Root/jailbreak detection
● Security testing throughout the SDLC
● Critical data storage
● Secure back-end servers

Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS Version 3.2
6 Develop and maintain secure systems and applications
● 6.3 Develop internal and external software applications securely
● 6.5 Address common coding vulnerabilities in software-development
processes [based on OWASP, SANS, CERT guidance]
11 Regularly test security systems and processes
● 11.3 Implement a methodology for penetration testing…
● ...Defines application-layer penetration testis to include, at a
minimum, the vulnerabilities listed in Requirement 6.5
PCI Mobile Payment Acceptance Security Guidelines
Merchant-owned devices/apps used for payments (i.e., a POS system) are in
scope for PA-DSS. Apps on a consumer’s device that facilitate payments are
not in scope for PA-DSS, but development is in scope for PCI DSS.
Information security standard for organizations that handle payment cards. For a consumer-facing app
that facilitates a merchant’s payment acceptance process, the development of the app is in scope.

Federal Information Security Management Act (FISMA)
Framework for cost-effective, risk-based information security within the federal government. NIST defines
standards, guidelines, and minimum requirements via a number of publications.
NIST FIPS 200: Minimum Security Requirements
● Certification, accreditation, and security assessments (CA)
● Risk assessment (RA)
NIST SP 800-53: Security & Privacy Controls
● CA-2 Security Assessments
● SA-11 Developer security testing and evaluation
NIST SP 800-163: Vetting the Security of Mobile Applications
● Preventing unauthorized functionality
● Limiting permissions
● Protecting sensitive data
● Security app code dependencies
● Testing app updates

Gramm-Leach-Bliley Act Safeguards Rule
Requires financial institutions under FTC jurisdiction to protect the customer information they collect
and ensure their affiliates and service providers do too.
PART 314—Standards for safeguarding customer information
Financial institutions must implement an information security program
which includes:
● Designating employee(s) to coordinate the program;
● Identifying internal and external risks to the security, confidentiality,
and integrity of customer information and assessing any safeguards
in place to control the risks;
● Designing and implementing safeguards to address the risks and
monitor the effectiveness of these safeguards;
● Selecting and retaining service providers that are capable of
maintaining appropriate safeguards for the information and requiring
them, by contract, to implement and maintain such safeguards;
● Adjusting the information security program in light of developments
that may materially affect the program.

NY Cybersecurity Reqs. for Financial Services Companies
Requires companies to certify yearly that they have a program in place to secure nonpublic information
both on their own systems and those of any third party that has access to that information.
Section 500.03 Cybersecurity Policy
Implement and maintain written policies and procedures for the protection
of information systems addressing (among other items):
● (a) information security
● (i) systems and application development and quality assurance
● (k) customer data privacy
● (m) risk assessment
Section 500.05 Penetration Testing and Vulnerability Assessments
● Program shall include monitoring and testing developed in
accordance with the risk assessment
● Include continuous monitoring or periodic penetration testing and
vulnerability assessments
● Penetration testing annually
● Vulnerability assessments bi-annually

Sarbanes-Oxley Act (SOX)
The act lays out guidelines publicly traded companies (and their service providers in many cases) must
follow to ensure the accuracy of financial information).
Section 404 — Assessment of internal control
● Understand the flow of transactions
● Perform a fraud risk assessment
SSAE 18 — Statement on Standards for Attestation Engagements
● SSAE 18 helps service organizations comply with SOX
● Service Organization Control (SOC) reports
● SOC 2 reports report on controls that address:
○ Security
○ Availability
○ Processing integrity
○ Confidentiality
○ Privacy

Overlap: Regulations
& mobile app security testing

FFIEC PCI DSS
FISMA GLBA
MAST
PROGRAM

How to Ensure Your Mobile Testing Supports Compliance
● Risk Assessment
● Encryption
○ Data at rest
○ Data in transit
● Secure coding practices
○ Mobile Best Practices
○ Authentication
○ Authorization
● Documentation
● Testing methodology

Elements of a Mobile App Security Testing Program

NowSecure WORKSTATION
Deep Pen Testing Analysis
for Security Analysts
NowSecure AUTOMATED
OnDemand Cloud Analysis
for Dev, QA & Security teams
NowSecure INTELLIGENCE
AlwaysOn Cloud Analysis
for EMM & Security teams
NOWSECURE PLATFORM for 360º COVERAGE
OF MOBILE APP SECURITY TESTING

In action: Mobile app compliance
in financial services

Case study: MEA Financial
● SOC Type II reports
● NowSecure platform for assessments
● Archive assessment reports
● Provided to auditors upon request
“NowSecure helps us be pro-active as an
organization and gives us confidence that any
security concerns we can control truly are in order
when we let an app through to production.”
—Travis Swinford, product manager
MEA is a national leader in the provision of
innovative software solutions to the
financial services marketplace around the nation.
https://www.nowsecure.com/case-studies/mea-financial-instills-trust-in-mobile-banking-apps/

Summary & next steps

Three key takeaways
1
2
3
Set standards, assess against those standards
Ensuring proper testing and validation
accomplishes many compliance requirements
Maintain documentation

Practical next steps
Next week:
Refresh your knowledge of your app inventory and relevant compliance regimes
Next month:
Work with governance/risk/compliance teams to identify gaps in reporting
Next quarter:
Implement adjustments to your current methodology to fill any gaps

Let’s talk
NowSecure
+1 312.878.1100
@NowSecureMobile
www.nowsecure.com
Subscribe to #MobSec5
A digest of the week’s mobile security news that matters
https://www.nowsecure.com/go/subscribe

Solving for Compliance: Mobile app security for banking and financial services

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Solving for Compliance: Mobile app security for banking and financial services

Similaire à Solving for Compliance: Mobile app security for banking and financial services (20)

Plus de NowSecure

Plus de NowSecure (20)

Dernier

Dernier (8)

Solving for Compliance: Mobile app security for banking and financial services