CSA Mobile Application Security Testing (MAST) Initiative
Revised Project Charter
14th March, 2018
Table of Contents
INITIATIVE EXECUTIVE OVERVIEW
PROJECT RESPONSIBILITIES
SCOPE
DELIVERABLES/ACTIVITIES
  Q2 2018
  Q3 2018
  Q4 2018
PROJECT MEMBERSHIP
  Sub-Work Groups
  Communications Methods
  Infrastructure & Resource Requirements
  Work Group Conference Calls and In-person Meetings
  Decision-making Procedures
Operations
  Advisory
  Research Lifecycle
  Peer Review
INITIATIVE EXECUTIVE OVERVIEW

Mobile Applications are becoming an integral part of not just modern enterprises but also of human existence, and a huge part of this shift is due to the emergence of cloud computing. Cloud computing has allowed for the instantaneous utilization of applications, which imparts tremendous agility to the enterprise. Accompanying such convenience are risk management challenges due to a lack of transparency, leading to security concerns that include applications.[1]

CSA released the initial Mobile Application Security Testing (MAST) whitepaper in June 2016, which defines a framework for secure mobile application development, achieving privacy and security by design. Implementation of MAST will result in clearly articulated recommendations and best practices in the use of mobile applications.

Mobile application security testing and vetting processes utilized through MAST involve both static and dynamic analyses to evaluate security issues of mobile applications for platforms such as Android, iOS and Windows. These processes cover permissions, exposed communications, potentially malicious functionalities, application collusions, obfuscations, excessive power consumptions and traditional software vulnerabilities. Testing and vetting processes will also cover internal communications such as debug flags and activities, as well as external communications such as Global Positioning System (GPS), Bluetooth, Near Field Communication (NFC) and Global System for Mobile communication (GSM) accesses. Apart from mobile application security testing and vetting, a mobile application security incident response plan will also be developed.

The WG will aim to create a safer cloud ecosystem for mobile applications by creating systematic approaches to application testing and vetting that help integrate and introduce quality control and compliance to mobile application development and management.

The WG hopes that more research into mobile application security vetting and testing will help reduce the risk and security threats that organizations and individuals expose themselves to by using mobile applications.

[1] https://downloads.cloudsecurityalliance.org/assets/research/mobile/mast_white_paper.pdf
PROJECT RESPONSIBILITIES

Specific fields of action of the WG could include:
- To develop a reference document that fits into the OCF framework/STAR Program and is independent from proprietary / implementation details;
- To develop a testing / vetting toolkit (i.e. approval-rejection basis) for mobile applications, including a framework of controls and testing mechanisms based on the high level requirements included in the MAST white paper;
- To determine whether CSA can develop a certification scheme for mobile application security;
- To eventually develop a certification scheme for mobile application security to be included in the CSA STAR Program.

SCOPE

The app security testing and vetting process uses both static and dynamic analysis to analyse the application. The testing and vetting process covers:
- Permissions (could be segregated into mandatory and optional)
- Authentication and authorization
- Exposed communications
- Data protection (encryption in motion, at rest and in use, etc.)
- Potentially dangerous functionality
- Application collusion
- Code obfuscation
- Excessive power consumption
- Auditing and logging
- Input validation
- Password management
- Application configuration
- Access control mechanisms
- Traditional software vulnerabilities

In addition to security testing and vetting, the project will also develop processes and procedures for security incident response pertaining to a mobile breach.

DELIVERABLES/ACTIVITIES

Q2 2018
Deliverables: Charter - peer reviewed and final version of the Charter
Deliverables: Project Plan - with the estimated start date and the finish date of the project deliverables
Deliverables: Mobile Application Vetting Whitepaper - develop a reference document that fits into the OCF Framework / STAR Program and is independent from proprietary / implementation detail. The reference document should detail controls (analogous to CCM) and assertions (analogous to CAIQ) that are transparent and non-proprietary, so that it can serve as a basis for the next step, which is to develop a certification program for inclusion in STAR. Mobile app developers can use this as a basis for self-assessment (like in OCF level 1), and toolkit developers & certification bodies can develop testing tools and certify mobile apps (like in OCF level 2).

Q3 2018
Activities: Project Execution and Outreach
Activities: Project Execution - develop a testing / vetting toolkit (i.e. approval-rejection basis) for mobile applications, including a framework of controls and testing mechanisms based on the high level requirements included in the MAST white paper

Q4 2018
Deliverable: Proposed Application Testing / Vetting Toolkit
PROJECT MEMBERSHIP

The MAST WG is structured as follows:
- Two or more co-chairs (and their alternates)
- Working group members
- A representative of the CSA / subject matter expert
- A representative of the CSA / OCF Secretariat (to be introduced during the certification development phase)

Only CSA Corporate Members are eligible for the role of co-chairs. If a corporate member is not available for nomination or an individual with a unique skill-set is required, an exception can be filed for non-member nominees by contacting exec@cloudsecurityalliance.org.

The role of MAST co-chairs entails the following responsibilities:
- Define the work plan for each year (e.g., meetings and expected deliverables)
- Ensure progress of work according to the work plan
- Report to the CSA Executive Team on execution risks and suggest possible solutions
- Convene meetings when necessary and act as Chairperson of the MAST WG
- Lead the preparation of draft deliverables, or identify a suitable person within the MAST WG who will take the role of main editor/rapporteur of the deliverable
- Ensure that guidance provided in the current MAST WG charter is followed
- Ensure that relevant documents are circulated to MAST WG members

The role of CSA Subject Matter Expert(s) entails the following responsibilities:
- Can be either a CSA Staff member or an expert nominated by the CSA
- Provide subject matter expertise, in the form of contribution to deliverables and advice to the MAST WG co-chairs

The role of CSA Secretariat entails the following responsibilities:
- Will be a CSA Staff member
- Provide secretariat and project management support to the co-chairs (e.g. create the virtual shared workspace, manage the mailing list, collect input from members, assist the preparation of the work plan, arrange for logistics of both virtual and physical meetings, support meeting minutes preparation, etc.)

The role of MAST WG Members entails the following responsibilities:
- Contribute to the definition of the work plan
- Contribute to the definition of the MAST deliverables

Sub-Work Groups

Ad hoc sub-work groups comprised of subject matter experts may be formed to plan or execute any related outreach, awareness or research opportunities. Such sub-working groups shall report directly to the main working group. The initiative may also choose to allow resource sharing between cloud communities and other CSA working groups to assist in the timely completion of projects, programs and other activities needed to support/enable the initiative's defined body of work.

Communications Methods

Infrastructure & Resource Requirements

The initiative will be composed of CSA volunteers; it will have a steering committee and co-chairs. The initiative will require typical project management, online workspace and technical writing assistance.

Work Group Conference Calls and In-person Meetings

The initiative will hold conference calls no less than bi-monthly. Attendance by the Principal or Alternate is required. The Alternate must have full authority to act on behalf of the Principal if the Principal is absent. In-person meetings will happen once a year in a location to be determined.

Decision-making Procedures

Definition of a majority
1. A majority shall consist of more than half of the members present and voting.
2. In computing a majority, members abstaining shall not be taken into account.
3. In case of a tie, a proposal or amendment shall be considered rejected.
4. For the purpose under this Charter, a member present and voting shall be a member voting for or against a proposal, including a proxy representative. Proxy, where authority is delegated through a written statement or non-repudiated email, should be declared and inspected for validity by the chair before voting starts.

Abstentions of more than fifty percent
1. When the number of abstentions exceeds half the number of votes cast (for, against, abstentions), consideration of the matter under discussion shall be postponed to a later meeting, at which time abstentions shall not be taken into account.

Voting procedures
1. The voting procedures are as follows:
   a. By a show of hands as a general rule unless a secret ballot has been requested; if at least two members, present and entitled to vote, so request before the beginning of the vote and if a secret ballot under b) has not been requested, or if the procedure under a) shows no clear majority
   b. By a secret ballot, if at least five of the members present and entitled to vote so request before the beginning of the vote (online voting is applicable)
2. The Chair(s) shall, before commencing a vote, observe any request as to the manner in which the voting shall be conducted, and then shall formally announce the voting procedure to be applied and the issue to be submitted to the vote. The Chair(s) shall then declare the beginning of the vote and, when the vote has been taken, shall announce the results.
3. In the case of a secret ballot, the secretariat shall at once take steps to ensure the secrecy of the vote.

Operations

Advisory

The CSA Working Group will be advised by the CSA Subject Matter Expert (SME) Advisory Council, International Standardization Council (ISC), and CSA Executive Team to ensure that the research under this initiative is within the scope of the CSA and aligns with other industry partner research. The research will remain unique to industry and make reference to any redundant or replicated works.
Research Lifecycle

The CSA Working Group will follow the development of the CSA research lifecycle for all projects and initiatives: https://downloads.cloudsecurityalliance.org/initiatives/general/csa_research_lifecycle_final.pdf
Peer Review

We will seek CSA's help in reaching out to peers for reviewing our charter and other documented activities of the initiative.