This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Projects/OWASP Mobile Security Project/Roadmap"

From OWASP
(Created page with '__NOTOC__ == Overview == The OWASP Mobile Security Project should be a one-stop shopping source of information for mobile application security. The ultimate vision for this pr…')

(8 intermediate revisions by the same user not shown)

This diff compares the page's first revision with its latest revision. The earlier revision's wikitext follows; the revised text is the latest revision, rendered in full further down the page.

Earlier revision:

__NOTOC__

== Overview ==

The OWASP Mobile Security Project should be a one-stop shopping source of information for mobile application security. The ultimate vision for this project is that anyone seeking guidance on creating or assessing mobile applications should be able to find all the answers they need through OWASP resources. Beginning with a broad Threat Model and followed by a generic initial Mobile Top 10, additional sub-projects would be expected to be spun off. After initial guidance is provided to the community to help guide development initiatives, increasingly detailed technical guidance would follow through a series of sub-projects.

The development of tools and efficiency-enhancing resources would be highly encouraged at all phases of the project. Standalone tools as well as extensions to existing tools (OWASP and open-source) would be of great use. Naturally related projects that would be ideal to promote and extend in a mobile context include ESAPI and O2.

The entire roadmap spans 12-18 months for beta releases of each task. Running sub-projects concurrently will help increase the rate at which the other sub-projects mature.

== Generic Threat Model ==

'''Timeline - 3 months for initial release'''

* Should be considered in the context of mobile computing platforms;
* Individual devices shouldn't be considered, but instead devices intended for mobile use and the mobile style of data consumption (leverage web services and cloud services, minimal processing on client, etc.);
* Threat model will shape the Top 10.

== Generic Top 10 ==

'''Timeline - 3 months for initial release'''

* Using the threat model as a base;
* Perform an assessment of the standard Top 10 to determine which threats are applicable, not applicable, or applicable in a modified context;
* Perform a gap analysis of both the standard and mobile Top 10 lists to demonstrate the differentiation, and provide this document to the community;
* Create the Top 10.

== Fork Into Each Platform ==

* iOS Project
* Android Project
* webOS Project
* Windows Mobile Project
* Blackberry Project

== Alternate Development Environments For Mobile (Besides Java and Objective-C) ==

* Flash
* AIR
* MonoDroid
* MonoTouch
* MacRuby
* Perl

== What each platform project could contain ==

* Description of the security model
* Assessment checklist
* Wikis on individual vulnerabilities relevant to the platform
* Defensive coding techniques
* API security features
* References to related OWASP projects and resources
* Attacks and historic vulnerability information for each platform in "lessons learned" format

== Mobile Development Guide ==

Using the threat model, the Mobile Top 10, and the other major areas identified through the other sub-projects, create a mobile development guide. The guide could follow the same general format as the regular development guide, or deviate slightly due to the vast differences between platforms.

Latest revision as of 04:46, 1 July 2012


Overview

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

Our primary focus is at the application layer. While we take into consideration the underlying mobile platform and carrier inherent risks when threat modeling and building controls, we are targeting the areas where the average developer can make a difference. Additionally, we focus not only on the mobile applications deployed to end user devices, but also on the broader server-side infrastructure which the mobile apps communicate with. We focus heavily on the integration between the mobile application, remote authentication services, and cloud platform specific features.

Project Components

In Progress

Threat Model

  • Platform-agnostic mobile threat model
  • Platform-/technology specific elements
  • Threats (e.g. App-store Curators or Carriers)
  • Attack Surface (e.g. Android IPC or Apple iCloud)
  • Define and trace who attacks what, where and how

Top 10 Mobile Risks

  • Intended to raise awareness and help prioritize security efforts
  • Presented in a platform-agnostic format
  • Focuses on areas of risk instead of specific vulnerabilities

Top 10 Mobile Controls

  • 10 broad areas of control that solve many problems
  • Platform-agnostic where possible
  • Can be used as a checklist

Platform-Specific Guidance

  • Build around the Top 10 Risks and Controls
  • Explains how an issue pertains to a specific platform
  • Provides good and bad code examples

Training

  • GoatDroid - A fully self-contained training environment for performing security testing against Android applications. Includes several Android apps, embedded RESTful web services, databases, and a GUI featuring several tools for automating common testing tasks.
  • iGoat - A modular training platform for iOS applications. iGoat includes an Xcode project that can be loaded into the iOS simulator for live testing of apps. Developers can apply code fixes and instantly observe the results to demonstrate their effectiveness.

Cheat Sheets

  • Easy to consume, straight-to-the-point tutorials
  • Practical guidance for a variety of issues and mobile platforms

Security Testing Methodologies

  • Approaches for static and dynamic security analysis
  • Covers what to look for and how to look for it


Future Initiatives

  • Formal Secure Development Guide
  • Secure Libraries (ESAPI for Android, ESAPI for iOS, etc.)