Projects/OWASP Mobile Security Project - Secure Development Guidelines
Revised by Giles Hogben.
Revision as of 11:44, 10 May 2011
Objective
The OWASP/ENISA Mobile Secure Development Guidelines will be living, open source documents that provide knowledge and guidance for developers creating secure mobile applications.
Target audience
The output will be:
- A main document aimed at developers and software architects
- A CIO/CSO/CEO/CTO-level document motivating the use of the guidelines.
Main document skeleton
Executive summary
Why this document: a convincing argument to C-level management for why they should give priority to security in mobile development projects. FUD goes here.
Colophon
Who we are, who wrote it, where an online version can be found, how people can contribute.
Architecture and design principles
Taking a risk-based approach: starting from the ENISA/OWASP/Veracode top ten risks (extended and modified as needed; for example the Veracode top ten risks and the eventual OWASP top 10 risks), we state architecture and design principles that address these risks.
- Architecture and design principles, with examples of what they mean for secure mobile/smartphone applications, e.g. minimal disclosure, minimal on-device storage, do not allow untrusted updates of add-ons, do not allow other applications access to sensor data, authenticate the backend.
Coding techniques
- Code-level controls (based on the principles): what to look for in the code, e.g. a checklist for persistent storage code, identifier schemes, authentication mechanisms, etc.
- Platform-specific how-to's and how-not-to's, common errors and vulnerabilities, sample code (showing how to implement common controls), and a how-not-to app (a mobile version of WebGoat).
- Optionally (stage 2): open source libraries, a mobile version of ESAPI.