移动应用安全保障公共安全MobileApplicationSecurity

ms6022711
7 ℃
2019-04-15

整理文档很辛苦，赏杯茶钱您下走！

还剩 ... 页未读，继续阅读 >>

免费阅读已结束，点击下载阅读编辑剩下 ... 页

阅读已结束，您可以下载文档离线阅读编辑

资源描述

MobileApplicationSecurityforPublicSafetyMichaelOgataComputerScientist,NISTmichael.ogata@nist.govTradenamesandcompanyproductsmaybementionedduringthispresentation.InnocasedoessuchidentificationimplyrecommendationorendorsementbytheNationalInstituteofStandardsandTechnology,nordoesitimplythattheproductsarenecessarilythebestavailablefortheirstatedpurpose.Disclaimer/Disclosure•Whatarewegoingtodiscuss?NIST’seffortsindefiningandunderstandingmobileapplicationsecurityasitrelatestopublicsafety•Whoisinvolved?PublicSafetyCommunicationsResearch(PSCR)•NationalInstituteofStandardsandTechnology(NIST)•TheNationalTelecommunicationsandInformationAdministration(NTIA)FirstResponderNetworkAuthority(FirstNet)Federal,state,andlocalpublicsafetyorganizationsIntroduction•MiddleClassTaxReliefandJobCreationActof2012Nation’sfirstinteroperablePublicSafetyBroadBandNetwork(PSBN)LongTermEvolutionLTEnetwork•Manypublicsafetyorganizationalreadyuseappsoncommercialnetworks•PublicsafetyhasspecificdomainneedsandrequirementsIntroduction–WhyMobileAppSecurity?TheChangingLandscapeLMRPSBN•EngagingpublicsafetyprofessionalsWorkshopI:PublicSafetyMobileApplicationSecurityRequirementsWorkshopWorkshopII:IdentifyingandCategorizingDataTypesforPublicSafetyMobileApplications•MobileApplicationVettingServices•FutureWorkDiscussionTopics•Allocationoffiniteresources•Localcontrolandfinegrainconfiguration•Definingrolebasedneeds/profilesCommonThemesIdentifyingPublicSafety’sSecurityRequirementsforMobileAppsWorkshopI•HeldFebruary2014•NISTIR8018publishedJanuary2015•Identifysecurityconcernsspecifictopublicsafety•50publicsafetycommunitymembersLawenforcementEmergencyResponseApplicationDevelopersPublicSafetyMobileAppSecurityRequirements•PSBNwillempowerfirstresponders•PSBNcanbenefitfrommobileapplicationecosystem•PSBNwillhavedomainspecificsecurityrequirements•DevelopersmustbeempoweredbytheseImpetus•Identifymobileapplicationsecurityrequirementsforpublicsafety•IdentifyareasofrequiredfurtherresearchWorkshopGoalsAPCOKeyAttributesforPublicSafetyandEmergencyResponse•Operability•UserSupport•Security•Privacy/Confidentiality•Content•LocationInformation•UserExperience•Communicatingwith9-1-1•SendingDatatoPSAPS•InterfacingwithPSAPShttp://appcomm.org/wp-content/themes/directorypress/thumbs/AppComm_Key_Attributes.pdf•InscopeMobileapplicationdevelopmentpracticesMobileapplicationfunctionalrequirements•OutofscopeDevicemanagementApplicationwhitelistingDevicelevelanti-malware/anti-virustechniquesNetworksecurityrequirementsWorkshopScope•BatteryLife•UnintentionalDenialofService•DataProtection•LocationInformation•IdentityManagement•MobileApplicationVettingWorkshopDiscussionTopicsBatteryLifeBatteryLife•Impaired/varyingnetworkavailability•Requirementsforlocationservices•Highbandwidthmediastreams•Extensivefieldtime•ExtremetemperaturesDomainSpecificConsiderationsBatteryLife•DifferentRoleshavedifferentneeds•DifferentSituationshavedifferentneedsDomainSpecificConsiderations•Maximizingbatterylifeisessentialforpublicsafety•Improvingbatterytechnologywillhelp•Measuringapplicationbatteryimpactisnon-trivialApplication’sconstructionResidenthardwareHostoperatingsystemBatteryLifeBatteryLife•Applicationsshouldreportusageusingbatterymetrics•Batteryintensiveapplicationsshouldbeconfigurable•Powermanagementprofiles•Remotely•OndemandbyuserRecommendationsBatteryLife–NextSteps•Evaluateexistingbatteryusagemetrics•Evaluateeffectivenessofpowermanagementprofiles•EvaluatefeasibilityofremotepowermanagementNextStepsUnintentionalDenialofService•Asituationwhereaccesstoawebsite,server,orserviceisdenied,notduetoadeliberateattack,butasaresultofasuddenorsustainedspikeinusertrafficUnintentionalDenialofService(DoS)VoiceVideoLocationUnintentionalDoS•LocalcontrolRemotemonitoringandmanagementThrottleindividualapplicationsStratifyusersbycurrentneed•LTEQualityofServicefeaturesUnintentionalDoSUnintentionalDoS•PSCRPSBNresearchwork:identifyingthelimitationsofthenetwork•Modelingandmeasuringthroughput•ExtendingtherangeofLTEdeployments•Researchingmodelsfornetworkcongest•EvaluatingQoSfeaturesforondemandnetworkcontrolNextStepshttp://www.pscr.gov/projects/broadband/700mhz_demo_net/meetings/stakeholder_mtg_062015/index.htmUnintentionalDoS•Applicationsmustprovetheyusethenetworkinanefficientandresponsiblemanner.•Actionablemetricwhenselectingapps•Targetforappdevelopers•AidesprofilebasedmanagementstrategiesRecommendationsDataProtection•DividedintothreecategoriesConfidentialityIntegrityAvailability•RequirementsmotivatedbylawandpolicyHealthInsurancePortabilityandAccountabilityAct(HIPAA),CriminalJusticeInformationServices(CJIS)SecurityPolicyEvidenceProvenanceDataProtectionDataProtection-BaselineDatatypesFunctionsRolesDataProtection–TieredApproachDataProtection•Dataprotectionspecification•Pros:•EvaluateSDKsforcompliance•Evaluateappsforcompliance•Cons:•AppsmustbetestedImplementationStrategyDataProtection•Developadatadictionary•Applicationsshoulddeclare•Dataconsumed•Datastored•DatatransmittedRecommendationsLocationInformation•Anydatacol