
Latest NIST Publications Reinforce the Importance of Application Hardening in Securing Data

Now is the time to seriously look at how you are protecting and securing your applications

The U.S. National Institute of Standards and Technology (NIST) has published two data-security-focused documents in as many months. 

In June 2018, NIST published guidance on assessing requirements for securing unclassified information (NIST Special Publication 800-171A Assessing Security Requirements for Controlled Unclassified Information). 

In July 2018, Special Publication 1800-1, Securing Electronic Health Records on Mobile Devices, was published. It offers a practical guide to meeting the specialized security and privacy obligations associated with managing health records on mobile devices. 

Not surprisingly, both include increasingly prescriptive obligations for application developers. In particular, the recommendations and guidelines continue to stress the importance of including anti-tamper and rooted device detection and response controls—core features of application hardening solutions (like PreEmptive’s Dotfuscator and DashO). A few trends are worth noting.

  • Both documents give special attention to preventing the unauthorized execution of code. Identity management, network security, and personnel training all get their proper due, but it is clear that operations cannot meet these challenges alone. Scalable security must be built into our systems—by default and by design.
  • Layered security requires a multidisciplinary practice to ensure consistent, effective, and integrated controls. Development participation is essential.
  • Prevention is not enough. Incident detection and response behaviors (such as responding to tampering) cannot be ignored by development and left for operations to address on their own. Application controls must be fully integrated into the SDLC and DevOps toolchain.

The referenced NIST documents are long—and even longer if you review all the supporting documents. For illustration, here are some excerpts highlighting these trends (the parenthetical remarks in italics are my added comments). 

800-171A Assessing Security Requirements

3.13.13 SECURITY REQUIREMENT Control and monitor the use of mobile code. (downloading unauthorized code or running tampered code)

ASSESSMENT OBJECTIVE Determine if:

      3.13.13[a] use of mobile code is controlled.

      3.13.13[b] use of mobile code is monitored.

3.14.4 SECURITY REQUIREMENT Update malicious code protection mechanisms when new releases are available. (bad actors invest in evading root detection and other detective controls—continuous improvement is required here in much the same fashion as anti-virus software)

ASSESSMENT OBJECTIVE Determine if malicious code protection mechanisms are updated when new releases are available. (included later is the obligation to respond—both in real-time and in logging when detected)

1800-1A Executive Summary: Securing Electronic Health Records on Mobile Devices

Our risk assessments focused on identifying threats that might lead to: (they focus on exploits that lead to operational, financial, and legal jeopardy)

  • Loss of confidentiality: Unauthorized disclosure of sensitive information
  • Loss of integrity: Unintended or unauthorized modification of data or system functionality
  • Loss of availability: Impact on system functionality and operational effectiveness

Based on our risk assessment, the major threats to confidentiality, integrity, and availability concerning EHRs using mobility are:

  • A lost or stolen mobile device
  • Deliberate misuse: a user who:
    • Roots/jailbreaks device (development responsibility that includes detect and respond behaviors that only development can engineer)
    • Walks away from a logged-on mobile device
    • Downloads viruses or other malware (the first act of malware is often rooting/jailbreaking the device—see above)
    • Uses an insecure Wi-Fi network
  • Inadequate
    • Privilege management (which permits unauthorized rooting and tampering)
    • Access control and/or enforcement
    • Change management (NIST includes application code changes in this category)
    • Configuration management
    • Data retention, backup, and recovery

Do not be lulled into complacency. Protect and secure your applications, even if you don’t do business with the US federal government, don’t need to meet HIPAA requirements, or aren’t focused on mobile apps. With each passing day, these obligations are crystallizing across the financial, supply chain, and general risk frameworks. Every development organization must have a well-documented set of controls and processes to prevent, detect, and respond to runtime attacks and environmental compromises. Are you prepared to demonstrate your viability to business owners, regulators, investors, or customers?

Our implementation of anti-tamper, anti-debug, rooted-device, and other real-time checks has been focused on these exact demands. Want to know more? Contact us or review the following resources.
