Posted by: Robert Westervelt
mobile applications, mobile security
Security assessment reviews an organization’s mobile security policies and technologies, evaluating the mobile security posture against a set of 15 core elements.
Symantec’s consulting team is launching a mobile security assessment service, designed to assess a business’ mobile security policies and defensive technologies.
The new service is an extension of the Symantec Security Program Assessment. Symantec created a Mobile Security Framework that is designed to evaluate how a business addresses mobile device security from a governance, intelligence and infrastructure perspective. Among the 15 core elements that make up the framework are policies, standards and awareness, asset inventory and ownership, application security and monitoring and reporting metrics.
Symantec’s mobile assessment service is one of many available to enterprises. Security vendors have been quick to offer a variety of mobile services and products because businesses have been inundated with employees bringing in personal devices that they expect to connect to the corporate network. For example, McAfee, Verizon Business, IBM and other firms provide a variety of consulting services that can evaluate security programs and more specifically, an organization’s mobile security posture. Experts have been touting ways to write effective mobile security policies to address the influx. Technologies are available to address policy enforcement across platforms and control access to sensitive data.
In an interview with SearchSecurity.com, Franklin Witter, manager of security business practices at Symantec, said his consulting team will use a series of surveys, workshops and interviews to understand the organization’s risk tolerance and practices and technologies already in place. “We want to understand the business use case for mobile technology in the enterprise,” Witter said.
The goal is to lay out a security plan that addresses the strengths and weaknesses inherent in each mobile platform, Witter said. Organizations will get a better understanding of the gaps in their current state of maturity.
Witter said Symantec clients that have undergone a full security program assessment have been asking for a more focused mobile evaluation. “Our advisory team takes a product agnostic approach,” Witter said. “We’re not solely focused on Symantec products.”
The Symantec Mobile Security Assessment Suite costs about $40,000. Organizations that undergo the review are given a final written report and scorecard illustrating the organization’s mobile security readiness. The report also provides recommendations and an action plan to address existing gaps.
Mobile Application Assessment Service
Symantec also rolled out an application assessment service designed to test mobile apps for a variety of coding errors that could lead to data leakage or a costly data breach. Witter said the testing will be offered in either a white-box or black-box testing. The cost of the evaluation will depend on the scope of the project, he said.
The application assessment service has been operating for about a year. Symantec is seeing an increase in businesses designing custom applications for either employee use or for their customers.
The assessment can identify issues with authentication and authorization, data validation, session management, encryption, auditing and logging and the business logic of a mobile application. It can be performed in conjunction with a penetration assessment to provide a more deeper view of vulnerabilities.