NIST said Wednesday that the “Technical Considerations for Vetting 3rd Party Mobile Applications” document covers test requirements, the tools and techniques used to vet apps, software assurance issues, and sample findings and security weaknesses observed in apps.
Tom Karygiannis, a NIST computer scientist, said the guide “describes tests that allow software security analysts to discover and understand vulnerabilities and behavior before the app is approved for use.”
Tests should also be tailored to the organization that will deploy the apps, taking into account its particular security requirements, user environment and context of use, NIST said.
The agency added that users should weigh the productivity benefits of apps against the risk they pose to sensitive and personal data through the vulnerabilities they may introduce.
The draft guidance also recommends that organizations train employees on mobile app security and privacy issues, establish a mobile app vetting process, and apply that vetting throughout the app life cycle.
NIST will accept comments through Sept. 18.