Automated testing with Q-MAST means your Engineering, Security and DevOps teams spend less time and fewer resources on mitigating security, privacy and compliance risks and more time developing your apps.
BOD-2301 - Recently released, Binding Operational Directive 2301 states, “Continuous and comprehensive asset visibility is a basic precondition for any organization to effectively manage cybersecurity risk. Accurate and up-to-date accounting of assets residing on federal networks is also critical for CISA to effectively manage cybersecurity for the Federal Civilian Executive Branch (FCEB) enterprise.”
While BOD 23-01 addresses more of the attack surface and outlines new requirements for cloud assets, operational technology and more in order to reduce cyber risk. The directive requires all Federal civilian agencies to report detailed data about vulnerabilities to CISA at timed intervals using automated tools.
Read the BlogBOD-2301 - Recently released, Binding Operational Directive 2301 states, “Continuous and comprehensive asset visibility is a basic precondition for any organization to effectively manage cybersecurity risk. Accurate and up-to-date accounting of assets residing on federal networks is also critical for CISA to effectively manage cybersecurity for the Federal Civilian Executive Branch (FCEB) enterprise.”
While BOD 23-01 addresses more of the attack surface and outlines new requirements for cloud assets, operational technology and more in order to reduce cyber risk. The directive requires all Federal civilian agencies to report detailed data about vulnerabilities to CISA at timed intervals using automated tools.
Read the Blog
CISA MAV or Mobile App Vetting (powered by Quokka), can perform the needed vulnerability identification in mobile assets automatically, helping Federal Civilian Executive Branch (FCEB) agencies meet the mobile specific requirements in the BOD. Our comprehensive reporting and analysis engine pinpoints potential risks down to the exact line of code with an application, giving developers actionable steps to address and patch their code before it can be used against them.
CISA MAV or Mobile App Vetting (powered by Quokka), can perform the needed vulnerability identification in mobile assets automatically, helping Federal Civilian Executive Branch (FCEB) agencies meet the mobile specific requirements in the BOD. Our comprehensive reporting and analysis engine pinpoints potential risks down to the exact line of code with an application, giving developers actionable steps to address and patch their code before it can be used against them.
”As new mobile threats continue to emerge, businesses are constantly looking for ways to safeguard their data and mobile infrastructures. This NCCoE guide can help businesses feel more confident about securing their mobility programs while continuing to provide their employees with the flexibility of mobile device use.
GEMA HOWELLNIST Computer Scientist
Quokka, formerly Kryptowire, is working with the NCCoE in the Mobile Device Security: Bring Your Own Device NIST SP 1800-22 Practice Guide Second Draft (released November 29, 2022) Use Case/Building Block to develop practical, interoperable cybersecurity approaches that address the real-world needs of complex Information Technology (IT) systems. By accelerating dissemination and use of these integrated tools and technologies for protecting IT assets, the NCCoE will enhance trust in U.S. IT communications, data, and storage systems; reduce risk for agencies and civilians using IT systems; and encourage development of innovative, job-creating cybersecurity products and services.
Securing mobile devices is critical as agencies and businesses extend from office environments to connecting and working from anywhere in the world. Quokka, then Kryptowire, worked closely with NIST as they developed detailed guidelines to address the challenges of securing corporate-owned personally – enabled devices.
NIST does not evaluate commercial products under this Consortium and does not endorse any product or service used.
NIST Special Publication 800-53 [5] provides an extensive catalog of security and privacy controls designed for federal information systems. In addition, the document clearly outlines the process agencies and organizations can take for selecting controls to defend IT systems, individuals and other organizational assets from a variety of exploitable threats, such as hostile cyber-attacks, natural disasters, structural failures and human errors.
”As new mobile threats continue to emerge, businesses are constantly looking for ways to safeguard their data and mobile infrastructures. This NCCoE guide can help businesses feel more confident about securing their mobility programs while continuing to provide their employees with the flexibility of mobile device use.
GEMA HOWELLNIST Computer Scientist
Quokka, formerly Kryptowire, is working with the NCCoE in the Mobile Device Security: Bring Your Own Device NIST SP 1800-22 Practice Guide Second Draft (released November 29, 2022) Use Case/Building Block to develop practical, interoperable cybersecurity approaches that address the real-world needs of complex Information Technology (IT) systems. By accelerating dissemination and use of these integrated tools and technologies for protecting IT assets, the NCCoE will enhance trust in U.S. IT communications, data, and storage systems; reduce risk for agencies and civilians using IT systems; and encourage development of innovative, job-creating cybersecurity products and services.
Securing mobile devices is critical as agencies and businesses extend from office environments to connecting and working from anywhere in the world. Quokka, then Kryptowire, worked closely with NIST as they developed detailed guidelines to address the challenges of securing corporate-owned personally – enabled devices.
NIST does not evaluate commercial products under this Consortium and does not endorse any product or service used.
NIST Special Publication 800-53 [5] provides an extensive catalog of security and privacy controls designed for federal information systems. In addition, the document clearly outlines the process agencies and organizations can take for selecting controls to defend IT systems, individuals and other organizational assets from a variety of exploitable threats, such as hostile cyber-attacks, natural disasters, structural failures and human errors.
CVE-2021-41848: Due to multiple flaws in Simo’s software update process, a third-party app that the user downloads and grants write access to external storage, can provide fake Simo software update files that will be treated as authentic to achieve persistent command and code execution as the root user.
Read MoreCVE-2021-0706: All Android devices running Android versions 10 and 11 allowed third-party apps to disable arbitrary app components, allowing third-party apps to cause the device to persistently crash at startup (requiring the user to wipe the device), create ransomware, bypass third-party lock screens, and weaken platform security. This vulnerability resided in the core Android code (known as Android Open Source Project or AOSP).
Read MoreCVE-2022-22292: Affecting all Samsung Android devices running versions 9 through 12, third-party apps co-located on the device could programmatically install apps, uninstall apps, wipe the device, make phone calls, and install certificate authorities due to a vulnerable pre-installed app.
CVE-2022-27250: Various Android devices with UNISOC chipsets SC9863A, SC9832E, and SC7731E contain a pre-installed app that allows third-party apps to execute arbitrary commands as the system user, obtain the unique device identifiers, leak GPS coordinates, leak various Personally Identifiable Information (PII) such as text messages and call log, wipe the device, record audio, read arbitrary files, and more.
CVE-2021-41848: Due to multiple flaws in Simo’s software update process, a third-party app that the user downloads and grants write access to external storage, can provide fake Simo software update files that will be treated as authentic to achieve persistent command and code execution as the root user.
Read MoreCVE-2021-0706: All Android devices running Android versions 10 and 11 allowed third-party apps to disable arbitrary app components, allowing third-party apps to cause the device to persistently crash at startup (requiring the user to wipe the device), create ransomware, bypass third-party lock screens, and weaken platform security. This vulnerability resided in the core Android code (known as Android Open Source Project or AOSP).
Read MoreCVE-2022-22292: Affecting all Samsung Android devices running versions 9 through 12, third-party apps co-located on the device could programmatically install apps, uninstall apps, wipe the device, make phone calls, and install certificate authorities due to a vulnerable pre-installed app.
CVE-2022-27250: Various Android devices with UNISOC chipsets SC9863A, SC9832E, and SC7731E contain a pre-installed app that allows third-party apps to execute arbitrary commands as the system user, obtain the unique device identifiers, leak GPS coordinates, leak various Personally Identifiable Information (PII) such as text messages and call log, wipe the device, record audio, read arbitrary files, and more.
CISA is proud to expand access to the Mobile App Vetting (MAV) service. CISA granted MAV an Authorization to Operate on February 8th, 2023, acknowledging the service’s key role in combating a growing risk of mobile app vulnerabilities threatening Federal Civilian Executive Branch (FCEB) agencies. Moreover, it is available at no cost to the user.
Read More
Federal agencies are being mandated to deploy a Zero Trust model by 2024 however many overlook the importance of mobile application security. This whitepaper outlines how to avoid this pitfall and exponentially reduce your threat landscape.
Read More
When security, privacy, and discretion are key, federal agencies lean on Q-MAST to establish trust.
Read MoreSubscribe today for news, updates, and insights for your work and live anywhere world.
