search cancel

Appthority MTP and Industry Standards FAQ

book

Article ID: 173314

calendar_today

Updated On:

Products

Endpoint Protection Mobile

Issue/Introduction

Appthority recognizes and works with industry standards to provide device- and app-level threat detection and protection. These standards include Common Vulnerabilities and Exposures (CVEs) for devices and the Common Vulnerability Scoring System (CVSS) for apps.

Resolution

Common Vulnerabilities and Exposures (CVEs)

The Common Vulnerabilities and Exposures system is a publicly-accessible reference of common and currently-known security vulnerabilities. Appthority MTP can cross-reference this information with a monitored device. For example, in the Device ID tab, a link opens the list of CVEs for that device, if any.

DeviceIDTab_CVEsLink.png

If a CVE is discovered, it links directly to the NIST information about the vulnerability.

CVEListWithCVSSScore.png

In addition to the NIST link, some CVE listings include the CVSS score and a description of the CVE, when available.

Common Vulnerability Scoring System (CVSS)

Threat Indicator Risk Levels and policy scoring are intended to align as much as possible with the Common Vulnerability Scoring System (CVSS) open industry standard. Scores range in order of ascending threat from 0 to 10, with 0 being considered an Informational level and 10 considered the highest risk level.

While the CVSS system uses a more granular numbering scheme, for ease-of-use in dashboard and reporting features the Appthority system uses whole numbers.

The Appthority Mobile Threat Team sets the Threat Indicator Risk Levels by category and ranks those categories by impact to real enterprises. In addition the team considers the severity of compromise in measurable ways, such as confidentiality/availability/integrity, which aligns with the CVSS approach. MTT incorporates confidence values by rating TIs resulting from static analysis, which indicate what an app can do, versus TIs resulting from dynamic analysis, which indicate what an app actually does.

MTP risk categories include:

  • Malicious
  • Data Leakage
  • Vulnerability
  • Suspicious
  • Informational

MTT Researchers individually score each Threat Indicator according to the the level of risk they represent. You can change the default score for non-malicious TI’s in MTP Manager.

Common Weakness Enumerations (CWEs)

CVEs are closely related to Common Weakness Enumerations (CWEs). For more discussion see TIs for CWEs.

Open Web Application Security Project (OWASP) and Mobile Top 10 

The Open Web Application Security Project (OWASP) publishes documents that represent "broad consensus about the most critical security risks to web applications." The OWASP Mobile Top Ten categories list is relevant to mobile app security. 

For a mapping of the OWASP Mobile Top 10 to Threat Indicators see Tips for OWASP Mobile Top 10 Apps

Markets in Financial Instruments Directive (MIFID II)

The Markets in Financial Instruments Directive (MIFID II) of the European Union defines regulations for data security. Appthority supports these standards with a set of Threat Indicators. These are discussed at Tips for TIs Related to Sensitive Communications.

See also TIs for MIFID II Compliance

National Information Assurance Partnership (NIAP)

NIAP is an important standard for government agencies. Customer Success can provide you with information about the Threat Indicators that are relevant to the NIAP standard. Appthority has mapped these standards to Threat Indicators.  

See also TIs for NIAP Protection Profile v1.2, and the NIAP Protection Profile standard.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation 2016/679 (GDPR) regulates data protection and privacy for all people within the European Union and the European Economic Area. See the Wikipedia article for many more details. 

For suggested TIs related to GDPR, see TIs for GDPR Compliance