Appthority recognizes and works with industry standards to provide device- and app-level threat detection and protection. These standards include Common Vulnerabilities and Exposures (CVEs) for devices and the Common Vulnerability Scoring System (CVSS) for apps.
The Common Vulnerabilities and Exposures system is a publicly-accessible reference of common and currently-known security vulnerabilities. Appthority MTP can cross-reference this information with a monitored device. For example, in the Device ID tab, a link opens the list of CVEs for that device, if any.
If a CVE is discovered, it links directly to the NIST information about the vulnerability.
In addition to the NIST link, some CVE listings include the CVSS score and a description of the CVE, when available.
Threat Indicator Risk Levels and policy scoring are intended to align as much as possible with the Common Vulnerability Scoring System (CVSS) open industry standard. Scores range in order of ascending threat from 0 to 10, with 0 being considered an Informational level and 10 considered the highest risk level.
While the CVSS system uses a more granular numbering scheme, for ease-of-use in dashboard and reporting features the Appthority system uses whole numbers.
The Appthority Mobile Threat Team sets the Threat Indicator Risk Levels by category and ranks those categories by impact to real enterprises. In addition the team considers the severity of compromise in measurable ways, such as confidentiality/availability/integrity, which aligns with the CVSS approach. MTT incorporates confidence values by rating TIs resulting from static analysis, which indicate what an app can do, versus TIs resulting from dynamic analysis, which indicate what an app actually does.
MTP risk categories include:
MTT Researchers individually score each Threat Indicator according to the the level of risk they represent. You can change the default score for non-malicious TI’s in MTP Manager.
CVEs are closely related to Common Weakness Enumerations (CWEs). For more discussion see TIs for CWEs.
The Open Web Application Security Project (OWASP) publishes documents that represent "broad consensus about the most critical security risks to web applications." The OWASP Mobile Top Ten categories list is relevant to mobile app security.
For a mapping of the OWASP Mobile Top 10 to Threat Indicators see Tips for OWASP Mobile Top 10 Apps.
The Markets in Financial Instruments Directive (MIFID II) of the European Union defines regulations for data security. Appthority supports these standards with a set of Threat Indicators. These are discussed at Tips for TIs Related to Sensitive Communications.
See also TIs for MIFID II Compliance.
NIAP is an important standard for government agencies. Customer Success can provide you with information about the Threat Indicators that are relevant to the NIAP standard. Appthority has mapped these standards to Threat Indicators.
The General Data Protection Regulation 2016/679 (GDPR) regulates data protection and privacy for all people within the European Union and the European Economic Area. See the Wikipedia article for many more details.
For suggested TIs related to GDPR, see TIs for GDPR Compliance.