Appthority recognizes and works with industry standards to provide device- and app-level threat detection and protection. These standards include Common Vulnerabilities and Exposures (CVEs) for devices and the Common Vulnerability Scoring System (CVSS) for apps.
Common Vulnerabilities and Exposures (CVEs)
The Common Vulnerabilities and Exposures system is a publicly accessible reference of common and currently known security vulnerabilities. Appthority MTP can cross-reference this information with a monitored device. For example, in the Device ID tab, a link opens the list of CVEs for that device, if any.
If a CVE is discovered, it links directly to the NIST information about the vulnerability.
In addition to the NIST link, some CVE listings include the CVSS score and a description of the CVE, when available.
Common Vulnerability Scoring System (CVSS)
Threat Indicator Risk Levels and policy scoring are intended to align as much as possible with the Common Vulnerability Scoring System (CVSS) open industry standard. Scores range in order of ascending threat from 0 to 10, with 0 being considered an Informational level and 10 considered the highest risk level.
While the CVSS system uses a more granular numbering scheme, the Appthority system uses whole numbers for ease of use in dashboard and reporting features.
The Appthority Mobile Threat Team sets the Threat Indicator Risk Levels by category and ranks those categories by impact to real enterprises. In addition, the team considers the severity of compromise in measurable ways, such as confidentiality, availability, and integrity, which aligns with the CVSS approach. MTT incorporates confidence values by rating TIs resulting from static analysis, which indicate what an app can do, versus TIs resulting from dynamic analysis, which indicate what an app actually does.
MTP risk categories include:
MTT Researchers individually score each Threat Indicator according to the level of risk it represents. You can change the default score for non-malicious TIs in MTP Manager.
Common Weakness Enumerations (CWEs)
CVEs are closely related to Common Weakness Enumerations (CWEs). For more discussion see TIs for CWEs.
Open Web Application Security Project (OWASP) and Mobile Top 10
NIAP is an important standard for government agencies. Customer Success can provide you with information about the Threat Indicators that are relevant to the NIAP standard. Appthority has mapped these standards to Threat Indicators.
The General Data Protection Regulation 2016/679 (GDPR) regulates data protection and privacy for all people within the European Union and the European Economic Area. See the Wikipedia article for many more details.