January 14th, 2008

Windows Mobile Devices and Security, Part 6

Hi everyone – This is the final post in my series on improving the security of mobile devices. We’ve talked about identifying, categorizing, and prioritizing our mitigation efforts. If you’ve missed any of that discussion, you can start the series here. In this part, we’re going to put together a security plan.

All threats should be entered into Excel or database software. There are also tools that help you capture the data. For example, Microsoft has a free Threat Modeling tool that you can download - visit www.bsquare.com/getthreattool for more information. This tool allows you to easily sort the threats.

Your mitigation plan for each threat should directly translate into coding work items. Just as a design document translates directly into development work, your security mitigation plan needs to do the same. Your mitigation plan is merely a specialized design document.

Threats can also be addressed through coding techniques, such as passwords, local authentication, encryption, secure networking, trust levels, access controls, digital certificates, in-ROM provisioning, digital rights management, and secure boot loaders. Sometimes, you may need to integrate other software products or components like anti-virus, firewall, anti-spyware, anti-phishing, intrusion detection and behavior blocking products or virtual private networking and smart card technologies.

Make sure that you create work items for even minor items – items that you may not have time to address. I’ve had great success entering the mitigation plan into a bug database. You should still enter minor items. You can repeatedly postpone work on them, just as you would a minor bug. By entering it into the database, however, you will not be able to forget about it. That’s especially important if the design or feature set changes and that issue becomes more of a problem in the future.
Also, make sure you share your mitigation plan with your quality assurance engineers. This plan will give them valuable information to design tests that cover the most important issues.

Mobile security threats are growing – not shrinking – and a comprehensive solution resulting from solid research and implemented by all players is the only effective way to respond. It’s impossible to make any system completely secure, but a comprehensive security analysis during the design and development phases of a project allows you to direct your efforts where they will have the greatest impact and will also ensure that you don’t overlook major holes.