[Owasp-mobile-security-project] Top 10 Risks and Controls
Jack Mannino
jack at nvisiumsecurity.com
Wed Dec 22 11:06:18 EST 2010
All,
We've posted a few informal lists to the wiki regarding the top 10 risks and
top 10 controls for mobile development.
http://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks
Things admittedly got a bit hectic for a few of us over the past few months,
but heading into the holidays and a slightly lighter Q1 than Q4, we should
be picking up the pace quite a bit. Mike Zusman and myself have been
chatting it up whenever we had a little bit of downtime, but we've both been
slammed pretty hard with each of our workloads.
Credit to Mike Zusman, Jim Manico, and David Lindner for helping to hash out
some of these ideas. In the coming days, I'll also <finally> be posting
some solid threat modeling material and pretty diagrams to the wiki itself.
This material drove our conversations, and in conjunction with our
respective experiences in the space, we derived the top 10 risks and
controls from it.
We'd love some feedback on our first crack at this. Still plenty of work to
be done, but good material for discussion =)
http://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks
Just a few other things we've started to work on and think about in
conjunction with the risks, controls, and threat modeling:
Mobile Assessment Methodologies
Mobile Application Security Verification Standards
Device Security Checklist/Baseline
We feel that the top 10 lists should be development-centric, while the other
sub-projects and guidance can tackle the mobile platforms and hardening.
Happy Holidays to all of you.
Jack Mannino