Jessica Entwistle
May 8 2026
Earlier this year, Secarma and Secured by Design (SBD), a Police Crime Prevention Initiative, launched SecureApp.
SecureApp is an application security certification designed to help businesses demonstrate that their web and mobile applications meet a recognised security standard.
During our recent webinar, Jennifer Williams, Secarma Managing Director and project lead for SecureApp, spoke with Michelle Kradolfer, National Secured by Design Manager for the Police Crime Prevention Initiative, to discuss the growing urgency for SecureApp.
SBD accreditation ensures that physical security products and services, such as locks, doors, windows and fences, have met a recognised standard.
However, advances in technology have introduced an Internet of Things (IoT) and cybersecurity element to the mix. This means the wider ecosystem must now be secured in its entirety, helping to protect users from cyber risks that could otherwise be left unchecked.
SecureApp and Secure Connected Device certifications have been added to the SBD accreditation to ensure that IoT and cybersecurity products and services are tested, certified and police approved.
Not every product will require all three certifications. To understand the testing needs of a particular product, the SBD team will assess:
Michelle explained:
“For example, if we look at a smart lock, we would require that it be tested against the physical standard. Then we would look at the IoT component, where it would have to be tested against ETSI EN 303 645, which they can also do with Secarma. Then there is the app that would need to achieve SecureApp with Secarma.
“Once we identify the necessary certification level, we assess the level of risk associated with the app itself and send recommendations for the certification routes that the product needs to achieve.”
When Secarma has tested and certified the web or mobile application, the product can become a police approved SBD member.
Secarma evaluates the app against a set of controls, created from best practice guidelines for developing apps.
Traditionally, a penetration test of an application has no limit other than the tester’s creativity and determination. Our consultants explore the application to discover potential routes to compromise, and the customer may guide that exploration if there is a particular outcome they want to test.
In contrast, SecureApp introduces a set of specific testing criteria and constraints, against which there are clear pass or fail scenarios.
Jennifer said:
“We need to know that if this app accepts file uploads, for example, that we can’t upload malicious code as part of that file, and that the app will only accept specific file types.
“If we try to bypass that, then we’re stopped. Or, if we try and upload one of those file types, the app still recognises if malicious code is injected into it, and that appropriate protections are in place.”
All controls must be fully implemented for the app to gain SecureApp recognition. Secarma works with the organisation to remediate any areas that need bringing up to standard, before retesting and awarding SecureApp certification.
The result is peace of mind that the app is secure, with a clean bill of health to share with customers.
Jennifer said:
“It really is a collaborative, consultative approach to getting the app to a good standard. Then we can pass that back to Michelle and her team to give it the seal of approval.”
Secured by Design is police endorsed, acting as a testament to the app’s credibility and helping to establish customer trust.
Many apps fail baseline security checks, exposing users to risks that could affect their personal safety. SecureApp accreditation helps reduce the app’s attack surface, supports protection against common cyber attacks, improves consumer confidence and reduces risk to the business’s reputation.
Michelle said:
“It helps position that app competitively because compliance doesn’t only send a clear message to the wider industry that you have taken the importance of app security very seriously, but it also makes your app one of the very few that can confidently be recommended by police, government, statutory bodies and even charities that are recommending it to the public.”
If you have yet to watch the SecureApp launch webinar with Jennifer and Michelle, you can catch up on demand here.
We’ll be sharing more extracts from the webinar in the final instalment of our blog series, where we’ll discuss the customers already using SecureApp and their experiences becoming fully accredited SBD members.