Application development collection

This guidance provides advice on how to minimise the loss of data from applications running on devices handling sensitive data. It is primarily for risk assessors and application developers, and contains recommendations for the secure developmentprocurement and deployment of generic and platform-specific applications.

  • We recommend that you read the generic application development guidance in full, before you read the platform-specific guidance.
  • Note that the NCSC does not provide services for the assessment of third-party applications; organisations must undertake this work on an individual, per-application basis

About this guidance

This guidance will help you to:

  • ensure sensitive data is protected appropriately when stored and transmitted
  • minimise the opportunity for accidental data leakage across application boundaries
  • ensure only authorised parties can access sensitive information
  • maximise the usability of applications whilst maintaining security in the development phase
  • restrict access to sensitive data to those applications designed to handle such material in a secure manner

In achieving these goals, the following assumptions are made:

  • devices are configured in line with the NCSC End User Device guidance
  • devices could have other third-party applications installed
  • devices will be in a locked state if lost or stolen
  • attackers can gain total control of devices (such as through jailbreaking/rooting) or otherwise gaining administrative privileges

In addition, the following principles are followed throughout:

  • applications that store, process, handle, or have network access to sensitive information should be developed with security in mind from the start, and should be audited and assessed before use
  • use the functionality of modern platforms to enhance the security of applications (this is the focus of the platform-specific guidance)
  • if sensitive information is stored using the platform’s native functionality, then third-party applications may be able to access that information
  • the specific data that applications can access (and the constraints are involved) must be understood with respect to each platform’s security model

Source: NCSC

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!

/by
You might also like
Serviceteam IT Security News How do I stop old USB drives from infecting my new Windows PC?
Serviceteam IT Security News Protective DNS service for the public sector is now live
Serviceteam IT Security News Cyber insiders: network administrators (video)
Serviceteam IT Security News Subtitle Hack Leaves 200 Million Vulnerable to Remote Code Execution
Serviceteam IT Security News Myki data release breached privacy laws and revealed travel histories, including of Victorian MP
Serviceteam IT Security News WhatsApp spyware attack was attempt to hack human rights data, says lawyer