Security classification section contains a list and description of Netguru security levels, along with assets assigned to them. These descriptions and assignments were prepared to categorize applications according to the risk related with processed data and the way it is processed.
Security classification is based on the risk analysis and risk assessment of the project. The main purpose of this process is to select a correct security level based on the risk resulting from the assets being used. The classification and selected level is crucial in security requirements selection process.
This section contains description of all security levels used by Netguru in Security classification. Each level consists of three parts:
- General description
- Questions
- Example apps
General description provides only basic information about a level, whereas questions and popular examples may help reviewer in visualising the range thereof.
Level 0 describes only simple, offline applications, that do not require any input related directly with users. Applications with this level very often perform only simple, closed tasks (clock, alarm), as well as interpret some values or present hardcoded values and behaviours (RxMarbles, Libraries for developers).
Questions
- Does the application work offline?
- Does the application process only generic data (not related to user behavior)?
- Does the application require any kind of authorization or other input data related to the user?
Example apps
Calculator, simple games like 2048, Clock, Alarm, RxMarbles, libraries for developers, etc.
This level should be applied for all applications with only basic integrations and/or processing data related or unrelated to users and their behavior. This level should be also applied to applications which are connected to any kind of public APIs or process publicly available data.
Questions
- Does the application fulfill at least one condition from Level 1?
- Does the application have access to the Internet connection (or have INTERNET permission implemented on Android)?
- Does the application handle user credentials using external tools like oAuth with WebView?
- Does the application connect to any kind of public API?
- Does the application contain keys for public or dedicated API?
- Does the application require user's credentials like email, login, password?
- Does the application gather any kind of sensitive data from device sensors such as GPS location, wireless network data, device configuration data?
- Is the application responsible for managing any kind of private messages?
Example apps
AccuWeather, Wifi Analyzer, Speedtest, Open FM (online radio app), Flashlight (Android), Google Fit, Messenger, Slack, Gmail, YouTube, Calendar, etc.
Level 2 classifies applications that are responsible for processing data directly related to the user and his identity, with the exception of sensitive user data like medical records or bank account credentials. This level also covers applications responsible for processing commercial data and applications related to shopping but with transactions handled by third party providers – credentials related to transaction services like banks are handled outside the application.
Questions
- Does the application fulfill at least one condition from Level 2?
- Is the application responsible for any kind of commercial transactions, including the dedicated APIs, PayPal, in-app purchases, Stripe or any kind third party payment provider?
- Is the application designed for user profiling?
Example apps
Gmail, Facebook, Github, Twitter, Snapchat, Uber, Groupon, eBay, Allegro
Level 3 should be used to classify applications responsible for handling credentials for other systems, especially money related services like banks or credit cards. This level also concerns all applications that are responsible for processing particularly sensitive data related to critical risk like military data, national security data or internal company data. Disclosure of that data may have influence not only on a particular user, group of users, clients or systems but even on global population or large number of users of multiple services.
Questions
- Does the application fulfill at least one condition from Level 3?
- Does the application have any kind of user behavior monitoring like analytics, activity data (e.g. from Google Fit API or Apple Health)?
- Is the application responsible for storing credentials to other systems?
- Is the application working as password manager?
- Is the application responsible for Bank data managing?
- Is the application handling any Credit card credentials?
- Is the application responsible for handling military data?
- Is the application responsible for handling internal corporational data?
- Is the application responsible for handling database of many users locally?
Example apps
Internal applications of large corporations or institutions, banking apps, PayPal, 1Password, KeePass etc.
This specification contains a list of levels with associated assets for each one. This association is the key value of level definition. To better present levels definition, this table also contains overall risk associated with certain security levels. Furthermore, each level is applied to any asset covered by the lower level and needs to have at least one asset for a certain level to be classified with it.
Level | Overall Risk | Assets | ||||||||
0 | Low |
Data types
Access permissions
|
||||||||
1 | Medium |
Data types
|
||||||||
2 | High |
Data types
|
||||||||
3 | Very high |
Data types
|