CompTIA and exam development partner viaForensics, a leading mobile security firm, are setting an industry standard for secure mobile app development with the release of the new CompTIA Mobile App Security+ exams. Beta exams are available as of today, and the formal exam release is expected late this summer.
The CompTIA Mobile App Security+ exam has two editions (one for iOS, one for Android) to certify that the successful candidate has the knowledge and skills required to develop secure native mobile applications that ensure secure network communications and backend Web services. Only one exam is required for certification.
"This certification isn't validating skills in developing mobile apps," said CompTIA Vice President of Products Tom Reilly. "It validates that the individual can create secure mobile apps."
Prerequisite knowledge recommended for taking the exams includes Objective-C programming (for the iOS exam), Java programming (for the Android exam), plus SDK, SQL coding, mobile and app security essentials, and encryption implementation for the exam's specific operating system platform.
The Mobile App Security+ exams will test a candidate's knowledge and skill regarding:
- Security principles, secure development life cycles, and threat models
- Security features of software development kits and APIs
- Service and network security
- Data security and implementing encryption
- Application hardening and reverse engineering
- Secure coding practices
You can download the full exam objectives for free.
Beta Testers Needed
Mobile application developers with two years of experience are encouraged to validate their security skills by participating in the beta test for either the iOS edition, exam code "MAPS iOS EB beta"; or Android edition, exam code "MAPS ADR EB beta". The beta tests are free and if test-takers receive a passing score, they will become certified when the formal exam launches.
The beta exam period will remain open until 150 people have registered and taken each exam through CompTIA testing partner Pearson VUE.
A Life Cycle Approach to Security
Guided by CompTIA's exam development team, Oak Park, Illinois-based viaForensics developed the Mobile App Security+ objectives and exam questions. The effort included input from a team of industry subject matter experts with government, corporate and academic experience. The team included experts from viaForensics, as well as Kenneth R. Van Wyk of KRvW Associates, Dominic Chell of MDSec Labs, Jorgen Hjort of Maersk Line, author and consultant Jeff Six, and senior security architect/developer Jared Carlson.
viaForensics regularly educates its clients' developers, security teams and executives on how to write more secure mobile apps, but the company opted to partner with CompTIA rather than brand its own exam and certification. "CompTIA's focus, relationships and reputation in IT skills certification made them a great partner for this from our perspective," said Ted Eull, viaForensics' vice president of mobile services.
In addition, the small- and medium-sized businesses sector served by CompTIA and CompTIA members greatly needs the knowledge and skills certified by the credential. "Small- and medium-sized businesses are driving innovation in this country because in many cases they can adapt far more quickly than the larger companies," said viaForensics CEO Andrew Hoog. "With data as the new gold standard, small and medium-sized companies are just as much at risk."
"Cybercriminals and state-sponsored hackers cast a very wide net, trying to capture intellectual property, strategic information and financial vulnerabilities," Hoog added. "They're interested in whatever they can get their hands on."
The Mobile App Security+ certification will help ensure developers know how to integrate mobile app security into product lifecycles, said Eull, who helped manage the subject matter experts developing the test. "That is the best place to solve these problems: Consumers get more secure apps, and the company saves money because they don't have to retroactively fix security problems."
Preparing Candidates for Future Threats
Timed with the launch of the Mobile App Security+ exam, CompTIA Authorized Learning Content Partner Logical Operations will release instructor-facilitated courseware for the iOS and Android editions. The courseware will be available through the CompTIA Store and Logical Operations' e-commerce store.
"Two huge and growing segments of the information technology sector — mobile application development and security — have been brought together in the Mobile App Security+ curriculum," said Logical Operations Vice President of Content Nancy Curtis, adding that the company will market the courseware to commercial training centers, the corporate/government market, and the continuing education sector.
The CompTIA Mobile App Security+ courseware will cover fundamental theory but be "very hands-on," said Brian Wilson, Logical Operations' Senior Instructional Designer. "The training will build on students' current development skills with a focus on secure app development."
Instructor documentation will recommend setting up a server with mobile device simulators commonly used in Android and iOS app development. In addition, Logical Operations recommends instructors provide some activated mobile devices for students to work with.
"We're making this course very strategic—teaching students how to respond to the most common threats, but also giving them the concepts and procedures necessary to identify and mitigate new threats in an ongoing fashion," added Wilson.