How do you accommodate accessibility?
We have a dedicated page that explains how we make this site more accessible.
Why have you performed this work?
The UK Government commissioned Copper Horse to conduct a study to map the app security (and app store) standards landscape. The UK Government also commissioned Copper Horse to create a website that highlights the findings of this mapping in a clear and accessible way. We aimed to map as many open standards, guidelines and recommendations as possible in order to find commonalities but also the differences or any outliers. The study highlights the need for The UK Government’s Code of Practice because no standards were identified for app stores and there was no unifying standard that covered app security across all device categories. The website’s findings have been displayed using a thematic analysis so that it can helpfully inform stakeholders, such as developers, operators and other governments.
How did you decide the mapping topics?
We conducted a thematic analysis of the documents which resulted in the requirements being split into 14 different topics related to application security.
Will you develop the mapping further?
We plan to update the website regularly as and when applicable document become available. The space is constantly moving and as such, new and updated documentation is always emerging. We’ll keep tracking it as much as possible!
Standards and recommendations are constantly being updated. How up-to-date are these mappings?
Copper Horse’s study was completed in August 2022. We have therefore used the findings of this study to create the website, but we plan to update this site regularly based on newly published and submitted material.
Why didn’t you include x standard or recommendation?
Some documents were reviewed and judged to be out-of-scope. The reasons for this included that the document wasn’t publicly available, hadn’t been published at the time of review, did not include security or privacy requirements, had no specific recommendations, or that the specification was at too much of a specific low level to be practical as a reference. In some cases the standards were pay-to-view and as such we couldn’t access or map them.
Submissions of other documentation for future consideration are welcomed at: appsecuritymapping[@]copperhorse.co.uk.
Why didn’t you update to new version x of our recommendation?
We have observed in some cases, newer versions of recommendations have been issued but on review, the updates have been editorial in nature or are not related to app security mapping work. For those recommendations, we’ve left the mapping at the version we mapped previously. We do however try to keep up-to-date where we can. Please contact us if you feel we’ve missed something.
Is there a downloadable copy of the data available?
Yes, all the data is available as open data on this site in JSON, CSV and ODS formats.
What platform was used to create the visual mappings?
We used MindMeister to provide the visual mappings.
How can I contact you?
Questions related to this site and its contents should be submitted to: appsecuritymapping[@]copperhorse.co.uk .
The standards we’ve mapped against are all free to use, the following list of standards supplied by BSI are considered out-of-scope of this mapping exercise as they require the user to purchase a licence to use them.
- BS ISO/IEC 27034-1
- BS ISO/IEC 27034-2
- BS ISO/IEC 27034-3
- BS ISO/IEC 27034-4 Note this is a draft from 2020. As of August 2020 this is most recent document, although it has not gone to the formal published stage.
- BS ISO/IEC 27034-5
- BS ISO/IEC 27034-6
- BS ISO/IEC 27034-7
- BS ISO 5055