European Union Agency for Network and Information Security

New cyber security information service launched today by ENISA

Thu, 06/15/2017 - 10:50

“Cyber Security Info Notes” are short papers produced by ENISA on information security topics, which aim at highlighting assessed facts regarding information security related incidents and developments. The main focus is on providing an independent and ‘calm’ opinion and on advising stakeholders targeted by these incidents/developments.

The philosophy and goals of the Agency’s information service are to provide an expert point of view that is not driven by urgency. “Cyber Security Info Notes” deliver a neutral, balanced and comprehensive point of view, together with recommendations. This work consists of a synthesis of both publicly available material and own experience.

ENISA has updated and enhanced its existing “Info Notes” service with the aim of producing useful information for its stakeholder communities based on all of the Agency’s work. The content covers a wide range of cybersecurity information e.g. vulnerabilities, threats, incidents, developments etc.

In addition ENISA aims to establish context out of security information. This contribution will be achieved by putting current events, incidents and news into the context of internal and external work.

ENISA’s Cyber Security Info Notes will be published on a regular basis (1-2 per month) and on a per request basis such as during the event of important cyber security incidents.

For more information visit ENISA’s Cyber Security Info Notes section.

“Disinformation operations in cyber-space”

The first Cyber Security Info Note titled “Disinformation operations in cyber-space” outlines the emergence of disinformation campaigns in cyber-space. In the context of disinformation operations, the note provides an overview of the trending threat of "tainted leaks" and depicts the mitigation approach used against a recent disinformation campaign.

For the full note: Disinformation operations in cyber-space


Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:


CSIRT maturity evaluation process - How is CSIRT maturity assessed?

Mon, 06/12/2017 - 14:30

In ENISA's new report, CSIRTs will find a comprehensive overview of the assessment parameters, which has also been turned into an online survey tool for direct maturity self-assessment.

The CSIRT maturity improvement process includes a survey with questions and answers for all the parameters of the commonly used SIM3 (Security Incident Management Maturity Model), which makes it considerably easier for any CSIRT team to self-assess its maturity in terms of SIM3. The survey comes with a mapping to the proposed CSIRT maturity scale (with the steps basic, intermediate and certifiable), so that a team member who uses the survey can self-assess the team's maturity on that scale.

As an additional element of the evaluation process, ENISA suggests a peer review methodology: a way of conducting peer reviews between trusted teams, complementary to the self-assessment approach and intended as a form of intra-community mutual support aimed at further enhancing all teams' maturity. The proposed peer review approach is flexible and is expected to suit the needs of all teams involved.

For the full report: Study on CSIRT Maturity – Evaluation Process

For the survey tool (beta version): CSIRT Maturity - Self-assessment Survey

The EU Network and Information Security Directive (NISD) creates a CSIRTs network "to contribute to developing confidence and trust between the Member States and to promote swift and effective operational cooperation". The Directive states that each Member State shall designate one or more CSIRTs which shall comply with the requirements set out in point (1) of Annex I (requirements), covering at least the sectors referred to in Annex II and the services referred to in Annex III, responsible for risk and incident handling in accordance with a well-defined process.

The Directive gives high-level requirements that designated CSIRTs must observe, and tasks that they must perform.

ENISA has carried out a considerable amount of work in the CSIRT area, and this work contributes by sharpening the role of ENISA in helping CSIRTs on their way to a higher maturity level. With this new practical guide, CSIRTs will be better prepared to protect their constituencies and to improve their team's maturity.

Opening the ENISA Annual Privacy Forum 2017

Tue, 06/06/2017 - 15:11

With a view to stimulating interactive discussions, identifying new trends and producing compelling input to policy making, APF17 brings together representatives from policy, academia and industry as well as the law enforcement community (Europol / EC3), the EDPS and civil society.

Notable speakers in this year's edition of the ENISA APF include: Wojciech Wiewiórowski (EDPS), Prof. Reinhard Posch (TU Graz & Austria Chief Information Officer), Peter Fleischer (Google) and many more. Compelling discussions are expected in the interactive panels, which include "Privacy regulation in a global context" and "Lawful interception and PETs".

ENISA's Head of Stakeholders Relations and administration department, Mr. Paulo Empadinhas, will open the conference tomorrow at 9.00 a.m. together with the Dean of University of Vienna, Prof. Paul Oberhammer, and Prof. Erich Schweighofer.

APF17 is, for the first time, streamed live at:

Stay connected with #APF17: follow @PrivacyForum_EU and @ENISA_eu on Twitter, and the dedicated site.

“Mastering the Power of Connectivity”: Udo Helmbrecht speaks about 5G infrastructure & connectivity at the Connected Citizens Summit 2017

Wed, 05/31/2017 - 20:15

The summit, which was co-hosted by the newspapers Politico and Welt, gathered more than 100 participants from the private and public sectors: European institutions, national ministries, international organisations, city governments, civil society organisations and companies across major sectors.

Udo Helmbrecht, together with MEP Pilar del Castillo, joined the discussion on infrastructure and answered the question "Are we equipped to master connectivity?". Udo Helmbrecht noted that cyber security is still underdeveloped, specifically for IoT components, and that there is still a need for investment in digital skills and infrastructure from the EU level, Member States and the private sector. Talking about security improvements through the new Telecom Code, which is expected to be adopted by the end of 2017 or early 2018, ENISA's Executive Director said: "The new improvements will certainly contribute to a more secured and harmonised telecommunications environment across Europe".

For more information about the Connected Citizens Summit 2017:

Related material:
ENISA study on Analysis of security measures deployed by e-communication providers

Visit to ENISA by the Agency's Management Board Chair and Vice-Chair

Wed, 05/17/2017 - 22:00

The objective of the visit was the exchange of views on a variety of subjects associated with ENISA's work programme 2018, the review of the Agency's mandate and the challenges and opportunities associated with it.

In addition, the programme during the visit included:

  • Meeting with ENISA's Executive Director Udo Helmbrecht and staff, for an update on the WannaCry outbreak and ENISA's role in the collaboration among EU Member States.
  • A discussion on matters related to ENISA's Management Board activities.
  • Meeting with the Agency's staff.

For more information: ENISA Management Board

National Liaison Officers meet today at ENISA

Wed, 04/26/2017 - 14:59

During the meeting, NLOs exchanged views with ENISA experts and elaborated on the objectives of the year.

The meeting included discussions on the future role of NLOs following the implementation of the NIS Directive and the new ENISA mandate, as well as updates on upcoming events by ENISA such as the European Cyber Security Month (ECSM), the European Cyber Security Challenge (ECSC), and ENISA’s role in the NIS Directive Co-operation Group and the CSIRTs Network.

National Liaison Officers are the first point of contact of ENISA in the Member States, acting as ‘facilitators’ for ENISA activities within their countries. The Network currently comprises thirty-five members of the EU Member States, EEA countries and the European Institutions.

For more information visit ENISA NLOs Network page.

Danish assessment of the cyber threat against Denmark

Fri, 04/21/2017 - 16:46

The report addresses the threat from cyber activities against Danish authorities and private companies. The main threat emanates from state-sponsored cyber espionage and from cyber crime. State and criminal hackers are continuously developing their skills, and their attack methods are growing ever more sophisticated.


For the full report: The cyber threat against Denmark

'Secure the communications of mail servers' - new factsheet by NCSC

Thu, 04/20/2017 - 15:52

Traditionally, connections between mail servers have hardly been secured. STARTTLS is an extension that adds connection security to existing protocols. If you only use STARTTLS to secure connections between mail servers, this protects against so-called passive attackers, who can merely observe traffic. An active attacker, who can modify traffic, can easily undo the use of STARTTLS by stripping the offer so that the connection falls back to cleartext. The DANE protocol allows you to indicate verifiably, through DNSSEC-signed DNS records, that your server offers a secure connection, so that a sending server can detect such a downgrade instead of silently accepting it.

The NCSC recommends enabling STARTTLS and DANE for all your organisation’s incoming and outgoing email traffic.

The National Council Digital Government decided in September 2016 to include STARTTLS and DANE for email traffic in the list of compulsory open standards. It is therefore compulsory for Dutch government bodies to apply these standards when investing in email systems.

The standards STARTTLS and DANE are also part of the initiative 'Secure E-mail Coalition', a partnership of businesses, trade associations and governments. This initiative is aimed at broader adoption of email security and up-to-date standards. This factsheet supports organisations that want to start using these standards.
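As an added example (not code from the NCSC factsheet or from ENISA), the following Python models the decision a DANE-aware sending mail server makes for the three situations the factsheet describes: STARTTLS alone, an active attacker removing the STARTTLS offer, and DANE with a TLSA record. The certificate bytes, the TLSA record and the EHLO replies are constructed placeholders rather than real DER, DNS data or live SMTP traffic, and only TLSA usage 3 (DANE-EE) matching is modelled.

```python
"""Model of how a sending mail server decides to deliver to a remote MX.

Added example, not NCSC's or ENISA's code. Certificate, DNS and SMTP inputs
are constructed byte strings and text; only DANE-EE (usage 3) is modelled.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSARecord:
    """One TLSA record in its RFC 6698 presentation fields."""
    usage: int          # 3 = DANE-EE: the end-entity certificate itself must match
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact data, 1 = SHA-256, 2 = SHA-512
    data: bytes


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse e.g. '3 1 1 <hex>' as it would appear in a zone file."""
    usage, selector, mtype, hexdata = presentation.split()
    return TLSARecord(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))


def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented certificate satisfies a DANE-EE (usage 3) record."""
    if record.usage != 3:
        return False  # other usages need chain validation; not modelled here
    selected = cert_der if record.selector == 0 else spki_der
    if record.matching_type == 0:
        return selected == record.data
    if record.matching_type == 1:
        return hashlib.sha256(selected).digest() == record.data
    if record.matching_type == 2:
        return hashlib.sha512(selected).digest() == record.data
    return False  # unknown matching type: treat as no match


def ehlo_offers_starttls(ehlo_response: str) -> bool:
    """Check whether the EHLO reply lists the STARTTLS extension (RFC 3207)."""
    for line in ehlo_response.splitlines():
        if line.startswith(("250-", "250 ")):
            keyword = line[4:].split(" ", 1)[0]
            if keyword.upper() == "STARTTLS":
                return True
    return False


def plan_delivery(ehlo_response, tlsa_records, cert_der, spki_der) -> str:
    """Decide how a DANE-aware sender handles the remote MX.

    Returns one of:
      'cleartext'         no STARTTLS offered, no TLSA records: deliver in clear
      'tls-opportunistic' STARTTLS offered, no TLSA records: encrypted, unverified
      'tls-verified'      TLSA record present and matched: encrypted and verified
      'refuse'            TLSA records present but STARTTLS missing or cert mismatch
    """
    offers_tls = ehlo_offers_starttls(ehlo_response)
    if not tlsa_records:
        return "tls-opportunistic" if offers_tls else "cleartext"
    # DANE in effect: DNS says TLS is expected, so a missing STARTTLS offer or
    # a non-matching certificate is a detected downgrade, not a fallback.
    if not offers_tls:
        return "refuse"
    if any(tlsa_matches(r, cert_der, spki_der) for r in tlsa_records):
        return "tls-verified"
    return "refuse"


# Constructed sample data (not real certificates, DNS answers or SMTP servers).
CERT_DER = b"constructed-end-entity-certificate-bytes"
SPKI_DER = b"constructed-subject-public-key-info-bytes"
OTHER_SPKI_DER = b"constructed-key-that-does-not-belong-to-the-mx"
SAMPLE_TLSA = "3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest()

EHLO_WITH_STARTTLS = "250-mx.example.test\n250-SIZE 52428800\n250-STARTTLS\n250 HELP"
# The same reply after the STARTTLS line has been removed in transit.
EHLO_STRIPPED = "250-mx.example.test\n250-SIZE 52428800\n250 HELP"


if __name__ == "__main__":
    record = parse_tlsa(SAMPLE_TLSA)
    for label, ehlo, tlsa, spki in [
        ("STARTTLS only", EHLO_WITH_STARTTLS, [], SPKI_DER),
        ("STARTTLS stripped, no DANE", EHLO_STRIPPED, [], SPKI_DER),
        ("STARTTLS + DANE", EHLO_WITH_STARTTLS, [record], SPKI_DER),
        ("STARTTLS stripped, DANE", EHLO_STRIPPED, [record], SPKI_DER),
        ("DANE, wrong key", EHLO_WITH_STARTTLS, [record], OTHER_SPKI_DER),
    ]:
        print(f"{label:28s} -> {plan_delivery(ehlo, tlsa, CERT_DER, spki)}")
```

The second scenario is the one the factsheet warns about: without a TLSA record the sender has no way to know that STARTTLS was ever offered, so it delivers in cleartext; with the record published, the same stripped reply leads to a refusal and the message stays queued rather than being exposed.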

For more information:

ENISA wins award for Excellence in innovation-transformation at EU Ombudsman Award for Good Administration

Fri, 03/31/2017 - 10:08

The Agency's project on Redefining European cyber cooperation is a cyber-crisis simulation executed in real time (over 48 hours) following two years of planning.

This achievement reflects the continuous efforts of ENISA in innovation, creativity and effectiveness in achieving its goals. It also reflects the Agency's work towards developing projects that have a high impact on and involve the Member States and bring added value to the EU.

Launched in October 2016, the initiative aims to highlight efforts and share best practice within the wider administration of Member States, recognising the contribution of staff at an individual and team level.

The project brings together top IT experts from banks, cybersecurity, transport and energy companies from all Member States. Over the project's lifetime, more than 1000 participants were trained and benefited from the programme.

Ninety (90) projects were nominated from EU Institutions, agencies and other bodies. ENISA competed with sixteen (16) projects under the innovation and transformation category.

Cybersecurity is an area which relies upon the cooperation of all involved parties and the exchange of best practices.

The award also reflects the collaboration across all the Member States in their efforts to respond to cyber threats, and is as much theirs to take pride in. We urge all partners to continue their commitment and hard work together in ensuring cyber excellence, awareness and security across the EU.

EU Ombudsman press release

Follow updates on #Eoaward @EUombudsman

Find out more about Cyber Europe 2016 organised by ENISA

Celebrating #EU60 years of the Treaties of Rome

Thu, 03/23/2017 - 22:00

On March 25th 1957, the Treaties of Rome were signed by the governments of Belgium, France, Germany, Italy, Luxembourg and the Netherlands. The Commission is celebrating the 60th anniversary with a number of events and activities.

European Commission: The main event organised by the Commission will be Citizens' Dialogue with the HRVP Mogherini on 24 March between 12.00 and 13.30 in the Acquario di Roma in central Rome. The Dialogue, to be attended by 250-300 citizens and (mainly) Erasmus students in Rome, will be focused on the options for the future of the EU, and the difference that the EU should make for the future generations.

The Directorate-General for Education and Culture organises a Jean Monnet Seminar "The Future of Europe: a commitment for You(th)" on 23 and 24 March. The Seminar will be attended by around 100 participants, mainly Jean Monnet professors and youth representatives.

The Directorate-General for Communications Networks, Content and Technology (CNECT) organises the Digital Day, a high-level event with five Commissioners and ministers from all Member States, on 23 March. Check the agenda:

In all EU Member States events are being organised by the EC Representations. A list of these events is available on the inter-institutional webpage dedicated to the 60th Anniversary in the section "Find events in your country".

EU Institutions: Events will also be organised by other EU Institutions. A list of these events is available on the inter-institutional webpage dedicated to the 60th Anniversary. The Italian Government will host and organise different events to promote the 60th anniversary. A list of such events is available on the website of the Italian department for European Politics.

Furthermore, don’t miss:

  • Video testimonials about Europe reflecting the diversity of citizens and languages in all Member States and three EU Delegations (Bangkok, UN-New York, Rabat).
  • GIF competition – EU GIF story: Participants are invited to create a GIF based upon AV Service's archive material, depicting a series of historical moments in the EU's history. All #EU60 GIFs will be shared on the Commission's social media and ultimately hosted on the European Commission's Giphy profile. Winners to be announced on 23 March.
  • EU60in60: a 60-second time-lapse video clip giving a glimpse of EU history, spanning from today back to the signing of the Treaty of Rome. The clip features the main political milestones of EU integration, as well as major social and cultural events over that period. Link to the clip:
  • Documentary clip telling the story of the EU's integration since the signing of the Treaties of Rome.

All above audio-visual material will be hosted and available for download on the European Commission's Audiovisual Service focus page.


Get active on social media - Share, Update, Tweet!

Share the EU Flag via Instagram from 25 March! Share pictures, paintings, photos of the EU flag under a common hashtag. Update profile pictures to one bearing the EU60 Visual Identity. When tweeting the hashtag #EU60 an EU flag will appear.

Follow #DigitalDay17

Related material

Inter-institutional page about the 60th anniversary (available in all EU languages)

European Commission's Audiovisual Service focus page about the 60th anniversary (in EN and FR).

Website of the Italian Government about the 60th anniversary (available in IT, EN and FR)

The European Story – 60 years of shared progress (available in EN)

Europe's future is digital: EU countries to commit in Rome to go deeper and further on digital

ENISA at CeBIT: The role of cybersecurity within the new digital environment

Wed, 03/22/2017 - 13:55

ENISA participates at this year’s CeBIT event with its own booth for the first time. With its presence the Agency aims to raise awareness on cybersecurity and the work it delivers on key themes such as:

  • The Internet of Things
  • Smart homes
  • Smart cars and smart hospitals
  • Critical infrastructure
  • Blockchain technology and mobile payments
  • Standardisation and certification
  • Training
  • Privacy and virtualisation
  • And much more

ENISA experts on-site liaised with visitors providing insights on ENISA’s work generating interest and participation.

ENISA's Head of Core Operations, Dr Steve Purser, delivered the keynote address at the Global Industry Club at CeBIT's International Cybersecurity Conference taking place in Hannover. Speaking to German industry representatives on 'Dealing with technology evolution - from policy development to implementation', Purser gave an overview on:

  • Economic considerations and how cybersecurity can act as an economic enabler
  • How ENISA works with stakeholders to influence policy development. Key focus areas involved the implementation of the NIS requirements, GDPR and data breach reporting and the new eIDAS regulation on security incidents
  • Aligning skill-sets with industry needs, looking into exercises and the cybersecurity challenge
  • Implementation, and specifically on identifying and spreading good practices using SMART approaches as an example
  • Challenges and opportunities within cybersecurity

The discussion with Purser continued during the day at the panel on 'New experiences, challenges and changes in some global conditions - how to manage Cyber Security?' with representatives from the public, academic and industry sectors.


Visit ENISA’s booth

To find out more about the Agency's work on cybersecurity, visit ENISA at Hall 6 - Stand E16.

Related material by ENISA:

ENISA's work on IoT and Smart Infrastructures including smart homes, smart cities, smart airports, smart cars, smart hospitals and more

ENISA report on blockchain technology and security

Security of Mobile Payments and Digital Wallets

How to protect critical infrastructures

ENISA study on the security aspects of virtualization

Smartphone Development Guidelines

ENISA online training material

Gaps in NIS standardisation

Challenges of security certification in emerging ICT environments

PETs control matrix: A systematic approach for assessing online privacy tools

Getting ready for the next European Cyber Security Challenge

Fri, 03/17/2017 - 10:20

The first meeting of the representatives participating in the European Cyber Security Challenge 2017 (ECSC'2017) took place in Brussels on the 15th and 16th of March.

A number of topics were addressed during the two days relating to the governance of the ECSC competitions, the lessons learned from ECSC'2016 as well as the planning for the ECSC'2017 final event which will take place in November in Spain.

For further information on the European Cyber Security Challenge please refer to

Gaps in NIS standardisation: Mapping the requirements of the NIS Directive to specific standards

Wed, 03/15/2017 - 13:30

The aim of the study is to provide a mapping of the technical requirements of the NIS Directive to existing standards, to identify gaps and overlaps in related standardisation and provide recommendations for the future work in this area.

The report identifies a relatively small number of gaps and areas of overlap in standardisation where there is no clear best practice to be adopted, partly due to the diversity of the current standardisation ecosystem. This leads to several recommendations:

a) It is recommended that the European Commission adopt a standards-based framework for the exchange of threat and defensive-measure information that impacts the functioning of Network Information Infrastructure (NII), with the support of the Member States pursuant to the NIS Directive. The capabilities from this framework underscore NII as a Critical Infrastructure of the EU and its Member States and can further act as a manual and reference point.

b) ENISA urges the adoption of open standards in threat exchange. This translates into increased interoperability and improved cooperation and information sharing. In this context, the risk analysis and defensive-measure capabilities defined in current standards should be extended, to allow Member States to address the Network Information Infrastructure and NIS provisions necessary to mitigate risk at both a national and a regional level.

c) At another level, it will be useful to highlight the similarities between the USA Cybersecurity Act and the NIS Directive and promote possible synergies in the application of standards.

The publication coincides with the announcement of the European Commission’s Rolling Plan for ICT Standardisation, which aims at providing a bridge between EU policies and standardisation activities in the area of ICT.

Full report available online

For more on the subject and press enquiries please contact Tel. +302814409576

#APF17: Call for Papers

Thu, 03/09/2017 - 10:15

This year's edition is organised in the light of the implementation of the newly promulgated General Data Protection Regulation (GDPR) and the recent EC proposal for a Regulation on Privacy and Electronic Communications. Even the best legislative efforts face the challenge of keeping up with the pace of innovative technology and business models that challenge the way personal data is processed and privacy is protected across the EU and beyond; examining what is at stake and where threats originate therefore becomes of paramount importance.

Get involved to:

  • learn from the professionals in the field
  • participate in a high level debate
  • discover the trends for the future
  • network with key players in privacy and NIS

The call for papers is open until 31st March. To submit your paper please use the conference's EasyChair page.

Call for papers: At APF 2017, we invite papers presenting original work on the themes of data protection and privacy and their repercussions on technology, business, government, law, society, policy and law enforcement. An interdisciplinary approach, as well as the proposal of new models and interpretations, is in high demand to help bridge the gap between research, business models and policy.

Multidisciplinary papers are particularly welcome, making explicit how the presented work can contribute to bridging the gap between research and policy.

Contributions from policy makers, representatives of competent authorities such as Data Protection Authorities, industry experts, NGOs and civil society associations are particularly welcome. Detailed information, and the aspects with which research and opinion papers should deal, are available at:

Submissions must be written in English, should not exceed 8000 words and need to comply with the Springer LNCS style guide. Authors must submit their papers by the deadline indicated on the conference web site and follow the requirements stated there. Papers will be published in the proceedings of the conference with a publishing house soon to be selected and announced.

Related material:

  • APF 2016 report
  • Last year in Frankfurt at APF 2016, ENISA and its partners proposed a technology readiness platform for privacy enhancing technologies. A report on the current situation and the roadmap of the ongoing project is available online

To receive the latest news and updates sign up for the RSS feeds, follow #APF17 and @PrivacyForum_EU on Twitter and the dedicated site

About APF 2017:
ENISA, DG CONNECT, and the Law Faculty of the University of Vienna, Arbeitsgruppe Rechtsinformatik, jointly organise the two-day event with the objective of providing a forum to academia, industry and policy makers.

For information please contact the APF Committee via the following link

For press enquiries please contact Tel. 2814 409576

ENISA and national supervisory bodies agree reporting scheme on security incidents for European TSPs

Wed, 03/01/2017 - 10:55

ENISA publishes its security incident reporting framework for TSPs (Trusted Service Providers) in the context of the new European eIDAS regulation.

ENISA supports supervisory bodies with the implementation of national incident notification schemes. The objective of this proposal is to support efficient and harmonized incident notification schemes across the European Union.

The document is produced in close collaboration with representatives from the European Commission, national supervisory bodies and other competent authorities in the field of trusted services.

The Agency has also developed a tool which enables supervisory bodies to submit their national reports to ENISA and the Commission. For the next year, ENISA will further work on the analysis of the collected data by developing a visualisation tool.

Full report available here

For interviews and press enquiries please contact Tel. +30 2814 409576

Guidelines on Incident Notification for Digital Service Providers

Tue, 02/28/2017 - 10:42

The EU's first mandatory incident notification requirements for DSPs, part of the first EU-wide set of rules on cyber-security, are a major step towards achieving a common level of cyber-security across the Union. ENISA's comprehensive technical guideline supports stakeholders in addressing mandatory incident notification for Digital Service Providers (DSPs) in the context of the NIS Directive. Based on the requirements of the Directive and valuable input from Member States and DSPs directly impacted by the Directive, this guideline covers the following topics:

  • identifying types of incidents to be reported
  • definitions and clarifications on parameters and thresholds
  • defining substantial incidents
  • description of the incident reporting process and the stakeholders involved
  • cross border sharing of incidents
  • identification of DSPs

This report represents an outline technical proposal used as input for the discussions regarding the implementation of article 16 of the NIS Directive, concerning mandatory incident notification for DSPs.

The full report is available here

For media and press enquiries please contact Tel: +30 2814 409576

ENISA participates at first formal CSIRT Network Meeting

Thu, 02/23/2017 - 14:35

The CSIRT Network, as defined by the NIS Directive, held its first formal CSIRT Network Meeting, organised by the Maltese Presidency in Sliema, Malta, on February 22nd and 23rd. ENISA, along with representatives from the European CSIRT Community, CERT-EU and the European Commission:

  • Presented work relevant to the group's capabilities and their improvement
  • Adopted the Terms of Reference and Rules of Procedure that define the group

Among other things, the CSIRT Network adopted the short-term goals to be pursued over the next 18 months, and formed the Working Groups for their execution.

More about the meeting available here.

Security Measures for Digital Service Providers

Thu, 02/16/2017 - 13:55

ENISA issues this report to assist Member States and DSPs in providing a common approach on the security measures for DSPs. The study describes the high-level security objectives by providing security measures and examples of implementation concerning DSPs and in particular:

  • Cloud computing service providers
  • Online marketplaces
  • Online search engines

With this study ENISA tries to:

  • Define common baseline security objectives for Digital Service Providers (DSPs).
  • Describe different levels of sophistication of security measures which fulfil the abovementioned security objectives
  • Map the security objectives against well-known industry standards, national frameworks and certification schemes.

The report, together with other relevant technical standards, has been used as input to the discussions on the implementation of article 16(1) of the NIS Directive concerning the security measures of DSPs.

The NIS Directive aims to develop cybersecurity capabilities across EU Member States. Commonly defined security measures can support harmonised security practices across Member States and potentially enhance the overall level of NIS in the EU.

Full report available online

For interviews and press enquiries please contact Tel. +302814409576

ENISA study on the security aspects of virtualization

Fri, 02/10/2017 - 13:32

The final objective is to provide the basis to understand the main issues and challenges related to the security in virtualization, and provide a look at common best practices to implement a secure virtualised environment.

Virtualization refers to the set of activities aimed at creating a virtual version of real components, including computer hardware platforms, operating systems, storage and networking. It is nowadays at the basis of server and desktop infrastructures, cloud computing, networking and containerisation.

Virtualised environments are pervasively adopted and are therefore increasingly becoming targets of cyber-attacks. Increasingly elaborate and specialised attacks are being devised to exploit vulnerabilities and weaknesses at the virtualisation layer. The recent and widespread adoption of virtualisation technologies has changed the traditional view of ICT, as virtualisation can provide a dramatic increase in the efficiency and effectiveness of complex organisations and communities. It is also expected to constitute an important technological pillar of a thriving data-driven economy and the European digital single market.

However, virtualisation technologies bear a number of different security risks. Some of them are shared with traditional computing environments, including issues affecting operating systems, communication protocols and applications, and these can be exacerbated by the presence of virtualised components, producing a greater security impact. On the other hand, virtualisation also introduces a number of specific security issues requiring ad hoc solutions.

Full report is available online

For interviews and press enquiries please contact Tel. +30 2814409576

ENISA issues Smartphone Development Guidelines

Fri, 02/10/2017 - 08:42

The document is written for developers of smartphone applications as a guide for developing secure mobile applications and defending against mobile attacks.

Every day, new applications are built for different mobile platforms, bringing along also new attacks.

Poorly built applications could lead to data theft and/or financial loss[1]. To protect end users and to ensure safe and secure communications, the security of mobile applications is a key priority for mobile application developers.

Following the success of the first edition of the Smartphone Development Guidelines, ENISA publishes an update to the document and adds new sections to address recent developments, such as the use of biometric sensors, application integrity and client-side injections. The guidelines aim to cover the entire spectrum of attacks that developers of smartphone applications should consider when building mobile apps. These include:

  • Identify and protect sensitive data
  • User authentication, authorization and session management
  • Handle authentication and authorization factors securely on the device
  • Ensure sensitive data protection in transit
  • Secure the backend services and the platform server and APIs
  • Secure data integration with third party code
  • Consent and privacy protection
  • Protect paid resources
  • Secure software distribution
  • Handle runtime code interpretation

In addition, new sections have been added to cover new attacks that abuse biometrics and clients:

  • Device and application integrity
  • Protection from client side injections
  • Correct usage of biometric sensors

Full report is available online

For interviews and press enquiries please contact Tel. +30 2814409576
