Discover Performance: HP Software's community for IT leaders // September 2012
Building mobile apps means a focus on cloud security
The rapidly growing number of cloud-based services for mobile apps is a godsend to developers. But what are the security ramifications? Here are four things to consider.
Mobile apps are becoming a kind of gateway drug to the cloud: developers increasingly rely on cloud-based services for tasks such as logging, notifications, and billing and payments, so they can focus on the app's client logic and leave the server-side features to the cloud. The result is faster delivery of a better app, one that puts the richest available functionality into users' hands.
But what makes it faster and cheaper may also make it riskier: mobile apps are increasingly dependent on cloud services that the apps team didn't build, the organization doesn't own, and the ops team doesn't even know about. To create effective mobile apps, then, you must be able to have confidence in the cloud.
Given the increasing breadth of the mobile ecosystem, it’s crucial to understand where the weak security links exist. Essentially, there is a threat in every layer: the mobile client, the network and the server. When you use cloud services in a shared environment, you’re at risk from weaker adjacent apps. Many third-party components and web services aren’t secure and perhaps haven’t even been tested. Plus, you may be trusting highly sensitive data—customers’ PINs, passwords, messages, account numbers, photos and documents—to services that you don’t own.
Apps teams can’t roll the dice on mobile security. Here’s how to make your own luck when using third-party services in the cloud.
1. Realign priorities around security.
Before you can consider the quality of someone else’s security, you must get your own house in order. Organizations are accustomed to asking, “Will the application work in production?” and “Will it scale and perform well under load?” But now they must ask a third question: “Will it be secure?”
2. Address the application fundamentals.
Now that you’re asking questions about your applications’ security, you’d do well to actively improve it. Ensure that your developers are coding with security in mind, starting before they ever write that first line of code. Aside from the security benefit, you will also increase development productivity, because you’ll avoid the rework that inevitably comes when you add in security after the fact. And with the time you save, you can spend valuable development resources and time on innovation instead of firefighting, troubleshooting and fixing vulnerabilities.
Also, developers must pay attention to security when selecting and consuming external services. Understand your IT team’s policies on third-party procurement, particularly as they relate to security, and ask your vendors to prove they provide the security you need.
3. Secure the stack.
Next, you’ll want to ensure that you’ve secured the entire mobile stack, from the mobile device to the server, including the communications between the two. Know where you’re using credentials and sensitive data; track them through the device, network and back end; then test all of those components for security.
Use tools that can pinpoint, with line-of-code precision, the root cause of potential vulnerabilities in apps built for the most commonly used smartphone platforms. Run static analysis during development, and run dynamic security analyses to test the web services that will interact with your mobile apps.
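As an added illustration of the "know where your credentials are, then test for them" step above (example code written for this page, not HP's or Fortify's, and not a substitute for a real static analyzer), here is a small Python pass that scans mobile client source for embedded secrets and cleartext endpoints. The patterns, the sample Android-style source, and the hardened variant are all constructed for the example.

```python
import re

# Constructed detection rules for this example. A real static analyzer
# tracks data flow rather than matching text, but these catch the most
# common mistakes: secrets embedded in the shipped client and plain http URLs.
SECRET_PATTERNS = {
    "hardcoded_password": re.compile(
        r'(?i)\b(password|passwd|pwd)\s*[=:]\s*["\'][^"\']{4,}["\']'),
    "api_key": re.compile(
        r'(?i)\b(api[_-]?key|secret[_-]?key|access[_-]?token)\s*[=:]\s*["\'][^"\']{8,}["\']'),
    # Any quoted http:// URL: credentials sent over it cross the network in the clear.
    "cleartext_http": re.compile(r'["\']http://[^"\']+["\']'),
    # AWS access key id format (prefix AKIA + 16 uppercase alphanumerics).
    "aws_access_key": re.compile(r'\bAKIA[0-9A-Z]{16}\b'),
}


def scan_source(text, filename="<memory>"):
    """Return a list of (filename, line_no, finding_kind, line) tuples.

    Every line is checked against every rule, so one line can yield more
    than one finding. Comments are deliberately not skipped: a secret in a
    comment still ships inside the app package.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((filename, line_no, kind, line.strip()))
    return findings


def summarize_by_kind(findings):
    """Count findings per rule, e.g. {'api_key': 1, 'cleartext_http': 1}."""
    counts = {}
    for _, _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample: the kind of client code the text warns about.
# The key values are placeholders, not real credentials.
SAMPLE_ANDROID_SOURCE = """\
package com.example.app;   // constructed sample, not a real app

public class BillingClient {
    private static final String API_KEY = "sk_live_0123456789abcdef";
    private static final String ENDPOINT = "http://billing.example.invalid/api";
    private static final String AWS_KEY = "AKIAEXAMPLEEXAMPLE01";
    private String password = "hunter2";
    public void send(String body) { /* ... */ }
}
"""

# Constructed hardened variant: secrets are obtained at runtime from a
# platform keystore or a server-issued token (TokenStore is hypothetical),
# and the endpoint is TLS-only, so the scan comes back clean.
HARDENED_SOURCE = """\
package com.example.app;

public class BillingClient {
    private final String apiToken = TokenStore.load("billing");
    private static final String ENDPOINT = "https://billing.example.invalid/api";
    public void send(String body) { /* ... */ }
}
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_ANDROID_SOURCE, "BillingClient.java"):
        print("%s:%d [%s] %s" % f)
    print("summary:", summarize_by_kind(scan_source(SAMPLE_ANDROID_SOURCE)))
    print("hardened findings:", scan_source(HARDENED_SOURCE, "BillingClient.java"))
```

Run it over a checkout of the client source before each build; anything it reports is a credential or channel that must be traced through the device, the network and the back end, exactly the inventory the step above asks for.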
4. Don’t leave it up to someone else.
As your developers continue to take advantage of cloud services for mobile apps, you might wonder how you can be certain that it’s OK to trust a particular cloud service. The answer is simple: You can’t be certain. That’s why you have to do what you can on your side.
For more on security in the cloud, learn about HP’s cloud management and security solutions, and for more on securing mobile applications, visit Fortify’s mobile security page.