Discover Performance

HP Software's community for IT leaders // October 2012

Application security in the age of mobile

Mobile apps bring new challenges in an era of rising attacks. Security leaders need to identify the risks and instill best practices before insecure apps reach the field.

Mobile functionality is no longer optional. Developers are still learning to code for mobile, and the fast-growing mobile market rewards whoever gets apps and updates into the field first. The result is a particularly complex attack surface, spanning the device, the network traffic and the server, combined with higher pressure to ship than traditional development ever faced.

Despite the risks, the 2012 Global State of Information Security Survey, conducted by PricewaterhouseCoopers and CIO and CSO magazines, found that fewer than half of the executives and IT chiefs polled had implemented safeguards to protect the enterprise from the security hazards that mobile devices and social media can introduce. Only 43 percent reported a security strategy for employee use of personal devices, and only 37 percent reported one for mobile devices.

Security leaders need to account for what is different about mobile, not only to preserve the security practices of traditional development but to improve on them.

In a recent Tech Dossier article, Wendy Nather, enterprise security research director at 451 Research, says developers “are used to writing for a web app that runs on a server behind a firewall and the end-client is very thin. They are not used to thinking in terms of actual code executing on the mobile device, where there is a thicker client and it’s in a hostile environment.” For mobile apps, that often includes third-party distribution channels over which you have no direct control.

Identifying mobile app security gaps

Many enterprises outsource mobile app development because of the scarcity of in-house expertise. But it’s a rare third-party mobile app developer who can offer enterprise customers the level of security acumen truly required. So companies may “have three different systems integrators building three one-off applications for different platforms, with none of the existing corporate governance and process,” says Jacob West, director of software security research at HP. This results in insecure apps.

An insecure mobile app is a particularly large threat. Mobile devices often contain personal information, may incorporate powerful tracking capabilities and, in the case of business users, provide access to sensitive enterprise applications. Mobile app developers commonly write code that stores passwords and other sensitive data—from proprietary corporate information to consumer credit card accounts—unencrypted on devices. Because a handset can be lost, backed up to a workstation or rooted, anything written to local storage in plaintext should be assumed readable by an attacker.

“There are some pretty complex permissioning and communications schemes that have been set up for how applications can shuffle data between themselves and the OS and between multiple apps,” West says. These schemes are a vital security control, but developers often misunderstand them or fail to use them, leaving the interfaces between apps open to anything else installed on the device.
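One concrete instance of the inter-app communication problem West describes, as an added example (not code from the article or from HP): an Android app handing a session token to a companion app from the same vendor by broadcast, first done carelessly and then with the platform's permission scheme applied. The package, action and permission names are assumptions, and the permission is assumed to be declared in the app manifest with android:protectionLevel="signature", so that only apps signed with the same key can hold it.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;

// Hypothetical classes and names; assumed for illustration.
public final class SessionIpc {
    static final String ACTION = "com.example.bank.ACTION_SESSION";
    static final String COMPANION_PKG = "com.example.bank.companion";
    // Assumed to be declared in the manifest with protectionLevel="signature".
    static final String PERM = "com.example.bank.permission.SESSION";

    // VULNERABLE sender: an implicit broadcast. Every app on the device that
    // registered a receiver for ACTION receives the token, no permission needed.
    public static void shareTokenInsecure(Context ctx, String token) {
        Intent i = new Intent(ACTION);
        i.putExtra("token", token);
        ctx.sendBroadcast(i);
    }

    // HARDENED sender: name the recipient package so delivery is explicit,
    // and require the recipient to hold PERM before it is delivered at all.
    public static void shareTokenGuarded(Context ctx, String token) {
        Intent i = new Intent(ACTION);
        i.setPackage(COMPANION_PKG);
        i.putExtra("token", token);
        ctx.sendBroadcast(i, PERM);
    }

    // VULNERABLE receiver: any app can broadcast ACTION and drive this code
    // with attacker-chosen extras.
    public static void listenInsecure(Context ctx, BroadcastReceiver r) {
        ctx.registerReceiver(r, new IntentFilter(ACTION));
    }

    // HARDENED receiver: only senders holding PERM reach the receiver.
    public static void listenGuarded(Context ctx, BroadcastReceiver r) {
        ctx.registerReceiver(r, new IntentFilter(ACTION), PERM, null);
    }

    // The receiver still validates what it is given: a bug in the companion
    // app must not be able to feed this side arbitrary input.
    public static final class SessionReceiver extends BroadcastReceiver {
        private volatile String lastToken;

        @Override
        public void onReceive(Context ctx, Intent intent) {
            if (!ACTION.equals(intent.getAction())) return;
            String token = intent.getStringExtra("token");
            if (token == null || token.isEmpty() || token.length() > 512) return;
            lastToken = token; // in a real app, seal it rather than keep it in plaintext
        }

        public String lastToken() { return lastToken; }
    }
}
```

The sender-side permission and the receiver-side permission guard different directions: the first stops the token leaking to an unrelated app that happens to listen for the action, the second stops an unrelated app from injecting events into yours. On Android 13 and later the registerReceiver overload that takes a flags argument (Context.RECEIVER_NOT_EXPORTED or RECEIVER_EXPORTED) should be used, and Android 14 requires it for dynamically registered receivers of non-system broadcasts.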

Further complicating matters, mobile apps depend on a multitude of third parties: handset makers, network service providers and app stores. So if a customer cries foul over a breach, there is no straightforward way to assess liability.

Security best practices for mobile apps

“What I think we are missing so far is a secure software development lifecycle that is customized for mobile applications,” Nather says.

In the meantime, you must apply existing tools and best practices to new ways of developing and outsourcing applications. Your first steps:

  • Adapt software initiatives, governance policies and training to specifically encompass mobile development and security.
  • When dealing with outside developers, specify the security performance and features that are required, and demand source code and a functioning runtime against which your own team can verify and test application security.
  • Emphasize testing to find problems in your code, particularly as your developers are adapting to the needs of the mobile era.

The bottom line

Mobile application security requires rethinking traditional approaches so that good software development processes are not lost in the rush to market. Information technology and security leaders must assess their application security and plug all the holes opened by mobility, while helping to build a process that bakes security in from the start, rather than making it a last-step bottleneck.

Read the full Tech Dossier article, “There’s an app for that, but is it secure?” to learn more about the impact of mobile on application security practices, then read about HP Mobile Application Security Assessment Services.

