Discover Performance

HP Software's community for IT leaders // June 2014

3 mobile security best practices, learned the hard way

Outsourced mobile apps are a Trojan horse for vulnerabilities. HP Software narrowly headed off a disaster—and changed its processes.

The bottom line

What: Mobile app security is tricky—particularly with third-party developers.
Why: When the business outsources, CISOs may not even know an app is being deployed.
How: From initial awareness to final validation, change how your business approaches mobile.
More: Secure mobile apps with HP’s Fortify suite.

Today’s IT departments are working harder than ever to follow secure computing practices. Unfortunately, even the most security-diligent IT organization can do nothing to secure code they’ve never seen and don’t know about. And those unseen, unknown apps are dishearteningly common.  
Between high mobile app demand and profligate shadow IT, new applications frequently get to market with little or no attention to security. Successful CISOs are learning that to prevent mobile app catastrophes and last-second security fire drills, they need to enlist the help of the business to get security on everyone’s mobile app radar.

Organizations of every type are finding themselves under pressure to deliver services and information to customers on mobile devices—invariably on tight timelines and budgets. The result, says Ryan English, director of HP Fortify on Demand, is often outsourcing. Third-party development of mobile apps is so widespread that many IT organizations struggle even to keep a simple inventory of what’s been deployed.
"This is the result of the consumerization of IT," English says. "Marketing says, ‘We know IT can’t get this done in our timeframe, and if they could, they’d charge us 20 times what a third party would ask. We’re going to get this done ourselves—on time and a lot cheaper.’"

It can happen to you

And it happens everywhere. English notes that last fall, HP itself experienced a difficult, high- pressure weekend of debugging a third-party mobile app—just three days from a critical launch. The application was commissioned by HP Software’s marketing team to provide online agenda planning for HP Protect conference attendees. The firm building it, however, turned out to have little or no secure coding experience.  
Learning about the app just a few days before its launch date, English’s Fortify on Demand team decided to run some basic checks and discovered a number of overlooked security issues, such as unencrypted passwords and a possible attack surface into the backend server.
"The unsecured app was never public, and we got it fixed before any data was leaked out. But it cost us and the development agency 72 hours of hell," English says.
A very similar situation involving a mobile app that RSA used for its 2014 security conference did not end as well. Security researchers later discovered—and made public—the existence of half a dozen significant security issues in that application. 

Create trust—and verify

As HP learned, leaving the business to fend for itself puts security and reputation at risk—and will often become a security team’s last-minute emergency. Instead, IT security needs to find its role in the outsourcing process. CIOs and CISOs must partner with business units and third-party developers from the start.
"The IT group has to become service brokers," English says. "Even when IT isn’t going to do the work, they can help negotiate contracts and finesse the requirements—without being a blocker."
Ultimately, the business needs greater awareness that mobile app security has to be explicitly planned, and IT can support that effort by helping to steer the business toward the best resources. A collaborative effort between the business and IT will have three best practices:   
1. Require security. Most mobile app outsourcing companies focus only on whatever functional requirements they’re given. Add security requirements that are clear and specific.
2. Create a whitelist. Businesspeople are thinking about budgets and timelines, not security. Steer them to trusted development partners by vetting mobile app outsourcing companies. If the business needs to go off that list, move quickly to vet their choice before a contract is signed.
3. Verify the code. Build time into the process to validate that third-party code. You’ll need two or three weeks before launch, so that problems can be identified and remediated, the fixes verified, and the new app pushed through the weeklong process of updating in app marketplaces.
Validation does not necessarily have to be done by internal IT. On the contrary, says English, the IT security team can provide the business with a list of service providers that can do automated security checks on demand.

Start now

While HP Software has the technology—and now, certainly, the learned best practice—to avoid mobile app disasters, other enterprises will continue to struggle with the right processes and tools to assure that security is considered in the planning stage and verified before deployment. English notes that it’s important to institute the methods and means to secure mobile apps before the next rush to launch.
To learn more about on-demand mobile app security testing, look at HP Enterprise Security’s Fortify portfolio, including Fortify on Demand. And download our free ebook, "Mobile software security done right" (reg. req’d).


IT leader assessment

This tool evaluates the correlation between IT attributes and business success and, based on how your answers compare with average scores, will advise you where to invest in IT.

It is based on data HP collected from 650 global companies about a range of IT characteristics (server capacities, approach to information management, security, BYOD, etc.) and how they correlate to revenue gain. This assessment will compare your answers to the average scores in that study.

There are 12 questions that will require an estimated 10 minutes of your time. You'll receive a summary of your rating upon completion.

Let's get started

Please select an answer.


Your answer:
Your score:
Average score:
Revenue leaders' score:


Please select an answer.



Your score:
Average score:
Revenue leaders' score:

Get detailed results:


Popular tags


Discover Performance Weekly

HP Software’s Paul Muller hosts a weekly video digging into the hottest IT issues. Check out the latest episodes.

Enterprise 20/20

Security 20/20

Preparing today for tomorrow’s threats.

Introduction to Enterprise 20/20

What will a successful enterprise look like in the future?

CIO 20/20

Challenges and opportunities for the CIO of the future.

Dev Center 20/20

How will we organize development centers for the apps that will power our enterprises?

Marketing 20/20

Welcome to a new reality of split-second decisions and marketing by the numbers.

IT Operations 20/20

How can you achieve the data center of the future?

Employee 20/20

What the workforce of 2020 can expect from IT, and what IT can expect from the workforce.

Mobility 20/20

Looking toward the era when everyone — and everything — is connected.

Data Center 20/20

The innovation and revenue engine of the enterprise.

Read more

HP Software related

Most read articles

Discover Performance


Tweets @ HPSecurity