Sunday, July 14, 2013

Developing a Mobile Application Security Program

Many businesses are putting themselves at risk with unknown or insecure mobile applications. Organizations developing mobile apps must have a formal process that follows secure design guidelines, threat modeling, and verification to help eliminate many of the risk factors.
More than 1.5 million applications are available in public mobile app stores. This doesn't take into account the many applications in organizations that are only available to internal personnel. Last month, I discussed the problems posed by our mobile footprints due to applications that are unknown and new mobile applications that don't follow our typical best practices and standards. (See: Get a Handle on Your Mobile Application Security.) We're rushing to be first to market with the latest, coolest app, but we're forgetting something critically important. We must ensure that our new mobile application projects put security at the forefront.
How do you know what you don't know?
Many organizations continuously train their development staff to reliably produce better, more secure code. Improved education has been beneficial, and we are starting to see certain types of vulnerabilities crop up less often. One of our worldwide clients experienced a 70 percent reduction in vulnerabilities after its developers had taken our training. On average, it costs $1,000 to find a vulnerability and $4,000 to fix it. It's much more cost-effective to teach developers how to build security in at the outset.
On average, we discover 11.6 vulnerabilities in every mobile application our practice verifies. Understanding the key differences in operating systems and application programming interfaces (APIs) is critical in creating secure mobile applications. With over 1,000 vulnerabilities in existence, developers cannot possibly be expected to create defensible applications without proper training.
What are your standards?
We all have some form of standards and guidelines for our developers to follow when creating applications. However, the details are oftentimes not focused on security, and in many cases there is no mention of mobile applications! How is authentication or authorization handled? Does it matter if the application runs offline? Are there any operating system-specific standards to follow when developing? There are differences between Android and iOS in how you ensure that a password field is actually masked as a "password field" -- the same concern we would have in a browser.
We need to make sure we have solid security standards and guidelines for all technologies that are in use. Take a gander at your development standards and guidelines. Do they include guidance for what has been mentioned here? Check out the OWASP Mobile AppSec Project for good, free resources to help.
Design/architecture reviews with threat modeling
Internet and intranet infrastructures and applications are continuously becoming more complex. We have many interconnected systems talking to back-end systems through firewalls, routers, switches, and the like. We have failover systems and, in some cases, complete business continuity locations. With mobile, we add another front-end channel with another level of complexity to our already intricate infrastructure. The applications may add new infrastructure, use the current infrastructure, or enhance it to support the new channel. Adding the mobile channel requires a thorough design and architecture review with an emphasis on threat modeling. We need to understand the new threats introduced with mobile applications and the potential risks to the organization.
Manual verification
After we've developed a mobile application with strong security based on the risks gleaned from threat modeling, we must perform some sort of manual verification. Depending on the application's size, there may be multiple levels of verification through iterative code reviews and penetration testing. It is imperative to find good mobile verification experts to work with you to verify the security of your applications, or to build a strong testing group from within. Work with these experts to define verification based on the required level of rigor, focus areas, and mobile operating system targets.
Dynamic and static verification
Dynamic and static verification techniques are still in their infancy, with very little available for dynamic verification of mobile apps. However, that does not mean that these two security activities don't fit into the secure mobile development process. Mobile static analysis should be built into the development process to make certain that APIs aren't abused, that encryption mechanisms are as strong as they can be, and that sensitive data is treated appropriately. Mobile dynamic and static analysis will continue to improve and will fit nicely into our specific set of security activities for mobile applications.
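As an added illustration (not code from the original post), here is a minimal static-analysis pass of the kind the paragraph describes: a rule set covering the three concerns named above (API misuse, weak encryption, sensitive data in logs) run over a constructed Android/Java snippet. The rules and the sample input are assumptions for demonstration, not a complete or production ruleset.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Illustrative rules for the three concerns named in the text: API misuse,
# weak encryption, and careless handling of sensitive data. Patterns are
# deliberately small; a real ruleset would be far larger.
RULES: List[Tuple[str, re.Pattern]] = [
    ("weak-crypto", re.compile(r'Cipher\.getInstance\(\s*"(?:DES|RC4|[A-Za-z0-9]+/ECB)[^"]*"')),
    ("weak-crypto", re.compile(r'MessageDigest\.getInstance\(\s*"(?:MD5|SHA-?1)"')),
    ("api-misuse", re.compile(r'setJavaScriptEnabled\(\s*true\s*\)')),
    ("api-misuse", re.compile(r'ALLOW_ALL_HOSTNAME_VERIFIER')),
    ("sensitive-data", re.compile(r'\bLog\.[dviwe]\([^;]*(?:password|token|ssn)', re.IGNORECASE)),
]

@dataclass
class Finding:
    line_no: int
    category: str
    text: str

def scan_source(source: str) -> List[Finding]:
    """Return one Finding per source line that matches a rule (first rule wins)."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):  # skip line comments to reduce noise
            continue
        for category, pattern in RULES:
            if pattern.search(stripped):
                findings.append(Finding(line_no, category, stripped))
                break
    return findings

# Constructed Android/Java snippet (not from any real app) used as sample input.
SAMPLE_JAVA = """// constructed sample input
Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");
webView.getSettings().setJavaScriptEnabled(true);
Log.d(TAG, "login for " + user + " with password " + password);
MessageDigest md = MessageDigest.getInstance("SHA-256");
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_JAVA):
        print(f"line {f.line_no} [{f.category}]: {f.text}")
```

Run against the sample, it reports the ECB cipher, the JavaScript-enabled WebView, and the password written to the log, and leaves the GCM cipher and SHA-256 digest alone.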
All of these security activities should be performed with mobile application risk at the forefront. Some applications will require more rigor and will require all of the aforementioned activities. In other cases, the risk level may warrant only manual or dynamic verification. Either way, mobile applications will only continue to improve employee efficiency and better serve client needs. That being said, it is critical that every organization developing mobile apps has a well-defined and stable mobile application security process.
