Vijay Dheap, IBM Master Inventor and Mobile Security Strategist
Hot off the press, the IBM X-Force report is out and states that “Application vulnerabilities have become the primary attack vector for enterprises over the past few years.” Couple that with Gartner’s prediction that mobile app projects will outnumber development projects for PCs by a four-to-one margin by 2015, and you’ll need to start taking a closer look at how your mobile apps are developed. The IBM X-Force report is optimistic that organizations will be proactive in cultivating or extending secure software development lifecycle (SSDLC) practices to mobile app development through the use of vulnerability analysis tools.
But first, let’s take a step back and ask the following questions: Where are your mobile apps developed? Who is developing them? If you are like most organizations, these questions don’t have simple answers.
The first wave of mobile apps was built tactically, with marketing teams leading the charge to establish the organization’s footprint in the mobile ecosystem. App development was often outsourced, but organizations quickly began to realize that this wasn’t a one-time effort but rather an ongoing initiative. The pace of mobile adoption in the enterprise has accelerated, and organizations now need to support not just their mobile consumers but also their mobile employees and partners. Driven by business imperatives or public demand, and in the absence of centralized development processes, various departments are taking the lead in serving their constituents with the mobile apps they require. These departments may look externally for mobile app development skills or, if there is a sufficient business case, build out in-house competencies.
While this distributed development improves the time to market of mobile apps, it needs a level of quality control, and especially security quality control. After all, mobile apps are becoming the primary interface channel for reaching the stakeholders of the organization and increasingly represent the brand experience of the organization. As the volume and value of transactions conducted through an enterprise’s mobile app grow, the bigger a target it becomes for malicious entities. It should also be noted that, given the relative novelty of mobile app technologies, there remains a shortage of skilled mobile app developers. Given the demand and the availability of development tools, many people without core software development backgrounds are beginning to enter the talent pool. These developers are unlikely to have had significant exposure to security best practices.
Given the uncertainty about who is building your mobile apps and where, it is imperative to establish a security quality checkpoint for all your organization’s mobile apps. The next question is how. Well, there’s some bright news on that front: IBM AppScan 8.7 just became generally available. IBM AppScan 8.7 delivers mobile app vulnerability analysis, which enables app developers to identify weaknesses in their code that can be exploited by malicious entities. Building on years of security research on web applications, the AppScan team investigated over 40,000 application programming interfaces (APIs) on the iOS and Android platforms to deliver a high-quality vulnerability analysis solution. This effort differentiates IBM AppScan 8.7’s mobile capabilities by enabling full-trace analysis of a mobile app: a developer or security analyst can trace all the data inflows and outflows within the app. The solution also ships with prebuilt vulnerability types that it flags in an app, and because the analysis is backed by a model of those platform APIs, it can reduce the number of false positives.
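To make the two claims above concrete (a trace from every untrusted inflow to every dangerous outflow, and an API model that keeps known-safe calls from being reported), here is a toy source-to-sink data-flow analysis. It is an added example, not IBM AppScan code, and it runs over a hand-built straight-line intermediate representation of a fragment of an Android app. The Android method names are real SDK methods, but classifying them as source, sink or sanitizer is this example's own assumption, not AppScan's rule set; the two sample programs are constructed for the example.

```python
"""Toy source-to-sink ("taint") data-flow analysis with an API model.

Added example (not IBM AppScan code). The IR, the API classification and
the two sample programs below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# --- API model: what the analyser "knows" about platform calls (assumed) ---
SOURCES = {"Intent.getStringExtra"}                        # attacker-controlled input
SINKS = {"SQLiteDatabase.rawQuery": (0, "SQL injection")}  # (tainted arg index, issue)
SANITIZERS = {"DatabaseUtils.sqlEscapeString"}             # returns a neutralised copy


@dataclass
class Stmt:
    line: int
    kind: str                   # "assign" or "call"
    dst: Optional[str]          # variable receiving the result (None for void calls)
    api: str = ""               # callee for "call"
    args: tuple = ()            # argument variables; for "assign" a single source variable


@dataclass
class Finding:
    issue: str
    sink_line: int
    trace: list = field(default_factory=list)   # source line ... sink line


def analyse(program, model_sanitizers=True):
    """Forward taint propagation over straight-line code.

    `taint` maps a variable to the list of lines through which untrusted data
    reached it, so every finding carries its full inflow-to-outflow trace.
    With model_sanitizers=False the analyser has no knowledge of sanitising
    APIs and treats them like any other unknown call (taint passes through).
    """
    taint = {}
    findings = []
    for s in program:
        if s.kind == "assign":
            src = s.args[0]
            if src in taint:
                taint[s.dst] = taint[src] + [s.line]
            else:
                taint.pop(s.dst, None)
            continue
        # "call": first check whether a tainted value reaches a dangerous outflow
        if s.api in SINKS:
            idx, issue = SINKS[s.api]
            if s.args[idx] in taint:
                findings.append(Finding(issue, s.line, taint[s.args[idx]] + [s.line]))
        if s.dst is None:
            continue
        if s.api in SOURCES:
            taint[s.dst] = [s.line]                      # new untrusted inflow
        elif model_sanitizers and s.api in SANITIZERS:
            taint.pop(s.dst, None)                       # known to neutralise the data
        else:
            # Unknown call: conservatively assume taint flows from any argument
            tainted = [a for a in s.args if a in taint]
            if tainted:
                taint[s.dst] = taint[tainted[0]] + [s.line]
            else:
                taint.pop(s.dst, None)
    return findings


# Constructed program 1: user-controlled intent extra concatenated into raw SQL.
VULNERABLE = [
    Stmt(10, "call", "name", "Intent.getStringExtra", ("intent", "key")),
    Stmt(11, "call", "q", "String.concat", ("prefix", "name")),   # unmodelled call
    Stmt(12, "call", "rows", "SQLiteDatabase.rawQuery", ("q", "nullArgs")),
]

# Constructed program 2: the same flow, but escaped before reaching the sink.
ESCAPED = [
    Stmt(20, "call", "name", "Intent.getStringExtra", ("intent", "key")),
    Stmt(21, "call", "safe", "DatabaseUtils.sqlEscapeString", ("name",)),
    Stmt(22, "call", "q", "String.concat", ("prefix", "safe")),
    Stmt(23, "call", "rows", "SQLiteDatabase.rawQuery", ("q", "nullArgs")),
]


if __name__ == "__main__":
    for label, prog in (("vulnerable", VULNERABLE), ("escaped", ESCAPED)):
        for f in analyse(prog):
            print(f"{label}: {f.issue} at line {f.sink_line}, trace {f.trace}")
    # Without a sanitizer model the escaped program is reported too: a false positive.
    print("escaped, no API model:", [f.trace for f in analyse(ESCAPED, model_sanitizers=False)])
```

Running it reports one SQL injection finding for the first program with the trace 10 → 11 → 12, nothing for the second, and, once the sanitizer model is switched off, a spurious finding for the second program as well. That last case is exactly the kind of false positive the API research is meant to avoid.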
We discussed earlier that time to market has always been a key driver for mobile app projects; therefore any checkpoint instituted needs to mesh seamlessly with the fast-paced mobile software development process. IBM AppScan supports automating vulnerability analysis as part of the software development process. Additionally, as developers learn from each project iteration they will adopt more secure coding practices and become more productive, since their time goes to remediating real vulnerabilities rather than filtering out false positives.
One more thing to note is that mobile apps should not be viewed in isolation. In the enterprise context these apps will invariably connect to back-end APIs and services. With IBM AppScan 8.7 an organization can take an end-to-end view in identifying and remediating vulnerabilities in the mobile interactions it intends to support.
Regardless of where or who builds your organization’s mobile apps, a centralized security quality-testing process with IBM AppScan will enable your organization to create a culture of secure mobile app development across your mobile initiatives. If you are wondering what types of vulnerabilities a mobile app may have and how IBM AppScan can help reduce the risk profile of a mobile app, the table below highlights how AppScan 8.7 can address the Open Web Application Security Project (OWASP) Top Ten Mobile Security Risks.