November 10, 2015 By Pamela Cobb 3 min read

One of the common themes I’ve seen repeated over and over this year in the security world is the collaboration of malicious actors. Whether it’s via bytes on the Dark Web or cybercrime rings in the real world, there is no shortage of stories about attackers taking advantage of expertise and tools to find vulnerabilities and entries into your network to steal sensitive data. Add in the challenges in mobile application security and the disappearing network perimeter, and it’s game on for attackers.

It’s nice to imagine that security vendors and clients are united together in lockstep, weaving together intricate layers of protection like a complicated halftime marching band at an American football game. The reality is more a sad trombone falling flat. In my band experience, even if the brass section has their act together, missing a beat in the percussion section could throw everyone off their game.

The same holds true in security: Your network protection may be on point, but without mobile application security in lockstep, your network is vulnerable.

Band Camp for Attackers

There are lot of tools and automation techniques available to find common application vulnerabilities susceptible to attacks like SQL injection (SQLi) or cross-site scripting (XSS), which are highlights on the Open Web Application Security Project (OWASP) Top 10. In the recent “The State of Mobile Application Insecurity” study, more than half of respondents believed XSS in mobile apps will increase over the next 12 months.

In an effort to aid application developers, organizations like OWASP provide open-source black box testing tools, but these tools are also leveraged by attackers to find and exploit flaws. Attackers are creative; they harness these and other toolkits, enhance and repackage them, and then sell them on underground black markets to other attackers to potentially infiltrate your network and steal data.

Malware-as-a-service isn’t new; many security firms, including IBM X-Force malware researchers, started reporting incidents of these toolkits more than four years ago. The industrialized revolution of cybercrime is providing over-the-counter botnets, distributed denial-of-service (DDoS) software and other polymorphic malware for less experienced cybercriminals. Malware toolkit enhancements are even being crowdsourced as attackers fund and vote for new features in a community forum, which was the case with the Citadel malware earlier this year. The Dark Web is the practice field — a place to gather and refine their craft.

Know the Drill for Mobile Application Security

While the OWASP tool site offers over 50 tools for testing common vulnerabilities, many organizations lack either the resources or expertise to take advantage of these and improve the security of their applications. In that same Mobile Insecurity study mentioned above, only 41 percent of respondents said their organization had sufficient mobile security expertise — not exactly news we want trumpeted from the rooftops.

Join the Nov. 17 webinar to get the the 411 on Mobile App Sec Testing for ios

Sometimes, however, the good guys do build a tool that helps. In 2014, a researcher at CERT/CC created a tool named “Tapioca” to help automate testing of Android applications as a virtual machine preconfigured to perform man-in-the-middle (MitM) testing and analysis. In the course of the analysis, thousands of disclosures were made for individual applications vulnerable to these MitM attacks. Although the apps were all different, the same fix was required to correct fundamental vulnerabilities.

Developers need more of these same types of tools to help find and remove vulnerabilities before attackers exploit them.

#CoverYourApps Before Someone Else Uncovers Them

The problems facing mobile security aren’t limited to Android apps. To learn more about how to “cover your apps,” register to attend the security webinar on iOS devices titled “The 411 on Mobile Application Security Testing and Runtime Protection for iOS Applications.”

Just because Android applications make more noise when it comes to reported vulnerabilities doesn’t mean iOS apps are safe. Watch the webinar to learn how to protect your growing portfolio of mobile applications and keep the band in step.

More from Endpoint

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

Virtual credit card fraud: An old scam reinvented

3 min read - In today's rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.…

Endpoint security in the cloud: What you need to know

9 min read - Cloud security is a buzzword in the world of technology these days — but not without good reason. Endpoint security is now one of the major concerns for businesses across the world. With ever-increasing incidents of data thefts and security breaches, it has become essential for companies to use efficient endpoint security for all their endpoints to prevent any loss of data. Security breaches can lead to billions of dollars worth of loss, not to mention the negative press in…

Does your security program suffer from piecemeal detection and response?

4 min read - Piecemeal Detection and Response (PDR) can manifest in various ways. The most common symptoms of PDR include: Multiple security information and event management (SIEM) tools (e.g., one on-premise and one in the cloud) Spending too much time or energy on integrating detection systems An underperforming security orchestration, automation and response (SOAR) system Only capable of taking automated responses on the endpoint Anomaly detection in silos (e.g., network separate from identity) If any of these symptoms resonate with your organization, it's…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today