In 2015, Check Point Software released a report that stated that mobile devices were the weakest link in the security chain. According to its “2015 Security Report,” 72 percent of IT providers agreed that their top mobile security challenge was securing corporate information. Research also revealed that 96 percent of organizations utilized at least one high-risk application, so mobile application security represented one of their key organizational priorities.

The message is clear: Corporate data is at risk, and being made aware of these risks is critical to taking proper precautions to secure mobile devices. In a recent interview, Tyler Shields, formerly of Forrester Research, spoke extensively to IBM about how organizations can prevent and manage mobile application security threats.

A Holistic Approach to Mobile Application Security

According to Shields, safeguarding applications and data should ideally be performed at the development stage of the software development life cycle (SDLC). If all security problems could be identified at this initial stage, with coding proceeding forward securely, there would be no downstream concerns about application security. That would be the ideal situation, but in reality, it’s almost impossible to attain.

Realistically, enterprises should seek to mitigate application risk by securing their app models and embedding apps using third-party tools. This could go a long way in helping them to secure mobile applications from malicious attacks.

Organizations with advanced application security testing programs are now looking at holistic approaches to securing apps that go beyond simply putting SDLC frameworks into place.


Be Preemptive and Be Prepared

Shields reminded us that individual applications are basically blocks of code that need to be secured and 100 percent foolproof. To understand application security more effectively, you need to master the framework of Web and mobile applications.

An app is composed of three basic layers:

  • Front-end presentation layer;
  • Application code layer; and
  • Database back-end.

The security models are very similar in each of these, and an attack can happen at any layer. Your challenge is to preempt attacks by making each of the layers more secure.

To learn more about protecting your organization’s application layer, watch the brief YouTube video below:

https://www.youtube.com/watch?v=6rFwTcDbsHk

Three Ms: Monitor, Manage and Mitigate Risk

Repackaged applications are the most targeted apps on mobile these days. For example, a commercial bank can build its own app and make it available on Android and iOS. With the right tools at their disposal, attackers can potentially re-engineer these apps by injecting malware, placing the apps back into the application stores and ultimately storing and controlling devices that download the apps. To prevent these types of attacks, you need to improve the security of the apps being built and put into the wild.

The following video, developed by IBM and Forrester Research, shows how you can improve your security protection:

https://www.youtube.com/watch?v=lCKNgKmtpFw

Achieving Safe and Effective Mobile Application Security

According to Shields, the best way to secure mobile apps in your environment is to create and run your own internal application store. This is definitely not the easiest project to dive into since it requires considerable time and organizational resources. However, the long-term benefits can be tremendous, and eventually you’ll gain perspective on all the apps that enter your environment. Incorporating leading application security testing tools that can analyze apps for unexpected behavior and potential malicious activities will also provide you with a more comprehensive view of security.

While it’s impossible to completely prevent attacks, hacking mobile applications can be made much more difficult if you fine-tune app handling, embed apps with monitoring and tracking systems and increase the overall level of security in your mobile environment. Only by identifying risks can you strengthen your defenses against current and future threats and fully leverage mobility’s core benefit of empowering a smarter, safer mobile workforce.
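The repackaging threat described above and the internal app store recommended here meet at one control point: every package has to be vetted before it is published to employees. The following script is an added example, not code from the original post or from IBM or Forrester, of two checks such a vetting step would run on an Android package: a pinned-signer allowlist (a repackaged clone is re-signed with the attacker's key, so its signing-certificate fingerprint will not match the publisher's) and a JAR-style manifest integrity check (a file modified or added after signing no longer matches `META-INF/MANIFEST.MF`). The package name `com.example.bank`, the fingerprint values and the in-memory APK are all constructed for the example; with a real APK the fingerprint passed to `verify_package` would come from a tool such as `apksigner verify --print-certs`.

```python
import base64
import hashlib
import io
import zipfile

# Allowlist mapping package name -> expected signing-certificate SHA-256
# fingerprint (hex). Hypothetical values constructed for this example; in
# practice the fingerprint is recorded from the publisher's release key.
TRUSTED_SIGNERS = {
    "com.example.bank": "aa" * 32,
}


def parse_manifest(text):
    """Parse a JAR-style META-INF/MANIFEST.MF into {entry: base64 SHA-256}."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line:
            current = None  # a blank line ends a named section
        elif line.startswith("Name: "):
            current = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and current is not None:
            entries[current] = line[len("SHA-256-Digest: "):]
    return entries


def verify_package(apk_bytes, package_name, signer_fingerprint):
    """Return a list of findings; an empty list means the package passed vetting."""
    findings = []
    # Check 1: the signer must be the publisher's pinned key. A repackaged
    # clone is re-signed by whoever rebuilt it, so this check catches it even
    # when the manifest inside has been regenerated to look consistent.
    if TRUSTED_SIGNERS.get(package_name) != signer_fingerprint.lower():
        findings.append("signer fingerprint not in allowlist for " + package_name)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = set(zf.namelist())
        if "META-INF/MANIFEST.MF" not in names:
            findings.append("META-INF/MANIFEST.MF missing")
            return findings
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        # Check 2a: every entry the manifest vouches for is present and unmodified.
        for entry, expected in manifest.items():
            if entry not in names:
                findings.append(entry + ": listed in manifest but absent")
                continue
            digest = hashlib.sha256(zf.read(entry)).digest()
            if base64.b64encode(digest).decode() != expected:
                findings.append(entry + ": digest mismatch")
        # Check 2b: every shipped file outside META-INF is covered by the
        # manifest; an added dex or native library that is not is a red flag.
        for entry in sorted(names):
            if entry.startswith("META-INF/") or entry.endswith("/"):
                continue
            if entry not in manifest:
                findings.append(entry + ": not covered by manifest")
    return findings


def build_sample_apk(files):
    """Construct an in-memory APK-like zip whose MANIFEST.MF covers `files`."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        lines += ["Name: " + name, "SHA-256-Digest: " + digest, ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines))
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def replace_entry(apk_bytes, name, data):
    """Rewrite the zip with `name` replaced or added and the manifest left
    untouched, simulating a file altered after the package was signed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, zipfile.ZipFile(buf, "w") as dst:
        for item in src.infolist():
            if item.filename != name:
                dst.writestr(item.filename, src.read(item.filename))
        dst.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    original = build_sample_apk({
        "classes.dex": b"dex\n035\x00original code",
        "res/layout/main.xml": b"<LinearLayout/>",
    })
    modified = replace_entry(original, "classes.dex", b"dex\n035\x00modified code")
    print("original:", verify_package(original, "com.example.bank", "aa" * 32))
    print("modified:", verify_package(modified, "com.example.bank", "aa" * 32))
```

The two checks are deliberately layered. The manifest check only catches crude post-signing edits; anyone who rebuilds and re-signs the app gets a consistent manifest for free, which is exactly why the allowlist of publisher fingerprints is the decisive control in an internal app store, and why it should be populated from the vendor's release key rather than from whatever certificate the submitted package happens to carry. Modern APK signature schemes (v2 and later) cover the whole file rather than per-entry digests, but the pinned-signer comparison applies unchanged.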

To hear Shields’ perspective on the strategic benefits of utilizing internal app stores, watch the following video:

https://www.youtube.com/watch?v=N76QrSYWFCc

To Learn More

To learn more about how you can manage application security risk at your organization, check out the IBM-sponsored Ponemon Institute study “How to Make Application Security a Strategically Managed Discipline.” You can also read the accompanying blog “Present These 10 Key Application Security Risk Management Findings to Your Executive Team.”
