In 2015, Check Point Software released a report that stated that mobile devices were the weakest link in the security chain. According to its “2015 Security Report,” 72 percent of IT providers agreed that their top mobile security challenge was securing corporate information. Research also revealed that 96 percent of organizations utilized at least one high-risk application, so mobile application security represented one of their key organizational priorities.
The message is clear: Corporate data is at risk, and being made aware of these risks is critical to taking proper precautions to secure mobile devices. In a recent interview, Tyler Shields, formerly of Forrester Research, spoke extensively to IBM about how organizations can prevent and manage mobile application security threats.
A Holistic Approach to Mobile Application Security
According to Shields, safeguarding applications and data should ideally be performed at the development stage of the software development life cycle (SDLC). If all security problems could be identified at this initial stage, with coding proceeding forward securely, there would be no downstream concerns about application security. That would be the ideal situation, but in reality, it’s almost impossible to attain.
Realistically, enterprises should seek to mitigate application risk by securing their app models and embedding apps using third-party tools. This could go a long way in helping them to secure mobile applications from malicious attacks.
Organizations with advanced application security testing programs are now looking at holistic approaches to securing apps that go beyond simply putting SDLC frameworks into place.
Be Preemptive and Be Prepared
Shields reminded us that individual applications are basically blocks of code that need to be secured and 100 percent foolproof. To understand application security more effectively, you need to master the framework of Web and mobile applications.
An app is comprised of three basic layers:
- Front-end presentation layer;
- Application code layer; and
- Database back-end.
The security models are very similar in each of these, and an attack can happen at any layer. Your challenge is to preempt attacks by making each of the layers more secure.
To learn more about protecting your organization’s application layer, watch the brief YouTube video below:
Three Ms: Monitor, Manage and Mitigate Risk
Repackaged applications are the most targeted apps on mobile these days. For example, a commercial bank can build its own app and make it available on Android and iOS. With the right tools at their disposal, attackers can potentially re-engineer these apps by injecting malware, placing the apps back into the application stores and ultimately storing and controlling devices that download the apps. To prevent these types of attacks, you need to improve security of the apps being built and put into the wild.
The following video, developed by IBM and Forrester Research, shows how you can improve your security protection:
Achieving Safe and Effective Mobile Application Security
According to Shields, the best way to secure mobile apps in your environment is to create and run your own internal application store. This is definitely not the easiest project to dive into since it requires considerable time and organizational resources. However, the long-term benefits can be tremendous, and eventually you’ll gain perspective on all the apps that enter your environment. Incorporating leading application security testing tools that can analyze apps for unexpected behavior and potential malicious activities will also provide you with a more comprehensive view of security.
While it’s impossible to completely prevent attacks, hacking mobile applications can be made much more difficult if you fine-tune app handling, embed apps with monitoring and tracking systems and increase the overall level of security in your mobile environment. Only by identifying risks can you strengthen your defenses against current and future threats and fully leverage mobility’s core benefit of empowering a smarter, safer mobile workforce.
Incorporating leading application security testing tools that can analyze apps for unexpected behavior and potential malicious activities will also provide you with a more comprehensive sense of security. To hear Shields’ perspective on the strategic benefits of utilizing internal app stores, watch the following video:
To Learn More
To learn more about how you can manage application security risk management at your organization, check out the IBM-sponsored Ponemon Institute study “How to Make Application Security a Strategically Managed Discipline.” You can also read the accompanying blog “Present These 10 Key Application Security Risk Management Findings to Your Executive Team.”