Cover Your Apps: What We’ve Learned About Application Security Testing This Year

One of my debit cards had been replaced twice this year due to data breaches reported by major retailers. Last week, I experienced a new situation: Another one of my debit cards was used to make a purchase in a city that’s a 6,791-mile flight from my hometown.

Oddly, the card hadn’t left the comfort of my home for several months, so the card data itself must have been compromised somewhere. I then had to engage in a laborious process: meticulously review bank accounts, report the fraud to my financial institution and have a replacement card sent to me. It’s just one example, but it does illustrate that data breaches can have a significant impact on your customer relationships.

How can you protect your organization from potential data breaches that result from application security vulnerabilities in order to maintain trusting relationships with your customer base? The answer is very simple: by reviewing the 10 blogs below.

2015: The Year in Application Security

2015 saw a massive rise in the importance of Internet of Things (IoT) security, increased adoption of cloud computing and expanded requirements for organizations revisiting bring-your-own-device (BYOD) policies. Fast-paced IT changes resulted in increased security vulnerabilities and threats, forcing organizations to re-examine how they tackle potential security breaches.

This shift is also influencing hiring trends throughout the industry. According to the Bureau of Labor Statistics, employment of information security analysts is projected to grow by a whopping 37 percent between 2012 and 2022, fueled by the increased threat of cyberattacks.

In this blog, we recap the 10 most popular Security Intelligence blogs of the year, presented in the order of their social media share volume. Whether your security team consists of seasoned professionals or relative newbies, we’re confident that they’ll benefit from the information below.

1. ‘DroppedIn: Remotely Exploitable Vulnerability in the Dropbox SDK for Android’

In his March 11 blog, Roee Hay detailed a security vulnerability (CVE-2014-8889) in the Dropbox software development kit (SDK) for Android devices, which permitted attackers to connect applications on mobile devices to a Dropbox account under the attacker’s control without the victim’s knowledge or authorization. The vulnerability could be exploited in two ways: locally, via a malicious app installed on the user’s device, or remotely, using drive-by techniques. The vulnerability was resolved in Dropbox SDK for Android v1.6.2.

You can find additional details about the DroppedIn vulnerability in this white paper, which was co-authored by Hay and Or Peles.

2. ‘One Class to Rule Them All: New Android Serialization Vulnerability Gives Underprivileged Apps Super Status’

Peles also reviewed an Android serialization vulnerability (CVE-2015-3825) that was detected by IBM’s X-Force Application Security Research Team and placed more than 55 percent of Android phones at high risk. Advanced attackers could exploit this vulnerability to give malicious apps with no privileges the ability to become super apps, helping cybercriminals to commandeer devices.

In addition to the Android serialization vulnerability, the team found several vulnerable third-party Android SDKs that could help attackers take over the apps that bundle them. Overall, the research team concluded that, even with the right focus and tools, malicious apps can slip past even the most security-conscious users.

3. ‘The 10 Most Common Application Attacks in Action’

In his April 8 blog, Paul Ionescu from IBM’s X-Force Ethical Hacking Team spotlighted a video series that demonstrates attacks from each category of Open Web Application Security Project’s (OWASP) top 10 list. The YouTube series includes information on how to prevent attacks and how to use automated tools to detect whether attacks are possible.

4. ‘IBM Recognized as a “Leader” in Analyst Report for Application Security Technologies’

In December 2014, Forrester Research released “The Forrester Wave: Application Security, Q4 2014,” which spanned 12 significant service providers across 82 evaluation criteria. In my Jan. 15 blog, I recapped highlights from the application security report.

In summary, IBM received the highest rating of all evaluated vendors in Forrester Research’s Current Offering and Market Presence categories. IBM also earned the highest possible rating from Forrester Research for Customer References, Services, Employees and Technology Partners.

5. ’10 Convenient Ways to Increase Your Mobile Application Security Knowledge’

Mobile application security continues to be a primary concern for organizations of all types and sizes. I educated readers about 10 practical actions they can take to quickly expand their security team’s mobile application security knowledge.

6. ‘IBM Maintains Leadership Position in 2015 Gartner Magic Quadrant for Application Security Testing’

On Aug. 6, Gartner released its annual update to the Gartner Magic Quadrant for Application Security Testing (AST). IBM maintained its position in the “Leaders” Quadrant for Application Security Testing in a report that spanned 19 total vendors. In my Aug. 19 blog, I provided details about IBM’s positioning in the report.

7. ‘Is the Internet of Things Too Big to Protect? Not if IoT Applications Are Protected!’

Patrick Kehoe of IBM partner Arxan Technologies revealed that application-related threats are growing rapidly based on increased connectivity offered to users by IoT-powered devices such as medical equipment, vehicles and smart homes. A companion webinar offered countermeasures that are available to secure vulnerable applications in the IoT.

8. ‘IBM-Sponsored Ponemon Institute Study Reveals Alarming State of Mobile Security for Apps’

Larry Ponemon from the Ponemon Institute recapped significant findings of “The State of Mobile Application Insecurity,” which analyzed more than 400 organizations’ mobile application security practices. Astonishingly, in a study in which 40 percent of respondents were Fortune 500 companies, nearly 40 percent of organizations admitted to not performing security testing on their mobile applications. Naturally, that approach can leave the door wide open to the potential hacking of sensitive user, corporate and customer data.

9. ‘The Application Economy and the Challenges of the Internet of Things’

In her May 13 blog, Neira Jones discussed how the application economy is transforming today’s businesses. With increased mobility, social media and bring-your-own-device (BYOD) flexibility, organizations face significant challenges balancing IoT technology adoption with the development of secure solutions, all while still maintaining high levels of innovation, employee productivity and growth.

10. ‘A Perfect Match: Uniting Mobile Security With Your Employees’ Use of Online Dating Apps’

Using its Application Security on Cloud technology, IBM analyzed popular mobile dating applications. The resulting “IBM Mobile Security Study” revealed the following:

  • Nearly 60 percent of leading applications studied on the Android mobile platform were vulnerable to potential cyberattacks that could put personal user information and organizational data at risk.
  • For 50 percent of enterprises IBM analyzed, employee-installed, popular dating applications were present on mobile devices that had access to confidential business data.

The goal of my Feb. 11 blog was not to discourage users from utilizing those applications. Rather, it intended to educate organizations and their users on potential risks and mobile security best practices so they could use the applications safely.

Help Us Share Our Knowledge

We sincerely appreciate your dedication to sharing our application security testing content wisdom throughout the year, and stay posted for compelling new content in 2016. In the meantime, kindly share this blog post via email and social media, using the hashtag #CoverYourApps. It truly takes a village to effectively combat application security threats. Thanks!

Neil Jones

Major Events Content Strategist for IBM Security

Neil currently serves as Major Events Content Strategist for IBM Security. He possesses more than 15 years of...