How can your organization expand usage of mobile applications, while effectively managing mobile security threats?

Security awareness is definitely growing. Increasingly, organizations understand the need, even the requirement, to protect sensitive mobile application data. However, based on my first-hand experience at Mobile World Congress 2014, organizations are concerned and frustrated about how they can make their mobile applications more secure – some to the point of being completely overwhelmed. With that in mind, I want to provide you with some best practices for mobile data protection based on my experience, which should help to allay your fears.

Case in point: In my discussion with an IT director at a Spanish hospital, the director was clearly aware of his organization’s need to protect patients’ data. Data privacy and protection laws established clear application data protection requirements for the director to pursue. However, the IT director appeared to be “stuck,” because he received conflicting pressure from medical professionals and patients to make information more readily available via mobile applications, but he also understood the inherent dangers of expanded availability. To further complicate matters, many of his colleagues at the hospital were cutting-edge mobile users, who pressured him to support the mobile devices they utilized on a daily basis. He didn’t know how to approach solving these complex and overlapping issues.

Explore Mobile Application Development Platforms as a Launching-Point

Have you ever felt like the IT director in the example above, who was not sure of the next step to take? If your organization needs to develop customized web, native or hybrid mobile applications to support multiple mobile platforms, utilizing a mobile development framework can be a good place to start. A leading mobile application development platform will help you simplify and streamline mobile application development, making it easy for you to quickly develop feature-rich mobile applications and provide operational infrastructure to help secure applications once they’re deployed.

However, it’s imperative that you develop mobile applications securely before they are deployed. The risk of “data leakage” means that your mobile applications must be tested for security risk early in the software development lifecycle, so that privileged customer and organizational data are protected.

OWASP recently updated its Mobile Top 10 Risks list for 2014. The chart below summarizes that data and represents the mobile application threat landscape. Insecure data storage (Risk M2) and unintended data leakage (Risk M4) highlight the need to protect and encrypt sensitive information. In fact, unprotected data should never be written to a mobile device.

Identify Your Organization’s Data at Risk

The first step to protecting sensitive mobile application data is to identify which data require protection. Industry-leading application security tools make it easier for you to quickly identify data at risk: they show where data enters your applications, where it travels inside them, and where it leaves them. Knowing where data leaves a mobile application gives you a “map” or “blueprint” of every place where encryption should be applied.
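The entry-point-to-exit-point “map” described here, and the M2 (insecure data storage) and M4 (unintended data leakage) risks named in the OWASP paragraph above, can be illustrated with a small source-to-sink data-flow analysis. The block below is an added example written for this page; it is not AppScan, Worklight or IBM code. The statement format, the source, sink and sanitizer names (getPatientRecord, localStorage.setItem, encrypt and the rest) and the sample program are assumptions constructed for illustration.

```javascript
// Added example (not AppScan, Worklight or IBM code): a minimal source-to-sink
// data-flow mapper over a simplified statement list that stands in for a
// hybrid mobile app's code. The statement format, the source, sink and
// sanitizer names, and the sample program are all constructed assumptions.

// Calls through which sensitive data ENTERS the app (hypothetical names).
const SOURCES = new Set(['getPatientRecord', 'readFormField']);

// Calls through which data LEAVES the app, mapped to the OWASP Mobile
// Top 10 (2014) risk an unprotected write would fall under.
const SINKS = {
  'localStorage.setItem': 'M2 Insecure Data Storage',
  'writeFile': 'M2 Insecure Data Storage',
  'console.log': 'M4 Unintended Data Leakage',
  'clipboard.set': 'M4 Unintended Data Leakage',
};

// Calls whose output is ciphertext; taint stops here, which is exactly the
// "where should encryption be applied" point the map is meant to surface.
const SANITIZERS = new Set(['encrypt']);

// Constructed sample program. Each statement is one call: `target` is the
// variable receiving the result (null for a bare call), `args` lists the
// variable names passed in; a literal is written as '"..."'.
const PROGRAM = [
  { target: 'record',  call: 'getPatientRecord',     args: ['patientId'] },
  { target: 'summary', call: 'formatSummary',        args: ['record'] },
  { target: 'blob',    call: 'encrypt',              args: ['summary', 'deviceKey'] },
  { target: null,      call: 'localStorage.setItem', args: ['"cache"', 'blob'] },
  { target: null,      call: 'localStorage.setItem', args: ['"last"', 'summary'] },
  { target: null,      call: 'console.log',          args: ['record'] },
  { target: 'note',    call: 'readFormField',        args: ['"notes"'] },
  { target: null,      call: 'clipboard.set',        args: ['note'] },
  { target: 'ver',     call: 'getAppVersion',        args: [] },
  { target: null,      call: 'console.log',          args: ['ver'] },
];

// Walk the program once, tracking which sources each variable derives from,
// and record every sink that receives still-unencrypted sensitive data.
function mapDataFlows(program) {
  const taint = new Map();   // variable name -> Set of originating sources
  const findings = [];

  program.forEach((stmt, i) => {
    // Union of the sources behind every argument of this call.
    const origins = new Set();
    for (const arg of stmt.args) {
      for (const src of taint.get(arg) || []) origins.add(src);
    }

    // A sink fed by sensitive data is a place the map must mark.
    if (Object.prototype.hasOwnProperty.call(SINKS, stmt.call) && origins.size > 0) {
      findings.push({
        line: i + 1,
        sink: stmt.call,
        risk: SINKS[stmt.call],
        sources: [...origins].sort(),
      });
    }

    // Propagate taint into the result variable, if any.
    if (stmt.target !== null) {
      if (SOURCES.has(stmt.call)) {
        taint.set(stmt.target, new Set([stmt.call]));   // new sensitive data
      } else if (SANITIZERS.has(stmt.call)) {
        taint.set(stmt.target, new Set());              // ciphertext: clean
      } else {
        taint.set(stmt.target, origins);                // plain propagation
      }
    }
  });

  return findings;
}

// Render the findings as the "blueprint" the text describes: one line per
// exit point, with storage writes (M2) marked as the places encryption belongs.
function blueprint(findings) {
  return findings.map(f => {
    const action = f.risk.startsWith('M2')
      ? 'encrypt before writing'
      : 'remove or redact sensitive fields';
    return `line ${f.line}: ${f.sink} receives data from ${f.sources.join(', ')} [${f.risk}] -> ${action}`;
  });
}

console.log(blueprint(mapDataFlows(PROGRAM)).join('\n'));
```

Run it with node; it reports three exit points: the plaintext localStorage write on line 5 (M2), the log statement on line 6 and the clipboard write on line 8 (both M4), while the encrypted write on line 4 and the version log on line 10 are silent. Production analyzers work on the real AST or bytecode, carry far larger source and sink catalogues, and handle aliasing, branches and callbacks; this single forward pass only shows the idea: taint originates at a source, propagates through assignments, stops at an encryption step, and every sink it still reaches is a point on the map.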

In the race to provide mobile applications or update existing ones, many organizations don’t take the time or have the expertise to secure their applications. The pace of development and change is so rapid that, without the aid of automated application security testing solutions, your application security protection might be in a constant state of lagging behind the latest vulnerabilities, leaving you exposed to potential data breaches.

Integrate Application Security into your SDLC

On February 25th, IBM announced the latest version of our application security testing solution, IBM Security AppScan 9.0. The new release advances market-leading mobile application security capabilities by providing seamless integration with IBM Worklight. Now, within a single integrated development environment (IDE), mobile applications can be developed and security-tested at the same time.

The new AppScan release makes it convenient to secure native and hybrid mobile applications. Comprehensive security analysis, coupled with a detailed understanding of IBM Worklight APIs, helps to prevent data leakage from mobile applications. AppScan identifies all the places where data leave applications and prioritizes security risks for developers, providing you with a definitive collection of security vulnerabilities.

By securing mobile applications as they’re developed, organizations realize the added benefit of protecting their enterprise data. Now, with the integration of IBM Worklight with IBM Security AppScan, it’s more convenient and practical to secure mobile applications early in the software development lifecycle.
