How can your organization expand usage of mobile applications, while effectively managing mobile security threats?

Security awareness is growing. Increasingly, organizations understand the need, even the requirement, to protect sensitive mobile application data. However, based on my first-hand experience at Mobile World Congress 2014, organizations are concerned and frustrated about how to make their mobile applications more secure, some to the point of being completely overwhelmed. With that in mind, I want to share some best practices for mobile data protection drawn from that experience, which should help to allay your fears.

Case in point: In my discussion with an IT director at a Spanish hospital, the director was clearly aware of his organization’s need to protect patients’ data. Data privacy and protection laws established clear application data protection requirements for the director to pursue. However, the IT director appeared to be “stuck,” because he received conflicting pressure from medical professionals and patients to make information more readily available via mobile applications, but he also understood the inherent dangers of expanded availability. To further complicate matters, many of his colleagues at the hospital were cutting-edge mobile users, who pressured him to support the mobile devices they utilized on a daily basis. He didn’t know how to approach solving these complex and overlapping issues.  


Explore Mobile Application Development Platforms as a Launching-Point

Have you ever felt like the IT director in the example above, who was not sure of the next step to take? If your organization needs to develop customized web, native or hybrid mobile applications to support multiple mobile platforms, utilizing a mobile development framework can be a good place to start. A leading mobile application development platform will help you simplify and streamline mobile application development, making it easy for you to quickly develop feature-rich mobile applications and provide operational infrastructure to help secure applications once they’re deployed.

However, a platform does not secure an application by itself: it is imperative that you develop mobile applications securely before they are deployed. The risk of data leakage means that your mobile applications should be tested for security defects early in the software development lifecycle, before they handle sensitive customer and organizational data in production.

OWASP recently updated its Mobile Top 10 Risks list for 2014. The chart below is built from that data and represents the mobile application threat landscape. Insecure Data Storage (Risk M2) and Unintended Data Leakage (Risk M4) both highlight the need to protect and encrypt sensitive information. In practice, sensitive data should never be written to a mobile device in plaintext, whether to application storage, caches, logs or the clipboard; where it must persist on the device, it should be encrypted with keys held in the platform key store rather than keys embedded in the application, and the safest option is often not to store it on the device at all.
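To make M2 and M4 concrete, here is an added example (not code from the original article, nor from IBM Worklight or AppScan) that places an insecure cache routine beside a hardened one and then runs the data-at-rest check a tester would perform on an extracted app sandbox. The patient record, field names, file path and logger are all constructed for illustration; the hardened version applies data minimization (only non-sensitive fields are persisted, and the log line is redacted) rather than encryption, so that it runs with the standard library alone.

```python
"""Insecure data storage (M2) and unintended data leakage (M4) side by side.

Added example, not code from the article or from IBM Worklight/AppScan.
The record, field names and cache path are hypothetical.
"""
import json
import logging
import os
import tempfile
from io import StringIO

# Constructed sample record, as the hospital app might receive it from its backend.
SAMPLE_RECORD = {
    "patient_id": "P-48213",
    "name": "Example Patient",
    "diagnosis": "Type 2 diabetes",
    "auth_token": "eyJhbGciOi.example.token",
    "next_appointment": "2014-03-12T09:30",
}

# Fields that must never reach device storage or logs in plaintext.
SENSITIVE_FIELDS = {"name", "diagnosis", "auth_token"}


def insecure_cache(record: dict, cache_dir: str, log: logging.Logger) -> str:
    """The 'before' picture: dumps the full record to a plaintext file (M2)
    and logs it verbatim (M4). Anything that can read the sandbox or the
    device log now has the diagnosis and a bearer token."""
    path = os.path.join(cache_dir, "record.json")
    with open(path, "w") as f:
        json.dump(record, f)
    log.info("cached record %s", json.dumps(record))
    return path


def redact(record: dict) -> dict:
    """Copy of the record with sensitive fields masked, for logging."""
    return {k: ("***" if k in SENSITIVE_FIELDS else v) for k, v in record.items()}


def secure_cache(record: dict, cache_dir: str, log: logging.Logger) -> str:
    """Hardened form: data minimization. Only non-sensitive fields needed for
    offline display are persisted; sensitive fields stay server-side (or go to
    the platform keychain/keystore, not shown here) and the log is redacted."""
    path = os.path.join(cache_dir, "record.json")
    minimal = {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS}
    # Restrictive file mode as an extra layer; best effort inside a mobile sandbox.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(minimal, f)
    log.info("cached record %s", json.dumps(redact(record)))
    return path


def leaked_values(record: dict, cache_path: str, log_text: str) -> set:
    """Data-at-rest check on an extracted sandbox: which sensitive values
    appear verbatim in the cache file or in the captured log?"""
    with open(cache_path) as f:
        stored = f.read()
    return {v for k, v in record.items()
            if k in SENSITIVE_FIELDS and (v in stored or v in log_text)}


def demo(writer) -> set:
    """Run one cache routine in a temp dir with a captured logger and return
    the set of sensitive values that leaked."""
    buf = StringIO()
    log = logging.getLogger(f"demo.{writer.__name__}")
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.INFO)
    log.addHandler(logging.StreamHandler(buf))
    with tempfile.TemporaryDirectory() as d:
        path = writer(SAMPLE_RECORD, d, log)
        return leaked_values(SAMPLE_RECORD, path, buf.getvalue())


if __name__ == "__main__":
    print("insecure:", demo(insecure_cache))  # all three sensitive values leak
    print("secure:  ", demo(secure_cache))    # set()
```

The `leaked_values` check is the same test a penetration tester runs against a real device: pull the application's data directory and device log, then grep for values known to be sensitive. If a value you gave the app comes back verbatim, it was stored or logged unprotected.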

Identify Your Organization’s Data at Risk

The first step to protecting sensitive mobile application data is to identify which data require protection. Application security tools make it easier to find data at risk quickly: they show where data enter your applications (the sources), where they travel inside your applications, and where they leave them (the sinks: storage, logs, network calls, inter-process messages). A complete list of the places where data leave a mobile application gives you a "map" or "blueprint" of everywhere encryption, redaction or access control should be applied.
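The "map" described above is what a taint analysis produces. As an added example (not code from the article or from IBM AppScan), the following is a deliberately small intraprocedural taint tracker over Python source: it treats calls to named source functions as the entry points of sensitive data, propagates taint through assignments and expressions, and reports every sink call whose arguments carry tainted data. The source, sink and sanitizer names and the sample program are hypothetical; a commercial tool models far more (interprocedural flow, framework APIs, implicit flows), but the shape of the result is the same.

```python
"""Build a data map: where sensitive data enters (sources), how it propagates,
and where it leaves (sinks). Added example, not the article's or AppScan's code.
Source/sink/sanitizer names and the sample program are constructed."""
import ast

# Hypothetical API names: where sensitive data enters and where it leaves.
SOURCES = {"get_patient_record", "read_password_field"}
SINKS = {"write_file", "log_debug", "http_post", "set_clipboard"}

# Constructed sample: a slice of a fictional health app's sync routine.
# Line numbers in findings refer to this string (line 1 is the blank line).
SAMPLE_PROGRAM = """
def sync(patient_id):
    record = get_patient_record(patient_id)
    summary = "Patient " + record["name"] + " seen"
    write_file("cache.json", record)
    log_debug("sync ok for %s" % patient_id)
    log_debug(summary)
    encrypted = encrypt(record)
    http_post("https://api.example/upload", encrypted)
    set_clipboard("done")
"""


class TaintTracker(ast.NodeVisitor):
    """Walks statements in order, propagating taint through assignments, and
    records every sink call whose arguments reference tainted data."""

    def __init__(self, sanitizers=frozenset()):
        self.sanitizers = set(sanitizers)  # calls that make their result safe (e.g. encrypt)
        self.tainted = set()               # variable names currently holding sensitive data
        self.findings = []                 # (sink, line, tainted variables involved)

    @staticmethod
    def _names(node):
        """All identifiers referenced inside an expression (incl. record["x"])."""
        return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}

    @staticmethod
    def _calls(node):
        """Names of all directly-called functions inside an expression."""
        return {n.func.id for n in ast.walk(node)
                if isinstance(n, ast.Call) and isinstance(n.func, ast.Name)}

    def _tainted_in(self, expr):
        """Tainted variables used by expr, plus whether a source is called in it."""
        return self._names(expr) & self.tainted, bool(self._calls(expr) & SOURCES)

    def visit_Assign(self, node):
        value = node.value
        sanitized = (isinstance(value, ast.Call) and isinstance(value.func, ast.Name)
                     and value.func.id in self.sanitizers)
        targets = set()
        for t in node.targets:
            targets |= self._names(t)
        names, from_source = self._tainted_in(value)
        if (names or from_source) and not sanitized:
            self.tainted |= targets
        else:
            self.tainted -= targets       # overwritten with clean data: taint cleared
        self.generic_visit(node)

    def visit_Call(self, node):
        if isinstance(node.func, ast.Name) and node.func.id in SINKS:
            involved, direct = set(), False
            for arg in node.args:
                names, from_source = self._tainted_in(arg)
                involved |= names
                direct = direct or from_source
            if involved or direct:       # empty tuple means a source fed the sink directly
                self.findings.append((node.func.id, node.lineno, tuple(sorted(involved))))
        self.generic_visit(node)


def find_data_exits(source_code: str, sanitizers=frozenset()):
    """Return [(sink, line, tainted_vars)] for every place sensitive data leaves."""
    tracker = TaintTracker(sanitizers)
    tracker.visit(ast.parse(source_code))
    return tracker.findings


if __name__ == "__main__":
    for finding in find_data_exits(SAMPLE_PROGRAM):
        print("data exits via", finding)
    print("after modelling encrypt() as a sanitizer:",
          find_data_exits(SAMPLE_PROGRAM, sanitizers={"encrypt"}))
```

Run without sanitizers, the tracker flags three exits: the plaintext cache write on line 5, the debug log on line 7 (tainted through string concatenation, which is how M4 leaks usually happen), and the upload on line 9. The first two are where encryption or redaction still has to be applied. Declaring `encrypt` a sanitizer removes the third finding, which is exactly the workflow: the finding list is the blueprint, and each fix removes an entry from it.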

In the race to ship new mobile applications or update existing ones, many organizations lack the time or the expertise to secure them. The pace of development and change is so rapid that, without automated application security testing, your protections will lag behind the latest vulnerabilities, leaving you exposed to potential data breaches.

Integrate Application Security into your SDLC

On February 25th, IBM announced the latest version of our application security testing solution: IBM Security AppScan 9.0. The new release advances market-leading mobile application security capabilities, by providing seamless integration with IBM Worklight. Now in a single integrated development environment (IDE), mobile applications can be developed and security-tested at the same time.

The new AppScan release makes it convenient to secure native and hybrid mobile applications. Comprehensive security analysis, coupled with a detailed understanding of IBM Worklight APIs, helps to prevent data leakage from mobile applications. AppScan identifies the places where data leave an application, prioritizes the resulting security risks for developers, and presents them as a list of confirmed, actionable vulnerabilities.

By securing mobile applications as they are developed, organizations gain the added benefit of protecting their enterprise data. With the integration of IBM Worklight and IBM Security AppScan, it is now more convenient and practical to secure mobile applications early in the software development lifecycle.
