Originally published in WahibHaq blog.
As the marketplace turns to mobile, large and small enterprises are seeing a rise in mobile security breaches. From phishing attacks to failures in addressing known vulnerabilities, breaches are being reported across all industries.
The Ponemon Institute recently published survey results indicating that at least 25% of businesses will experience a major security breach. To address the issue, enterprises need to develop more robust security testing and assessment procedures that address vulnerabilities across the entire enterprise environment.
Regardless of whether your company develops chatbot tools or fintech apps, the following eight points are important measures that all companies that use mobile technology should make sure they implement.
Penetration testing attempts to anticipate security breaches by identifying vulnerabilities. Exploitable vulnerabilities include remote attacks, physical break-ins, and social engineering.
The methods and means of penetration cover a broad range of approaches. Enterprises should review their goals and risk-averse concerns to determine the level of tolerance.
Once a mobile app is ready for deployment, enterprises need to ensure that the app meets the mandatory criteria for acceptance by the system through testing. End-user acceptance, technical requirements, business-goal alignment, and operational process each have security considerations that should be reviewed.
From an operational standpoint, the app should perform within existing environment protocols to avoid introducing new or known security risks. A few of the widely known protocols include restricting user access to crash and debug logs, investing in good encryption, and implementing a local session timeout.
Companies should test known vulnerabilities in source code and attack vectors against the architecture before the mobile app is published in the App Store and Google Play. Errors and flaws are cheaper, easier, and lower risk to fix prior to roll-out. Code or the architecture can be changed to remove vulnerabilities before data can be lost.
The Open Web Application Security Project (OWASP) provides a useful laundry list of questions and concerns to consider when addressing architecture and security.
Since third-party vendors are not part of the enterprise IT environment by definition, they do not have the same level of security awareness or concerns. A mobile app can be secure, but if the back-end systems and web services have security vulnerabilities, risks of data theft and other attacks remain.
The issue becomes more critical when the mobile app itself has been developed by a third party. Third-party vendors can make false or incorrect assumptions about security requirements, not know the full complement of enterprise IT standards and policies, or have little experience working for enterprise environments.
Developing an app from the ground is time-consuming and challenging. Developers can use free and open-source libraries and frameworks to save time. Ensuring the security of these resources, however, is critical.
Hackers have been known to publish libraries in hopes that app developers will integrate them into their final product. Once these apps are released to end-users, the hackers then can have access to the information they seek.
Always verify the security of free and open-source resources. While these outside contributions are an acceptable use in app development, developers should always confirm their security. Research the source entity of the libraries and frameworks for reputation and for their history and success with other contributions. Review the code line-by-line to fully understand what it does, keeping an eye out for phishing scams. Additionally, only use code from trusted resources that have been verified in-house or by other trusted verification resources.
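One way to enforce the "verified in-house" rule at build time, as an added example that is not part of the original article: a gate that compares every bundled third-party library against a list of SHA-256 digests recorded when the in-house review was done. The file names, the reviewed list and the function names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large library archives are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_libs(lib_dir: Path, reviewed: dict) -> dict:
    """Compare each file in lib_dir with the in-house reviewed list (name -> sha256)."""
    report = {"ok": [], "unreviewed": [], "modified": [], "missing": []}
    present = {p.name: p for p in sorted(lib_dir.iterdir()) if p.is_file()}
    for name, path in present.items():
        if name not in reviewed:
            report["unreviewed"].append(name)   # nobody has reviewed this library
        elif sha256_file(path) != reviewed[name]:
            report["modified"].append(name)     # differs from the reviewed build
        else:
            report["ok"].append(name)
    report["missing"] = sorted(set(reviewed) - set(present))
    return report

def build_allowed(report: dict) -> bool:
    """Fail the build if any library is unreviewed or no longer matches its review."""
    return not (report["unreviewed"] or report["modified"])

def demo() -> dict:
    # Constructed sample: one reviewed library, one altered after review,
    # and one that was dropped into the project without any review.
    with tempfile.TemporaryDirectory() as tmp:
        libs = Path(tmp)
        (libs / "imageloader-2.1.aar").write_bytes(b"reviewed build")
        (libs / "analytics-1.0.aar").write_bytes(b"altered build")
        (libs / "freebie-sdk.aar").write_bytes(b"never reviewed")
        reviewed = {
            "imageloader-2.1.aar": hashlib.sha256(b"reviewed build").hexdigest(),
            "analytics-1.0.aar": hashlib.sha256(b"original build").hexdigest(),
        }
        return audit_libs(libs, reviewed)

if __name__ == "__main__":
    result = demo()
    print(result, "build allowed:", build_allowed(result))
```

A digest match only shows that the file is the one that was reviewed; the line-by-line review and the research into the publisher still have to happen before a digest is added to the list.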
If you don’t ensure your app is secure, all the app users are at risk. Mobile app developers focus on front-end issues like user experience (UX) and user interface (UI) or backend implementation. Most of the time, security is not their primary concern, especially for user-facing apps. They should, however, have security experts on their teams.
As an app developer, you’re the last line of defense for your company's product or service.
Enterprise solutions should always require security to be a core competency for in-house developers and any third-party developer. The Android and iOS platforms both offer extensive documentation with tips and guidelines to significantly reduce the frequency and impact of application security issues.
Engineering culture and the release process tend to put pressure on speedy app release. Often, stress to produce on tight deadlines can compromise security reviews. Enterprises should ensure that security remains a vital part of the release process.
Mobile app testing should include assessing the successes–and failures–of the enterprise IT team responsible for support. The IT team should have policies and processes in place, as well as metrics to measure them, that address how it responds within the system, key performance indicators (KPIs), and problem resolution.
A key factor in problem resolution is to assess how long the security patch takes to reach users. For instance, Apple's approval process can take as long as a week. Additionally, users need to accept and download the patch, which is not something a developer can control. It is vital to have a strategy in place for these circumstances as well.
Assessing IT support and response, whether in-house or outsourced, can expose process issues that may lead to security issues as well.
Security is not just a matter of enterprise policy; in many cases, certain security requirements are enforced by cyber-security and privacy laws, like HIPAA. Otherwise, they can be governed by ISO Certification Standards, FIPS, ENISA or OWASP among many others.
Keeping applications and data in compliance with industry and regional requirements has to be one of the biggest headaches for IT departments in many organizations.
Enterprise security testing means ensuring that mobile app development incorporates security standards from the beginning. By establishing procedures that make security a priority throughout the process, all enterprises can reduce their risk of data breaches that can cause legal, financial, technological, and public relations nightmares.
This article was co-authored by freelance editor, Rae Steinbach.