Theresa Lanowitz at AT&T Business shares insight into how mobile app development contributes to organisational security
Applications are the lifeblood of any business. In fact, it has been said that every company is a software company; and the rise of digital transformation has certainly reinforced that as more organisations adopt digital technologies to improve processes and create meaningful experiences for customers to drive innovation.
For instance, mobile applications have played a pivotal role in speeding up the digital transformation process as they are convenient for everything from banking to checking medical records. However, they are complex – from advanced frontends designed to improve user experience to more complex backend databases and applications that all require protection. And this is where a lack of security can pose a serious threat. If the only focus for developers is UX and operational efficiencies, the organisation will immediately compromise its cyber-security posture.
If a front or back-end vulnerability is successfully exploited, cyber adversaries can enter an enterprise via a non-secure mobile app. With the proliferation of mobile devices and apps, security needs to take a front seat in mobile app development to defend against evolving threats.
As companies of every size and type create meaningful and innovative experiences for customers, how can software developers help make sure these applications, specifically mobile apps, are secure?
Incorporate shift left security
The idea of ‘shift-left’ originated with the testing community to help manage the proverbial cost, quality, and schedule triangle – test earlier in the lifecycle to find defects sooner while keeping the project on track. Shift-left also helps teams focus on delivering a quality application, instead of attempting to test defects out at the end of the development process. This concept helps with a faster time to production and a better understanding of the source code – which is particularly vital, since time to market is a competitive advantage.
Likewise, security should be treated as a non-functional requirement for any application. By understanding security requirements, developers can build more secure code from the beginning and avoid bolting on security at the end. Employing tools such as static and dynamic analysis will help scan source code for security weaknesses and detect commonly known vulnerabilities, such as cross-site scripting, SQL injection, and buffer overflows.
Furthermore, a shift-left approach to security encourages more cross-functional communication between developers, which is important to a security-first approach.
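As an added illustration (not part of the original article), here is a small static-analysis check of the kind the shift-left tooling above performs: it walks Python source with the standard `ast` module and flags DB-API `execute` calls whose query string is assembled at runtime, the pattern behind SQL injection, while a constant query with bound parameters passes. The two backend handler snippets are constructed samples.

```python
import ast

# Constructed samples: two versions of a mobile-backend handler.
# The first concatenates untrusted input into SQL; the second binds it as a parameter.
VULNERABLE_SRC = '''
def get_account(cur, user_id):
    cur.execute("SELECT * FROM accounts WHERE id = " + user_id)
    return cur.fetchone()
'''

SAFE_SRC = '''
def get_account(cur, user_id):
    cur.execute("SELECT * FROM accounts WHERE id = %s", (user_id,))
    return cur.fetchone()
'''

# Python DB-API methods that hand a query string to the database.
SQL_SINKS = {"execute", "executemany"}


def _is_dynamic_string(node):
    """True if the expression builds its string at runtime from a non-literal part:
    '+' concatenation or '%'-formatting with a non-constant operand, .format(), or an f-string."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return not (isinstance(node.left, ast.Constant) and isinstance(node.right, ast.Constant))
    if isinstance(node, ast.JoinedStr):  # f-string
        return True
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"
    return False


def find_sqli_sinks(source):
    """Return (line, method) pairs where a SQL sink receives a dynamically built query.
    Constant queries, even with a separate parameter tuple, are not reported."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr in SQL_SINKS and node.args and _is_dynamic_string(node.args[0]):
            findings.append((node.lineno, node.func.attr))
    return findings


if __name__ == "__main__":
    print("vulnerable handler:", find_sqli_sinks(VULNERABLE_SRC))  # [(3, 'execute')]
    print("parameterised handler:", find_sqli_sinks(SAFE_SRC))     # []
```

A real scanner adds taint tracking so that a query built from constants only is not reported while one that flows from request input is; this check approximates that by treating any non-literal operand as untrusted.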
Adopt a Zero Trust mindset
The basic concept of Zero Trust is to “trust nobody and no thing (as in IoT) and to verify everybody and every thing”. This means identity and access management (IAM) is a critical component of mobile app development and one of the first steps on a journey to Zero Trust. In fact, the recent AT&T Cybersecurity Insights™ Report finds that 94% of participants are on their way to a Zero Trust journey, which is promising for the wider industry.
Keep in mind, Zero Trust is a mindset or a framework and not a specific tool. However, using tooling is another important aspect of the Zero Trust journey. IAM tooling helps to make sure that the right users have the right access to the right applications or resources.
Moreover, employing a Zero Trust mindset brings together multiple levels and teams within an organisation. This helps to align security priorities and moves the focus away from a tooling-only approach to security.
Know your APIs
Another key component of the application development process is an Application Programming Interface or API, which allows one piece of software to interact with another piece of software through a set of programming instructions and standards. APIs are built and released so that software developers can create products powered by the service of a particular API. APIs lack a Graphical User Interface (GUI) and consist of two elements:
1) how information is exchanged between the two pieces of software
2) a software interface written to the specification and published for use
A loosely coded or broken API can be an open door to a cyber adversary and is especially risky if the API connects to a third-party application. Determine how to centrally test and authorise APIs to help prevent unintentional consequences.
Manage your vulnerabilities
Defect management is something development teams have been relying on for decades. Knowing your defects and whether those defects have been deferred or remediated goes a long way toward delivering quality software.
Likewise, understanding and managing security vulnerabilities is invaluable information for the entire organisation. Vulnerability management helps to minimise the attack surface through identification, evaluation, prioritisation, remediation, and reporting of vulnerabilities.
Each organisation needs to determine its own risk appetite and devise a plan to manage and address security vulnerabilities.
Staying current with updates released via patches is critical. Since mobile apps in many cases access backend databases, it is important to follow basic cybersecurity hygiene patching practices.
Patch management should be a priority, but it is often overlooked and quickly becomes an easy point of access for cyber adversaries, who poke around trying to exploit already known vulnerabilities. Ignoring patch management provides low-hanging fruit for cybercriminals.
Threat actors are lurking everywhere and are seeking the path of least resistance to access organisations’ corporate and customer data, intellectual property, as well as credentials. Building applications with a security-first mindset will help make companies more resilient and able to better withstand constant cyber threats against their applications, data, and endpoints.
Theresa Lanowitz is head of cyber-security evangelism at AT&T Business