Could you recommend a plan for ensuring secure mobile enterprise application development?
There’s been more pressure on our development group to provide mobile applications for internal use. How can we as an information security team ensure those applications are secure?
Regardless of which mobile platform you're developing applications for, the core of your application security strategy should be a policy that enforces secure coding practices. Vulnerability detection and assessments should be performed from application design through the development and deployment stages. A problem that often arises is that those responsible for enterprise information security don't have an in-depth understanding of how a proposed mobile application will actually work, while developers often don’t realize the security implications of particular features and functions that they wish to incorporate into the application.
One of the best ways to bridge the knowledge gap between the information security team and the development group is to introduce threat modeling tools at the application design stage. It not only raises security awareness among developers, but also makes application security an integral part of the application design and development process.
Threat modeling introduces a structured approach for identifying and evaluating the threats to an application and determining the correct controls to mitigate the resulting risks. It involves categorizing which assets or sensitive information the application accesses and then assessing how they may be compromised from an attacker’s point of view. This helps build security into the application, resulting in a reduction in the number of vulnerabilities that make it through to the release version.
A good tool to start with is Microsoft's SDL threat modeling tool, as it isn't designed just for security experts. It makes threat modeling accessible for developers by providing guidance on creating and analyzing threat models. You may also want to consider using a development platform that highlights security as a feature. Sybase Inc.’s Unwired Platform is a mobile enterprise application platform that provides a single administrative console to centrally manage, secure and deploy mobile applications, all while allowing developers to concentrate on building applications. Virtual Mobile Technologies’ RAMP Mobile Enterprise Application Platform supports all mobile platforms and provides end-to-end information security.
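As an added illustration of the structured approach described above (this is example code written for this page, not from the original article or from Microsoft's tool), the script below applies the STRIDE-per-element mapping used in SDL-style threat modeling to a constructed data-flow diagram of an internal mobile app, enumerates the applicable threat categories for each element, and ranks them by the assets an element touches and by whether a data flow crosses a trust boundary. The element names, assets, trust zones and the simple priority scoring are assumptions for the example.

```python
"""STRIDE-per-element threat enumeration over a small mobile-app data-flow diagram."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# STRIDE categories that SDL-style threat modeling applies to each DFD element type.
STRIDE_PER_ELEMENT: Dict[str, str] = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TRID",
}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service", "E": "Elevation of privilege",
}

@dataclass
class Element:
    name: str
    kind: str                                        # a key of STRIDE_PER_ELEMENT
    assets: List[str] = field(default_factory=list)  # sensitive data the element touches
    zone: str = "device"                             # trust zone the element lives in
    endpoints: Tuple[str, ...] = ()                  # data flows only: (source, destination)

def enumerate_threats(elements: List[Element]) -> List[dict]:
    """Return one record per (element, applicable STRIDE category), highest priority first.
    Priority (assumed scoring): one point per asset touched, plus two if a flow crosses zones."""
    by_name = {e.name: e for e in elements}
    threats = []
    for e in elements:
        crosses = False
        if e.kind == "data_flow" and e.endpoints:
            src, dst = (by_name[n] for n in e.endpoints)
            crosses = src.zone != dst.zone
        priority = len(e.assets) + (2 if crosses else 0)
        for letter in STRIDE_PER_ELEMENT[e.kind]:
            threats.append({"element": e.name, "category": STRIDE_NAMES[letter],
                            "crosses_boundary": crosses, "priority": priority})
    return sorted(threats, key=lambda t: -t["priority"])  # stable sort keeps DFD order within a tier

# Constructed sample DFD of an internal mobile app (example data, not any real system).
MOBILE_APP_DFD = [
    Element("employee", "external_entity"),
    Element("mobile client", "process", assets=["session token"]),
    Element("local cache", "data_store", assets=["customer records"]),
    Element("backend api", "process", assets=["customer records"], zone="datacenter"),
    Element("https to backend", "data_flow", endpoints=("mobile client", "backend api")),
]

if __name__ == "__main__":
    for t in enumerate_threats(MOBILE_APP_DFD):
        flag = " (crosses trust boundary)" if t["crosses_boundary"] else ""
        print(f"[{t['priority']}] {t['element']}: {t['category']}{flag}")
```

The boundary-crossing HTTPS flow surfaces first, which is where the encryption and server-authentication decisions discussed below belong.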
The correct implementation of encryption will be critical to ensuring the application can keep data secure. It's therefore essential that your developers really understand how to use the security features provided by their development platform and code language. The recent version 2 release of Oracle Corporation’s MIDP (Mobile Information Device Profile), for example, includes enhanced mobile code and application security and makes HTTPS support mandatory; developers should be given training on how to fully utilize such features.
The cost of addressing security issues increases as the software design lifecycle proceeds, so threat modeling and training developers to code securely not only helps create better products, but will also benefit your bottom line. As a member of the security team, you must keep abreast of new threats, countermeasures and mobile development platforms, such as the new BlackBerry Enterprise Application Development Platform, so you can provide informed and current advice to the developers on securing mobile applications during the development phase.
This was first published in March 2011