Could you recommend a plan for ensuring secure mobile enterprise application development? There's been more pressure on our development group to provide mobile applications for internal use. How can we as an information security team ensure those applications are secure?
Regardless of which mobile platform you're developing applications for, the core of your application security strategy should be a policy that enforces secure coding practices. Vulnerability detection and assessments should be performed from application design through the development and deployment stages. A problem that often arises is that those responsible for enterprise information security don't have an in-depth understanding of how a proposed mobile application will actually work, while developers often don’t realize the security implications of particular features and functions that they wish to incorporate into the application.
One of the best ways to bridge the knowledge gap between the information security team and the development group is to introduce threat modeling tools at the application design stage. It not only raises security awareness among developers, but also makes application security an integral part of the application design and development process.
Threat modeling introduces a structured approach for identifying, evaluating and determining the correct controls to mitigate the risks to an application. It involves categorizing which assets or sensitive information the application accesses and then assessing how they may be compromised from an attacker’s point of view. This helps build security into the application, resulting in a reduction in the number of vulnerabilities that make it through to the release version.
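To make the structured approach concrete, the following is an added example (not part of the original answer) of the kind of gap check a threat model produces. It assumes the STRIDE categories and the per-element applicability table used by Microsoft's SDL approach (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege); the mobile-app elements, their sensitivity flags and the named controls are constructed sample data, not a description of any real product.

```python
"""Added example: list the threats in a small mobile-app threat model that
have no control assigned. Not code from the original answer."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# STRIDE categories (assumption: the answer refers to threat modeling in
# general; STRIDE is the framework behind Microsoft's SDL threat modeling tool).
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Classic STRIDE-per-element table: which categories apply to each kind of
# data-flow-diagram element.
APPLICABLE: Dict[str, Set[str]] = {
    "external_entity": {"S", "R"},
    "process": {"S", "T", "R", "I", "D", "E"},
    "data_store": {"T", "R", "I", "D"},
    "data_flow": {"T", "I", "D"},
}


@dataclass
class Element:
    name: str
    kind: str                       # one of APPLICABLE's keys
    sensitive: bool = False         # holds or carries credentials / confidential data
    # STRIDE letter -> description of the control that addresses it
    controls: Dict[str, str] = field(default_factory=dict)


def enumerate_threats(element: Element) -> Set[str]:
    """Return the STRIDE letters that apply to this element's kind."""
    if element.kind not in APPLICABLE:
        raise ValueError(f"unknown element kind: {element.kind!r}")
    return APPLICABLE[element.kind]


def unmitigated_threats(model: List[Element]) -> List[Tuple[str, str]]:
    """Every (element, threat) pair with no control, sensitive assets first."""
    gaps = []
    for element in model:
        for letter in enumerate_threats(element):
            if letter not in element.controls:
                gaps.append((element.name, STRIDE[letter], element.sensitive))
    # Sensitive assets float to the top; the rest is a stable name/category order.
    gaps.sort(key=lambda g: (not g[2], g[0], g[1]))
    return [(name, category) for name, category, _ in gaps]


def build_sample_model() -> List[Element]:
    """Constructed sample: an internal mobile app talking to an enterprise API."""
    return [
        Element("Employee", "external_entity",
                controls={"S": "SSO login with MFA"}),
        Element("Mobile app", "process",
                controls={"S": "server certificate validation",
                          "T": "signed application package"}),
        Element("Local cache", "data_store", sensitive=True,
                controls={"I": "encrypted with a key held in the platform keystore"}),
        Element("App <-> API (mobile network)", "data_flow", sensitive=True,
                controls={"T": "HTTPS", "I": "HTTPS"}),
        Element("Enterprise API", "process",
                controls={"S": "per-user access token",
                          "R": "audit log of API calls",
                          "E": "server-side role checks"}),
    ]


def render_report(model: List[Element]) -> str:
    """Human-readable list of open threats for a design review."""
    lines = [f"- {name}: {category}" for name, category in unmitigated_threats(model)]
    return "Open threats (no control assigned):\n" + "\n".join(lines)


if __name__ == "__main__":
    print(render_report(build_sample_model()))
```

The output is the review agenda for the design stage: each line is a threat the developers must either assign a control to or explicitly accept, and the sensitive assets (the local cache and the network path) come first because that is where an unaddressed item costs the most.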
A good tool to start with is Microsoft's SDL threat modeling tool, as it isn't designed just for security experts. It makes threat modeling accessible for developers by providing guidance on creating and analyzing threat models. You may also want to consider using a development platform that highlights security as a feature. Sybase Inc.'s Unwired Platform is a mobile enterprise application platform that provides a single administrative console to centrally manage, secure and deploy mobile applications, all while allowing developers to concentrate on building applications. Virtual Mobile Technologies' RAMP Mobile Enterprise Application Platform supports all mobile platforms and provides end-to-end information security.
The correct implementation of encryption will be critical to ensuring the application can keep data secure. It's therefore essential that your developers really understand how to use the security features provided by their development platform and code language. The recent version 2 release of Oracle Corporation's MIDP (Mobile Information Device Profile), for example, includes enhanced mobile code and application security and makes HTTPS support mandatory; developers should be given training on how to fully utilize such features.
The cost of addressing security issues increases as the software design lifecycle proceeds, so threat modeling and training developers to code securely not only helps create better products, but will also benefit your bottom line. As a member of the security team, you must keep abreast of new threats, countermeasures and mobile development platforms, such as the new BlackBerry Enterprise Application Development Platform, so you can provide informed and current advice to the developers on securing mobile applications during the development phase.