Ask most enterprise information security managers what they're doing to address mobile app risks, and what you'll likely hear is how mobile device management and unified endpoint management have been deployed across the network. Certain MDM and UEM controls can help, but there's more to the mobile app discussion.
Looking above and beyond the traditional network and device layers, mobile app security has more in common with web application security and your systems development lifecycle than with anything on the mobile endpoint itself: the app is usually a client in front of the same web services and APIs your other applications expose. Still, mobile apps are most often treated as one-off, niche products rather than as business applications that need specific attention if security risks are to be minimized.
If this aspect of your information security program is to be effectively managed, you first have to get mobile app security onto your radar, and then build out the oversight. Mobile apps that are developed in house have to be included in your overall risk management efforts and integrated into your development and QA processes. In cases where mobile apps are outsourced to marketing companies, offshore developers or whomever, security oversight can be a bit more limited, but that doesn't mean your business can absolve itself of all responsibility.
In either situation, once mobile app security is on your radar, you have to take the same approach you would with other core business systems to ensure that security requirements are being met. This includes mobile app-centric:
- security policies and standards that are agreed-upon, documented and shared with all the necessary parties, especially developers and QA testers either in house or off site;
- threat modeling to identify specific threats and the confirmed or potential attack surface;
- vulnerability and penetration testing -- via your own internal team or through a third party -- of the app and its associated infrastructure and web services;
- source code reviews, supported by static analysis of the code and interactive application security testing of the running app and its back-end services; and
- vendor management and scrutiny for third parties associated with all aspects of the mobile app supply chain, including development, infrastructure services and cloud vendors.
If each of these areas is not implemented and overseen with the same level of scrutiny you give to other business systems, then mobile apps will work against your security efforts and introduce tangible security risks for enterprise users.
Input validation flaws can lead to SQL injection, weak access controls can lead to compromised user sessions, and the web servers behind the app can have missing patches that attackers can exploit. Cleartext HTTP communication sessions can expose everything to eavesdroppers on the same wireless network. If these mobile application risks are not taken seriously, they can lead to security incidents and breaches.
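To make the first of those risks concrete, here is an added example (not code from the original article or from any vendor it names): a login lookup of the kind a mobile app's back-end web service might run, written once with string-built SQL and once with bound parameters, against an in-memory SQLite database. The users table, the credentials in it and the attacker's input are all constructed for the example.

```python
import sqlite3

# Constructed sample data: an in-memory users table standing in for the
# database behind a mobile app's login web service. Nothing here comes
# from a real system.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "user"), ("admin", "hunter2", "admin")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by string formatting, the input validation flaw the
    article describes. Returns the matched role, or None on failure."""
    query = (
        f"SELECT role FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same lookup with bound parameters. User input can never change the
    query structure, so an injection payload is just a wrong username."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Constructed attacker input: closes the username literal and comments out
# the rest of the WHERE clause, so the password is never checked.
INJECTION = "admin' --"


def demo():
    """Runs both versions and returns the role each one grants."""
    conn = make_db()
    return {
        "vulnerable_with_injection": login_vulnerable(conn, INJECTION, "anything"),
        "parameterized_with_injection": login_parameterized(conn, INJECTION, "anything"),
        "parameterized_valid": login_parameterized(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for case, role in demo().items():
        print(f"{case}: {role}")
```

With the constructed input, the string-built query grants the admin role without a password, while the parameterized query treats `admin' --` as a username that simply doesn't exist. Passwords are stored in cleartext here only to keep the example short; a real service compares against a salted password hash, and the same parameterization rule applies to every query the mobile app's back end builds from client-supplied data.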
A lot can be done to uncover and resolve mobile app risks, as mobile app security frameworks and standards are available from organizations such as the Open Web Application Security Project, whose Mobile Application Security Verification Standard defines testable requirements for mobile apps, and NIST, whose SP 800-163 covers vetting the security of mobile applications.
There are also vendors with solutions that can automate testing and support certain remediation efforts, such as Solared Cyber Security and NowSecure. But in the end, mobile app risks are no different from any other risks associated with other applications or systems present in your environment. There's a lot going on -- and a lot to lose -- so mobile app security has to be taken seriously.
Looking at the bigger picture, the secret to running an effective information security program involves three main elements: knowing what you've got, understanding how it's at risk and doing something about it.
Where are the mobile app risks that could affect your company? If none are apparent, then you haven't looked hard enough. How do mobile apps fit into your overall enterprise security program? This is an oversight you don't want to make.
If you stay on top of mobile app security and treat it like you would any other part of your program, then the risks can be addressed and the impact of an app-related incident or security breach can be minimized. Otherwise, it gives the bad guys a quick win, and that's not going to be a defensible scenario when something happens.