5 Tips for Secure Software and Mobile Application Development
Most of our security engineering and consulting work is in network and systems security. That is not meant to downplay the importance of security elsewhere in IT; I can only report what we see. Recently, however, we have noticed a significant shift in customer requests toward the security of their applications and the security posture maintained while those applications are developed.
OWASP has maintained and published its Top 10 list for many years, but only recently have more organizations started to pay real attention to it and to the impact those vulnerability classes could have on their applications and business. Whether the reason is the growth of mobile applications, regulatory compliance, or plain recognition that security matters, companies are finally identifying areas for improvement and requiring more due diligence in finding potential threats.
Secure coding practices should be built into the lifecycle of every application developed, but this is not always the case, and nowhere is that more apparent than in mobile application development. The IT industry as a whole is guilty of lacking the patience we try to sell our customers, and the same "I want it now" mentality is now showing in the rush to get mobile applications into the workforce.
Mission Critical or Convenient
One of my favorite terms used to permit a "slight" side-step of security is "mission critical". The term was borrowed from the military and has somehow become the catch-all excuse for an application or system lacking proper security configuration. Is it really about something being mission critical, or is it about the application making tasks more convenient?
With mobile apps being developed at an intense clip for a wide variety of purposes, the focus should be on security rather than convenience, because the very nature of a mobile app makes it unusually exposed to external attack. Show me one teenager without a working understanding of jailbreaking an iPhone or rooting an Android device and I will be shocked. On a jailbroken or rooted device, an experienced individual has root access, can install applications from any source, can change configuration that would otherwise be locked, and can read the application's compiled files, including any endpoints or credentials built into them. That turns into something far less convenient for your user community and upper management.
Mobile Application Connections
One constant with mobile applications is that they connect back to something. For a mobile application to have enterprise credibility, it typically needs to serve an enterprise service or provide a work function not otherwise available, and that requires a connection to internal servers. Given the jailbreak scenario above, an individual who controls the device can inspect that connection and the application's embedded configuration, so any vulnerability in the application becomes a path to internal business resources. This should be a major concern for developers, and the kinds of connections to internal resources, and how they are authenticated, should be decided in the earliest stages of application development.
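The two points above (anything compiled into the app can be read from a jailbroken or rooted device, and the app's connection to internal servers is only as trustworthy as whatever authenticates it) can be shown in a short example. This is illustration added for this article, not Praetorian's code or any client's: the "app bundle" is a constructed byte string, the hostnames, user store, salt and token format are invented, and the token scheme is a deliberately simplified HMAC design. It first runs a `strings`-style scan that recovers a hard-coded API key and an internal URL from the bundle, then contrasts a back end that accepts that static key with one that only accepts short-lived, server-minted tokens tied to a user login.

```python
"""Added example for this article (not Praetorian's or any client's code).

Part 1: what a rooted-device owner recovers from a compiled app bundle.
Part 2: a back end that trusts a shipped key versus one that does not.
"""
from __future__ import annotations

import hashlib
import hmac
import re
import secrets
import time

# Constructed stand-in for an app binary pulled off a rooted device: a few
# non-printable bytes around a hard-coded key and an internal endpoint.
CONSTRUCTED_APP_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(range(32))
    + b"api_key=AKIA-EXAMPLE-STATIC-KEY-1234\x00"
    + b"\x90\x90\xcc" * 5
    + b"https://intranet.example.internal/api/v1/payroll\x00"
    + b"user_agent=ExampleMobile/2.1\x00"
)

_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")
_CREDENTIAL_KEY = re.compile(r"(?i)^(api_key|secret|token|password)=")
_URL = re.compile(r"https?://[\w.\-]+(?:/[\w./\-]*)?")
_INTERNAL_HOST = re.compile(r"\.(internal|corp|local)\b|intranet")  # assumed naming


def extract_strings(blob: bytes) -> list[str]:
    """Same idea as the `strings` utility: every printable run of 8+ bytes."""
    return [m.group().decode("ascii") for m in _PRINTABLE_RUN.finditer(blob)]


def find_embedded_secrets(blob: bytes) -> dict[str, list[str]]:
    """Triage the recovered strings for shipped credentials and internal endpoints."""
    found: dict[str, list[str]] = {"keys": [], "internal_urls": []}
    for s in extract_strings(blob):
        if _CREDENTIAL_KEY.match(s):
            found["keys"].append(s.split("=", 1)[1])
        for url in _URL.findall(s):
            if _INTERNAL_HOST.search(url):
                found["internal_urls"].append(url)
    return found


# --- Weak back end: the app itself is the principal -------------------------
STATIC_APP_KEY = "AKIA-EXAMPLE-STATIC-KEY-1234"  # the same value baked into the blob


def weak_authorize(presented_key: str) -> bool:
    """Whoever extracted the key from the bundle is indistinguishable from the app."""
    return hmac.compare_digest(presented_key, STATIC_APP_KEY)


# --- Hardened back end: the user is the principal; the app holds no secret ---
_SALT = b"constructed-per-deployment-salt"  # a real store uses a salt per user


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


class TokenService:
    """Mints short-lived, server-signed tokens after a user login.

    Nothing the app stores works without the user's credentials, and the
    signing key never leaves the server, so a copy of the bundle is useless.
    """

    def __init__(self, ttl_seconds: int = 900, clock=time.time):
        self._key = secrets.token_bytes(32)  # per-server secret, never shipped
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._users = {"alice": _hash_password("correct horse")}  # constructed user

    def _sign(self, payload: str) -> str:
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def login(self, user: str, password: str) -> str | None:
        stored = self._users.get(user, b"")
        if not hmac.compare_digest(stored, _hash_password(password)):
            return None
        payload = f"{user}:{int(self._clock()) + self._ttl}"
        return f"{payload}:{self._sign(payload)}"

    def authorize(self, token: str) -> str | None:
        """Return the user the token belongs to, or None if it is not acceptable."""
        try:
            user, exp, mac = token.rsplit(":", 2)
        except ValueError:
            return None  # not even the right shape (e.g. the extracted static key)
        if not hmac.compare_digest(mac, self._sign(f"{user}:{exp}")):
            return None  # forged or tampered
        if int(exp) < self._clock():
            return None  # expired
        return user
```

The design point is that `weak_authorize` lets anyone who ran `find_embedded_secrets` on the bundle impersonate every user of the app, while `TokenService` gives the attacker nothing to extract: the bundle contains no credential, the signing key lives only on the server, and a stolen token stops working when it expires. Transport protection (TLS, and certificate pinning on the client) still matters, but it is additive to this; it does not rescue a design that ships the secret.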
Security Checklists for Mobile App Development
Internally we maintain a well-established process and methodology for reviewing software and mobile application development for our clients. I won't venture into the depths of that review process here, but for this article I want to highlight some of its important aspects.
- Secure It Early. Making security a main focus early in the development of your application reduces the risk of vulnerabilities later. Establishing a software review board or Change Control Board (CCB) will likely produce a secure development process that is effective at reducing both the risks associated with mobile applications and the cost of recovering from an exposed vulnerability.
- What's Your Policy? Something often overlooked in the development of mobile applications is the organization's own privacy and information-systems policy. In addition, more and more companies face requirements and mandates stemming from regulatory compliance (such as HIPAA, PCI DSS, and NIST guidance) and need to account for all of these factors in the planning and design stages of application development.
- Let's Be Honest. I cannot count the number of times we have worked with clients whose application security design and review process is handled internally, and most of the time by the same team developing the application. Fully aware of the budgetary constraints facing many companies these days, this is still one area that deserves serious consideration for investment. Without accusing software developers of ill will, the simple fact is that not inviting an experienced third party to analyze, assess, and test applications early in the design process is asking for problems down the road, problems that will prove very costly and could damage public reputation.
- Study for the Test. Nothing is more damning for the success of an application than failing to meet its intended purpose. Equally damning for your business is an insecure mobile application serving its workforce. This is why testing, and documenting the tests performed, is crucial to your team's success. With industry-proven tools, well-planned test cases, and third-party security companies this can be addressed rather easily and save time, money, and resources in the end.
- Let's Roll. Having navigated the four previous steps, you should be well on your way to presenting your application to the user community and deploying it as required. Even though security was addressed throughout the process described above, the initial deployment of your application should involve heavy oversight from either an internal or external security team to ensure application integrity.
Security is a 24/7 operation and should be seriously considered in every aspect of your business. New threats and vulnerabilities are being discovered at an unprecedented rate, and taking the necessary precautions now can save you from disastrous consequences later. With that in mind, appropriate training of key personnel should be maintained and required at least annually. This will allow future development life cycles to operate more efficiently and effectively.
Praetorian Secure follows an industry-proven methodology for secure software and mobile application development, and for more information regarding our Software Security Services, please contact us at 855-510-7328 or click here to fill out our online customer form.