Application security initiatives and programs are getting good at getting down to where an organization’s data lives and protecting it against threats, but that is only one piece of the security puzzle. Resources and people available to tackle security are limited amounts of time, hence the organizations have had to prioritize what gets protected. Chad McDonald, chief information officer and chief information security officer at Digital.ai, a software solutions provider, commented:
“An organization may develop 100 different applications. Since it is not always cost-effective or time-efficient to come up with a customized security plan for each application, only the applications considered critical receive top priority, maybe five or six of them, and the remaining 95 or so are deprioritized in terms of security. That doesn’t mean those 95 applications don’t require protection, it just means that the risk is somewhat lower.”
McDonald explained that this lack of resources and forced prioritization results in poor endpoint security. Endpoint security becomes an even bigger concern with mobile devices as these devices are often connected to highly vulnerable data including banking information, credit cards, and in some cases even medical records and equipment. McDonald also noted:
“There is a whole host of information that now lives on your mobile device or is accessed via your mobile device via an application. We haven’t really yet seen security controls get pushed down broadly to that point.”
It’s difficult to tackle mobile endpoint security when there are a number of different programming languages being used to make up an application, and operating systems are constantly evolving and being refactored, making things more complicated and taking a toll on application security. But mobile endpoint security is not something that can really be ignored or only applied to the more business-critical applications. McDonald explained that even those “lesser important applications” can still touch other parts of the organization and do significant damage.
In a mobile app, that would translate to a hacker exploiting one of those lesser critical applications, looking for ways to jump into a more relevant system or elevating privileges from a user to an administrator, and interrupting operations or shutting down the server. Developers really need a way to expand their security abilities across their entire portfolio and bake telemetry into their applications.
According to McDonald, while there has been a lot of attention on application performance monitoring lately, a majority of those efforts are aimed at driving marketing data and looking at what section of the application the user spends the most time or is performing the best, and how long it takes for the application to load. Developers really need security-specific telemetry data such as how an application is being attacked and what section of the code is at risk, with the ability to feed that information back to the organization so they can make informed decisions about locking accounts or updating code. McDonald said:
“My recommendation to developers is to really shine the flashlight in the dark corners of the application. Understand how your applications are actually being used from a security perspective in addition to that performance and marketing data.”
Just because an application is in the App Store, Google Play Store or available for download from a website doesn’t mean that it is safe or secure. Users should make sure their application is valid and certified because there could be copies of those applications out there in the wild with nefarious functionality baked in. Additionally, some users tend to jailbreak their device or route their mobile device to download a game or gain access to other content, but that bypasses all the built-in security controls and opens a huge gap in the security perimeter of the mobile device.
Digital.ai is focused on integrating security into the software development pipeline so organizations don’t have to pick and choose the applications that are more critical to protect. Digital.ai Essential App Protection protects applications from unsafe environments and provides actionable insight into how, when and where applications are vulnerable.
Digital.ai Essential App Protection provides persistent monitoring of an organization’s attack surface so they can understand what attacks look like, strengthen controls or change controls to continually defend against hackers. This targeted approach enables developers to really focus their efforts on where the attacks are happening instead of taking the traditional shotgun approach.