Skip to content

Guest post by Mandeep Khera

Advisory Board Member App-Ray. Former Chapter Leader for OWASP

Web applications continue to be vulnerable to attacks from hackers. Worse, mobile apps continue to be the ignored stepchild with over 95 percent vulnerable according to some studies.

No wonder hackers continue to exploit app security vulnerabilities in both iOS and Android mobile apps. Some of which include SQL Injection (Client-Side), Vulnerable 3rd Party Software, Application uses HTTP Basic Authentication, Weak Crypto, Application Utilizes Shared KeyChain, Allows Unsafe SSL Connections, and many others.

So, in spite of the millions of dollars spent on application security. Why are most mobile apps still not secure? We can list a few obvious reasons for this.

Limited InfoSec resources

An enterprise CISO (Chief Information Security Officer) has hundreds of issues to worry about to protect their company against hackers and no organization can have unlimited security personnel. A lot of these resources are focused on endpoint security, network layer, APIs, and few of the most critical web apps leaving little time for mobile apps.

Developers’ lack of expertise

Mobile application security is a very focused function and most developers lack adequate training to handle security during development. Moreover, developers are under constant pressure to deliver new features quickly to stay competitive in the market. Most companies who have tried to move the security burden onto developers have not have been successful to do so.

Too many vulnerabilities

One common issue all security organization face is the plethora of apps security vulnerabilities. These can be overwhelming and sometimes hard to prioritize with limited resources.

Inefficiencies in some testing tools

Not all mobile application security testing tools are created equal and a lot of the tools miss key vulnerabilities while producing a ton of false positives. Developers and InfoSec teams have to research all the false positives which are a huge time sink resulting in more frustrations.

So, what should you do? 

The simple answer is DevOps. The model of DevOps breaks down barriers between development and operations functions and optimizes the development and deployment process in an agile manner.  By moving mobile applications security into DevOps, companies will be able to test apps during the development cycle in an iterative fashion so it’s continuous.

Building security is the most efficient model for mobile applications. Testing after the applications are developed is not only very inefficient, it’s extremely expensive. DevOps can be a great partner for the CISO’s organization in fighting this beast.

There is no such thing as a perfectly secure app, but good processes and tools can help you one step ahead of the hackers. You don’t need to outrun the bear, just your peers in the industry.

Benchmark your mobile app’s security situation, run a free-of-charge scan with App-Ray. Act now, security cannot wait!

 

More about The Mobile Security Testing Guide (MSTG) – a comprehensive manual for mobile app security testing and reverse engineering.

Delfin Vassallo

Bitbar Marketing Director