Application security initiatives and programs are getting good at reaching down to where an organization’s data lives and protecting it against threats, but that is only one piece of the security puzzle. With limited time, resources and people available to tackle security, organizations have had to prioritize what gets protected.
“For instance, an organization may develop 100 different applications. Since it is not always cost effective or time efficient to come up with a customized security plan for each application, only the applications considered critical receive top priority, maybe five or six of them, and the remaining 95 or so are deprioritized in terms of security,” according to Chad McDonald, chief information officer and chief information security officer at Digital.ai, a software solutions provider. “That doesn’t mean those 95 applications don’t require protection; it just means that the risk is somewhat lower,” he noted.
McDonald explained that this lack of resources and forced prioritization results in poor endpoint security. Endpoint security becomes an even bigger concern with mobile devices, as these devices often handle highly sensitive data including banking information, credit cards, and in some cases even medical records and equipment. According to a recent report, a majority of all financial applications are vulnerable to basic reverse engineering attacks because they lack simple binary code protections that validate whether or not an application is running in a safe environment.
“There is a whole host of information that now lives on your mobile device or is accessed via your mobile device via an application,” said McDonald. “We haven’t really yet seen security controls get pushed down broadly to that point.”
It’s difficult to tackle mobile endpoint security when an application is made up of a number of different programming languages, and when operating systems are constantly evolving and being refactored. Both factors add complexity and take a toll on application security.
But mobile endpoint security is not something that can really be ignored or only applied to the more business critical applications. McDonald explained that even those “lesser important applications” can still touch other parts of the organization and do significant damage.
“The bad guys only have to be right once. They only have to get into one app,” he said. “You very rarely see an attacker come in directly through the system they’re trying to attack. More often, they attack a system that is vulnerable, gain some level of control inside the perimeter, and then pivot to something more critical.”
In a mobile app, that would translate to an attacker exploiting one of those less critical applications, looking for ways to jump into a more relevant system or elevate privileges from a user to an administrator, and then interrupting operations or shutting down the server.
What developers can do
Developers really need a way to expand their security abilities across their entire portfolio and bake telemetry into their applications.
According to McDonald, while there has been a lot of attention on application performance monitoring lately, most of those efforts are aimed at gathering marketing data: which section of the application users spend the most time in, which section performs best, and how long the application takes to load. Developers really need security-specific telemetry, such as how an application is being attacked and which section of the code is at risk, with the ability to feed that information back to the organization so it can make informed decisions about locking accounts or updating code.
“My recommendation to developers is to really shine the flashlight in the dark corners of the application,” said McDonald. “Understand how your applications are actually being used from a security perspective in addition to that performance and marketing data.”
It also helps to educate the users about application security. Most users don’t really think about or understand the different layers of application security. “There is an assumption that Apple or your Android handheld device, or Google in the case of Android, has your back and is providing all the necessary security controls that you may need for protection of the application,” said McDonald.
Just because an application is in the App Store, Google Play Store or available for download from a website doesn’t mean that it is safe or secure. Users should make sure their application is valid and certified because there could be copies of those applications out there in the wild with nefarious functionality baked in.
Additionally, some users tend to jailbreak or root their mobile device to download a game or gain access to other content, but that bypasses all the built-in security controls and opens a huge gap in the security perimeter of the mobile device.
“If you are not careful about what you’re putting on your phone, essentially you’re opening the floodgates for the bad guys to do whatever they choose,” said McDonald.
The Digital.ai Essential App Protection
Digital.ai is focused on integrating security into the software development pipeline so organizations don’t have to pick and choose which applications are critical enough to protect. In addition to its Premium App Protection solution, the company recently introduced Digital.ai Essential App Protection, which provides a first line of defense against application layer attacks.
Digital.ai Essential App Protection protects applications from unsafe environments and provides actionable insight into how, when and where applications are vulnerable. “What you end up with is security essentially baked into the normal software development process. This approach doesn’t introduce undue drag on development teams or security teams as they build software and roll it out,” said McDonald. “You have the ability to understand different applications being attacked, where that attack is coming from and what sections potentially of the application are being attacked. What that allows you to do is constantly evolve or listen to what the threat or the bad guys are doing, and evolve your security controls to meet that ever-changing concern.”
Digital.ai Essential App Protection provides persistent monitoring of an organization’s attack surface so it can understand what attacks look like and strengthen or change controls to continually defend against attackers. This targeted approach enables developers to focus their efforts on where the attacks are actually happening instead of taking the traditional shotgun approach.
“What is impossible today from a security perspective is quite likely possible tomorrow with advances in technologies and new and innovative ways that the bad guys are learning to grow their attacks and become more sophisticated as they attack or leverage new tools,” said McDonald.
Key features of the Essential App Protection solution include:
- Actionable threat insights on compromised devices and applications with follow-on response and protection updates
- Runtime self-protection to detect and prevent app instances from running in unsafe environments
- Class encryption so it is more difficult for attackers to review and analyze decompiled app code, gain access to information and exploit vulnerabilities
- Integration into CI/CD pipelines
- Visibility into how an application is being attacked
- Low-code capabilities so users don’t have to configure or modify source code
- Compatibility with iOS and Android applications
“With app security expertise in short supply, organizations are often limited to protecting only their most critical apps. Not anymore. With Digital.ai Essential App Protection and Digital.ai Premium App Protection, organizations have the solutions they need to embed security right into their DevOps pipeline and protect all their apps, regardless of the organizations’ level of security expertise,” said Aviad Arviv, general manager of security at Digital.ai. “Digital.ai App Protection provides organizations peace of mind that they are protecting their IP and their customers.”
Learn more at digital.ai/essential-app-protection
Content provided by SD Times and digital.ai