Security done right
The five big questions that lead to secure mobile development
By Jacob West, Chief Technology Officer, HP Enterprise Security Products
Contents
Who will users hold accountable?
Mobile security self-assessment

Value stream 1: From strategy to portfolio
In a user-centric world, apps are the heart of how people experience the enterprise. Not so long ago, the task of taking a service from initial request to final production might have been measured in months. But given today's demands for a constant stream of new capabilities, we now measure delivery in weeks, even days. This brings a monumental change to every aspect of the strategy-to-portfolio stream.
Of course, if yours is like most IT organizations, you already have IT portfolio processes and solutions in place. But it's likely that you are looking to improve the consistency and quality of the data that those processes produce, and you're probably seeking a broader, more complete view of how steps in the processes interact.
In the midst of all this, in-house IT often doesn't control the end-to-end design of a system and instead must become proficient in rapidly brokering and integrating commercially sourced services and apps as well as creating its own. This has given rise to new development methods like Agile, and programming and delivery methods like DevOps. The bottom line is that we must be able to manage the entire service lifecycle so that we can deliver results quickly, flexibly, and continuously.
Why
Today's security-conscious users will hold someone accountable for every security misstep they encounter on mobile devices, even if that accountability is ultimately misplaced.
As users increasingly work on mobile devices, HP Security Research expects the number of threats and vulnerabilities to grow precipitously in the years ahead.
With security challenges looming, organizations must develop a security strategy that encompasses the varied choices they will have to make in the fast-changing mobile ecosystem.
Worldwide device shipments by segment, thousands of units (source: Gartner)

Device type                          2012       2013       2014       2017
PC (desk-based and notebook)      341,263    315,229    302,315    271,612
Ultramobile                         9,822     23,592     38,687     96,350
Tablet                            116,113    197,202    265,731    467,951
Mobile phone                    1,746,176  1,875,774  1,949,722  2,128,871
Total                           2,213,373  2,411,796  2,556,455  2,964,783
We are in the midst of a huge shift in the technologies people depend on. In Q4 of 2010, the
industry shipped more smartphones than PCs (laptops and desktops combined) for the first
time. Gartner projects a steady decline in desktop devices and a sharp rise in shipments of
mobile devices in the years to come.
In some developing countries such as India, traffic generated by mobile devices has already
surpassed the traffic originating from traditional PCs. While this isn't yet the case in the United
States or Europe, the trend is spreading worldwide and impacts the way enterprises connect
with customers, partners, and employees.
As an industry, we're moving away from traditional desktop computers in favor of mobile
devices for all aspects of our IT interaction. As a result, mobile has become the major area of
growth for IT and development investment.
Clearly, enterprises must adapt to a mobile world. Perhaps less clear, however, is the fact that
organizations that do so without properly accounting for security will put themselves at a
rapidly growing disadvantage compared to their security-aware competitors.
Organizations are not, for the most part, being held accountable for the level of security in
their mobile applications. This is because large-scale public breaches still occur far more often
in web and traditional infrastructure applications than in mobile applications. But that's going
to change.
Who might be held accountable (figure): app owners, network providers, app developers, manufacturers, OS authors, users.
Thanks to the rapid adoption of mobile technology, the number of high-profile breaches resulting from vulnerabilities in mobile apps and their back-end infrastructure is sure to grow. As this happens, users are going to look for someone to hold accountable. Who will pay the price?
App owners
Naturally, users often start with the most obvious association: the app owner. If your logo was on the app that allowed a user's data to be compromised, they might (often rightly) assume that it was your code that allowed the breach to occur. But app owners won't be the only targets for user backlash.
App developers
Many users of mobile apps today have no idea who developed them. They often assume the logo featured in the app is the same as that of its developer, but we know that isn't always the case. As users become more mature in sourcing their applications, development shops that don't build security into apps risk incurring ire as well.
Increasingly, the app store is going to be the control point for mobile security. Once a vulnerable or malicious app has been delivered to the device, it's too late to find and eliminate it effectively. It's far more effective to make the choke point at the point of delivery, where resources are more plentiful and no damage has been done.
Gartner says that by 2017 or 2018, 25 percent of enterprises will have their own enterprise-specific application store for delivering applications to their users. Google Play supports a model for enterprises that want to create their own app stores, but does little to account for security.
The advantage of the Apple model, a closed app store, is centralized control over the ecosystem. Apple has a lot of control over what can be delivered to devices, as well as the ability to revoke applications from devices if the app is found to be vulnerable or malicious. However, enterprises that want to go beyond Apple's efforts to secure app downloads have few options.
As the market becomes more saturated and competition for remaining market share grows more intense, security at the app-store level will be a key differentiator. This differentiator will impact not only commercial app stores, but also enterprises that want to provide secure apps for their workforce.
When it comes to platform strategy, also consider the inherent security of the programming language that underpins your targeted platform.
Objective-C, the language iOS apps are written in, has been around for some time, yet was not widely known before iPhones became popular. Because of this pedigree, Objective-C has legacy challenges:
1. It is not type- or memory-safe, which means buffer overflows are a major risk for developers building iOS applications.
2. Because it wasn't widely used in enterprises before iOS, the industry does not have a decades-long backlog of experience, tools, and processes to support secure development.
In contrast, Android applications are written in Java. This is advantageous for the typical enterprise, which has ample Java development expertise already in house. There is also a much longer history of tool support and processes to support secure development in Java. Finally, Java is a more modern language, which means we can rule out problems, such as buffer overflows, that only result from type-unsafe languages like Objective-C. Of course, ruling out a single class of vulnerability doesn't guarantee any meaningful level of security.
While security issues won't be the only factor in your platform decision, these issues are a major driver pushing enterprises back to mobile-optimized web applications.
Very few companies today write all of their own code. Outsourcing relationships are the norm, not the exception. Mobile growth means accelerated delivery expectations, and that has led many companies to further increase their outsourcing. In particular, companies are often using specialized boutique development firms that only build mobile applications. But is it a good idea?
Let's consider the pros and cons of mobile development options:

In-house development
  Pros: control, integration, reuse, knowable expectation, influence
  Cons: makes it harder to find specialized talent on mobile development.
Traditional outsourcing
  Pros: speed, specialization, expertise, cost
Boutique/mobile outsource firms
  Pros: speed, cost, specialization
  Cons: unknown expectations, influence/control
Either outsourcing option: outsourcing doesn't change your accountability for the security of your applications. You must be able to validate that the software is secure when accepting delivery.
Software security assurance journey (figure)
Explore: reactive, assessing and remediating code; security team alone responsible for security; small set of programs; addressing software security after the fact.
Accelerate: in place, software security required before production; security team works with development on security; all critical software secure; solving software security during development.
Optimize: proactive, instilling best practices into future code; development takes over responsibility for security; all enterprise software embedding security into the software development lifecycle (SDLC).
The journey runs from high IT value (Explore) to high strategic value (Optimize).
At a high level, most companies move through three levels of maturity when rolling out a
software security initiative.
Level 1
The first level of maturity is the establishment of a central security team whose job is to run vulnerability assessments on a very small set of the most important applications, looking for the most serious vulnerabilities. The central security team eliminates the highest-risk issues, but it's a reactive model that does not scale well. Typically, the central security group is just 2 percent of the size of the software development team. The exclusively centralized model is not designed to address all security risks, yet that is increasingly what companies must do.
Level 2
The next level of maturity is when the central security group begins to work very closely with the development team, helping them perform security assessments and raising their awareness about secure coding practices. In this model, the central security team focuses on sophisticated issues, while the coding team takes responsibility for simpler tasks.
Level 3
At the most mature stage, the development team is responsible for its own security. The central security group acts primarily as a trusted partner, enabling development, setting policy, and perhaps creating tool and process customizations.
Mobile security self-assessment

Who: your users
Think first about the type of apps you have: What do they do, and who uses them? Who will your users hold accountable for security mishaps, and how will you respond?
What: platform support; web or hybrid over native
Next, think carefully about platform support. Plan to support only those platforms that your users care about, and avoid the security entanglements of native apps unless your business requires specific capabilities they provide.
Where: in-house development or outside?
Decide on the best strategy for app development (in-house, traditional outsourcer, or boutique mobile development firm) to meet your needs. If you go for in-house development, make sure you retain the right security expertise and adopt a secure development process.
How: secure delivery
Finally, decide on a development and delivery mechanism for your mobile apps that gives you control and accountability.
By asking these questions up front, you'll develop a thorough strategy for mobile app security that not only protects your users, but also guards the organization against the damaging effects of security missteps.
For more, visit HP's page on mobile application security, and go to Fortifymyapp.com to assess the security of mobile apps you've already developed, including a free tool to test your code.
Jacob West is chief technology officer for Enterprise Security Products (ESP) at HP. In his
role, West influences the security roadmap for the ESP portfolio and leads HP Security
Research (HPSR), which drives innovation with research publications, threat briefings, and
actionable security intelligence delivered through HP security products.
A world-recognized expert on software security, West co-authored the book Secure
Programming with Static Analysis with colleague and Fortify founder Brian Chess in 2007.
Today, the book remains the only comprehensive guide to how developers can use static
analysis to avoid the most prevalent and dangerous vulnerabilities in code.
West co-authors the Building Security in Maturity Model (BSIMM) and speaks frequently at customer and industry
events, including RSA Conference, Black Hat, Defcon, and OWASP. A graduate of the University of California, Berkeley,
West holds dual degrees in computer science and French, and resides in San Francisco.