App security the elephant in the room

Rodney Byfield, CIO at Metro Tasmania.

In January, Apple announced App Store sales hit $10 billion for 2013. This number will surely grow this year as there are around half a million native iPad apps available on the site. Add Android apps available from other sites to the mix and the number becomes much higher.

It's clear that mobilisation is the way of the future. But it introduces security risks that CIOs need to address.

As you mobilise your workforce, users will need to download apps for work purposes, resulting in the need to integrate some of these apps with back end systems on your network.

Securing these apps will be increasingly important as they become more distributed through APIs. Combine the sheer volume of apps already created with the social requirement for mobile devices to run apps for work and play, and the potential for risk of attack grows exponentially.

Bugs in any non-work apps, for instance, can potentially compromise your systems and could even provide access to a mobile device for further hacking.

This is not new to IT; we are used to playing catch up and implementing workarounds or finding ways to mitigate risks and security issues, but never before on this scale.

Many of us have spent the last 20 years concentrating on securing our networks. For the most part, application security has been left for the vendor to deal with. We just facilitate it.

Much of the current literature we have focuses on securing the network, while code and data layers have received considerably less attention.

The point here is all about focus. Data and application security needs to be a focus point for the next generation of corporate mobilised applications. The point of view matters -- it's a completely different mindset in the app world.

Banks will have a distinct advantage because most of them will have gone through the PCI DSS process, which includes application security. Unfortunately, the rest of the corporate world is just starting down this track.

Understanding the security gaps in application data and/or code structure will require in-depth institutional knowledge. Although the IT security industry is growing, I wouldn't consider it anywhere near large enough to cope with the app boom.

The business of IT needs to understand the message properly -- finishing a security project to implement a level of security does not conclude the engagement; rather, it is only a starting point for the future of mobilisation.

When you consider app security, it should not be treated as an academic exercise in cost/benefit analysis. There will be situations where your return on investment (ROI) will not support a critical initiative.

However, you have to consider how much greater the damage could be to the brand or customer base if your company were compromised. Can you afford that risk?
