Organizations are more concerned about application security than ever. SearchSoftwareQuality.com’s newest expert, Dan Cornell, principal of software consulting company Denim Group, discusses mobile security, how organizations can build security requirements into software, and the security challenges of cloud ALM.
He views the most serious concerns with mobile software security as falling into two major areas: 1) how organizations expose their users to risk, and 2) how applications expose the companies themselves to risk.
In regard to user risk, he explains, “Mobile apps have an impact on the security of your customers and their data, and most folks would agree that a forward-thinking enterprise is going to take into account the security situation of their users, and they’re not going to want to expose their users to risk because of these applications they’re developing. It’s bad business.”
As far as company risk, he explains that potentially sensitive algorithms are shipped inside mobile applications, which then run on devices the attacker physically controls and can disassemble, and, “more importantly, organizations are exposing Web services to support these mobile applications.” Those Web services run in the company’s own data centers, and any client that can reach them, not just the legitimate app, can send them requests; a Web service backing an online customer-support app is one example.
He recommends that organizations examine whether their Web services can remain resilient against malicious clients, and offers suggestions for including security in the requirements management process, so that security controls are specified alongside functional requirements rather than discovered afterwards. He says, “If the developers know going in that they need to implement these different controls, then they know to build them.”
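The back-end exposure Cornell describes, as an added example that is not code from the article or from Denim Group: a handler for a mobile app’s hypothetical “get order” web service, first in a naive form that trusts an identifier the client sends, then in a hardened form that derives identity from a server-side session and validates its input. The order store, session store and request shapes are constructed for illustration.

```python
"""Added example, not code from the article or from Denim Group: a back-end
handler for a mobile app's "get order" web service, in a naive form that
trusts what the client sends and a hardened form that does not. The order
store, sessions and request shapes are constructed for illustration."""
import re
from typing import Optional, Tuple

# Constructed sample data standing in for a database and a session store.
ORDERS = {
    "o-1001": {"owner": "alice", "total": 42.00},
    "o-1002": {"owner": "bob", "total": 99.50},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
ORDER_ID_RE = re.compile(r"^o-[0-9]{4}$")


def get_order_naive(request: dict) -> Optional[dict]:
    """Authorizes on a user_id field supplied by the client. The service is
    reachable by anyone who knows the URL, not only the official app, so an
    attacker just sends somebody else's user_id and reads their order."""
    order = ORDERS.get(request.get("order_id"))
    if order is not None and order["owner"] == request.get("user_id"):
        return {"order_id": request["order_id"], "total": order["total"]}
    return None


def get_order_hardened(request: dict, session_token: Optional[str]) -> Tuple[int, dict]:
    """Returns (HTTP status, body). Identity comes from the server-side
    session, the order_id is checked against the expected format before it
    touches the store, and a missing order and another user's order get the
    same 404 so a caller cannot enumerate which ids exist."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, {"error": "authentication required"}
    order_id = request.get("order_id")
    if not isinstance(order_id, str) or not ORDER_ID_RE.match(order_id):
        return 400, {"error": "invalid order_id"}
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        return 404, {"error": "order not found"}
    return 200, {"order_id": order_id, "total": order["total"]}


if __name__ == "__main__":
    # An attacker with no session reads alice's order through the naive handler...
    print(get_order_naive({"order_id": "o-1001", "user_id": "alice"}))
    # ...but gets a 404 from the hardened one even with bob's valid session.
    print(get_order_hardened({"order_id": "o-1001", "user_id": "alice"}, "tok-bob"))
```

The point of the hardened version is that nothing the mobile client says about who it is gets believed; the app is only one of many possible callers of the service.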
Cornell continues, “We often use a technique called threat modeling to lay out, in a structured way, the different assets and parts of the system and where data flows, and use that to identify potential weaknesses during the design stage, so you can identify those up front and plan to mitigate those risks, rather than rolling them out and trying to retrofit the security controls later.”
When it comes to cloud application security, Cornell explains:
Software as a Service applications and their APIs are being incorporated into mobile apps to implement some functionality of the system. It’s important for developers to understand that if you’re getting data feeds from Twitter or from Facebook or from Salesforce, especially from systems where content is being generated by third parties, you have to be very careful when you bring that data into your system to make sure that it conforms to whatever rules you expect it to conform to. You shouldn’t trust things that are coming from these cloud applications necessarily.
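One way to apply that rule, as an added example that is not Cornell’s code or the article’s: every item pulled from a third-party feed is checked against the shape and limits we expect (required fields, types, identifier format, handle characters, length, timestamp format) and its free text is HTML-escaped before anything is stored, and items that fail any rule are rejected with a reason. The feed below is constructed to resemble a social-media API response and includes deliberately malformed entries.

```python
"""Added example, not code from the article: schema and content checks on a
JSON feed fetched from a third-party SaaS API before it enters our system.
The feed and its limits are constructed for illustration."""
import html
import json
import re
from datetime import datetime, timezone

MAX_TEXT = 280                       # assumed limit for this feed
ID_RE = re.compile(r"^[0-9]{1,20}$")
HANDLE_RE = re.compile(r"[A-Za-z0-9_]{1,15}")

# Constructed sample feed: one clean post, one carrying markup, and four
# that break a rule (non-numeric id, oversized text, missing field, wrong type).
RAW_FEED = json.dumps([
    {"id": "1", "user": "alice", "text": "Hello from the feed",
     "created_at": "2024-01-02T03:04:05Z"},
    {"id": "2", "user": "mallory", "text": "<script>alert(1)</script>",
     "created_at": "2024-01-02T03:05:05Z"},
    {"id": "three", "user": "bob", "text": "bad id",
     "created_at": "2024-01-02T03:06:05Z"},
    {"id": "4", "user": "carol", "text": "x" * 5000,
     "created_at": "2024-01-02T03:07:05Z"},
    {"id": "5", "user": "dave", "text": "no timestamp"},
    {"id": "6", "user": {"name": "eve"}, "text": "wrong type",
     "created_at": "2024-01-02T03:08:05Z"},
])


def validate_item(item):
    """Return a normalized record, or raise ValueError naming the violated rule."""
    if not isinstance(item, dict):
        raise ValueError("item is not an object")
    for key in ("id", "user", "text", "created_at"):
        if key not in item:
            raise ValueError(f"missing field {key}")
        if not isinstance(item[key], str):
            raise ValueError(f"field {key} is not a string")
    if not ID_RE.match(item["id"]):
        raise ValueError("id is not numeric")
    if not HANDLE_RE.fullmatch(item["user"]):
        raise ValueError("user handle has unexpected characters")
    if len(item["text"]) > MAX_TEXT:
        raise ValueError("text exceeds length limit")
    try:
        ts = datetime.strptime(item["created_at"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        raise ValueError("created_at is not a UTC timestamp of the expected form")
    return {
        "id": int(item["id"]),
        "user": item["user"],
        # Escaped at ingest so later HTML rendering cannot run third-party markup.
        "text_html": html.escape(item["text"], quote=True),
        "created_at": ts.replace(tzinfo=timezone.utc),
    }


def ingest_feed(raw_json):
    """Parse the feed and split it into (accepted records, rejected (position, reason))."""
    try:
        items = json.loads(raw_json)
    except json.JSONDecodeError:
        return [], [("<feed>", "response is not valid JSON")]
    if not isinstance(items, list):
        return [], [("<feed>", "response is not a list")]
    accepted, rejected = [], []
    for pos, item in enumerate(items):
        try:
            accepted.append(validate_item(item))
        except ValueError as err:
            rejected.append((pos, str(err)))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = ingest_feed(RAW_FEED)
    print(f"accepted {len(ok)}, rejected {len(bad)}")
    for pos, reason in bad:
        print(f"  item {pos}: {reason}")
```

Rejected items are logged with their position and reason rather than silently dropped, so a feed that suddenly starts failing in bulk is noticed; the markup-bearing post is accepted because it meets the schema, but only in escaped form.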
On the other hand, the availability of SaaS and PaaS platforms is appealing to developers: relying on cloud services can be very convenient and beneficial for many companies, but from a security standpoint there are risks as well, because part of the system now runs under someone else’s control.
Cornell emphasizes that “you need to be judicious in where you elect to give up control,” and this tradeoff is different for every organization.
To read some of Cornell’s SSQ Ask the Expert responses, see: