Application security programs have become good at reaching down to where an organization's data lives and protecting it against threats, but that is only one piece of the security puzzle. With limited time, money and people available for security, organizations have to prioritize what gets protected.
“For instance, an organization may develop 100 different applications. Since it is not always cost-effective or time-efficient to come up with a customized security plan for each application, only the applications considered critical receive top priority, maybe five or six of them, and the remaining 95 or so are deprioritized in terms of security,” according to Chad McDonald, chief information officer and chief information security officer at Digital.ai, a software solutions provider. “That doesn’t mean those 95 applications don’t require protection; it just means that the risk is somewhat lower,” he noted.
McDonald explained that this shortage of resources, and the forced prioritization it drives, leaves many endpoints poorly protected. Endpoint security is an even bigger concern on mobile devices, which hold or access highly sensitive data, including banking information, credit card numbers, medical records and, increasingly, medical equipment. According to a recent report, a majority of financial applications are vulnerable to basic reverse-engineering attacks because they lack simple binary protections that check whether the application is running in a safe environment.
“There is a whole host of information that now lives on your mobile device or is accessed via your mobile device via an application,” said McDonald. “We haven’t really yet seen security controls get pushed down broadly to that point.”
It is challenging to secure mobile endpoints when an application is built from several different programming languages. Mobile operating systems are also constantly evolving and being refactored, which complicates matters further and takes a toll on application security.
But mobile endpoint security cannot really be ignored or only applied to the more business-critical applications. McDonald explained that even those “lesser important applications” can still touch other parts of the organization and do significant damage.
“The bad guys only have to be right once. They only have to get into one app,” he said. “You very rarely see an attacker come in directly through the system they’re trying to attack. More often, they attack a vulnerable system, gain some level of control inside the perimeter, and then pivot to something more critical.”
For a mobile app, that translates to an attacker exploiting one of the less critical applications, then looking for ways to jump into a more important system, elevate privileges from user to administrator, disrupt operations or take down a server.
What developers can do
Developers need a way to extend their security capabilities across their entire portfolio and bake telemetry into their applications. According to McDonald, while application performance monitoring has received a lot of attention lately, most of that effort is aimed at gathering marketing data: which section of the application users spend the most time in, which section performs best, and how long the application takes to load. Developers also need security-specific telemetry, such as how an application is being attacked and which sections of the code are at risk, and the ability to feed that information back to the organization so it can make informed decisions about locking accounts or updating code.
“My recommendation to developers is to really shine the flashlight in the dark corners of the application,” said McDonald. “Understand how your applications are actually being used from a security perspective in addition to that performance and marketing data.”
It also helps to educate users about application security. Most users don’t think about, or understand, the different layers of application security. “There is an assumption that Apple or your Android handheld device, or Google in the case of Android, has your back and is providing all the necessary security controls that you may need for protection of the application,” said McDonald.
Just because an application is in the App Store or Google Play, or available for download from a website, doesn’t mean it is safe or secure. Users should make sure the application they install is the genuine release from its publisher, because repackaged copies with malicious functionality baked in do circulate in the wild.
Additionally, some users jailbreak or root their device to download a game or gain access to other content, but doing so bypasses the platform’s built-in security controls and opens a massive gap in the device’s security perimeter. “If you are not careful about what you’re putting on your phone, essentially you’re opening the floodgates for the bad guys to do whatever they choose,” said McDonald.
The Digital.ai Essential App Protection
Digital.ai is focused on integrating security into the software development pipeline, so organizations don’t have to pick and choose the more critical applications to protect. In addition to its Premium App Protection solution, the company recently introduced Digital.ai Essential App Protection, which provides the first line of defense against application-layer attacks.
Digital.ai Essential App Protection protects applications from unsafe environments and provides actionable insight into how, when, and where applications are vulnerable. “What you end up with is security essentially baked into the normal software development process. This approach doesn’t introduce undue drag on development teams or security teams as they build software and roll it out,” said McDonald. “You can understand different applications being attacked, where that attack is coming from, and what sections potentially of the application are being attacked. What that allows you to do is constantly evolve, or listen to what the bad guys are doing, and evolve your security controls to meet that ever-changing concern.”
Digital.ai Essential App Protection provides persistent monitoring of an organization’s attack surface so it can understand what attacks look like and strengthen or change its controls to keep defending against attackers. This targeted approach lets developers focus their efforts where attacks are actually happening instead of taking the traditional shotgun approach.
“What is impossible today from a security perspective is quite likely possible tomorrow with advances in technologies and new and innovative ways that the bad guys are learning to grow their attacks and become more sophisticated as they attack or leverage new tools,” said McDonald.
Key features of the Essential App Protection solution include:
- Actionable threat insights on compromised devices and applications, with follow-on response and protection updates
- Runtime self-protection to detect and prevent app instances from running in unsafe environments
- Class encryption, which makes it more difficult for attackers to review and analyze decompiled app code, gain access to information and exploit vulnerabilities
- Integration into CI/CD pipelines
- Visibility into how an application is being attacked
- Low-code capabilities, so users don’t have to configure or modify source code
- Compatibility with iOS and Android applications
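The runtime self-protection feature listed above and the earlier point about jailbroken and rooted devices come down to the same mechanism: the app probes its environment for indicators that it is not running on a stock, untampered device and reports what it finds. The Android class below is an added illustration of that mechanism written for this article; it is not Digital.ai’s code and says nothing about how the product implements its checks. The su paths and root-manager package names are assumptions taken from common heuristics, and the class and method names are invented for the example.

```java
// Added example (not Digital.ai code): a minimal Android runtime-environment check.
// Every probe is a heuristic that root-hiding or hooking tools can defeat; the value
// is in collecting the signals and reporting them, not in a single local true/false.
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import android.os.Debug;

import java.io.File;
import java.util.ArrayList;
import java.util.List;

public final class EnvironmentCheck {

    // Locations where an su binary is commonly installed on rooted devices
    // (assumed heuristic list for the example, not exhaustive).
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su", "/data/local/xbin/su"
    };

    // Package names of well-known root managers (assumed heuristic list).
    private static final String[] ROOT_MANAGER_PACKAGES = {
        "com.topjohnwu.magisk", "eu.chainfire.supersu"
    };

    // The set of indicators found; this is the security telemetry worth sending home.
    public static final class Report {
        public final List<String> signals = new ArrayList<>();

        public boolean unsafe() {
            return !signals.isEmpty();
        }
    }

    public static Report run(Context ctx) {
        Report report = new Report();

        // 1. Firmware signed with AOSP test keys is typical of custom or modified ROMs.
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) {
            report.signals.add("build.test-keys");
        }

        // 2. An su binary present on the filesystem.
        for (String path : SU_PATHS) {
            if (new File(path).exists()) {
                report.signals.add("su:" + path);
            }
        }

        // 3. A root-manager app installed. NameNotFoundException means "not visible",
        //    which on Android 11+ also happens when the package is not declared in
        //    the manifest's <queries> element.
        PackageManager pm = ctx.getPackageManager();
        for (String pkg : ROOT_MANAGER_PACKAGES) {
            try {
                pm.getPackageInfo(pkg, 0);
                report.signals.add("pkg:" + pkg);
            } catch (PackageManager.NameNotFoundException ignored) {
                // not installed (or not visible to this app)
            }
        }

        // 4. A debugger attached, or the app built debuggable: a reverse-engineering posture.
        if (Debug.isDebuggerConnected()) {
            report.signals.add("debugger.attached");
        }
        if ((ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0) {
            report.signals.add("app.debuggable");
        }

        return report;
    }
}
```

Each probe can be hidden or patched out by a determined attacker, which is exactly the “basic reverse engineering” the article refers to: a root manager can hide its package and the su binary, and a hooking framework can make `Debug.isDebuggerConnected()` return false. The practical use of such a report is as telemetry sent to a backend, where decisions such as locking an account or forcing an update are taken, rather than as a local gate that a patched client can simply skip.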
“With app security expertise in short supply, organizations are often limited to protecting only their most critical apps. Not anymore. With Digital.ai Essential App Protection and Digital.ai Premium App Protection, organizations have the solutions they need to embed security right into their DevOps pipeline and protect all their apps, regardless of the organizations’ level of security expertise,” said Aviad Aviv, general manager of security at Digital.ai. “Digital.ai App Protection provides organizations peace of mind that they are protecting their IP and their customers.”