Applications are on the move; how do you secure them?

Automation can help narrow the gap between security needs and security resources

Most mobile applications fail critical security tests. Quite often, businesses apply their mobile application security processes to their use of web security scanning tools. In our current climate, the key to business survival is to secure mobile applications fast and under the correct security process to identify and fix.

On July 21, the New York Times ran a story outlining the defects in a hastily developed mobile app that was to help South Korea enforce its strict quarantine rules.¹ These defects could have led hackers to access a wealth of personal information, including the names, locations, birth dates, genders, nationalities, phone numbers and medical symptoms of anyone hacked.

But Korea wasn’t alone. The Times also found that a virus-tracing app in India could leak users’ precise locations. Amnesty International discovered flaws in a Qatari exposure-alert app. Other nations, including Norway and Britain, have also had to revise their virus apps in response to privacy issues.

In the United States, the adoption of Covidwise, the jointly developed contact tracing app from Google and Apple, is experiencing very slow and hesitant adoption, mainly over concerns about security and relinquishing personal health information.

These concerns have been amplified by human rights groups who have warned that the design of many apps puts millions at risk for stalking, scams, identity theft or oppressive government tracking. The apps could also undermine trust in public health efforts.²

However important, personal health is only one area where electronic security issues are currently in the spotlight. Throughout the US, at every government level, there is obvious concern involving the integrity of election systems. These concerns include the relative ease of hacking into voting machines and credible threats to voter registration systems, election websites and voter privacy. Administration attacks on the alternative – paper ballots submitted by mail – have only accentuated these fears. And, of course, consumer-facing businesses of every sort have sharply ramped up their online and mobile presence to find ways of meeting customer needs while maintaining social distance.

One predictable result of the rapid expansion of sensitive mobile and remote workplace communications is that the number of qualified cybersecurity professionals who are available to work with developers and monitor for issues after their applications are deployed is simply inadequate. When it comes to data security specialists, there is a serious talent shortage. As a result, the imperative to build and deploy apps quickly frequently results in cutting corners, particularly when those corners involve security. Implementing automation, however, can help test and fix mobile apps for security vulnerabilities when launching in a shorter time frame. It doesn’t need to take a lot of time either. Automated AI-enabled systems produced by several suppliers are helping developers move along at warp speed in developing secure applications but without spending an inordinate amount of effort addressing risk analyses or compliance requirements.

Two closely-related families of these automated test systems – Dynamic Application Security Testing, or DAST, and its sister, on-demand Mobile Application Security Testing, or MAST – are commercially available. In essence, what they do is to analyze static and mobile-optimized websites, configure and conduct vulnerability scans, track flaws that they find, and then report their findings quickly and accurately to guide developers in fixing them.

DAST and MAST automation can close the gap in an era of massive data security issues and a shortage of qualified security professionals.

¹ https://www.nytimes.com/2020/07/21/technology/korea-coronavirus-app-security.html

² https://www.nytimes.com/2020/07/08/technology/virus-tracing-apps-privacy.html