Cyber criminals, like the majority of people, go where they see the most opportunity. At the moment, and for the foreseeable future, that means apps are like a honeypot for hackers.
Several trends are converging to create this state of affairs. One is the massive take-up of smart mobile devices. Companies are coming to terms with the fact that their primary customer interface is frequently a mobile device, and that means moving into apps. At the same time, corporate work is moving off desktops and laptops and onto tablets and smartphones, a process driven by the growing use of apps to give employees the same type of easy and intuitive experience they expect as consumers.
The end result? Corporate back-end systems and data are no longer protected behind a fortified firewall. Even the traditional thick-client ERP systems are now typically Web-based, and able to be accessed by mobile devices.
Need for speed
Another trend is speed. Customers in this world - and employees too - expect apps to be delivered when needed. There is no patience anymore for the traditional, long IT project. This could mean developers are tempted to take shortcuts in the name of speed and user-friendliness, with security receiving scant consideration.
This lack of security is exacerbated by the fact that apps typically make use of existing features of the mobile device - location services, photographs and so on. These are unlikely to meet corporate security standards. Apps also re-use components from other apps. One insecure component that offers a backdoor for hackers could compromise multiple apps.
In other words, the majority of apps are seldom, if ever, developed with security in mind - ease of use, rapid deployment, seamless connection with the back-end systems are the typical criteria of a good app. Security is usually an afterthought, and is thus never an integral part of the design.
Then there's the Internet of things, the growing drive to connect smart machines and sensors to the Net, from mining equipment or medical hardware to the fridge. Manufacturers are competing hard to be the first to market with connected offerings; again, the casualty can be security. Even medical equipment, which generates highly sensitive (and valuable) data, is not necessarily being designed to be secure in a connected world.
The majority of apps are seldom, if ever, developed with security in mind.
Very often, too, manufacturers are using chips or sensors that are outdated, and thus more vulnerable.
Apps under attack
Unsurprisingly, networks are no longer the focus of cyber attacks, applications are. In fact, the classic denial of service attack is being reinvented for the app world via the use of ransomware. Ransomware restricts access to a computer system unless some form of ransom is paid.
The inevitable conclusion is that the whole application ecosystem has to slow right down and find ways of integrating security into the software development life cycle. The first step of any development project now has to be threat modelling, to appreciate what threats are most relevant to the particular app. The app then needs to be developed with the likely threats in mind.
Mark Curphey, director and product unit manager, Microsoft Corporation, founder of Open Web Application Security Project, puts it well: "In the 80s, we wired the world with cables, and in the 90s, we wired the world with computer networks. Today, we are wiring the world with applications (software). Having a skilled professional capable of designing, developing and deploying secure software is now critical to this evolving world."
Amen to that. It just needs to be added that integrating security into the development process is just the beginning - the bad guys are looking at the whole application life cycle. Because the application will spend most of its life in the production environment, support staff and app users also have to be educated about the threats faced by the app, and it will need to be monitored.
All of this will mean a change of mind-set and culture both within the software development team and within the organisation as a whole - the subject of my next Industry Insight.
Share