Instant 'appification'

The Internet economy is open, mobile and 24/7. Apps increasingly drive this world, and attract cyber criminals in droves.

Read time 3min 50sec

Cyber criminals, like the majority of people, go where they see the most opportunity. At the moment, and for the foreseeable future, that means apps are like a honeypot for hackers.

Several trends are converging to create this state of affairs. One is the massive take-up of smart mobile devices. Companies are coming to terms with the fact that their primary customer interface is frequently a mobile device, and that means moving into apps. At the same time, corporate work is moving off desktops and laptops and onto tablets and smartphones, a process driven by the growing use of apps to give employees the same type of easy and intuitive experience they expect as consumers.

The end result? Corporate back-end systems and data are no longer protected behind a fortified firewall. Even the traditional thick-client ERP systems are now typically Web-based, and able to be accessed by mobile devices.

Need for speed

Another trend is speed. Customers in this world - and employees too - expect apps to be delivered when needed. There is no patience anymore for the traditional, long IT project. This could mean developers are tempted to take shortcuts in the name of speed and user-friendliness, with security receiving scant consideration.

This lack of security is exacerbated by the fact that apps typically make use of existing features of the mobile device - location services, photographs and so on. These are unlikely to meet corporate security standards. Apps also re-use components from other apps. One insecure component that offers a backdoor for hackers could compromise multiple apps.

In other words, the majority of apps are seldom, if ever, developed with security in mind - ease of use, rapid deployment, seamless connection with the back-end systems are the typical criteria of a good app. Security is usually an afterthought, and is thus never an integral part of the design.

Then there's the Internet of things, the growing drive to connect smart machines and sensors to the Net, from mining equipment or medical hardware to the fridge. Manufacturers are competing hard to be the first to market with connected offerings; again, the casualty can be security. Even medical equipment, which generates highly sensitive (and valuable) data, is not necessarily being designed to be secure in a connected world.

The majority of apps are seldom, if ever, developed with security in mind.

Very often, too, manufacturers are using chips or sensors that are outdated, and thus more vulnerable.

Apps under attack

Unsurprisingly, networks are no longer the focus of cyber attacks, applications are. In fact, the classic denial of service attack is being reinvented for the app world via the use of ransomware. Ransomware restricts access to a computer system unless some form of ransom is paid.

The inevitable conclusion is that the whole application ecosystem has to slow right down and find ways of integrating security into the software development life cycle. The first step of any development project now has to be threat modelling, to appreciate what threats are most relevant to the particular app. The app then needs to be developed with the likely threats in mind.

Mark Curphey, director and product unit manager, Microsoft Corporation, founder of Open Web Application Security Project, puts it well: "In the 80s, we wired the world with cables, and in the 90s, we wired the world with computer networks. Today, we are wiring the world with applications (software). Having a skilled professional capable of designing, developing and deploying secure software is now critical to this evolving world."

Amen to that. It just needs to be added that integrating security into the development process is just the beginning - the bad guys are looking at the whole application life cycle. Because the application will spend most of its life in the production environment, support staff and app users also have to be educated about the threats faced by the app, and it will need to be monitored.

All of this will mean a change of mind-set and culture both within the software development team and within the organisation as a whole - the subject of my next Industry Insight.

Godfrey Kutumela

leader of the cyber crime and security division at IndigoCube.

Godfrey Kutumela has over 16 years’ experience in security consulting and engineering, having conducted high-end security consulting engagements, and designed and delivered technical solutions on three continents. Driven by his passion for securing online and mobile applications in this new era of the Internet of things, he made a strategic move to join the newly formed IBM Security Systems Division in 2012. His role at IBM was as leader and evangelist of IBM’s application security, security and threat intelligence portfolio for the Middle East and Africa market. Kutumela joined IndigoCube in June 2015 as the leader of the cyber crime and security division. His responsibilities include bringing application security integration practices to the local market and helping organisations protect their critical applications and generated data. He has also served as membership chair for the (ISC) 2 Gauteng Chapter since May 2015.

Login with