Friday, September 21, 2012

Mobile App Sec is being left behind

When it comes to application security, mobile app sec ("MobAppSec" as we like to call it) seems to be getting some pretty abysmal scores. What makes this especially risky business is that we're more and more putting real apps where real money (or other valuable information) is being put in harm's way.

Two studies were released this week, which together are useful at understanding the bigger picture when it comes to MobAppSec. The first is the fourth release of the venerable Building Security In Maturity Model (BSIMM) by Gary McGraw, Brian Chess, and Sammy Migues. Next, there's the fourth annual World Quality Report from consulting firm, Capgemini.

The BSIMM study collects and analyzes observations from some 51 software development organizations across 12 industry verticals. In all, some 111 security activities are observed. It paints a rather thorough picture of what software developers around the world are doing with regard to software security. Although it's missing efficacy measurements -- to be fair, it doesn't set out to measure the efficacy of the activities observed -- it is easy to draw the conclusion that software development has come a long way in the last few years, at least in terms of security practices.

Since the launch of the BSIMM in 2008, for example, the software security groups (SSGs) in major software development organizations have flourished, rising from 1 SSG employee per 100 developers to 2 SSG employees per 100 developers. And it appears the limiting factor in staffing SSG organizations is finding qualified employees. This speaks well for the future of software security in large enterprises, to be sure.

In stark contrast to the BSIMM, however, Capgemini's World Quality Report (WQR) indicates that MobAppSec isn't getting anywhere near the same level of security attention that other software projects get (per the BSIMM). (I should note that the BSIMM doesn't exclude mobile efforts, per se, but it doesn't directly address them either. Further, there is a note of a possible BSIMM Mobile Working Group, so perhaps we'll see some mobile-specific data in the future.)

The WQR concludes that firms are failing at mobile application security. The MobApp communities seem to be driven by more of a gold rush mentality, focusing on functionality and time-to-market.

While focusing first and foremost on functionality is completely appropriate for a business, doing that at the expense of security can result in unforeseen security consequences. For example, while iOS 6 is brand new in the hands of consumers, there are already reports of things like Siri allowing an attacker to send Facebook postings and tweets, even on a locked device. No doubt the security research community will be taking a far deeper dive into finding all the abuse cases that can be found in the new iOS 6 user interfaces, among other things.

The majority of BSIMM participants know that developing secure software requires attention to detail throughout the development process, from inception through production and maintenance. MobApp developers would be well advised to learn these lessons sooner rather than later. There's an old adage that a smart person learns from his mistakes, but a wise person learns from others' mistakes.

We'll help bring these things together at our upcoming Mobile App Sec Triathlon, of course. We'll talk about many of the things observed in the BSIMM study, and we'll help put those concepts into actionable steps that developers can immediately put into practice. We hope to see you there.

Cheers,

Ken van Wyk
