Everything a CSO needs to know about Mobile Apps and Enterprise Security
Aspect Security is a consulting firm providing application security verification and training services. The company's engineers verify an average of 5,000,000 lines of critical code every month, and their work unearths over 10,000 vulnerabilities every year. Aspect Security's expertise improves clients' security posture dramatically, and the company supports a worldwide clientele with critical applications in the government, defense, financial, healthcare, services and retail sectors.
Info Security PG: What does it take to create and deploy secure applications?
Jeff Williams: Fundamentally, building and deploying secure applications requires clear insight into the threats to their business and a well-designed defense strategy for each. Armed with a clear plan, the key to ensuring success is visibility. From design and development, through testing, and on into production, organizations need to gather compelling evidence that the plan has been achieved. The widely used "penetrate-and-patch" approach is spotty and inconsistent, and costs $1,000 to find a vulnerability and $4,000 to fix the problem. A more cost-effective solution is for organizations to build out their security story during development. A clear security story combined with effective security training has immediately measurable results. One of our clients experienced a 70% reduction in vulnerabilities on teams where a majority of the developers had attended our training.
About Jeff Williams
As a pioneer in the software development and security field, Jeff is one of the world’s foremost experts on application security. Williams and his team at Aspect Security are founding members of the Open Web Application Security Project (OWASP), through which he has made ground-breaking industry contributions including: the OWASP Top Ten, Enterprise Security API (ESAPI), Application Security Verification Standard (ASVS), Risk Rating Methodology and WebGoat. Jeff holds advanced degrees in psychology, computer science and human factors, and graduated cum laude from Georgetown Law.
Info Security PG: What are the emerging trends in app security?
Jeff Williams: We are seeing increasing application complexity, connectivity, and criticality – all three factors increasing the likelihood of devastating breaches. Unfortunately, the response from many organizations will be to seek to purchase technology or implement process models as silver bullets to "fix" application security. While they might end up with better metrics around the problem, it is unlikely that they will make significant progress against their "security debt." On the positive side, we are finally seeing some innovation in the application security market, with new real-time application security tools (such as Contrast) making vulnerability identification and remediation accessible to even Agile and DevOps projects.
Info Security PG: What do we need to know about mobile app security when it comes to keeping an enterprise secure?
Jeff Williams: As the world moves towards mobile applications connecting to cloud servers, the enterprise is losing control of the infrastructure that its business runs on. Because both environments are new, there are not strong security guarantees associated with these new platforms. There are a number of steps that organizations can take to re-establish control over their data and applications in this environment.
First and foremost, most organizations with established application security programs should extend their practices and programming standards past web and client-server to reach all mobile applications (both third-party and in-house). These practices must be updated so that when mobile applications are developed, they follow standard application security processes. Understanding the key differences in operating systems and Application Programming Interfaces (APIs) is critical in creating secure mobile applications. In addition, organizations should consider contract language, technical controls like MDM and MAM, usage policies, and training to help re-establish control over their applications and data. In particular, the correct use of encryption in both storage and transit is critical to ensuring data protection.
Ultimately, organizations need a mobile application security program that focuses on the threats to the business and ensures that appropriate defenses are in place and verified.
Founded in: 2002
CEO: Jeff Williams
Public or Private: Private
Head Office in Country: United States
Products: Consulting firm focusing exclusively on application security verification, program management, and training services. The company's products are: an eLearning curriculum for secure application development; and Contrast™, an application security testing tool for JavaEE applications.
Company's Goals: We love software and it hurts us to see it abused by attackers. We are dedicated to helping make the world a safer place by ensuring that the software that powers our lives, well-being, and businesses is protected against ever-evolving threats.