Discover Performance: HP Software's community for IT leaders // September 2012
Building mobile apps means a focus on cloud security
The rapidly growing number of cloud-based services for mobile apps is a godsend to developers. But what are the security ramifications? Here are four things to consider.
Mobile apps represent a kind of gateway drug to the cloud: developers increasingly rely on cloud-based services for tasks such as logging, notifications, and billing and payments, which lets them focus on the app's client logic and leave server-side features to the cloud. The result is an app that ships faster, works better and puts the richest available functionality into users' hands.
But what makes it faster and cheaper may also make it riskier: Mobile apps are increasingly dependent on cloud services that the apps team didn't build, the organization doesn't own, and the ops team doesn't even know about. This means that to create effective mobile apps, you must have confidence in the cloud.
Given the increasing breadth of the mobile ecosystem, it’s crucial to understand where the weak security links exist. Essentially, there is a threat in every layer: the mobile client, the network and the server. When you use cloud services in a shared environment, you’re at risk from weaker adjacent apps. Many third-party components and web services aren’t secure and perhaps haven’t even been tested. Plus, you may be trusting highly sensitive data—customers’ PINs, passwords, messages, account numbers, photos and documents—to services that you don’t own.
Apps teams can’t roll the dice on mobile security. Here’s how to make your own luck when using third-party services in the cloud.
1. Realign priorities around security.
Before you can consider the quality of someone else’s security, you must get your own house in order. Organizations are accustomed to asking, “Will the application work in production?” and “Will it scale and perform well under load?” But now they must ask a third question: “Will it be secure?”
2. Address the application fundamentals.
Now that you’re asking questions about your applications’ security, you’d do well to actively improve it. Ensure that your developers are coding with security in mind, starting before they ever write that first line of code. Aside from the security benefit, you will also increase development productivity, because you’ll avoid the rework that inevitably comes when you add in security after the fact. And with the time you save, you can spend valuable development resources and time on innovation instead of firefighting, troubleshooting and fixing vulnerabilities.
Also, developers must pay attention to security when selecting and consuming external services. Understand your IT team’s policies on third-party procurement, particularly as they relate to security, and ask your vendors to prove they provide the security you need.
3. Secure the stack.
Next, you’ll want to ensure that you’ve secured the entire mobile stack, from the mobile device to the server, including the communications between the two. Know where you’re using credentials and sensitive data; track them through the device, network and back end; then test all of those components for security.
Use software that can help you pinpoint with line-of-code precision the root cause of potential vulnerabilities in apps developed for the most commonly used smartphone platforms. Use static analysis tools during development, and run dynamic security analyses to security-test the web services that will interact with your mobile apps.
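A concrete form of the "know where you're using credentials" step is a static check over the client source for secrets and cleartext service endpoints before the app ships. The following is an added example written for this article, not HP or Fortify tooling; the scanned source files, keys and host names are constructed, and a real project would point `scan_tree` at its repository instead of the inline dictionary.

```python
"""Minimal static check for hard-coded credentials and cleartext service
endpoints in mobile-app source.

Added example for this article, not HP/Fortify code.  The sample source
below is constructed; every file name, key and host in it is made up.
"""
import re
from dataclasses import dataclass
from typing import List

# Each rule: (name, compiled regex).  Patterns are deliberately conservative
# so the output is a review list for the developer, not a verdict.
RULES = [
    # Literal assigned to a secret-looking identifier:  apiKey = "..."
    ("hardcoded-secret",
     re.compile(r'(?i)\b(api[_-]?key|secret|password|passwd|token)\b\s*[:=]\s*["\'][^"\']{8,}["\']')),
    # Credentials embedded in a URL:  https://user:pass@host/
    ("credentials-in-url",
     re.compile(r'[a-z][a-z0-9+.-]*://[^/\s:@"\']+:[^/\s@"\']+@')),
    # Service endpoint reached over cleartext HTTP
    ("cleartext-endpoint",
     re.compile(r'["\']http://[^"\'\s]+["\']')),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    text: str


def scan_source(path: str, source: str) -> List[Finding]:
    """Run every rule over each line of one file and return the findings."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(path, lineno, name, line.strip()))
    return findings


def scan_tree(files: dict) -> List[Finding]:
    """Scan a mapping of path -> source text (stands in for walking a repo)."""
    out = []
    for path in sorted(files):
        out.extend(scan_source(path, files[path]))
    return out


# Constructed sample: a fictional Android-style client that talks to a
# third-party notification service.  Nothing here is a real key or host.
SAMPLE_FILES = {
    "app/src/PushClient.java": """\
public class PushClient {
    // Bad: a service credential baked into the client binary
    private static final String API_KEY = "EXAMPLE-KEY-0123456789abcdef";
    // Bad: cleartext endpoint for a cloud service
    private static final String ENDPOINT = "http://push.example-service.test/v1/send";
    // OK: credential is fetched at runtime from protected storage
    private final String sessionToken = credentialStore.load("push_session");
}
""",
    "app/src/Billing.java": """\
// Bad: credentials embedded in the connection URL
String url = "https://merchant:Sup3rS3cret@billing.example-service.test/api";
""",
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: [{f.rule}] {f.text}")
```

Each hit names the file, line and rule, so the team can decide whether a credential belongs in protected storage or a server-side component, and whether an endpoint must move to TLS, before dynamic testing of the web services begins.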
4. Don’t leave it up to someone else.
As your developers continue to take advantage of cloud services for mobile apps, you might wonder how you can be certain that it’s OK to trust a particular cloud service. The answer is simple: You can’t be certain. That’s why you have to do what you can on your side.
For more on security in the cloud, learn about HP’s cloud management and security solutions, and for more on securing mobile applications, visit Fortify’s mobile security page.