September 16, 2014

The Security Programs Disconnect: Why Does Enterprise-Wide AppSec Lag Behind?

Enterprises are using more apps than ever, many of which are cloud-based. That's according to a recent Forbes article, and — no surprise — this increased use comes with increased risk. Survey data found that 85 percent of all data uploaded went to apps that enabled file sharing, and, perhaps more worrisome, 81 percent of data downloaded came from apps that do not encrypt data at rest. It's no shock, then, to see a push from IT executives for enterprise-wide security programs that vet and review any app created, used or purchased by a company. And yet companies in both the United States and the United Kingdom are struggling to stay at the forefront of AppSec initiatives. With enterprise apps presenting more risk than ever before, why the disconnect?

Variable Resources

Apps don't come from a single source. As revealed by a Veracode/IDG webinar, 43 percent of apps in the US were internally developed, compared to 36 percent in the UK. Both countries sourced 35 percent of their apps from commercial vendors, while UK companies outsourced slightly more apps to a third party (30 percent, versus 25 percent in the US). But that 25 percent covers some big-name enterprises — for example, John Deere. While the global farm-equipment maker won't outsource the design of the "customer experience," according to CNBC, it has outsourced mobile device code. John Reid, the director of product technology and innovation at Deere, says, "We could take the stance that we need to know how to write all the apps ourselves, but that's not what makes the difference to our customers." It might, however, if that app code doesn't pass basic security requirements.


The easiest way to reduce app vulnerabilities is to create an enterprise-wide security program. In the United States, 52 percent of company executives have mandated this kind of program and are tracking its implementation, while 32 percent are aware of such programs but haven't made them mandatory. Results in the UK are more concerning: While almost the same number of execs are aware of these programs as in the US, only 38 percent have made them mandatory. So what's the holdup? Why does the UK lag behind the US, and why are stateside businesses not 100 percent in favor of end-to-end AppSec?

Part and Parcel

There are two major hurdles that any company must overcome to implement this kind of holistic enterprise policy. First is an understanding of what testers are looking for when they analyze in-house, commercial or third-party apps. For example, the National Institute of Standards and Technology (NIST) is creating a mobile-application vetting guide (the current draft, "SP 800-163: Technical Considerations for Vetting 3rd Party Mobile Applications," is available online for review and comment) to help companies identify potential vulnerabilities. In many cases, these vulnerabilities aren't obvious: an app's declared permissions, not just its advertised purpose, tell you what it can actually do on the device. As noted by NIST computer scientist Tom Karygiannis, "Apps with malware can even make a phone call recording and forward conversations without its owner knowing it." It's also possible for apps to gain access to contact lists or track a user's location. Without a set of best practices for analyzing and reporting application vulnerabilities, any enterprise-wide effort ends up being slapdash and ad-hoc, ultimately defeating the purpose.
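One concrete, automatable piece of the vetting described above is checking what a mobile app asks permission to do before anyone installs it. The script below is an added example for this article, not NIST's guidance or any vendor's tooling. It assumes an Android manifest that has already been decoded from the APK into plain XML (a tool such as apktool does this; the sample manifest here is constructed inline), and the table of "high-risk" permissions is a hypothetical policy a reviewer would tune to their own organization. It flags exactly the capabilities the paragraph warns about (microphone and call recording, contacts, location) plus a debuggable build, and returns a structured result so the same check can run unattended across a whole app pipeline.

```python
"""Added example: flag high-risk permissions in a decoded AndroidManifest.xml.

Illustrative code, not NIST's or any vendor's. Assumes the manifest has already
been decoded to plain XML; the HIGH_RISK_PERMISSIONS policy is hypothetical.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Attributes like android:name live in this namespace in a decoded manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
DEBUGGABLE_ATTR = "{%s}debuggable" % ANDROID_NS

# Hypothetical vetting policy: permission -> capability it grants (for the report).
HIGH_RISK_PERMISSIONS: Dict[str, str] = {
    "android.permission.RECORD_AUDIO": "record microphone / calls",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.PROCESS_OUTGOING_CALLS": "observe outgoing calls",
    "android.permission.READ_CONTACTS": "read contact list",
    "android.permission.ACCESS_FINE_LOCATION": "track precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "track approximate location",
    "android.permission.READ_SMS": "read text messages",
}

# Constructed sample manifest: a note-taking app that quietly asks for far more
# than note-taking needs, and ships as a debuggable build.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fieldnotes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Field Notes" android:debuggable="true">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> List[str]:
    """Return every permission the manifest declares, in declaration order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def vet_manifest(manifest_xml: str) -> Dict[str, object]:
    """Vet one manifest against the policy and return a report dict.

    verdict is "PASS" when nothing in the policy is triggered, otherwise "REVIEW"
    so a human looks at it before the app enters the enterprise catalog.
    """
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    findings: List[Tuple[str, str]] = [
        (p, HIGH_RISK_PERMISSIONS[p]) for p in perms if p in HIGH_RISK_PERMISSIONS
    ]
    app = root.find("application")
    # A debuggable release build lets anyone with adb access attach and read app data.
    debuggable = app is not None and app.get(DEBUGGABLE_ATTR) == "true"
    return {
        "package": root.get("package"),
        "permissions": perms,
        "high_risk": findings,
        "debuggable": debuggable,
        "verdict": "REVIEW" if findings or debuggable else "PASS",
    }


def format_report(report: Dict[str, object]) -> str:
    """Render a report as the short text block a reviewer would read."""
    lines = ["%s: %s" % (report["package"], report["verdict"])]
    for perm, capability in report["high_risk"]:  # type: ignore[union-attr]
        lines.append("  high-risk permission %s (%s)" % (perm, capability))
    if report["debuggable"]:
        lines.append("  application is debuggable")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(vet_manifest(SAMPLE_MANIFEST)))
```

Run as-is, the sample app comes back as REVIEW with three high-risk permissions and the debuggable flag; a manifest that asks only for INTERNET passes. A permission check like this is a gate, not a verdict: it tells you which apps a human must look at, which is exactly the triage a resource-starved program needs.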

The second part to this AppSec problem is the pipeline. With apps coming from so many sources and with so many cloud-enabled functions, it can be almost impossible for local IT professionals to catch and inspect each one. As a result, mandated security programs may fail not for lack of effort or guidelines, but rather from lack of resources. Due to this, it's often worth partnering with an application security provider that can monitor, test and report on apps in real time — even when an enterprise is scaling to test hundreds to thousands of apps — and provide the framework for an effective, enterprise-wide initiative. Combined with a set of testing best practices like those from NIST, it's possible to manage the app pipeline and ensure only "clean" applications come out the other side.

Businesses in the UK lag behind their US counterparts when it comes to application security, but companies in the United States aren't immune to application risks. Intelligently managed, clearly defined and enterprise-wide AppSec is essential to reduce cloud-based application risks.


Doug Bonderud is a freelance writer passionate about the evolution of technology and its impact on companies, stakeholders and end-users alike. Want to know more? Follow Doug on Twitter.
