particular app would be to your organization. For example, what do you stand to lose if
an attacker, in a scenario similar to this year’s Anthem data breach, achieves higher
access privileges and secures long-term access to your data? In Anthem’s case, just five
cracked network user IDs resulted in the loss of the personal information of over 80
million people.

So, ask yourself, “What data is the app storing and/or processing? Who has access to
that data? What security measures are in place for approved users? If an employee
loses a mobile device, does the network require a VPN password for remote access and
if so, is that password cached?”

To best inform your approach to security policy, it is critical to have a firm grasp of the types
of information that are stored, shared and accessed through these apps.

2. Build a solid foundation. When coding an application securely, it has been proven that
“default denying” everything throughout the design process will ensure the application is
sufficiently protected. In addition, assigning permissions only as they are needed makes it much
easier to pinpoint the source of a vulnerability if and when one occurs.
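The following is an added illustration of the “default deny” principle described above; it is not code from the article. It contrasts a block-list style check, where anything not explicitly blocked is allowed, with an allow-list check where every permission must be granted explicitly, and it returns the rule behind each decision so that a questionable grant can be traced to its source. The roles and action names (reader, clerk, admin, records:read and so on) are hypothetical, constructed for the example.

```python
"""Default-deny authorization check (added example, not the article's code)."""
from dataclasses import dataclass

# Permissions are assigned explicitly per role; anything not listed here is denied.
# Hypothetical roles and actions, constructed for this example.
ROLE_PERMISSIONS = {
    "reader": {"records:read"},
    "clerk": {"records:read", "records:update"},
    "admin": {"records:read", "records:update", "records:delete", "users:manage"},
}

# The block-list anti-pattern: only the actions listed here are refused,
# so any action nobody thought to block (or one added later) passes by default.
BLOCKED_ACTIONS = {
    "reader": {"records:delete"},
}


def is_allowed_default_allow(role: str, action: str) -> bool:
    """Default allow: permitted unless the action is on the role's block list."""
    return action not in BLOCKED_ACTIONS.get(role, set())


def is_allowed_default_deny(role: str, action: str) -> bool:
    """Default deny: permitted only if the role was explicitly granted the action."""
    return action in ROLE_PERMISSIONS.get(role, set())


@dataclass
class Decision:
    allowed: bool
    reason: str  # which rule produced the decision, for audit and debugging


def authorize(role: str, action: str) -> Decision:
    """Default-deny decision that records the rule it was based on.

    Because grants are explicit, a surprising "allowed" can always be traced
    to one entry in ROLE_PERMISSIONS; there is no implicit path to a grant.
    """
    granted = ROLE_PERMISSIONS.get(role)
    if granted is None:
        return Decision(False, f"unknown role {role!r}: no permissions assigned")
    if action in granted:
        return Decision(True, f"role {role!r} explicitly grants {action!r}")
    return Decision(False, f"role {role!r} has no grant for {action!r}")


if __name__ == "__main__":
    # A new action that was never added to any block list: the default-allow
    # check lets a reader through, the default-deny check does not.
    for check in (is_allowed_default_allow, is_allowed_default_deny):
        print(check.__name__, "reader -> records:export:", check("reader", "records:export"))
    print(authorize("clerk", "records:update"))
    print(authorize("ghost", "records:read"))
```

Running the module shows the gap directly: `is_allowed_default_allow` permits a reader to perform `records:export` because no one ever listed it as blocked, while `is_allowed_default_deny` refuses it because no one ever granted it. The `reason` string on each `Decision` is what lets you pinpoint which permission assignment was responsible when access turns out to be broader than intended.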

Getting your app to this point requires a heavy focus on security from the outset of its
development, so that security is properly integrated throughout each phase.

From a design perspective, while user interface and user experience are key
considerations in the evolution of any app, they are also intrinsic to security. Every effort
should be made to take the weight of security responsibility off the end-user’s shoulders.

Why? Because if an app requires the user to make a decision between security and
convenience, it should come as no surprise that they would more often than not default
to convenience—and in many cases, this decision presents serious consequences for
your organization.

In those instances when you’re forced to compromise convenience for the sake of
security, such as repeated, required VPN log-ins, a user should be made aware of and
understand the security reasoning behind that decision.

3. Prepare for anything—and that means the worst. Even with a heavy cover of policies,
if you don’t have a plan within those policies or if your team doesn’t fully understand it,
your organization is at risk. It’s especially worth noting that many IT Pros and developers
may wonder why investing in native app security is necessary when the organization’s
core infrastructure and shared platforms could be locked down instead.

At the end of the day, if your business is running apps on shared infrastructure, you have
to assume these platforms aren’t secure and the possibility of data being leaked is very
real.
52 Cyber Warnings E-Magazine – June 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
