Last month, Veracode released a supplement to its 2015 security report that focused on application development. The report showed that four of five applications written in PHP, Classic ASP and ColdFusion failed at least one of the Open Web Application Security Project (OWASP) Top Ten, a list of security benchmark best practices. Put more simply, the research suggests that applications, many of them mobile, are awash in vulnerabilities.
The research found that one scripting language is riskier than two other common approaches. “In the side-by-side comparison of programming languages, we found that PHP was far more vulnerable to the issues of cross-site scripting and SQL injection than Java and .NET,” Chris Wysopal, Veracode’s co-founder, CTO and CISO says.
The intricacies of which scripting languages are more vulnerable than others are very important to developers and security professionals. For others, however, the question is a bit simpler: Is there an epidemic of insecure applications running on mobile devices, many of which handle corporate communications and data?
Wysopal thinks he has the answer, and it’s one that enterprise security executives are not going to like:
“[O]ur finding that 87 percent of Android apps and 80 percent of iOS apps have cryptographic issues shows that mobile developers have a long way to go in terms of meeting basic standards for building secure apps.”
Is this feeling shared by others? Joshua Wright, the senior instructor and counter hack technical director for the SANS Institute, thinks it is.
“Frequently, developers don’t have a strong understanding of the threats associated with mobile device platforms or the app development frameworks they utilize,” Wright says. “This, combined with the quick-to-market app delivery model, has led to hundreds of thousands of insecure apps throughout the iOS and Android app stores.”
Two megatrends in telecommunications have led to this point. The first is that the explosion of mobility has limited the options for securing data and applications. In short, the old model, in which firewalls protect what is within the enterprise and very select, and generally non-mission-critical, apps and data are allowed beyond the electronic barrier, no longer exists. The second trend is BYOD. The reality is that many of the applications used by people for their employment are consumer apps that don’t have as high a level of security as those built from the ground up for the enterprise.
This is a complex new mobile security world, but clearly not a hopeless one from the security perspective. The reality, according to Robert Gravelle, the owner of Gravelle Web Design, is that the core problem is the users, not the technology. Device portability and over-the-air updates lend themselves to hacking, he says.
“Security to a large extent falls onto the user. The widespread practice of device rooting by Android users is only increasing risk because it circumvents the security restrictions put in place by the operating system,” Gravelle explains.
What Can Be Done to Improve Mobile App Security?
The insecurity of mobile life has a variety of causes, ranging from technological shortcomings to user apathy, ignorance and naivety. The question is what can be done. On the technical front, Wysopal suggests, education is key. He provided a very good indicator of the first step in moving forward: since Java and .NET developers have a stronger background in secure coding than those using PHP, bringing the latter up to speed seems to be a good first step.
The problem may be one of a willingness to be proactive. The press release on the Veracode study says that only about one-quarter of organizations have “mandated, ongoing secure coding education programs” in place.
The unfortunate reality, however, is that the need to produce applications faster works against the desire to train developers better and adequately test what they produce. If anything, the industry seems to be moving in the other direction.
“[T]he answer lies in better developer training and an understanding of what technologies can help protect an organization’s mobile ecosystem,” Wysopal says. “For developers, training is essential. For organizations with a mobile program, they should consider implementing an MDM system that allows policy-based controls such as automated application blacklisting, application reputation intelligence that is continuously updated and based on real-world risk profiles.”
The bottom line is that the battle against insecure applications is never-ending. That means that it likely will never be fully won—but could be fully lost. The best advice hasn’t changed during the past few years. It includes encryption, strong passwords and strong corporate security policies. Gravelle suggests that a good deal of work is necessary on a number of fronts.
“Unfortunately, like all security matters, it takes a multi-pronged solution,” he says.
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at cweinsch@optonline.net and via twitter at @DailyMusicBrk.