App security is a must for every development project. It would be difficult to distribute and monetize apps if app stores or curators such as Google Play and iTunes refuse to include applications in their collections due to security concerns. Google, for one, rejected more than half of the apps submitted to the Play Store with security cited as one of the top reasons for the rejection.
A good grasp of application security is essential in the midst of cyber attacks that are not only growing in volume but also evolving in sophistication. The following tips should help in ensuring app security, especially for neophyte developers and those who are still learning the ropes of app development.
Review the code
This step is a no-brainer, but it is worth repeating and emphasizing. It is an essential initial stage of security scrutiny, just like in the case of continuous security testing and cyber risk assessment. Everything starts with the evaluation of the integrity of the code. It is not only enterprise end users that should be meticulous with app security. App developers, too, can take advantage of the principles of continuous testing and risk assessment.
This review is particularly important in view of developers' reliance on open source libraries. An overwhelming number of applications make use of open source code. Not many developers build their software from scratch.
According to Veracode’s State of Software Security report, more than 70 percent of apps in use at present have at least one security flaw attributable to the use of an open source library. “We found that flawed libraries don’t get used less; in fact, they frequently get used more often,” the report states. The report goes on to suggest that the more libraries an application includes, especially open source ones, the more likely it is to contain flaws.
A thorough software composition analysis should be undertaken. This procedure can reveal a host of issues including data leakage, cross-site scripting, inadequate input validation, SQL injection, and CRLF injection.
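The following is an added illustration of what a software composition analysis pass does at its simplest: read a dependency manifest, pin each package to a version, and compare against an advisory table. It is not the article's code or any vendor's tool; the manifest, the package names and the advisory entries are constructed sample data, not real advisories.

```python
"""Minimal software composition analysis (SCA) over a dependency manifest.

Added example, not from the article. SAMPLE_MANIFEST and SAMPLE_ADVISORIES
are constructed data with hypothetical package names.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed manifest in requirements.txt style (package names are made up).
SAMPLE_MANIFEST = """\
# web stack
fastjson-py==1.2.3
yamlparse==5.1
imgtool>=2.0,<3
leftpad==0.9.0
"""

# Constructed advisory table: package -> [(first fixed version, weakness class)].
# The weakness classes are the ones the article lists for SCA findings.
SAMPLE_ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "fastjson-py": [("1.2.4", "inadequate input validation")],
    "yamlparse": [("5.2", "data leakage")],
    "imgtool": [("2.4", "cross-site scripting in error page")],
    "leftpad": [("1.0.0", "CRLF injection in log formatting")],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '5.1' or '1.2.3' into a tuple so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in v.split("."))


def parse_manifest(text: str) -> Dict[str, Optional[str]]:
    """Return {package: pinned_version or None}. Only '==' pins are resolvable;
    ranges such as '>=2.0,<3' leave the installed version unknown."""
    deps: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)\s*(==\s*([0-9.]+))?", line)
        if m:
            deps[m.group(1).lower()] = m.group(3)
    return deps


@dataclass
class Finding:
    package: str
    installed: Optional[str]
    fixed_in: str
    weakness: str
    status: str  # "vulnerable" (pinned below the fix) or "unpinned" (cannot prove safe)


def scan(manifest_text: str, advisories=SAMPLE_ADVISORIES) -> List[Finding]:
    """Flag every dependency that is known-vulnerable or whose version cannot be established."""
    findings: List[Finding] = []
    for pkg, version in parse_manifest(manifest_text).items():
        for fixed_in, weakness in advisories.get(pkg, []):
            if version is None:
                findings.append(Finding(pkg, None, fixed_in, weakness, "unpinned"))
            elif parse_version(version) < parse_version(fixed_in):
                findings.append(Finding(pkg, version, fixed_in, weakness, "vulnerable"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_MANIFEST):
        print(f"{f.status:10} {f.package} {f.installed or '?'} (fixed in {f.fixed_in}): {f.weakness}")
```

The point of the "unpinned" status is that a range specifier gives the scanner nothing to prove: a real SCA tool resolves the lock file rather than the manifest, and a build that cannot state which version ships should fail the gate rather than pass it silently.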
Anticipate security issues by understanding how an app will be used
Tech evangelist Tim Mackey says that “the core challenge is that appropriate tooling and strategies will depend upon your development paradigm.” As application development security best practices require, the intended use of an application determines the kind of security work developers have to put into their projects.
Mackey cites as an example the case of an agile DevOps-centric engineering team where the apps are deployed as microservices in containers. “There are capabilities within containerized deployments that can be described as security mitigation models—the result of which are more difficult to attain when developing IoT firmware or mobile applications,” Mackey explains.
It is vital for development teams to have a clear comprehension of how their apps will be deployed. This knowledge guides the building of threat models crucial in establishing the security of an application.
Establish security requirements
Almost all app developers will likely agree that ensuring security is essential for effective app development. However, many of them have the tendency to skip or be less meticulous about it because of deadlines and the failure of clients to include security in the project specifications.
To ascertain that application security is not relegated to a minor or almost forgotten concern, it is advisable to clarify the security objectives for a development project. Information security visionary Sammy Migues, in a DARKReading piece, offered insightful ideas on how to improve app security.
“It may be up to IT and software engineering teams to create infrastructure, set access controls, create custom applications, and configure environments to be resilient to attack and protect data, but it's problematic to have those groups decide what ‘security’ means, how to do it, and whether they're accomplishing it,” Migues wrote.
It is already a given that product managers or clients will be more concerned about the app features. The responsibility to ensure app security would have to be assumed by the developers. It is important to communicate the security requirements to the client, though, so they can adjust their expectations especially when it comes to deadlines.
Do not forget the basics
While establishing security requirements, consider this acronym: ALL ACES, where A stands for authentication, L for least privileges, L for libraries, A for API, C for cryptography, E for encryption, and S for session management.
Strong authentication is a basic requirement for app security. One way to achieve it is to prevent users from setting weak passwords. In relation to this, it is also a basic practice to grant the bare minimum privileges to users of an app, or to anyone who might want to examine an app’s code. Network access should similarly be kept as narrow as possible.
Additionally, developers should always be mindful of their use of libraries, especially third-party ones, as they can contain vulnerabilities or flaws that weaken the security of an app. The same goes for APIs: only authorized APIs should be used.
Cryptography and encryption are related terms, and both belong to basic app security. Data should be encrypted so that it is unreadable to cybercriminals or other bad actors. Reliable encryption depends on well-vetted cryptographic tools and techniques; AES is an example of a standard cipher, and SHA-256 an example of a standard hash function (used for integrity checks and fingerprints rather than for encryption itself).
Lastly, there has to be proper session management. In mobile apps, for example, it is advisable to provide options for remote logout and data wiping. Session timeouts are usually employed in desktop apps, but users may find them pesky in mobile applications. As such, remote logout and data deletion functions are encouraged.
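Three of the ALL ACES basics above (authentication, cryptography and session management) can be shown in one small server-side component. The following is an added example, not code from the article: a password gate that rejects short or deny-listed passwords, a session store that keeps only SHA-256 fingerprints of bearer tokens, enforces an idle timeout, and supports the remote "log out everywhere" action the text recommends for mobile apps. The policy numbers (12-character minimum, 15-minute idle timeout) and the deny-list are assumptions chosen for the example.

```python
"""Password gate plus session store with idle timeout and remote logout.

Added example, not from the article. MIN_PASSWORD_LEN, IDLE_TIMEOUT_SECONDS and
COMMON_PASSWORDS are assumed policy values for illustration only.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MIN_PASSWORD_LEN = 12            # assumed policy value
IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed policy value
# Constructed deny-list; a real deployment would load a breached-password corpus.
COMMON_PASSWORDS = {"password", "123456789012", "qwertyuiopas"}


def password_is_acceptable(pw: str) -> bool:
    """Authentication basic: refuse weak passwords at registration time."""
    if len(pw) < MIN_PASSWORD_LEN:
        return False
    return pw.lower() not in COMMON_PASSWORDS


def token_fingerprint(token: str) -> str:
    """Cryptography basic: persist only a SHA-256 digest of the bearer token,
    so a copy of the session table cannot be replayed as live tokens."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class Session:
    user: str
    last_seen: float
    revoked: bool = False


class SessionStore:
    """Session management basic: server-side state, idle timeout, remote logout."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock                      # injectable for deterministic tests
        self._sessions: Dict[str, Session] = {}  # keyed by token fingerprint

    def create(self, user: str) -> str:
        """Issue a fresh random token; only its fingerprint is stored."""
        token = secrets.token_urlsafe(32)
        self._sessions[token_fingerprint(token)] = Session(user, self._clock())
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Return the user for a live token, or None if the token is unknown,
        revoked, or has been idle longer than the timeout."""
        sess = self._sessions.get(token_fingerprint(token))
        if sess is None or sess.revoked:
            return None
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT_SECONDS:
            sess.revoked = True   # expire permanently rather than let it linger
            return None
        sess.last_seen = now      # activity extends the idle window
        return sess.user

    def logout_everywhere(self, user: str) -> int:
        """Remote logout (e.g. from a lost phone): revoke all live sessions
        for the user and report how many were cut off."""
        count = 0
        for sess in self._sessions.values():
            if sess.user == user and not sess.revoked:
                sess.revoked = True
                count += 1
        return count


if __name__ == "__main__":
    store = SessionStore()
    t = store.create("alice")
    print("resolves to", store.resolve(t))
    print("revoked", store.logout_everywhere("alice"), "session(s)")
    print("after logout", store.resolve(t))
```

Injecting the clock is what makes the timeout behaviour testable without sleeping; the idle window is renewed on each successful resolve, so an active mobile user is never interrupted, while an abandoned session still dies on its own and a remote logout kills every device at once.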
Use the right tools and processes
Several tools are used for security testing. These include static application security testing (SAST), dynamic application security testing (DAST), interactive application security testing (IAST), runtime application self-protection (RASP), and penetration testing tools. Using all of these tools does not mean the final product will be invulnerable to attacks, but together they provide reasonable assurance of its security.
Going through the rigorous security testing processes and using the different tools can inevitably extend the time it takes to build an application. However, it would be a bad idea to ditch them or resort to shortcuts. The consequences can be severe.
According to Verizon’s 2020 Mobile Security Index, 43 percent of organizations sacrificed mobile security over the past year as development teams were asked to prioritize time to market at the expense of security. This has resulted in a doubled likelihood of getting compromised.
Fast rollout is expected for any development project, but it should not mean disregarding security standards. Developers understand the pressures of meeting deadlines. However, it would be counterproductive to push them too hard and submit to the commonly held notion that anything not deemed as a feature (of an app) is a (development) speed bump. The pointers briefly discussed above should be useful in securing apps as they are being developed.