MOBILE APPLICATION SECURITY BY DESIGN

WHY SHOULD SECURITY MATTER?

Mobile security breaches have affected more than two-thirds (68 percent) of global organizations in the last 12 months, according to a study from BT. This can cause both reputational and economic harm for you as a business. So does this mean we all need to get ourselves a Blackphone? We don’t think so. In this presentation we provide a comprehensive breakdown of the different security threats that are out there, help you assess where you stand, and explain why you should consider using Security by Design for all your mobile applications.

SECURITY AGAINST WHAT?

- Unauthorized access to corporate or personal data
- Unauthorized use of users’ privacy-protected data and information (e.g. location)
- Theft of funds, banking credentials, or credit card numbers
- Theft of users’ corporate or personal credentials
- Hackers compromising end users’ devices as a conduit into the corporate network
- Hackers accessing mobile device features and other applications
- Loss of productivity (e.g. when the environment is not stable or employees’ batteries are drained)
- Regulatory violations

WHAT KIND OF THREATS ARE OUT THERE? (WEB VS. NATIVE)

Different platforms carry different levels of risk. For example, computers face viruses and malware that come from malicious code spawned by opening a document, running a script on a web site, or launching an executable. Mobile devices don’t yet have this risk; their primary risk is the applications themselves, which are executables that may try to access data on the phone or, in the case of Android, embed themselves deep into the operating system as a rootkit.

WHAT KIND OF THREATS ARE OUT THERE? (EXT. VS. INT.)

External threats: hackers, organized crime, corporate espionage. These people are looking to steal money from financial transactions, intellectual property, credentials or personal profiles they can sell, or to gain a foothold in a corporate network so they can better reach one of the above assets of value.

Internal threats: users who are authorized to use systems and access data through applications. They can, intentionally or unintentionally, escalate their privileges or perform functions they should not be authorized to perform. This would allow them to view, delete, or steal data they shouldn’t have access to.

HOW TO ASSESS WHERE YOU STAND? (PART 1 OF 2)

Understand your current plans, and also your future plans, for security in:

Infrastructure: This may include the overall network infrastructure, internet points of presence, mobile gateways, and business continuity contingencies. Put encryption and other secure mechanisms in place for both the transport and the storage of data.

Security policies: These policies should support regulatory requirements as well as industry best practices. This includes ISO 27001:2013 requirements as well as Data Security implementation. Examples include utilizing physical security measures such as passwords to control access to data, establishing monitoring processes for user access rights and roles at regular intervals, and creating procedures to ensure security eve

HOW TO ASSESS WHERE YOU STAND? (PART 2 OF 2)

Development, testing and QA: This should assess the processes for development, system testing and QA, security testing, and deployment.

Environment: The environment should be adequate to your needs and mitigate the risks. Mobile environments should have a fail-over site to ensure redundancy and high availability.

Training of employees: Training employees will increase compliance with security policies and decrease breaches caused internally.

Education of users: Users can be customers or employees. There should be transparency towards the users of your mobile apps about the level of security that can be expected within your application. This should be communicated within the user journey.

KEY RECOMMENDATION: SECURITY BY DESIGN

Think about security at all stages of app development. Mobile application development should include security checks within the development life cycle, including the design, testing and QA processes. Preventive maintenance should be performed to regularly improve the apps’ code.

CASE STUDY: CEMEX

Goal: Identify potential security risks and propose recommendations to mitigate them, while identifying immediate activities that would aid CEMEX in securing its mobile environment.

Solution: Golden Gekko (A DMI Company) performed a risk assessment of CEMEX’s mobile infrastructure and architecture, CEMEX’s mobile app development process, and two existing apps, Sales 360 and MyCEMEX.

Results: Golden Gekko (A DMI Company) put forward a proposal with key activities to safeguard CEMEX’s mobile environment.

TRUSTED AQUA PARTNER

The App Quality Alliance (AQuA) is the mobile industry’s organization supporting quality app development. Golden Gekko (A DMI Company)’s Trusted Status endorsement means that our app development services and QA practices have been assessed, validated and endorsed by AQuA in a stringent process that ensures only the highest quality output.

“Golden Gekko (A DMI Company)’s approach of agile software development life and iterative QA processes demonstrates that they share our vision when it comes to developing real quality in the app market.”

– Martin Wrigley, Executive Director, AQuA

WHY DO IT?

INTERESTED IN DOING A MOBILE SECURITY AUDIT OF YOUR COMPANY? WANT TO LEARN MORE ABOUT HOW TO PROTECT YOUR CUSTOMERS’ DATA AND HELP MANAGE THEIR PRIVACY?

CONTACT US FOR A CALL OR MORE INFORMATION.

web: www.goldengekko.com
email: [email protected]