Keeping Secrets: The Evolving Expectation of App Defense
Published on July 10, 2017 by Gabriel Torok
Applications drive corporate success. As noted by Business 2 Community, the average American smartphone owner uses more than 10 apps per day and spends over three hours per day connected to the Internet via their mobile device. The problem? Rapidly-expanding app markets combined with easy-to-find hacker kits make the current environment a cybercriminal’s paradise — according to recent Ponemon data, the average cost of a data breach is around $3.62 million and the size of breaches is trending up. It gets worse: According to Gartner, 99 percent of app vulnerabilities exploited won’t rely on new, sophisticated attack vectors, but existing vulnerabilities that infosec pros have seen in the wild for at least a year.
And according to Alex Urbelis, a partner at the Blackstone Law Group who has also been part of the information security community for more than 20 years, it’s not just technology shortcomings that should worry enterprise decision-makers. New laws such as the Defend Trade Secrets Act create legal challenges — while companies now have a private right of action to make claim for damages in federal court if trade secrets are misappropriated, insufficient (or absent) app protection could render this claim null and void.
Here’s a look at the top enterprise app threats and how companies can start better keeping secrets and better protect their intellectual property.
Data and application breaches have become so common that data about their impact is readily available. While this offers a great jumping-off point it’s also a sobering reminder that breaches are now the rule rather than the exception and that no company can afford to ignore the risks associated with their apps (whether mobile, desktop, cloud, web or IOT.)
We conducted an Application Risk Management survey in June of 2017; and you can look for details soon in an upcoming blog. The survey gathered information about their development organizations’ risk management priorities and mitigation strategies.
The survey results indicated that the top 6 application development vulnerabilities were:
- Data loss or corruption
- Intellectual Property theft
- Liability or reputational damage
- Operational disruption
- Regulatory or compliance violations
- Software piracy
Financial factors pertaining to addressing risks are identified in the Cisco 2017 Annual Cybersecurity Report, showing that 35% of security professionals believe budget is the biggest obstacle to adopting advance security processes and technology. Meanwhile, 20 percent of organizations say they lose customers after a breach and 30 percent lose revenue, even as 27 percent of all new, third-party cloud application introduced into corporate ecosystems pose “high security risk”. As a result of the pressures, it’s no surprise that cyber-insurance premiums are now a must-have for enterprises, with premiums set to triple over the next three years.
Simply put? The statistics paint a clear (if bleak) picture: Enterprises want better application security. It’s not always an easy transition, but the longer companies procrastinate the greater the risk.
While it’s tempting to imagine that all application threats come from highly-focused groups looking to breach valuable targets, according to hacker Robert Barat of infosec radio show Off The Hook, many basic hacking tools “are open source and hosted on GitHub”. This allows users with minimal skill and moderate interest to compromise applications for their own purposes.
Consider last summer’s wildly popular mobile game Pokemon Go. As noted by Barat, developer Niantic was in a rush to get the game out the door, “didn’t implement basic debugger detection software and sent a lot of data unencrypted.” Leveraging simple and freely-available tools users reverse-engineered the product and accessed for-pay in-game services for free. But that’s the just start — lost revenue meant potential job loss and unencrypted data transmission put personally identifiable information (PII) at risk, opening the door for a lawsuit.
And beyond PII data loss there’s also the risk of serious financial harm. As noted by Urbelis, that’s what happened to medical device manufacturer St. Jude Medical, which created an in-home device to connect with patient pacemakers. A company called MedSec reverse engineered the product and discovered how to remotely drain the battery, in turn putting users in potentially life-threatening danger. Then, MedSec sold this information to a stock shorting firm and released the data publicly, earning a huge windfall and causing a freefall for St. Jude stock.
Even more worrisome? The SEC isn’t coming down on companies for this kind of market manipulation, meaning that vulnerable apps and devices could lead to massive financial frustration.
Recent survey data shows that companies recognize a common list of application development vulnerabilities including data loss and corruption, intellectual property theft, operational disruption and liability damage. And yet just 16 percent of enterprises have app controls established in a formal organizational framework — more than 40 percent opt for ad-hoc and reactive defenses.
So how do organizations effectively keep secrets and reduce the risk of application breaches? From a technology standpoint, companies need smart app protection that hardens applications, obfuscates data and offers “nuclear” options against particularly virulent attacks. This type of defense also provides the “reasonable means” necessary to secure trade secrets under the Defend Trade Secrets Act, allowing companies to both satisfy the demands of an increasingly tech-savvy public willing to share PII via mobile devices and pursue malicious actors if they attempt to misuse or misappropriate critical source code, application data or intellectual property.
Bottom line? Applications are critical to compete on a global scale; fiscal and legal security depend on effective and adaptable app protection and defense.