Despite the rising costs and impact of application compromise — recent data found that 58 digital records are stolen every second and breaches cost companies an average of $3.6 million — many best practices and procedures for securely designing, developing, testing and protecting applications remain largely ad hoc. As noted by TechRepublic, in fact, exactly ZERO percent of organizations say their security needs are fully met by their current infosec strategy, down from just 11 percent last year.
Some respondents pointed to a lack of skilled resources while others cited budget constraints, but regardless of origin the outcome is clear: hastily designed app protection procedures that don’t meet current needs and can’t keep up with evolving demands.
Need a helping hand with your application protection process? We’ve compiled some of the best practices of leading-edge companies into a top-10 list. Let’s get started.
Now is the time to seriously look at how you are protecting and securing your applications
The U.S. National Institute of Standards and Technology (NIST) has published two data-security focused documents in as many months.
In June 2018, NIST published guidance on assessing requirements for securing controlled unclassified information (NIST Special Publication 800-171A, Assessing Security Requirements for Controlled Unclassified Information).
In July 2018, NIST Special Publication 1800-1, Securing Electronic Health Records on Mobile Devices, was published, offering a practical guide to meeting the specialized security and privacy obligations that come with the management of health records on mobile devices.
Anyone developing software applications today can easily feel overwhelmed by the persistent security threats their products face, from application counterfeiting and malware injection to theft of services and confidential information. This article discusses some of the ways hackers go about their dirty deeds and how to achieve a balanced perspective on application risk and risk management, allowing you to release applications with greater confidence. Gaining this confidence requires a deeper knowledge of the risks and potential remedies.
I just read the Forrester Wave™: Governance, Risk, And Compliance Platforms, Q1 2018.
Forrester reminds us all that “Risk and compliance management is more important than ever, thanks to the increasingly intangible nature of business value and the growing risk of violating customer trust.”
Preventing Privilege Escalation in mobile payment apps (PCI Mobile Payment Acceptance Security Guidelines Section 4.3)
Regulators, standards bodies and IT auditors have become increasingly likely to recommend an absolute prohibition of rooted Android devices in production environments. As the 2017 PCI Mobile Payment Acceptance Security Guidelines state, “Bypassing permissions can allow untrusted security decisions to be made, thus increasing the number of possible attack vectors.”
It is only natural that the apps themselves rise up to act as a ubiquitous governance, risk, and compliance management layer – preventing, detecting, responding to, and reporting on threats – including those posed by unauthorized rooted devices.
When perimeters are breached, identities stolen and malware launched, encryption stands as information’s last line of defense. Without effective encryption policies, you will first be victimized and then held liable (punished) by every information stakeholder (customers, partners, investors, regulators, the courts, etc.).
Just this week, Wired led with the headline “Tinder’s Lack of Encryption Lets Strangers Spy on Your Swipes,” where they wrote in part:
“In 2018, you'd be forgiven for assuming that any sensitive app encrypts its connection from your phone to the cloud, … But if you assumed that basic privacy protection for the world's most popular dating app, you'd be mistaken.”
The GDPR is comprehensive; its impact is far reaching, and the penalties for infringement are severe (up to €20 million or 4% of global annual revenue, whichever is higher).
In short, no impacted business can afford to ignore The GDPR. As the May 2018 deadline looms, organizations find themselves scrambling to be “GDPR ready” – but what exactly does that mean?
According to the official EU GDPR website, http://www.eugdpr.org, “The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years.”
This may well be true. The GDPR includes unprecedented penalties connected to data breaches, it reaches across international borders, and it targets both data owners and third-party service providers that process or manage that data.