IT environments are evolving. Gone are the days of in-house, fixed-endpoint, limited-access server stacks, replaced instead by a combination of private and public cloud solutions, mobile applications, and IoT devices.
As noted by research firm IDC, public cloud spending now outpaces all other IT infrastructure, with a growth rate topping 10 percent year-over-year. Statista reports that users downloaded more than 178 billion apps in 2017 alone—and are on track to break 250 billion over the next few years.
What does this mean for organizations? Application environments are quickly moving beyond in-house IT purview, exposing apps and network services to steadily growing risks. This creates a paradox: Companies can’t deny the benefits of third-party environments and application partnerships, but they also can’t ignore the threat of app and data compromise or reverse engineering and tampering.
Outside the comfort and control of in-house networks, apps must learn to fend for themselves. Here’s a crash course in the art of software self-defense.
Application environments outside direct company control present significant risk. Consider a recent Wired piece, which notes that “hundreds of millions of records” containing unprotected Facebook user data were recently discovered on Amazon servers. Uploaded by Facebook app developers, this dangerous data trail showcases the speed of security risk: Information moved easily from Facebook to app developer networks to plaintext storage solutions.
Insecure app environments also pose a physical risk: As reported by AutoBlog, after the Chicago Car2Go app was compromised, approximately 100 cars were stolen, and some were used to commit crimes. This is the nature of mobile applications—accessibility trumps environmental security but opens software to the possibility of vulnerability exploitation or code modification.
Put simply? Applications — and their data — now exist across insecure environments as a matter of course but lack the internal security controls necessary to defend themselves.
The simplest explanation for rapidly increasing application security risk? Mobile app adoption. As noted above, hundreds of billions of apps are now downloaded each year by consumers, and companies now recognize that apps are the key to staying competitive in a mobile-first world.
But the rush to develop and deploy apps naturally impacts security: According to recent survey data, most financial applications come with significant security flaws, including insecure data storage, insufficient cryptography, or the potential for code tampering. In many cases, developers aren’t taking advantage of existing security options—as noted by Help Net Security, two-thirds of iOS applications don’t use App Transport Security (ATS) controls, which help ensure encrypted connections between apps and servers.
Also problematic? The decreasing efficacy of traditional defenses such as endpoint security tools. Recent research found that 42 percent of all endpoints are unprotected at any given time, 70 percent of breaches originate at the endpoint, and 100 percent of all endpoint security measures eventually fail. The result? Even supposedly “protected” environments aren’t foolproof—apps brought behind corporate failsafes and firewalls are never risk-free.
In The Karate Kid, protagonist Daniel LaRusso spends a not-insignificant amount of time waxing his teachers’ car, frustrated that he’s not mastering the karate techniques he desperately wants to learn. Spoiler alert: He’s been training the whole time, developing myriad skills, from patience and persistence to the physical movements necessary to ward off potential attackers.
Effective application protection across insecure environments demands similar dedication and diversification to ensure apps are prepared to handle everyday issues and master emerging challenges.
So, what does this look like in practice?
First, organizations must recognize that any environment—including internal server stacks—is potentially hostile. Moreover, both application front- and back-ends are at risk, especially when apps are not only used on public networks but also hosted in redundant data centers across multiple countries. Finally, companies must address the growing complexity, cost, and confusion surrounding emerging app compliance standards and regulations; traditional defenses no longer qualify as “due diligence” in a data-driven, mobile-first environment.
Giving apps the protection they need to self-defend means skipping the search for a catch-all, fire-and-forget solution and instead taking a layered approach using techniques such as:
The sheer volume and variety of applications make it clear that companies must assume every environment is untrusted. This isn’t an academic exercise—application breaches present serious risks to growth models and bottom lines across both technology and physical resource stacks.
The bottom line? Don’t rely on application environments to protect and secure your app. Instead, preemptively apply protection directly to the app, allowing it to secure itself wherever and whenever with both passive and active self-defense.