Deliver on Digital Transformation Potential with App Protection-Forward Strategies
Published on August 6, 2019 by Alexander Goodwin
Currently charging up the hype cycle slope? The rush to become a “technology-forward” organization.
But delivering on digital transformation potential demands more than buzzwords — along with C-suite support, end-user buy in and robust data defense, companies must develop “protection-forward” strategies to secure the IT front line: Applications.
What is a technology-forward organization? One that prioritizes digital transformation — the ongoing shift away from cumbersome physical processes and outdated IT solutions to always-connected, digitally-enabled services that empower user access and data analytics to drive long-term ROI.
When properly implemented, tech-forward strategies pay big dividends: As noted by Forbes, businesses like Target and Best Buy — both at risk of going under just a few years ago — have substantially improved both performance and revenue by leaning into digital solutions. According to Tech Republic, 66 percent of business leaders now plan to implement digital transformation strategies and expect them to drive 17 percent ROI over the next year.
The challenge? Forward thinking can’t be confined to the big picture: Realizing IT potential demands a protection-forward strategy to secure the rapidly-expanding suite of web and mobile applications that power day-to-day business operations.
Risk and Reward
Applications are at risk. Consider the financial industry: As noted by IT World Canada, 92 percent of mobile and web-based financial apps tested contained at least one medium-risk security issue and 85 percent failed GDPR compliance evaluations.
But with apps now driving both internal efficiency and critical to customer retention, what’s the disconnect? Why are companies still releasing apps that don’t meet basic security expectations?
Two key factors help perpetuate this insecure application cycle:
- The Need for Speed — Speed matters. Applications that get to market first grab consumer interest and let companies move on to the next project, driving the kind of forward momentum that’s become synonymous with tech-savvy businesses. The problem? Speed naturally introduces security risk. As Tech Target points out, the adoption of DevOps app delivery has significantly boosted development and deployment speeds. Security is the outlier — the obstacle that slows production and hampers app development. As a result, companies often wait until applications are live to investigate security issues, putting both consumer and corporate data at risk.
- C (Suite) No Evil, Hear no Evil — Along with the push to deliver apps on time and conquer digital markets, security remains a low priority for C-suite executives. According to , just 49 percent “have cybersecurity on their board agenda at least quarterly,” and a mere four percent say security gets a mention once each month.
This puts application security behind the curve since even critical issues may not get C-suite attention for weeks or months, in turn limiting the efficacy of more buzz-worthy digital transformation initiatives.
App-etite for Destruction
As noted by the FTC, “more than a thousand apps are hitting the market each day”. The Commission recommends that companies “aim for reasonable data security” to help mitigate app risk in this growing ecosystem — but what’s the worst that could happen if speedy DevOps teams push insecure apps out the door early?
- Malicious Modification — If attackers gain access to application source code or critical functions, it’s possible for them to weaponize your software and repurpose it for criminal intent.Consider the recent rash of “Agent Smith” malware — according to Phys.org, this malware is able to copy popular gaming applications on mobile devices, then “inject its own malicious code and replace the original app with the weaponized version.” From the user perspective, nothing changes — apps still work as intended. But the malware serves up unwanted ads and paves the way for more serious financial or personal data breaches.
- Compliance Concerns — A year after GDPR implementation, almost one-third of European businesses still aren’t compliant. Combined with other regulations such as PCI DSS and emerging data privacy laws such as the California Consumer Privacy Act (CCPA), even small issues with how applications store, transmit and handle data can put organizations at risk of compliance failures.The result? Depending on the severity and context of the issue organizations could face monetary fines, removal of applications from approved storefronts and reputation loss among critical consumers.
Simply put? Insecure apps have a ripple effect on corporate security and digital transformation processes. As noted by the Tech Target piece, tracking down app issues post-release can take three months or more, while shelving apps to address critical infosec issues puts companies behind the competition.
Putting Your Best Foot Forward
Recent NIST guidance on software security and protection makes it clear: Organizations bear responsibility for the safety and security of their applications and the data they process. The agency suggests a four-part development process that specifically calls out improved software security designed “to protect all components of the software from tampering and unauthorized access.”
To achieve this kind of protection-forward functionality, many organizations are transitioning to DevSecOps teams that make app security a key component of development and release cycles. Here, three factors help drive app protection success:
- Shared Responsibility — As noted by InfoQ, successful DevSecOps teams leverage “a philosophy of cooperation and shared ownership in which members of your development, operations, and security teams collaborate together, each taking responsibility for some things that would normally be outside of their purview.”
- Well-Defined Processes — Teams must articulate and implement specific security testing and evaluation processes that help refine apps and lower risk during the development cycle.
- App Obfuscation, Hardening & Protection — In-app protection tools can help mitigate threats before applications go live and protect apps in real-time to limit risk in the wild. Tools must pass a dual criteria test: They must be effective in obfuscating key functions and actively responding to potential attacks, and must be easy for DecSecOps teams to implement, integrate and maintain.
Technology-forward businesses recognize the power of digital transformation. But, leveraging the potential of this organizational shift demands app protection-forward strategies that lay the security groundwork for responsible and compliant application design.