Emerging App Security Regulations: Are You Compliant?
Published on February 16, 2018 by Gabriel Torok
IT security is a hot topic, and no wonder — major healthcare, finance and government breaches have all made headlines in recent months, prompting both federal agencies and compliance organizations to draft new security standards. As noted by Tech Target, regulations under Sarbanes-Oxley, PCI-DSS and HIPAA all lay out clear expectations for companies when it comes to protecting network assets, personal data and critical infrastructure.
Software, meanwhile, has historically escaped the reach of these regulations, largely thanks to the rapid uptake of mobile and web-based applications: The sheer number and type of cloud-enabled offerings and now IoT-connected software made it difficult for governing bodies and compliance agencies to define meaningful standards that improved overall security. But, just as cloud computing went through a “wild west” period of rapid expansion followed by increasing scrutiny and regulation, software and application development is now on the receiving end of emerging security regulations.
Why? Because data is created, accessed and altered through applications, protecting and hardening your applications is a key component of protecting your data. Adding application hardening to your secure software development lifecycle makes it more difficult for people and machines to exploit those applications.
So, here is the question: are you compliant? Read on to find out what’s impacting the industry and what you can do to ensure app compliance.
Before diving into the deep end of application security regulations, it’s worth making sure basic IT protections meet current standards.
Notable examples include:
- HIPAA — If you’re a “covered entity” under healthcare legislation (you transmit any type of healthcare data defined under the act), you must “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information.”
- PCI DSS — The new PCI standard, version 3.2, requires that companies provide proof of ongoing compliance. As noted by Security Intelligence, this means adopting multifactor authentication for both remote and administrator access, along with documenting the cryptographic architecture.
Also worth noting? Forty-seven out of 50 states have now implemented cybersecurity policies which require companies to notify both government agencies and consumers if breaches compromise customer data.
Applications are finally getting the recognition they deserve, both as the foundation of effective IT and as the number one source of data breaches. According to Search Compliance, some researchers suggest that 90 percent of software in use has security vulnerabilities in the application layer. The result? It’s no wonder cybercriminals are wising up and using apps to compromise corporate infrastructure, install malware and exfiltrate data, and app security regulations are emerging to combat this new threat.
Let’s break down some of the most relevant:
- OWASP — The Open Web Application Security Project (OWASP) remains a go-to standard for application security. The OWASP Top 10 provides yearly reports on specific app threats, and encourages organizations both to compile a list of all third-party components used in their software and to monitor those components for potential breaches. In addition, OWASP’s new resilience requirements mandate that mobile apps must be able to detect rooted or jailbroken devices, leverage multiple defense mechanisms and include multiple response types based on the threats detected.
- GDPR — The new General Data Protection Regulation (GDPR) — covering the personal information of EU and British citizens, wherever it is stored — requires that consumer data be provided rapidly when its owners request it, along with strict control over how this data is accessed, transmitted and stored. The result? Apps not built to reflect this standard could lead to sanctions, fines and serious damage to corporate reputation.
- PCI DSS — PCI DSS also requires organizations to assess app security vulnerabilities using reputable outside sources and to assign a severity ranking to these vulnerabilities. Best bet? Build in these collection capabilities from day one rather than trying to add on security layers after the fact.
- HITRUST CSF — Not only are commercial software products required to undergo security assessments before implementation, automated security controls are mandated for all applications.
Building Best Practices for Protecting your Apps and Data
It’s one thing to know that software and application security regulations are starting to standardize and solidify — and another to build out best practices that deliver natively secure applications. Start with the big questions when you’re designing new applications: Can security requirements be tested? Reliably? Can the results be accurately measured? Are security outcomes and processes clear and unambiguous? Do they meet relevant requirements for distribution? For example, if you’re designing an application to handle global, retail mobile traffic, does it comply with PCI-DSS and GDPR expectations?
The nitty-gritty is up next. This means building in automated security controls capable of detecting common threat vectors such as SQL injection, session hijacking and credential spoofing, in addition to reporting potential breach incidents in real time. Other strong options include the use of post-compile injection to provide anti-root, anti-tamper and runtime checks — these are especially useful for critical software already deployed across corporate networks, since you aren’t on the hook to recode critical functions from the ground up.
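The layered approach described above (several independent defense mechanisms, graded response types, and real-time reporting), as an added example in plain Java that is not PreEmptive's code and not any tool the page describes: a self-check class that combines a root-indicator scan, a debugger-attachment check and a pinned-hash integrity check, maps whatever fired to one of four responses, and reports every non-clean result. The `RuntimeDefense` class, the `IncidentReporter` interface and the list of indicator paths are assumptions for illustration; a post-compile injection tool would insert checks of this kind into an already-built binary rather than asking you to write them by hand.

```java
import java.io.IOException;
import java.lang.management.ManagementFactory;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not PreEmptive's code: a layered runtime self-check in the spirit of
 * the OWASP mobile resilience requirements. Three independent detections feed one
 * graded response policy, and every non-clean result is reported immediately.
 */
public class RuntimeDefense {

    /** Detections; each one is a separate defense mechanism. */
    public enum Signal { ROOT_INDICATOR, DEBUGGER_ATTACHED, INTEGRITY_MISMATCH }

    /** Response types, escalating with the severity of what was detected. */
    public enum Response { CONTINUE, REPORT_ONLY, DEGRADE, TERMINATE }

    /** Hypothetical sink for real-time incident reports (a logging or SIEM endpoint). */
    public interface IncidentReporter { void report(String message); }

    // Illustrative root indicators (assumption); production checks combine more signals.
    private static final String[] ROOT_INDICATOR_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/system/app/Superuser.apk"
    };

    private final Path protectedArtifact;   // file whose hash is pinned, e.g. the app's own code
    private final String pinnedSha256Hex;   // value recorded at build time
    private final IncidentReporter reporter;

    public RuntimeDefense(Path protectedArtifact, String pinnedSha256Hex, IncidentReporter reporter) {
        this.protectedArtifact = protectedArtifact;
        this.pinnedSha256Hex = pinnedSha256Hex;
        this.reporter = reporter;
    }

    /** Anti-root: does any well-known root indicator exist on this filesystem? */
    public boolean rootIndicatorPresent() {
        for (String p : ROOT_INDICATOR_PATHS) {
            if (Files.exists(Paths.get(p))) return true;
        }
        return false;
    }

    /** Anti-debug: was this JVM started with a JDWP debugging agent? */
    public boolean debuggerAttached() {
        for (String arg : ManagementFactory.getRuntimeMXBean().getInputArguments()) {
            if (arg.contains("jdwp")) return true;
        }
        return false;
    }

    /** Anti-tamper: does the artifact's current SHA-256 still match the pinned value? */
    public boolean integrityIntact() {
        try {
            String actual = toHex(sha256(Files.readAllBytes(protectedArtifact)));
            return actual.equalsIgnoreCase(pinnedSha256Hex);
        } catch (IOException e) {
            return false; // an unreadable artifact is a failure, never a pass
        }
    }

    /** Runs every detection and collects the signals that fired. */
    public List<Signal> collectSignals() {
        List<Signal> signals = new ArrayList<>();
        if (rootIndicatorPresent()) signals.add(Signal.ROOT_INDICATOR);
        if (debuggerAttached()) signals.add(Signal.DEBUGGER_ATTACHED);
        if (!integrityIntact()) signals.add(Signal.INTEGRITY_MISMATCH);
        return signals;
    }

    /** Response policy: modified code never runs; a hostile environment degrades or is reported. */
    public static Response decide(List<Signal> signals) {
        if (signals.contains(Signal.INTEGRITY_MISMATCH)) return Response.TERMINATE;
        if (signals.size() >= 2) return Response.DEGRADE;   // e.g. disable stored credentials
        if (signals.size() == 1) return Response.REPORT_ONLY;
        return Response.CONTINUE;
    }

    /** Detect, decide and report in one call; the caller acts on the returned response. */
    public Response enforce() {
        List<Signal> signals = collectSignals();
        Response response = decide(signals);
        if (response != Response.CONTINUE) {
            reporter.report("runtime defense: signals=" + signals + " response=" + response);
        }
        return response;
    }

    static byte[] sha256(byte[] data) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(data);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo: pin a temp file's hash, check it, then tamper with it and re-check.
        Path artifact = Files.createTempFile("app", ".bin");
        Files.write(artifact, "original code".getBytes(StandardCharsets.UTF_8));
        String pinned = toHex(sha256(Files.readAllBytes(artifact)));
        RuntimeDefense defense = new RuntimeDefense(artifact, pinned, System.err::println);
        System.out.println("before tampering: " + defense.enforce());
        Files.write(artifact, "patched code".getBytes(StandardCharsets.UTF_8));
        System.out.println("after tampering:  " + defense.enforce());
        Files.deleteIfExists(artifact);
    }
}
```

Compile and run with `javac RuntimeDefense.java && java RuntimeDefense`. On an ordinary developer machine the first `enforce()` call finds no signals, and the second, after the artifact is rewritten, returns `TERMINATE` and sends a report to the `IncidentReporter`; starting the JVM with a JDWP agent adds the `DEBUGGER_ATTACHED` signal, which shows how the policy escalates from reporting to degrading as independent detections accumulate. The point of the design is that each check is cheap and individually evadable, while the combination, together with the report that leaves the device, is what the OWASP resilience requirements are asking for.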
Today, application hardening and layered security measures are recognized as a critical feature of overall IT compliance. The result? Regulation is on the rise. Make sure you are compliant: Get familiar with applicable standards and implement app development best practices to boost basic security for all your apps worth protecting.
PreEmptive’s Protection Tools harden and shield your applications, protecting them against reverse engineering, dynamic analysis and live attacks. If you are building Java, Android, .NET or iOS applications that are worth protecting, get a free evaluation copy and start hardening your apps today, and join thousands of companies in over 100 countries that already do.