Application security has never exactly been a simple matter. In the past few years, though, it has become far more challenging than ever before, for a number of key reasons. Most notably, the number of threats has increased dramatically, while both attackers' techniques and the code being protected have become far more complex. At the same time, the stakes have gone up, meaning that effective application security must be a priority for virtually every enterprise, not just software firms.
A recent Arxan Technology report put the application security threat landscape into perspective. The study found that among the top 100 paid Android apps, all but three have been successfully hacked. For the top Apple iOS apps, 87 percent had been hacked. As for popular free apps, more than three quarters of both Android and iOS applications were infiltrated by cyberattackers.
Android app security breaches were more pronounced in several key verticals. Most notably, 90 percent of health care and medical Android apps were hacked, and the same percentage of retail/merchant apps were breached. Apple iOS fared better in these areas, with only 35 and zero percent of apps in these verticals experiencing intrusions, respectively. When it came to mobile financial apps, though, both Android and Apple iOS saw hacking rates of at least 70 percent.
This speaks to a number of separate issues. On one hand, it is clear that individuals and organizations need to be careful when using apps, as these resources may be vulnerable to cyberattacks, which in turn can lead to data breaches, identity theft, fraud and other negative outcomes. However, these statistics also highlight the fact that companies are not doing enough to ensure the apps they release are actually secure.
When a company releases an insecure app and it is breached, the organization runs the risk of a significant backlash, as its reputation will be severely damaged. Consumers are becoming increasingly aware of the importance of protecting themselves and their sensitive information from cyberthreats. They will consequently avoid patronizing firms that have failed to safeguard their clients' data in the past.
The difficulty of protecting applications from cybersecurity threats is exacerbated by the evolution of coding in recent years, as Dark Reading contributor Jeff Williams recently explained. He pointed out that the average midsize financial firm now has a portfolio of more than 1,000 applications, each of which will have hundreds of thousands of lines of code.
Clearly, this is a massive amount to oversee. Yet mistakes affecting any aspect of this code can potentially lead directly to a security issue. Considering these numbers, it's not surprising that so many companies have experienced cybersecurity breaches in recent years.
A new approach
According to Williams, this new coding landscape demands an updated approach to application security. He noted that while manual penetration testing and code review were sufficient in the past, they are simply inadequate for the larger and more complex code bases that companies now use on a regular basis.
One key new approach, the writer asserted, is the use of high-quality tools that are automated and instantaneous.
"These tools instrument the software development process, gathering security information in real time as applications are built, integrated, tested and deployed," he wrote. "Most importantly, these tools, like continuous integration and continuous delivery tools, don't disrupt the normal software delivery process. Security tools that interfere with or slow down software delivery don't get used."
Code refactoring and static code analysis techniques that fit into existing development environments and workflows are two key examples of application security tools that meet these criteria. With these resources, developers can speed up the testing process while simultaneously improving their ability to identify and correct potential coding flaws.
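As an added illustration of the kind of tool described above (this is example code written for this page, not a tool from Dark Reading, Arxan or Jeff Williams), the following script is a minimal static-analysis gate of the sort that runs automatically in a continuous integration pipeline: it parses Python source files, reports dynamic code execution with non-literal input and string literals assigned to credential-looking names, and returns a non-zero exit code so the build fails before insecure code is deployed. The two rules and the sample files are constructed for illustration and are not a complete ruleset.

```python
"""Minimal static-analysis CI gate (added example, not a real product).

Assumptions (constructed for illustration): source files are supplied as
text, and the two rules below stand in for a real scanner's ruleset.
"""
import ast
from dataclasses import dataclass
from typing import Dict, List

# Calls flagged when any argument is not a literal constant (constructed rule).
DANGEROUS_CALLS = {"eval", "exec"}
# Assignment targets that look like credentials (constructed heuristic).
SECRET_NAMES = ("password", "secret", "api_key", "token")


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str


class _Visitor(ast.NodeVisitor):
    """Walks one module's syntax tree and collects findings."""

    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        # eval()/exec() on attacker-influenced input is the risk; a call whose
        # arguments are all literals is left alone to keep the signal clean.
        if isinstance(node.func, ast.Name) and node.func.id in DANGEROUS_CALLS:
            if not all(isinstance(a, ast.Constant) for a in node.args):
                self.findings.append(Finding(
                    "dynamic-code-execution", node.lineno,
                    f"{node.func.id}() called with non-literal argument"))
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # A string literal stored under a credential-like name is a likely
        # hardcoded secret that would ship inside the application.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(
                        s in target.id.lower() for s in SECRET_NAMES):
                    self.findings.append(Finding(
                        "hardcoded-secret", node.lineno,
                        f"string literal assigned to '{target.id}'"))
        self.generic_visit(node)


def scan_source(source: str) -> List[Finding]:
    """Parse one Python source text and return its findings ordered by line."""
    visitor = _Visitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


def ci_gate(sources: Dict[str, str]) -> int:
    """Print findings and return an exit code: 0 when clean, 1 otherwise."""
    total = 0
    for name, text in sources.items():
        for f in scan_source(text):
            print(f"{name}:{f.line}: [{f.rule}] {f.message}")
            total += 1
    return 1 if total else 0


# Constructed sample input standing in for a repository's files.
SAMPLE_FILES = {
    "settings.py": 'DEBUG = False\nAPI_KEY = "constructed-example-value"\n',
    "handler.py": (
        "def run(expr):\n"
        "    return eval(expr)\n"        # flagged: non-literal input
        "\n"
        "def constant():\n"
        "    return eval('1 + 1')\n"     # not flagged: literal argument
    ),
}

if __name__ == "__main__":
    raise SystemExit(ci_gate(SAMPLE_FILES))
```

Run as a pipeline step, the script's exit code is what makes it a gate: the build system treats a non-zero status as a failed check, so findings surface while the change is still being integrated rather than after deployment, which is the real-time, non-disruptive property the passage asks for.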