
Naivety no excuse for poor app security


The security war will never be won until all stakeholders – developers, service providers, consumers and everyone else in the value chain – start collaborating, sharing information and having open discussions about the threat landscape.

This common sentiment emerged during an F5 Networks-hosted roundtable on security and consumer hyperawareness in Johannesburg. Chaired by media personality Aki Anastasiou, roundtable participants, including F5 representatives, its partners and the media, agreed that today’s network and application security solutions are no longer up to the job.

Security is not about implementing solutions and hoping they work. Today, security is multifaceted, involving software, people and processes, and no single party can be responsible for security from end to end. Rather, security should be thought of as an ecosystem in which everyone in the value chain plays a role, especially as we become increasingly connected and as more business and personal functions migrate to applications.

But this is not currently the case.

It will never happen to me
While consumers are becoming more aware of the risks of putting personal information online, and are beginning to question how their data will be used, there is still a sense of naivety, especially when it comes to using apps. The majority of consumers blindly accept the terms and conditions of use, granting apps access to their personal information and assuming that the information they submit is secure. They trust that the device they’re using is automatically protected, and that Google Play, iTunes and the like have vetted and secured the apps. Ironically, both the device manufacturer and the app store assume that the consumer will protect their device, taking the view that the onus of security does not rest solely on them.

This is likely to become a bigger problem, as younger generations are accustomed to living their lives online and don’t think twice about uploading pictures and other personal information. It’s easy to find the answers to common security questions: a look at someone’s Facebook friends list is likely to turn up a mother’s maiden name, while a quick scan of Instagram will probably produce a photo of Fido, the teen’s first dog. With the abundance of information online, it’s almost too easy to steal someone’s identity or hack into their personal accounts.

You cannot manage what you can’t measure
While there is a lot of effort within the software development industry to write secure code, developers have no control over how consumers use their apps once they have downloaded them, especially if users leave their security settings unchanged and allow the public to access their profiles.
Take a water glass as an example. The glass was designed to be filled with liquid and used as a vessel to drink from. But if someone decided to turn the glass upside-down and spill the liquid, there’s not much the designer can do – that is how the user chose to use the glass.

And herein lies the key to effective security – understanding how consumers use and consume apps. Simply securing data in the app is no longer sufficient. Consumers are defining how they want to use apps and this is changing the way they need to be secured, especially within the enterprise.

Once businesses realise that people are the weakest link in the security chain, they can start to drive awareness and educate staff on the effect their behaviour could have on the enterprise. Organisations can have the best software in place, but this will be useless if staff do not start owning their behaviour and if vendors and partners do not take responsibility for their own security.

Many hands make light work
Which brings us back to the notion of the security ecosystem and trust in the value chain. When shopping online, we might trust the bank or the online store to protect our credit card information, but do we trust the courier service to do the same with our contact number and home address? It is therefore crucial that every party in the ecosystem understands what they’re trying to secure and takes responsibility for it, whether that’s the developer protecting the app, the enterprise protecting the network, or the end-user protecting the device – security is everyone’s business.

Equally important is understanding that security is a daily process that requires organisations and vendors to consistently enhance and adapt their approaches, because what worked today may not work tomorrow.
There will never be a security revolution. The war will be won through evolving strategies and collaboration, but the industry has a lot of work to do in terms of sharing information.

Security is bigger than every one of us. We need to start talking to each other and there needs to be a level of maturity from an enterprise and end-user perspective to ensure that any apps that are installed are secure and that the information we give out is protected. If we don’t, hackers will remain a step ahead of us while we will keep chasing our tails.

Roundtable participants:
* Gary Newe, director for Field Systems Engineering for the UK, Ireland and sub-Saharan Africa, F5 Networks;
* Carlos Marques, sales director for sub-Saharan Africa, F5 Networks;
* Martin Walshaw, senior engineer, F5 Networks;
* Bruce Busansky, CTO, Aptronics;
* Alex Russell, sales director, EOH; and
* Scott Carver, Information Security Consultant, Aptronics.