MOBILE APPLICATION SECURITY BY DESIGN
WHY SHOULD SECURITY MATTER? Mobile security breaches have affected more than two-thirds (68 percent) of global organizations in the last 12 months, according to a study from BT. A breach can cause both reputational and economic harm to your business. So does this mean we all need to get ourselves a Blackphone? We don’t think so. In this presentation we provide a comprehensive breakdown of the security threats that are out there, help you assess where you stand, and explain why you should consider using Security by Design for all your mobile applications.
SECURITY AGAINST WHAT?
- Unauthorized access to corporate or personal data
- Unauthorized use of a user’s privacy-protected data and information (e.g. location)
- Theft of funds, banking credentials, or credit card numbers
- Theft of a user’s corporate or personal credentials
- An attacker compromising an end user’s device as a conduit into the corporate network
- An attacker accessing mobile device features and other applications
- Loss of productivity (e.g. when the environment is not stable or an employee’s battery is drained)
- Regulatory violations
WHAT KIND OF THREATS ARE OUT THERE? (WEB VS. NATIVE) Different platforms carry different levels of risk. For example: computers are exposed to viruses and malware delivered by malicious code that runs when a document is opened, a script executes on a web site, or an executable is launched. Mobile devices don’t yet face this risk in the same way; their primary risk is the applications themselves, which are executables that may try to access data on the phone or, in the case of Android, embed themselves deep into the operating system as a rootkit.
WHAT KIND OF THREATS ARE OUT THERE? (EXT. VS. INT.)
External threats: Hackers, organized crime and corporate espionage. These actors aim to steal money from financial transactions, intellectual property, credentials or personal profiles they can sell, or to gain a foothold in a corporate network that gives them better access to one of the assets above.
Internal threats: Users who are authorized to use systems and access data through applications. They can, intentionally or unintentionally, escalate their privileges or perform functions they are not authorized to perform, which lets them view, delete, or steal data they should not have access to.
HOW TO ASSESS WHERE YOU STAND? (PART 1 OF 2) Understand your current and future plans for security in:
Infrastructure: This may include the overall network infrastructure, internet points of presence, mobile gateways, and business continuity contingencies. Encryption and other secure mechanisms should be in place for both the transport and the storage of data.
Security policies: These policies should support regulatory requirements as well as industry best practices, including ISO 27001:2013 requirements and data security implementation. Examples include using access controls such as passwords to restrict access to data, reviewing user access rights and roles at regular intervals, and creating procedures to ensure security eve
HOW TO ASSESS WHERE YOU STAND? (PART 2 OF 2)
Development, testing and QA: Assess the processes for development, system testing and QA, security testing, and deployment.
Environment: The environment should be adequate for your needs and should mitigate the identified risks. Mobile environments should have a fail-over site to ensure redundancy and high availability.
Training of employees: Training employees increases compliance with security policies and decreases breaches caused internally.
Education of users: Users can be customers or employees. Be transparent with the users of your mobile apps about the level of security they can expect within the application, and communicate this within the user journey.
KEY RECOMMENDATION: SECURITY BY DESIGN Think about security at every stage of app development. Mobile application development should include security checks throughout the development life cycle, including the design, testing and QA processes. Preventive maintenance should be performed to regularly improve the apps’ code.
CASE STUDY: CEMEX
Goal: Identify potential security risks and propose recommendations to mitigate them, while identifying immediate activities that would help CEMEX secure its mobile environment.
Solution: Golden Gekko (A DMI Company) performed a risk assessment of CEMEX’s mobile infrastructure and architecture, CEMEX’s mobile app development process, and two existing apps, Sales 360 and MyCEMEX.
Results: Golden Gekko (A DMI Company) put forward a proposal with key activities to safeguard CEMEX’s mobile environment.
TRUSTED AQUA PARTNER The App Quality Alliance (AQuA) is the mobile industry’s organization supporting quality app development. Golden Gekko (A DMI Company)’s Trusted Status endorsement means that our app development services and QA practices have been assessed, validated and endorsed by AQuA in a stringent process that ensures only the highest quality output. “Golden Gekko (A DMI Company)’s approach of agile software development life and iterative QA processes demonstrates that they share our vision when it comes to developing real quality in the app market.” – Martin Wrigley, Executive Director, AQuA
INTERESTED IN DOING A MOBILE SECURITY AUDIT OF YOUR COMPANY? WANT TO LEARN MORE ABOUT HOW TO PROTECT YOUR CUSTOMERS’ DATA AND HELP MANAGE THEIR PRIVACY? CONTACT US FOR A CALL OR MORE INFORMATION. web www.goldengekko.com email firstname.lastname@example.org