CIOs repeatedly say, "Security is a top priority." But how can that be, when the truth is that most apps out there are insecure? CIOs and developers are in a tight spot: they know that security must be a focus, yet they aren't delivering it.
Unfortunately, they also know that it's their butt on the line if one of their apps is hacked. According to Gartner, more than two-thirds of CIOs say that security, hacking, and malware are their number one priority. Confused? You're not alone.
Thousands of apps are being deployed into production every day. Gartner analyst Richard Marshall predicts that "market demand for mobile app development services will grow at least five times faster than internal IT organizations' capacity to deliver them, by the end of 2017."
Therein lies the rub. How can this be happening if security is all CIOs are thinking about and it keeps us awake at night?
Let's Break It Down
It's happening for a few reasons, but really it comes down to features, budget and time. I've been building software for a long time, and this is not a problem that is unique to mobile app development. I can't count how many times a customer has said, "We have $50,000 and 60 days and need an initial MVP with most of the functionality of the Facebook app." Wait -- WHAT?!?
We then talk them down from the ledge and agree on a much more reasonable expectation, one that always includes time for security, scaling and testing. Then the project begins, and there's constant pressure to build more, more, more for less, less, less.
I'm sure the first caveman contractor had this problem, too. He priced a modest 200-square-foot cave, but his customer envisioned a 3,000-square-foot luxury penthouse cave. He tried to deliver what he could with the time and money he had, but in the process he forgot the doors and locks and skipped some of the details, like floors. I recognize that I am making a joke about this, but it's a very old problem: we are humans. We like to please, even if that means accepting some risk.
Praying a Data Breach Won't Happen Is Not the Solution
It is important to note that 65 percent of organizations state the security of their apps is often put at risk because of customer demand or need, and 77 percent cite "rush to release" pressures as a primary reason why mobile apps contain vulnerable code. CIOs don't have the time or the resources to build security in from the start. Instead, we bite our nails, say a few Hail Marys, and hope a breach doesn't happen.
Security is not easy. It never has been. It takes a great deal of time and effort to learn and stay on top of the multitude of tasks, such as how to implement cryptography correctly, protect against data leakage, secure your server-side controls, prevent client-side injection, and protect against application tampering, to name just a few. And all the while, you must ensure these protections are present on every one of the many devices available to an end user today. It's a fact: it is challenging.
But do you remember when scaling your website or app was also a challenge? Think back to the mid to late '90s. Back then, I was running tech at a startup called Bolt.com. We were pretty big and had a dedicated rack at a hosting facility in New Jersey, while our offices were located in downtown Manhattan. Whenever we had a problem with a server (yes, a physical server!), one of our system administrators had to hop on the train and get over to our rack to troubleshoot it.
Eventually, things got better. First, managed hosting came in, and there was an admin we could call who would help us troubleshoot. Then the cloud arrived, and our friends at Amazon Web Services (AWS) started offering amazing options for hosting. It saved us huge amounts of money and time, and -- most importantly -- helped us deploy incredibly stable and scalable sites.
This is where we are with security today. There are options, but you need to plan up front, and we definitely don't need to reinvent the wheel every time we build a new app.
What's a CIO To Do?
I believe CIOs and developers when they say security is and needs to be a number one focus. The rest of the enterprise needs to believe it and act as well. The lack of resources and pressure from above mean that supplying insecure apps feels like the only option. The reality is that it simply is not. CIOs should consider the following three things:
Start with a replicable architecture or framework. Don't make it custom for every application; nearly all modern web development leverages a framework to protect against things like SQL injection, cross-site scripting, session hijacking, and cross-site request forgery. Those protections only hold if you use the framework's mechanisms (parameterized queries, auto-escaping templates, its CSRF tokens) rather than bypassing them with hand-built strings. Mobile development is no different from traditional development in this respect. Use an established mobile security framework or platform as a base.
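What "the framework protects you" means in practice, as an added example that is not from the article or from Appmobi's platform: a hybrid HTML5/Cordova app builds its own markup in JavaScript, so untrusted data concatenated into HTML runs as script inside the WebView, with access to every Cordova plugin the app has enabled. The vulnerable and hardened renderers below are hypothetical functions written for this page; the sample display name is constructed. The block also shows the caveat a practitioner wants: HTML escaping is context-specific, so a `javascript:` URL survives escaping inside an `href` and needs a scheme allow-list instead.

```javascript
// Added example (not from the article or Appmobi): client-side injection in a
// hybrid app, vulnerable form beside the hardened form. Runs under Node.

// Constructed sample input: a display name as it might arrive from an API.
const UNTRUSTED_NAME = '<img src=x onerror="alert(document.cookie)">';

// Vulnerable: string concatenation, the typical "just set innerHTML" shortcut.
function renderGreetingUnsafe(name) {
  return '<p>Welcome back, ' + name + '</p>';
}

// Hardened: encode the five characters that change meaning in HTML text and
// quoted-attribute contexts. A framework's templating layer does this for you.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

function renderGreetingSafe(name) {
  return '<p>Welcome back, ' + escapeHtml(name) + '</p>';
}

// Escaping is context-specific: inside an href the escaped text is still a
// URL, so "javascript:alert(1)" passes escapeHtml untouched. Parse the URL and
// allow-list the scheme; anything else collapses to a harmless "#".
function safeHref(url) {
  let parsed;
  try {
    parsed = new URL(String(url));
  } catch (e) {
    return '#';
  }
  return (parsed.protocol === 'http:' || parsed.protocol === 'https:')
    ? escapeHtml(parsed.href)
    : '#';
}

function renderLink(url, label) {
  return '<a href="' + safeHref(url) + '">' + escapeHtml(label) + '</a>';
}

// Heuristic used only to show the difference: does the markup still contain
// a real tag carrying an event handler, a script tag, or a javascript: href?
function hasActiveMarkup(html) {
  return /<script\b|<\w+[^>]*\bon\w+\s*=|href\s*=\s*["']?\s*javascript:/i.test(html);
}
```

The unsafe greeting renders a live `onerror` handler; the safe one renders the same bytes as visible text, and `renderLink('javascript:alert(1)', 'Profile')` yields `<a href="#">Profile</a>`. A templating engine that auto-escapes gives you the first fix by default, but the URL check is something you still have to apply deliberately at the point of use.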
Use Mobile Application Management (MAM) as a solution, employing existing infrastructure tools. With so many organizations adopting a "Bring Your Own Device" (BYOD) policy, a MAM platform allows your IT staff to easily deploy your application(s) to employees' devices, control access to sensitive business data, and remove locally cached business data from a device if it is lost or when the employee leaves the company.
Encrypt at the base layer, using a combination of MAM and a replicable architecture. When a MAM solution is integrated with a mobile security framework, you can be sure you are leveraging all of the features necessary to manage your mobile platform (such as secure data storage, application updating, and analytics) with vetted encryption rather than home-grown crypto, and with the data keys held by the managed container rather than beside the data they protect.
The road ahead for creating secure enterprise apps might not be easy, but it will be worth it. After all, the average data breach cost was $6.5 million per incident in the U.S. alone in 2015. That's money on the table that can be put to better use. It's time to think ahead.
Author Mark Stutzman is CTO of Appmobi, the secure mobile services platform that promises to make hybrid HTML5 and Cordova-based enterprise-grade apps secure in minutes, not months.