Application security initiatives and programs have become good at reaching the places where an organization’s data lives and protecting it against threats, but that is only one piece of the security puzzle. With limited time, resources, and people available for security, organizations have to prioritize what gets protected.
“For instance, an organization may develop 100 different applications. Since it is not always cost-effective or time-efficient to come up with a customized security plan for each application, only the applications considered critical receive top priority, maybe five or six of them, and the remaining 95 or so are deprioritized in terms of security,” said Chad McDonald, chief information officer and chief information security officer at Digital.ai, a software solutions provider. “That doesn’t mean those 95 applications don’t require protection; it just means that the risk is somewhat lower,” he noted.
McDonald explained that this lack of resources and forced prioritization results in poor endpoint security, and the concern grows with mobile devices. These devices often handle highly sensitive data and systems, including banking information, credit cards, and medical records and equipment. According to a recent report, a majority of financial applications are vulnerable to basic reverse engineering attacks because they lack simple binary code protections that validate whether or not the application is running in a safe environment.
“There is a whole host of information that now lives on your mobile device or is accessed via your mobile device via an application,” said McDonald. “We haven’t yet seen security controls get pushed down broadly to that point.”
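What a binary code protection that “validates whether the application is running in a safe environment” amounts to in practice, as an added illustration (this is not code from the article, from the report it cites, or from Digital.ai): a native-code check of the kind compiled into an Android app, which reads the TracerPid field of /proc/self/status to detect an attached debugger and probes a few well-known su binary locations as root indicators. The list of root paths and the fail-closed policy when /proc cannot be read are assumptions made for this example.

```c
/* Added example of a runtime environment check for a Linux/Android-style
 * process. Not taken from the article or Digital.ai; the root-indicator
 * paths and the fail-closed policy below are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Parse the TracerPid field out of /proc/<pid>/status text.
 * Returns the tracer's pid (0 = nobody is ptrace-attached), or -1 if the
 * field is absent from the text. */
long tracer_pid_from_status(const char *status_text) {
    const char *key = "TracerPid:";
    const char *p = strstr(status_text, key);
    if (p == NULL) return -1;
    p += strlen(key);
    while (*p == ' ' || *p == '\t') p++;
    return strtol(p, NULL, 10);
}

/* Read the live /proc/self/status (Linux/Android only) and parse it.
 * Returns -1 when /proc is unavailable so the caller can decide how to
 * treat "unknown"; this example treats unknown as unsafe. */
long current_tracer_pid(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) return -1;
    char buf[4096];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf);
}

/* Count how many of the given paths exist. On Android, an su binary or a
 * superuser manager package on disk is a common indicator of a rooted
 * device (assumed list; real products check many more signals). */
int count_existing_paths(const char *const *paths, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (access(paths[i], F_OK) == 0) hits++;
    return hits;
}

/* Policy assumed for the example: safe only when no tracer is attached
 * (TracerPid exactly 0; -1 "unknown" fails closed) and no root indicator
 * was found. */
int environment_is_safe(long tracer_pid, int root_indicators) {
    return tracer_pid == 0 && root_indicators == 0;
}

int main(void) {
    static const char *const root_paths[] = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su",
        "/data/local/tmp/su", "/system/app/Superuser.apk",
    };
    long tp = current_tracer_pid();
    int roots = count_existing_paths(root_paths,
                                     sizeof root_paths / sizeof *root_paths);
    printf("TracerPid=%ld root_indicators=%d safe=%d\n", tp, roots,
           environment_is_safe(tp, roots));
    return 0;
}
```

Run the binary under gdb or strace and TracerPid becomes nonzero, so the check fails. The caveat a practitioner should keep in mind is that a check like this only raises the bar: an attacker who can reverse engineer the binary can also patch out the branch on `environment_is_safe`, which is why such checks are normally paired with code obfuscation and integrity checks rather than shipped on their own.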
It is difficult to tackle mobile endpoint security when an application is built from several different programming languages. Operating systems are constantly evolving and being refactored, which complicates matters further and takes a toll on application security. But mobile endpoint security cannot be ignored or applied only to the more business-critical applications. McDonald explained that even the “lesser important applications” can still touch other parts of the organization and do significant damage.
“The bad guys only have to be right once. They only have to get into one app,” he said. “You very rarely see an attacker come indirectly through the system they’re trying to attack. More often, they attack a vulnerable system, gain some level of control inside the perimeter, and then pivot to something more critical.” In a mobile context, that translates to an attacker exploiting one of the less critical applications, looking for a way to jump into a more relevant system or to elevate privileges from user to administrator, and then interrupting operations or shutting down the server.