In mid-November 2011 IBM announced its first BYOD device management product, which we detailed in IBM's New Hosted Mobile Device Security - A Winning Hand?
It was IBM's first formal foray into mobile device management (MDM) and security, and its first real focus on enterprise BYOD (Bring Your Own Device). IBM has now followed it up with a new release of the IBM Security AppScan portfolio, focused on helping organizations develop mobile applications that are secure by design.
What does this mean exactly? Mobile device management focuses primarily on the state of a given device and on what a user may be doing with it. MDM does not, however, look at what a mobile application is actually doing, and it is entirely possible for a mobile app to misbehave (e.g. collect data it has no business collecting and send it somewhere it shouldn't) without either the MDM platform or the user knowing it is doing so.
The idea behind the new security technology IBM has announced is that IBM customers can now build security into the initial design of their mobile applications so that vulnerabilities will be detected early in the development process. The new product further expands IBM's strategy to provide its customers with a mobile platform that spans application development, integration, security and management.
The shift to mobile devices as the primary way of connecting to corporate networks is accelerating: there are now more than five billion mobile devices in the world, against only two billion computers. Securing those mobile devices is now a top priority for security executives and CIOs. As companies embrace the growing BYOD trend, the need to secure the applications that run on those devices is becoming far more critical.
According to the 2011 IBM X-Force Trend and Risk Report, mobile exploits increased by 19 percent in 2011. In addition, according to recently released data from the IBM Center for Applied Insights study, 55 percent of respondents cited mobile security as a primary technology concern over the next two years.
The rapid consumerization of mobile endpoints, applications and services has created the urgent need to secure corporate applications on employees' devices. With the latest release of the IBM Security AppScan portfolio, IBM now offers a robust application development security solution, allowing clients to integrate mobile application security testing throughout the application lifecycle.
Security On the Go
Mobile applications represent a new attack target, and they carry risks beyond the familiar web application vulnerabilities. Attackers are increasingly focusing on mobile applications because many organizations are not aware of the security risks introduced by even the most basic mobile application.
Mobile applications face the traditional threats: an attacker can perform a SQL injection or cross-site scripting attack against the application's back end just as against any web application. They also come under attack from malware and phishing, or from scanning QR codes that lead to malicious scripts. On top of that, mobile applications have vulnerabilities specific to the device: they often store sensitive data locally, and that data can be leaked by, or to, malicious applications on the same device. Once stored locally, it is typically outside the protection of corporate security programs.
AppScan's new analysis capabilities find these vulnerabilities, helping developers build more secure mobile applications. And AppScan isn't only for customers. "With more than 120,000 of our own employees accessing IBM's network through mobile devices, we have had to focus heavily on developing a way for employees to work safely and securely," notes Marc van Zadelhoff, vice president of Strategy and Product Management, IBM Security Systems. "Providing our customers with the ability to scan mobile applications, whether developed in-house or outsourced, for vulnerabilities as we do at IBM is the next step of our mobile strategy," van Zadelhoff adds.
Mobilizing the Workforce
The latest release of AppScan extends its static application security testing to native Android applications, which allows clients to test their own mobile applications themselves. In the past, mobile application security testing meant sending the application and its software IP (intellectual property) to an offsite vendor to test for vulnerabilities. That approach doesn't scale, and the turnaround is too slow, because mobile applications undergo constant revisions and updates. Organizations need to address mobile application security testing in-house, early in the software development life cycle.
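To make concrete the kind of device-specific data-leak issue described above (sensitive data stored where other apps can read it, or written to the device log), and the kind of static check an in-house scan of Android source can run early in the life cycle, here is a small pattern-based checker. It is an added example written for this article, not IBM AppScan code; the rule set, the `Finding` type and the two constructed `LoginActivity` sources are illustrative assumptions.

```python
"""Toy static checker for common Android data-leak patterns.

Added example, not IBM AppScan code. Scans Java source text for a few
well-known insecure-storage, logging and cleartext-transport patterns and
reports each hit with its line number. The sample sources below are
constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Pattern, Tuple


@dataclass(frozen=True)
class Finding:
    rule: str   # rule name
    line: int   # 1-based line number in the scanned source
    text: str   # the offending line, stripped


# (rule name, regex, rationale). Illustrative rules, not an exhaustive set.
RULES: List[Tuple[str, Pattern, str]] = [
    ("world-readable-file",
     re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)"),
     "file or preferences readable/writable by any app on the device"),
    ("external-storage-write",
     re.compile(r"getExternalStorage(Public)?Directory\s*\("),
     "external storage is shared with every app holding the storage permission"),
    ("sensitive-data-logged",
     re.compile(r"Log\.[vdiwe]\s*\(.*\b(password|token|secret|ssn)\b", re.IGNORECASE),
     "logcat is readable by other apps on older Android and by anyone with adb"),
    ("cleartext-http",
     re.compile(r"\"http://"),
     "credentials or session data sent without TLS"),
]


def scan_source(source: str) -> List[Finding]:
    """Return one Finding per (line, rule) match, in source order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):
            continue  # ignore line comments
        for name, pattern, _rationale in RULES:
            if pattern.search(line):
                findings.append(Finding(name, lineno, stripped))
    return findings


# Constructed sample: stores a session token world-readable, logs it,
# writes to shared external storage and posts over cleartext HTTP.
VULNERABLE_ACTIVITY = """\
package com.example.bank;
import android.content.SharedPreferences;
import android.util.Log;
public class LoginActivity {
    void saveSession(String user, String token) {
        SharedPreferences prefs = getSharedPreferences("session", MODE_WORLD_READABLE);
        prefs.edit().putString("token", token).apply();
        Log.d("Login", "user=" + user + " token=" + token);
        File export = new File(getExternalStorageDirectory(), "statement.csv");
        post("http://api.example.com/login", token);
    }
}
"""

# Constructed hardened version of the same activity.
HARDENED_ACTIVITY = """\
package com.example.bank;
import android.content.SharedPreferences;
public class LoginActivity {
    void saveSession(String user, String token) {
        // MODE_PRIVATE: only this app's UID can read the file
        SharedPreferences prefs = getSharedPreferences("session", MODE_PRIVATE);
        prefs.edit().putString("token", token).apply();
        File export = new File(getFilesDir(), "statement.csv");
        post("https://api.example.com/login", token);
    }
}
"""


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_ACTIVITY), ("hardened", HARDENED_ACTIVITY)):
        hits = scan_source(src)
        print(f"{label}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  line {f.line}: [{f.rule}] {f.text}")
```

Run stand-alone it reports four findings on the vulnerable source (lines 6, 8, 9 and 10) and none on the hardened one. A grep-style checker like this is cheap to run on every commit, but it only matches surface syntax; a production static analyzer tracks data flow, so it can tell a token that reaches `Log.d` through three method calls from one that never leaves private storage, and it does not fire on a constant named `token` that holds nothing sensitive.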
In addition to the mobile application testing capabilities, there are significant new capabilities from which customers can benefit:
- Integration with IBM's QRadar Security Intelligence Platform allows for increased Security Intelligence when an application is moved into production. By correlating known application vulnerabilities with user and network activity, QRadar can automatically raise or lower the priority score of security incidents
- A new Cross Site Scripting (XSS) analyzer which uses a learning mode to quickly evaluate millions of potential tests from less than 20 core tests. This new XSS analyzer finds more XSS vulnerabilities faster than any previous version of AppScan
- New static analysis capabilities help companies adopt broad application security practices through simplified on-boarding of applications and empowering non-security specialists to test faster than with prior releases
- Predefined and customizable templates that provide development teams the ability to quickly focus on a rule set prioritized by their security teams, helping corporations focus on key issues for them across their organization
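The QRadar integration in the first item rests on a simple idea: an attack against an endpoint the scanner already knows to be vulnerable to that class of attack deserves a higher priority than the same signature against a patched or unknown target. The following is an added example written for this article, not QRadar or AppScan code, showing that correlation over a constructed finding inventory and a constructed set of IDS/WAF events; the field names, the scoring offsets and the hostnames are assumptions.

```python
"""Vulnerability-aware prioritization of network security events.

Added example, not IBM QRadar or AppScan code. Correlates application scan
findings (host, path, vulnerability class, status) with network events so
that an attack matching a known open finding is scored up, one matching an
already-fixed finding is scored down, and everything else keeps the
sensor's base score. All data below is constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ScanFinding:
    app: str         # production hostname of the application
    path: str        # URL path the finding applies to
    vuln_class: str  # e.g. "sqli", "xss"
    status: str      # "open" or "fixed"


@dataclass(frozen=True)
class Event:
    event_id: str
    src_ip: str
    dest_host: str
    path: str
    signature: str   # sensor's attack class, e.g. "sqli"
    base_score: int  # severity reported by the sensor, 1-10


# Constructed scan findings exported to the SIEM.
FINDINGS = [
    ScanFinding("shop.example.com", "/search", "sqli", "open"),
    ScanFinding("shop.example.com", "/comment", "xss", "fixed"),
]

# Constructed IDS/WAF events (RFC 5737 documentation addresses).
EVENTS = [
    Event("e1", "203.0.113.7", "shop.example.com", "/search", "sqli", 5),
    Event("e2", "203.0.113.7", "shop.example.com", "/comment", "xss", 5),
    Event("e3", "203.0.113.9", "shop.example.com", "/search", "xss", 5),
    Event("e4", "198.51.100.4", "intranet.example.com", "/login", "sqli", 5),
]

OPEN_BOOST = 4     # assumed offsets; a real SIEM exposes these as tunables
FIXED_PENALTY = 2


def index_findings(findings: List[ScanFinding]) -> Dict[Tuple[str, str, str], str]:
    """Map (host, path, vuln_class) -> status for O(1) lookup per event."""
    return {(f.app, f.path, f.vuln_class): f.status for f in findings}


def score_event(event: Event, index: Dict[Tuple[str, str, str], str]) -> Tuple[int, str]:
    """Return (adjusted score clamped to 1..10, reason)."""
    status = index.get((event.dest_host, event.path, event.signature))
    if status == "open":
        return min(10, event.base_score + OPEN_BOOST), "attack class matches a known open finding"
    if status == "fixed":
        return max(1, event.base_score - FIXED_PENALTY), "attack class matches a finding already fixed"
    return event.base_score, "no scan data for this target and attack class"


def prioritize(events: List[Event], findings: List[ScanFinding]) -> List[Tuple[str, int, str]]:
    """Score every event and return (event_id, score, reason) highest first."""
    index = index_findings(findings)
    scored = [(e.event_id, *score_event(e, index)) for e in events]
    return sorted(scored, key=lambda s: s[1], reverse=True)


if __name__ == "__main__":
    for event_id, score, reason in prioritize(EVENTS, FINDINGS):
        print(f"{event_id}: {score:2d}  {reason}")
```

Note that `e3` is an XSS signature against `/search`, where the only known finding is SQL injection, so it keeps its base score: the correlation key includes the attack class, not just the host. A finding is only as current as the last scan that produced it, so the inventory must be refreshed whenever an application is redeployed, or a fixed issue will keep suppressing real attacks.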
In addition to the QRadar integration, AppScan offers integration points with IBM Security Network IPS and IBM Security SiteProtector, and is regularly sold alongside IBM Guardium and IBM Security Access Management solutions for end-to-end application security. The approach is to provide a comprehensive, integrated security framework for applications across the development and production lifecycle.