25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

2015 Application Data Security Study Released

The Sans Institute has recently released the findings from this year’s mobile app security survey. The report, “2015 State of Application Security – Closing the Gap”, explores the differences in attitude between mobile application developers and security operations teams: Those responsible for protecting the data recorded, stored, and transmitted by applications.

The survey was conducted on 435 individuals, of which 35% were application developers, with the remaining 65% comprising respondents from the data security industry.

The Gap between Developers and Security Professionals is Closing

One of the main issues limiting the adoption of mobile applications – especially in the healthcare industry – is a lack of robust data security protections for mobile devices. Developers are excellent at creating useful and fully functional apps, but they lack the knowledge to make the apps secure; a necessity before health apps can be used by medical professionals.

Security professionals excel at securing mobile applications, but many do not understand the App development process. To make matters worse, there is very little dialog between the two groups.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

It is difficult for developers to build 100% secure applications when they do not know exactly what is required, and hard for security experts to develop protections if applications have not been developed with data security in mind.

Fortunately, over the past few months, conversations have been taking place and progress is being made. Security is being discussed at App industry conferences and the gap between the two groups finally appears to be closing; however, Sans Institute researchers are well aware there is still some ground to cover.

Main Challenges for Developers and Security Professionals

 

The survey asked both groups their opinions on the main challenges they faced. For security professionals charged with defending applications, the main challenges were identified as:

  • Identifying all applications within the portfolio
  • Fear of breaking an app applying security protections
  • A lack of communication between developers, security teams, and other organization members

For mobile app developers, the most difficult challenges to overcome are:

  • Delivering mobile application features within an agreed time frame
  • A lack of knowledge about how to make applications secure
  • A lack of management funding

 

The solution to many of the problems is better communication between the two groups. Each group lacks an understanding of the other’s needs, and both teams need to work more closely together and explain their needs.

The main priority for developers is to create a fully functional application and release it to market on time. Ensuring the application is secure has long been seen as being somebody else’s responsibility. Not enough consideration has been given to making mobile applications secure. Many developers do not even perform any security testing prior to the release of new applications.

Developers and Defenders see Eye to Eye on Industry Challenges

 

The two groups may have different objectives and views on the main challenges being faced by the industry, but when it comes to protecting mobile apps the two groups share the same opinions; the biggest security risk comes from public-facing web applications, and therefore the main priority should be securing interfaces.

The Sans survey indicates 74% of developers and security professionals believe web applications to be one of the biggest risks to application data security; a significant increase compared to last year’s survey, when web applications were rated as being of concern by 38% of respondents.

Drivers for Application Security Programs

 

Mobile developers share the same views as physicians and health IT professionals when it comes to the drivers behind developing enhanced security controls: Complying with regulations and passing security audits. 71.5% of respondents rated compliance as the main driver. Limiting the economic impact of security breaches was in close second, with 69.6% of respondents ranking this is a major driver.

Moving Forward Together to Address Application Security Issues

 

The report provides valuable insights into the challenges facing both developers and security teams and suggests a number of ways the two groups can work more closely together to achieve common objectives and to make each other’s working lives easier.

Fortunately, respondents believed that mobile application security budgets would increase over the course of the coming year, which will help in this regard.

Both groups are all too aware of the challenges that are coming. New applications are being developed in different languages, a wide variety of frameworks are being used, and the threat landscape is forever changing. Fortunately, developers also appreciate this and are keen to make their apps secure. The best way to help them develop secure mobile applications is for security teams to tell them exactly what is needed.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist