Share this article on:
The Sans Institute has recently released the findings from this year’s mobile app security survey. The report, “2015 State of Application Security – Closing the Gap”, explores the differences in attitude between mobile application developers and security operations teams: Those responsible for protecting the data recorded, stored and transmitted by applications.
The survey was conducted on 435 individuals, of which 35% were application developers, with the remaining 65% comprising respondents from the data security industry.
The Gap between Developers and Security Professionals is Closing
One of the main issues limiting the adoption of mobile applications – especially in the healthcare industry – is a lack of robust data security protections for mobile devices. Developers are excellent at creating useful and fully functional apps, but they lack the knowledge to make the apps secure; a necessity before health apps can be used by medical professionals.
Security professionals excel at securing mobile applications, but many do not understand the App development process. To make matters worse, there is very little dialog between the two groups.
It is difficult for developers to build 100% secure applications when they do not know exactly what is required, and hard for security experts to develop protections if applications have not been developed with data security in mind.
Fortunately, over the past few months, conversations have been taking place and progress is being made. Security is being discussed at App industry conferences and the gap between the two groups finally appears to be closing; however, Sans Institute researchers are well aware there is still some ground to cover.
Main Challenges for Developers and Security Professionals
The survey asked both groups their opinions on the main challenges they faced. For security professionals charged with defending applications, the main challenges were identified as:
- Identifying all applications within the portfolio
- Fear of breaking an app applying security protections
- A lack of communication between developers, security teams and other organization members
For mobile app developers, the most difficult challenges to overcome are:
- Delivering mobile application features within an agreed time-frame
- A lack of knowledge about how to make applications secure
- A lack of management funding
The solution to many of the problems is better communication between the two groups. Each group lacks understanding of the other’s needs, and both teams need to work more closely together and explain their needs.
The main priority for developers is to create a fully functional application and release it to market on time. Ensuring the application is secure has long been seen as being somebody else’s responsibility. Not enough consideration has been given to making mobile applications secure. Many developers do not even perform any security testing prior to the release of new applications.
Developers and Defenders see Eye to Eye on Industry Challenges
The two groups may have different objectives and views on the main challenges being faced by the industry, but when it comes to protecting mobile apps the two groups share the same opinions; the biggest security risk comes from public-facing web applications, and therefore the main priority should be securing interfaces.
The Sans survey indicates 74% of developers and security professionals believe web applications to be one of the biggest risks to application data security; a significant increase compared to last year’s survey, when web applications were rated as being of concern by 38% of respondents.
Drivers for Application Security Programs
Mobile developers share the same views as physicians and health IT professionals when it comes to the drivers behind developing enhanced security controls: Complying with regulations and passing security audits. 71.5% of respondents rated compliance as the main driver. Limiting the economic impact of security breaches was in close second, with 69.6% of respondents ranking this is a major driver.
Moving Forward Together to Address Application Security Issues
The report provides a valuable insight into the challenges facing both developers and security teams, and suggests a number of ways the two groups can work more closely together to achieve common objectives and to make each others working lives easier.
Fortunately, respondents believed that mobile application security budgets would increase over the course of the coming year, which will help in this regard.
Both groups are all too aware of the challenges that are coming. New applications are being developed in different languages, a wide variety of frameworks are being used, and the threat landscape is forever changing. Fortunately developers also appreciate this and are keen to make their apps secure. The best way to help them develop secure mobile applications is for security teams to tell them exactly what is needed.
The full Sans Survey can be downloaded here.