4 Van de Graaff Drive
01803 Burlington, MA, us
+49 (7950) 033370
Veracode Takes On Mobile Application Security in the Cloud
The Industry's Most Comprehensive Service for Independent Application Security Verification Expands Support to Android and Apple's iOS to Protect Enterprises from Mobile App Risks(PresseBox) ( BURLINGTON near Boston, Mass., )
Veracode currently provides application security verification for RIM's BlackBerry operating system (OS) and Windows Mobile. Support for Google's Android OS will be available this quarter with Apple iOS support in Q2 '11. Veracode is accepting all mobile app submissions, regardless of platform, for security verification as part of its extensive beta programme.
Veracode will discuss its new mobile application security services at the RSA Conference 2011 in San Francisco, February 14-18 at booth #629.
Security Shouldn't Be An Afterthought
Secure coding, security testing and basic security precautions may often be an afterthought in today's rapid mobile app development process, as evidenced, in-part, by the lack of encrypting bank account access codes in Citibank's iPhone app last year. The mobile app malware threat is also quickly progressing from simple "premium SMS and call" attacks that directly monetize by running up the victims bill, to full- blown mobile botnet functionality, such as the recently discovered Geinimi Trojan for Android phones.
"More and more enterprises are realizing that 2011 is quickly becoming the tipping point for mobile security issues," said Nigel Stanley, practice leader, IT security, Bloor Research. "For both active and passive attacks ranging from GSM air interface attacks through to the use of Trojan malware to target users, with Veracode I share my intense interest in best practices for mitigating these risks and what steps users, businesses, developers and organizations need to take to secure their smartphones and apps. With this launch, enterprises failing to investigate and act on mobile app security vulnerabilities due to lack of a pragmatic and cost-effective solution are no longer excusable."
Enterprises are threatened by applications built in-house, off-the-shelf, outsourced and with third-party components that are deployed via the cloud, web and on mobile platforms. To manage this mounting, and what appears to be uncontrollable, risk CIOs and CISOs must implement policy-driven application risk management programmes and seek independent security verification of all their applications including mobile applications from all their stakeholders across their entire software supply chain.
"CIOs and CISOs are increasingly aware that next generation software infrastructure for their enterprise is increasingly 'cloud-sourced' and developed from unknown or untrusted third-party app stores and developers," said Matt Peachey, VP EMEA, Veracode. "While the cost and functional benefits of embracing the cloud are many, it is critical to ensure the security risks associated with this model are controlled. Veracode's broadened platform support will enable security professionals to implement mobile app security policies as easily as they do for internally developed applications."
Setting New Mobile Security Standards
To increase industry awareness and dialogue about mobile app threats specifically, Veracode has established its "Mobile App Top 10 List." The goal of the list is to serve as an industry standard for categorizing malicious functionalities and to serve as a checklist of vulnerabilities that developers and security teams can collectively utilize to determine what mobile app risks exist and how they can be effectively and efficiently mitigated. While traditional security vulnerabilities can be compounded by mobile use case specifics and new, platform-particular challenges, the same best practices established in other environments should be adhered to.
"While much has been done in terms of setting standards for the security of web applications, we felt it was necessary to extend the same rigorous framework to mobile," said Chris Wysopal, CTO, Veracode. "In the mobile app market, we see both inadvertent coding errors and intentional, malicious code as security culprits. We strongly recommend industry-wide adoption of the Mobile App Top 10 for the development of apps, as part of an app store vetting process, for acceptance testing of an app, or for use by providers of security software running on mobile devices."
The Mobile App Top 10 List can easily be adopted by enterprises seeking to gain focus and control, and support more well-informed discussions with development teams about the security of their applications. It can also be an important foundation for understanding specific threats such as activity monitoring and data retrieval; unauthorized dialing, SMS and payments; system modification; and sensitive data leakage, which can be magnified in a mobile environment.
Most importantly, The Mobile App Top 10 can serve as the standard to which compliance must be demonstrated through independent testing, much like the OWASP Top 10 or CWE/SANS Top 25 are used for verifying traditional, third-party applications. Visit The Mobile App Top 10 to learn the complete list including threat details and examples. To engage the community in discussion visit the ZeroDay Labs Blog "Mobile App Top 10 List" and post a comment.
Die Nutzung von hier veröffentlichten Informationen zur Eigeninformation und redaktionellen Weiterverarbeitung ist in der Regel kostenfrei. Bitte klären Sie vor einer Weiterverwendung urheberrechtliche Fragen mit dem angegebenen Herausgeber. Bei Veröffentlichung senden Sie bitte ein Belegexemplar an firstname.lastname@example.org.