April 30, 2014
It takes a lot more than a static analysis tool, a web scanning service, and a few paid hackers to make your mobile development lifecycle, team, and eventually, your applications secure. Finding flaws in an individual mobile application is easy (assuming you have the right technical skill set). What is a lot harder is actually stopping the creation of mobile application security flaws in the first place.
To achieve the lofty goal of a truly secure mobile application development program takes a rethinking of how we have traditionally secured our applications in the past. Mobile development brings many changes to enterprise engineering teams including additional new device sensors, privacy impacting behaviors that cross the security chasm between consumer and enterprise isolation, and even faster release cycles on the order of days instead of months. Smaller teams with little to no experience in security are cranking out mobile applications at a fevered pace. The result is an accumulation of security debt that will eventually be paid by the enterprises and consumers that use these applications.
Forrester interviewed some of the most prominent application security consulting and research firms to help understand exactly what nontechnical development risks enterprises have and what they can do to secure their mobile application development process. There are lots of tools and services around that can help with the technical steps required to secure mobile development, but these can only take you so far. Changing the culture of your organization and development teams can go a long way to improving the security of the products you create thus improving your user experience, brand, and even revenue. More detail can be found in my latest report: "Address The Top 10 Nontechnical Security Issues In Mobile App Development." At the end of the day, security isn't only a technology problem, it's a people and process problem, and understanding the nontechnical steps to improve can only help your business.