Mobile Application Security Assessment By the Numbers – a Whole-Istic View

In addition to exposure from their web applications, organizations are realizing that their expanding portfolio of mobile applications also provides an avenue of attack for malicious actors. The challenge is that mobile applications are often more complicated than their web-based counterparts: they have code that runs on untrusted user devices, code running on corporate web services, and they often also rely on untrusted third-party web services. In addition, testing these applications can be challenging. Given the array of available static (SAST) and dynamic (DAST) scanners, as well as a variety of manual testing options, what sort of testing needs to be done to achieve an acceptable level of coverage?

We looked at the data from a number of mobile application security assessments and ran some of the numbers. The goal was to answer questions like:

  • What types of vulnerabilities are most common in mobile applications?
  • In what component – mobile device code, corporate web services or third-party web services – are the most serious vulnerabilities found in mobile application systems?
  • What type of testing – SAST versus DAST and automated versus manual – found the most and most serious vulnerabilities?

Unfortunately, we didn’t find any single magic answer, but the data does provide some insight into the pros and cons of different testing approaches and into what you can expect as you try to craft a cost-effective mobile application security testing program that gives you sufficient test coverage.

You can see a copy of the slides from my presentation at RSA 2014 online:

The abstract for the talk is:

Typically, mobile application assessments myopically test only the software living on the device. However, the code deployed on the device, the corporate web services backing the device and any third party supporting services must be “whole-isticly” tested AS WELL AS testing the interactions between these components to reach an acceptable level of software assurance for mobile applications.

Contact us for help crafting a mobile security assessment plan that reduces your exposure without breaking the bank.

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.