Gary Sidaway

Applications are nothing new to the consumer. Apple recently celebrated its store’s fifth birthday and announced that a whopping 50 billion apps have been downloaded from the store.

We are interacting through social and business applications, and we play and entertain through applications more than ever before. We are reaching the point where we won’t even need to type, but instead we can speak to an application. We no longer have to enter a web address into our browser either – we simply open an app.

Even businesses are developing applications as a way to build their brand and identity. This method also allows their employees, partners and customers to access data, increase efficiency, communicate and share.

We now have an app for everything, which tells us one thing: Applications are the new web.

The changing face of communication

We have moved away from face-to-face interaction to the ultimate social application, Facebook, and away from books to a lighter, more convenient device capable of holding thousands of them. We are seeing a change in the way we learn and remember. Richard Watson, author of Future Minds, highlights how our brains are changing the way we hold and retain information.

We no longer have to remember information, as we have instant access to it through applications. This places a huge amount of trust in the data sources and in the retrieval of information, and trust too in the fact that we are sharing more and more of our personal and business lives to enrich our interaction with the world. Against a constantly evolving threat landscape, these applications and data sources are increasingly coming under attack.

Applications are the new target

The fact that we have an app for everything, and that businesses are developing their own apps, means that hackers are now targeting apps to steal valuable data. Their eyes are set not only on the applications themselves but also on how they are developed: much development is now done through collaboration in the cloud, which adds further risk to the development process itself.

Applications rely on data sources that have to provide confidentiality (assurance that information is shared only among authorised persons or organisations), integrity (assurance that information is accurate and complete and has not been altered without authorisation) and finally availability (assurance that the systems are accessible when needed and by those who need them).

Meeting these goals takes more than technology: it requires defined and implemented development processes and procedures that ensure apps and data can be trusted. As we increasingly replace fixed, typed information with apps and shared context, we need to build a better trust model into these applications.

Continuous risk management approach

The threat landscape is continually changing, and so too are the associated risks within your business. In order to develop a secure application for your business, whether for employees, partners or customers to use, the risks must be managed in the context of your organisation’s commercial objectives so that you can make informed decisions.
Most application developments follow an application development lifecycle. It is recommended that businesses take the following approach:

Governance, Risk, Compliance
– Align your application security architecture to your business models and risk profile, whether the application is developed in-house, bought as COTS (Commercial Off the Shelf) or delivered from the cloud
– Understand your compliance requirements, for example in terms of data management and privacy
– Educate not only the users of the applications but also the developers, to ensure security is architected in at the start and not bolted on afterwards

Enterprise Security Architecture
– Control the development process so that it leverages best practice and available security features
– Re-use tested and secure modules wherever possible
– Review overall architecture, not just the application security, but the security of the infrastructure that supports them
– Review and ensure that availability is maintained – is the infrastructure susceptible to DDoS (Distributed Denial of Service) attacks against the applications?
– Review and architect data security

Testing
– Review the application’s code
– Perform application security testing and penetration testing
– Simulate threat scenarios, including new and emerging threats

Operations
– Perform configuration management to establish and maintain a consistent, known configuration of the application and its supporting infrastructure
– Plan code and patch management
– Plan reviews, updates and enhancements, with change management and testing for each change
– Implement vulnerability management to identify, classify, remediate and mitigate vulnerabilities
– Prepare for disaster recovery to ensure your assets are protected and recoverable in the event of a disaster

As more businesses adopt applications as their new web, it is inevitable that hackers will target the intellectual property shared and stored through them. By resolving the complex security, risk and compliance issues, it is possible to create an application that meets your specific business objectives and addresses each security component. That way, users can open your app with little effort and focus on a new, more efficient way of interacting.