Mobile application security unfortunately falls by the wayside within many organizations. According to Verizon’s 2020 Mobile Security Index, 43 percent of organizations admitted they sacrificed mobile security in the past year, and those that did were twice as likely to experience a compromise. Despite these risks, many organizations’ development teams are under pressure to deliver mobile applications quickly and focus on customer experience. This often makes security an afterthought, even though a vast amount of traffic, sensitive data, and revenue may flow through mobile apps.
So, where does mobile application security typically fit within the broader security landscape today? And, perhaps more importantly, how can teams refocus their efforts to protect these highly critical assets?
In many organizations it is unclear who really "owns" mobile security: the software development team or the security team. The honest answer is usually "a little of both," and where mobile app security sits also depends on the size and type of the organization.
Today, many larger companies incorporate their mobile application security strategy into their organization’s overall security risk assessment. Certain risk triggers — for example, onboarding new companies as a part of an M&A process and having to secure their assets — may bring about an application security review. Or, in other cases, compliance regulations drive security mandates for applications, especially if they process sensitive customer data.
However, for some mobile-first and/or SaaS companies, mobile app security is an integral part of the overall security strategy. These companies may consider mobile app security under the same umbrella as network and data security. Mobile-first companies may be more advanced in secure coding best practices for mobile, especially since their applications comprise a critical part of their businesses’ revenues.
Regardless of an organization’s size and type, mobile has become one of the primary channels through which people get their information. Globally, 5.19 billion people use mobile phones. As distributed teams become even more common, people rely on mobile applications to process increasing volumes of valuable data. As a result, app security needs to become a must-have for many organizations instead of a nice-to-have.
Prioritizing mobile application security within the organization boils down to three big areas of focus: executive awareness, developer education, and tooling that fits into the development process rather than slowing it down.
Making executive leadership aware of the need for mobile application security is easier said than done, but it is the critical first step to keeping these assets safe. Mobile applications belong among an organization's top-priority assets because they concentrate several points of exposure: an unsecured app can leak the sensitive customer or company data it stores, and that is only one of the risks it carries.
In addition, educating developers on how mobile app attacks occur, as well as on secure coding best practices, is crucial. Developers are the ones who ensure that security measures are actually implemented and baked into the app's code. Attackers look for easy targets: apps whose code is trivial to reverse engineer, that encrypt too little or encrypt badly, that store data insecurely on the device, and so on. Fortunately, there are simple measures any team can take during development to shut these avenues down.
Finally, deploying tools that save time rather than drag the development process down is key to success. Most DevOps teams love automation and have embraced tooling for their development, testing and deployment processes. Security tools should be no different: they should automate as much of the secure coding process as possible and lift some of the burden from individual developers and testers. Device-level protections and app-hardening techniques should also be key considerations for any organization.