Rapid adoption of mobile devices and mobile apps as a critical part of an enterprise IT strategy has created a significant and unbounded security risk.
Challenged to implement enterprise-wide application security policies, CIOs and CISOs are realizing they have significantly lower visibility, expertise and control over mobile apps and devices compared to other layers of their IT infrastructure.
To mitigate emerging mobile threats, Veracode launched a mobile app security verification service. The company also announced the “Mobile App Top 10 List” to establish an industry-wide security standard to enable organizations to implement application security policies across their mobile app environment.
Veracode currently provides application security verification for RIM’s BlackBerry operating system (OS) and Windows Mobile. Support for Google’s Android OS will be available this quarter with Apple iOS support in Q2 ’11.
Security shouldn’t be an afterthought
Secure coding, security testing and basic security precautions are often an afterthought in today’s rapid mobile app development process, as evidenced in part by Citibank’s iPhone app, which last year stored bank account access codes without encryption.
The mobile app malware threat is also quickly progressing from simple “premium SMS and call” attacks, which monetize directly by running up the victim’s bill, to full-blown mobile botnet functionality, such as the recently discovered Geinimi Trojan for Android phones.
Enterprises are threatened by applications built in-house, off-the-shelf, outsourced and with third-party components that are deployed via the cloud, web and on mobile platforms.
To manage this mounting and seemingly uncontrollable risk, CIOs and CISOs must implement policy-driven application risk management programs and seek independent security verification of all their applications, including mobile applications, from all stakeholders across their entire software supply chain.