
Mobile app security best practices: introduction to the four pillars of code security


2016 was a record-setting year, and not in a good way. Last year, in the 4,149 data breaches reported, over 4.2 billion records were exposed. That’s an increase of 566% from 2015. If you think about it, that is an astounding number. The way things are going, I only expect the number of breaches and leaks to grow. Adversaries are not only going after well-known data records, like credit card numbers, passwords, and PII, but also unstructured data such as email archives, business documents, intellectual property and source code. Even some of the best mobile apps are being targeted, because mobile app security testing and training are inconsistent across the industry…even at some of the top mobile app development agencies!

Not only do we have to worry about preventing records from being leaked, mitigating damage when attacks occur, and understanding the underlying causes of attacks – we also have to worry about how much a breach will cost in penalties and fines. With increasing frequency, state Attorneys General offices are bringing lawsuits and seeking settlements with companies that have fallen victim to these breaches and haven’t done everything they can to protect user data. All of which raises the question: are you striking the best balance between industry-standard security on one side and development velocity and cost on the other?

All of these outside forces have impacted the mobile application development lifecycle in some way, from ideation, to design, development, testing, and through to production. And when the changes made to the process of creating great digital experiences in order to address growing threats aren’t managed properly, the result can be damage to your brand. What new actions can we take to provide some level of protection from breaches and lawsuits alike?

The risk

Security is a vast umbrella, but in this series of posts, we will focus on security and risk as it relates to your digital product(s). In my opinion, it breaks down into three major parts:

  • Third-party software libraries
  • Bugs in server-side code
  • Bugs in client-side code

Bottom line, mistakes happen in mobile application development. They can be caused by a simple distraction, mis-implementation, misunderstanding, lack of knowledge…the list goes on and on. There is no such thing as completely perfect and completely secure code.

The four pillars of mobile app security

We attack this with a mix of four different types of reviews or safeguards. Four pillars of security, if you will. There is nothing new here; we have just taken what we have learned from traditional SDLC practices, and applied it to mobile with a heavy emphasis on third-party library management. Each pillar has its gaps, as no single solution is perfect, and that’s why we believe the combination of all four is critical.

  1. Third-party Software Library Management
  2. Static Testing
  3. Dynamic Testing
  4. Code Reviews

There’s a lot to unpack here, so we’ll be taking a deeper dive into each of the “Four Pillars” of security in your digital products in a series of blog posts. First up – Pillar 1: “Third-party Software Library Management.” Stay tuned for posts on each of the other pillars…we’ll update this post with links to them as they’re published.
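As an added illustration of what Pillar 1 looks like in practice (example code written for this post, not tooling from the original article or from any agency it mentions), here is a minimal dependency audit: it reads a requirements-style manifest, flags libraries that are not pinned to an exact version, and compares pinned versions against an advisory list. The manifest, the library names, the versions and the `ADV-…` identifiers are all constructed placeholders.

```python
"""Added example, not from the original post: a minimal third-party
dependency audit of the kind that backs "Pillar 1".  Every library
name, version and advisory id below is constructed for illustration."""

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed advisory list: package -> [(first_fixed_version, advisory_id)].
# Every version strictly below first_fixed_version is treated as affected.
# The ADV-* ids are placeholders, not real advisory identifiers.
ADVISORIES = {
    "imagekit": [("2.4.0", "ADV-0001")],
    "netcore": [("1.8.2", "ADV-0002"), ("1.9.1", "ADV-0003")],
}

# Constructed manifest in requirements.txt style.
MANIFEST = """\
# sample app dependencies (constructed)
imagekit==2.3.5
netcore==1.9.0
analytics>=3.0
crashlog==0.9.1
"""

# name, optional comparison operator, optional version
_DEP_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|>|<)?\s*([0-9][0-9.]*)?$")


@dataclass
class Finding:
    package: str
    version: Optional[str]
    issue: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.9.0' into (1, 9, 0) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text: str) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Yield (name, operator, version) per non-comment line.

    Lines that do not match the simple grammar are kept with no operator
    or version so the audit reports them as unpinned rather than hiding them."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _DEP_RE.match(line)
        deps.append(m.groups() if m else (line, None, None))
    return deps


def audit(text: str, advisories=ADVISORIES) -> List[Finding]:
    """Flag unpinned dependencies and pinned versions below a known fix."""
    findings: List[Finding] = []
    for name, op, ver in parse_manifest(text):
        if op != "==" or ver is None:
            # A range or bare name means the resolved version can change
            # between builds, so the build is not reproducible or reviewable.
            findings.append(Finding(name, ver, "unpinned: version can drift between builds"))
            continue
        for fixed_in, adv_id in advisories.get(name, []):
            if parse_version(ver) < parse_version(fixed_in):
                findings.append(Finding(name, ver, f"{adv_id}: affected, upgrade to >= {fixed_in}"))
    return findings


if __name__ == "__main__":
    for f in audit(MANIFEST):
        print(f"{f.package} {f.version or '(unpinned)'}: {f.issue}")
```

Run against the constructed manifest, the audit reports `imagekit` (below its fix), `netcore` (pinned, but below the second advisory's fix) and `analytics` (not pinned), and stays silent on `crashlog`. A real pipeline would replace the hand-written `ADVISORIES` dict with a feed from the platform's package ecosystem and run this as a blocking CI step.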
