Why breaches could be good for mobile device security
Bryan Casey (BFCASEY@US.IBM.COM) | Tags: application mobile ibm security appscan innovate
One of the greatest challenges of the world becoming more digitized and interconnected is the fact that we are always in a state of evolution. There has never been a point in computing where we have thrown everything out and started all over again. Over the last few years, nowhere have elements of this conversation been clearer than in the space of cloud computing. Was this something new, the next logical step in the evolution of computing, or have we been doing cloud for years before ever calling it cloud? These issues raise questions about the way we think about and use computer systems over the long term.
The problem with evolving some systems, without evolving all systems, is that many times systems and applications were designed to make sense within the context of the world in which they were originally conceived and built. They were not designed with an understanding of how the world would change over time or how they might be asked to do something they weren't originally asked to do. While there are obvious issues that come up, like compatibility, perhaps the greatest challenge is in security. When we look at the electrical grid, for example, we see huge benefit attached to making the grid "smarter," yet at the same time, the original design of the grid hasn't fundamentally changed much since it was originally conceived, and when it was originally conceived something like Stuxnet had never been appreciated as a potential risk.
The threat landscape has been constantly intensifying over the years, with IBM's own X-Force Research and Development team referring to 2011 as "the year of the security breach." Perhaps the greatest opportunity that we have had in security in years comes from the fact that the BYOD trend was introduced almost simultaneously with unprecedented breach activity. Executives at every level care more about security than they ever have before. As a result, organizations all over the world are looking very closely at best practices in mobile device security as they confront the obvious security risk of, "I, as a company, do not own this device, but I am going to allow it to access my network anyway."
While smartphones do represent the next logical evolution of making computing smaller and more powerful, that platform is still very new, and it is being developed and built today in a world where we understand security risk. For that reason, we have an opportunity with mobile devices to build them more securely, from the very beginning, in a way that we never had with traditional computers, or even the internet in general.
New mobile applications are being created all the time, but the number of mobile applications compared to web applications is still not even a conversation. We are still in the infancy of mobile application development, and with that infancy comes opportunity. For the last several years, 40-50% of all publicly disclosed security vulnerabilities have been in web applications. As a result, the total number of vulnerable applications on the internet just keeps compounding. What's really interesting is that we have seen improvement in the rate at which new vulnerabilities are introduced over time, because people who care about security can and have made efforts to be more diligent about eliminating vulnerabilities before deployment. Now, with mobile applications, there is no historical backlog of applications that require modernization. This is the beginning.
In security, perhaps the worst practice is only addressing risk once attackers begin actively exploiting that risk: fixing things not just after we know they are broken, but after we have already lost. We can turn the tide with mobile applications because we fortunately have years and years of best practices built up in secure engineering that enable us to design this new wave of applications more securely from the very beginning.
This is an opportunity that does not come around very often for all users of technology, and that is the opportunity to take a new platform, and really design it, and the applications on it, from the very beginning with security as a core consideration. With the right approach and diligence, we can actually make mobile devices a more secure computing platform than anything else we currently use today.
For more information about how IBM can help secure mobile devices, visit us at: http://www.ibm.com/software/solutions/mobile-enterprise/security/solutions.html