Veracode Takes On Mobile Application Security in the Cloud

Rapid adoption of mobile devices and mobile apps as a critical part of an enterprise IT strategy has created a significant and unbounded security risk. Challenged to implement enterprise-wide application security policies, CIOs and CISOs are realizing they have significantly lower visibility, expertise and control over mobile apps and devices compared to other layers of their IT infrastructure. To mitigate emerging mobile threats, Veracode, Inc., provider of the world’s only independent cloud-based application risk management platform, today launched the industry’s most comprehensive mobile app security verification service. The company also announced the “Mobile App Top 10 List” to establish an industry-wide security standard to enable organizations to implement application security policies across their mobile app environment.

Veracode currently provides application security verification for RIM’s BlackBerry operating system (OS) and Windows Mobile. Support for Google’s Android OS will be available this quarter with Apple iOS support in Q2 ’11. Veracode is accepting all mobile app submissions, regardless of platform, for security verification as part of its extensive beta program. Veracode will discuss its new mobile application security services at the RSA Conference 2011 in San Francisco, February 14-18 at booth #629.

Security Shouldn’t Be An Afterthought

Secure coding, security testing and basic security precautions may often be an afterthought in today’s rapid mobile app development process, as evidenced, in-part, by the lack of encrypting bank account access codes in Citbank’s iPhone app last year. The mobile app malware threat is also quickly progressing from simple “premium SMS and call” attacks that directly monetize by running up the victims bill, to full- blown mobile botnet functionality, such as the recently discovered Geinimi Trojan for Android phones.

“More and more enterprises are realizing that 2011 is quickly becoming the tipping point for mobile security issues,” said Nigel Stanley, practice leader, IT security, Bloor Research. “For both active and passive attacks ranging from GSM air interface attacks through to the use of Trojan malware to target users, with Veracode I share my intense interest in best practices for mitigating these risks and what steps users, businesses, developers and organizations need to take to secure their smartphones and apps. With this launch, enterprises failing to investigate and act on mobile app security vulnerabilities due to lack of a pragmatic and cost-effective solution are no longer excusable.”

Enterprises are threatened by applications built in-house, off-the-shelf, outsourced and with third-party components that are deployed via the cloud, web and on mobile platforms. To manage this mounting, and what appears to be uncontrollable, risk CIOs and CISOs must implement policy-driven application risk management programs and seek independent security verification of all their applications including mobile applications from all their stakeholders across their entire software supply chain.

“CIOs and CISOs are increasingly aware that next generation software infrastructure for their enterprise is increasingly ‘cloud-sourced’ and developed from unknown or untrusted third-party app stores and developers,” said Matt Moynahan, CEO, Veracode. “While the cost and functional benefits of embracing the cloud are many, it is critical to ensure the security risks associated with this model are controlled. Veracode’s broadened platform support will enable security professionals to implement mobile app security policies as easily as they do for internally developed applications.”

Setting New Mobile Security Standards

To increase industry awareness and dialogue about mobile app threats specifically, Veracode has established its “Mobile App Top 10 List.” The goal of the list is to serve as an industry standard for categorizing malicious functionalities and to serve as a checklist of vulnerabilities that developers and security teams can collectively utilize to determine what mobile app risks exist and how they can be effectively and efficiently mitigated. While traditional security vulnerabilities can be compounded by mobile use case specifics and new, platform-particular challenges, the same best practices established in other environments should be adhered to.

“While much has been done in terms of setting standards for the security of web applications, we felt it was necessary to extend the same rigorous framework to mobile,” said Chris Wysopal, CTO, Veracode. “In the mobile app market, we see both inadvertent coding errors and intentional, malicious code as security culprits. We strongly recommend industry-wide adoption of the Mobile App Top 10 for the development of apps, as part of an app store vetting process, for acceptance testing of an app, or for use by providers of security software running on mobile devices.”

The Mobile App Top 10 List can easily be adopted by enterprises seeking to gain focus and control, and support more well-informed discussions with development teams about the security of their applications. It can also be an important foundation for understanding specific threats such as activity monitoring and data retrieval; unauthorized dialing, SMS and payments; system modification; and sensitive data leakage, which can be magnified in a mobile environment.

Most importantly, The Mobile App Top 10 can serve as the standard to which compliance must be demonstrated through independent testing, much like the OWASP Top 10 or CWE/SANS Top 25 are used for verifying traditional, third-party applications. Visit The Mobile App Top 10 to learn the complete list including threat details and examples. To engage the community in discussion visit the ZeroDay Labs Blog “Mobile App Top 10 List” and post a comment.

About Veracode

Veracode is the only independent provider of cloud-based application intelligence and security verification services. The Veracode platform provides the fastest, most comprehensive solution to improve the security of internally developed, purchased or outsourced software applications and third-party components. By combining patented static, dynamic and manual testing, extensive eLearning capabilities, and advanced application analytics Veracode enables scalable, policy-driven application risk management programs. Veracode delivers unbiased proof of application security to stakeholders across the software supply chain while supporting independent audit and compliance requirements for all applications no matter how they are deployed, via the web, mobile or in the cloud. The company’s more than 175 customers include Barclays PLC, California Public Employees’ Retirement System (CalPERS), Computershare and the Federal Aviation Administration (FAA). For more information, visit www.veracode.com, follow on Twitter: @Veracode or read the ZeroDay Labs blog.

Copyright © 2011 Veracode, Inc. All Rights Reserved. All other brand names, product names, or trademarks belong to their respective holders.