Ihor Feoktistov, CTO at Relevant

C-Level Guide to the Security of Web and Mobile Applications


Even if you are not the CTO, as a C-level manager you deal with cybersecurity more than you might expect. Whether your business sells products or services, you are responsible for keeping your IT infrastructure, business data, and your customers' personal information safe. That is why application security matters to every organization and every C-level executive.

You may think attackers will not bother with a small fish like you while Google, Facebook, Amazon and Apple are there to crack. But if your organization runs even ten workstations and a couple of servers, you are a potential target: most attacks are automated and opportunistic, not aimed at a hand-picked victim.

There have been 1.6 billion data breaches since 2005, and more than 1 billion of them took place since 2018. Every two seconds there is a new victim of identity theft, and more than 31% of those victims later suffer social engineering, credit card fraud, or other follow-on attacks.

No one is 100% protected from cybercrime, but what you can do is keep the security of your web and mobile products under constant review. This article explains how to implement and perform security testing for web and mobile applications in a reliable and cost-effective way.

What is application security?

Application security is an umbrella term for the software engineering practice of keeping your applications secure by testing them and by finding and fixing vulnerabilities before attackers do.

Application security must be a cornerstone of application architecture, design, development, and deployment, and it is delivered through the hardware, software, and procedures your organization employs. Those procedures differ by the type of application you need to secure.

[Image: application security scheme]

Application software types and how to secure them

Different types of application software (desktop and data center-based apps, cloud-based, web, and mobile apps) require different approaches to application security:

  • Desktop software. Desktop apps are often updated infrequently, so check them for known vulnerabilities at installation and at every update, and keep an inventory so you know what is installed where.
  • On-prem data center-based apps. In many cases in-house engineers build custom apps for the specific needs of your organization. These should be rigorously checked for security flaws and backdoors and should adhere to industry-grade security standards.
  • Cloud-based applications. Cloud software adds further layers of risk on top of those above: shared responsibility with the vendor, identity and access misconfiguration, and exposed management interfaces. The key is to treat all of your cloud infrastructure as potentially insecure and to protect mission-critical assets first.
  • Mobile apps. Just like cloud SaaS tools, mobile apps installed on your staff's devices can pose risks. A sound mitigation is an enterprise mobility management platform with a corporate app store of allow-listed tools.
  • Web applications. Running web-based apps is one of the biggest exposures enterprise security has to handle. Data encryption and granular access management are a must, as are DDoS protection, a properly configured web application firewall (WAF), and regular penetration testing performed by internal experts or an external Managed Security Service Provider (MSSP).

Let’s take a closer look at the security checklists different software types should be tested against.

Desktop software security checklist

Track your inventory of desktop software, continuously check for security updates and patches, and have an established patch management process. You also need an identity management policy that enforces strong passwords and, wherever possible, multi-factor authentication. Securing the infrastructure is vital for protecting the desktop apps that run on it, so installing host firewalls and configuring network policies correctly is mandatory.

Data center-based custom apps security checklist

To secure custom apps running in your on-prem data center, have your developers follow secure coding practices, adopt DevOps and DevSecOps approaches to software delivery, and keep a close eye on the open-source components and libraries the apps depend on: pin their versions and check them regularly against known vulnerability databases.

Cloud application security checklist

Keep an inventory of the SaaS tools your employees use, since many of them have had security vulnerabilities. Use all the security features the cloud vendor provides. Encrypt all data at rest and in transit within your infrastructure. Establish strong authentication (including multi-factor authentication) and granular, least-privilege control over who can do what in your cloud accounts, and log and monitor administrator actions.

Mobile application security checklist

Have a mobile behavioral analysis tool in place to flag apps and devices that show potentially malicious activity, so your IT department can act. Mobile data in transit and at rest should always be encrypted. Two-factor authentication and granular access control are also among the most useful enterprise mobility controls.

Web application security checklist

Review all web apps in use in your organization to map their entry points, client-side code, and third-party hosted content. Enforce granular access control to prevent insecure direct object references (IDOR), missing authorization, and horizontal and vertical privilege escalation. Encrypt all data you handle with modern, well-reviewed algorithms. Configure traffic filtering and auto-scaling so that mission-critical services stay up under DDoS attacks. The customer-facing parts of your web apps are best placed behind a CDN with built-in DDoS mitigation and a web application firewall, such as Cloudflare or AWS CloudFront combined with AWS Shield and AWS WAF.

Now that we have covered software types and how to secure them, let's look at the vulnerabilities that typically affect applications.

[Image: web application security process and checklist]

Cloud, mobile, and web application vulnerabilities

Typical vulnerabilities differ by application type. For cloud-based applications they include:

  • Server-side injections. Attackers supply input that the backend interprets as code or a query (SQL, OS commands, templates), which lets them alter access rights, read or modify other users' data, or run commands on the server.
  • Client-side injections. Cross-site scripting (XSS) happens when attacker-controlled script ends up in a page, either through a crafted link the victim clicks (reflected XSS) or through stored content such as a comment (stored XSS), and runs in the user's browser with the site's privileges.
  • Session management. Every user connecting to a cloud app starts a session and is issued a session ID that stands in for their credentials. The ID must be long and unpredictable, and must travel only over HTTPS in a cookie marked Secure and HttpOnly; a guessable, leaked, or never-expiring ID lets an attacker hijack the session. TLS (and certificate pinning in mobile clients) protects the ID in transit; randomness protects it from being forged.
  • Sensitive data storage and exposure. From cookies to auto-filled passwords, a lot of sensitive information flows through cloud apps. Send it only over TLS, store passwords as salted slow hashes, keep secrets out of client-side storage and logs, and encrypt on the client before upload where the cloud provider must not be able to read the data at all.
  • Logical mistakes. Attackers abuse flaws in business logic, for example by changing an object ID in a request, to reach other users' data. The fix is a server-side authorization check on every request, confirming that the session's user actually owns the object being accessed.
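The two controls behind the session management and logical mistakes items above, and behind the access-control advice in the web checklist, are shown here as an added example; it is not code from the original article. Session issuance uses an OS random token with the cookie flags named above, and object access is checked against ownership on every request. The document store, user names and the `Forbidden` error type are invented for the demo.

```python
"""Added example (not from the original article): per-request authorization
plus unpredictable session IDs. DOCUMENTS, the user names and Forbidden are
constructed for the demo."""
import hmac
import secrets

# Constructed sample data: documents and who owns them.
DOCUMENTS = {
    101: {"owner": "alice", "body": "alice's tax return"},
    102: {"owner": "bob", "body": "bob's medical record"},
}


class Forbidden(Exception):
    pass


class SessionStore:
    """Maps opaque session IDs to user names."""

    def __init__(self):
        self._sessions = {}

    def issue(self, username):
        # 32 bytes from the OS CSPRNG, about 43 URL-safe characters.
        # A counter or timestamp here would let attackers guess other IDs.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        return sid

    @staticmethod
    def cookie_header(sid):
        # Secure: never sent in clear text. HttpOnly: unreadable by page scripts.
        # SameSite: not attached to cross-site requests (also blunts CSRF).
        return f"Set-Cookie: session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"

    def resolve(self, sid):
        # Constant-time comparison avoids leaking IDs through timing.
        for known, user in self._sessions.items():
            if hmac.compare_digest(known, sid):
                return user
        return None


def get_document_vulnerable(doc_id):
    """IDOR: any caller, authenticated or not, can fetch any document ID."""
    return DOCUMENTS[doc_id]["body"]


def get_document(store, sid, doc_id):
    """Hardened: authenticate the session, then check ownership of the object."""
    user = store.resolve(sid)
    if user is None:
        raise Forbidden("no valid session")
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != user:
        # Same error for "missing" and "not yours", so IDs cannot be enumerated.
        raise Forbidden("document not found")
    return doc["body"]


if __name__ == "__main__":
    store = SessionStore()
    alice = store.issue("alice")
    print(store.cookie_header(alice))
    print(get_document(store, alice, 101))
    try:
        get_document(store, alice, 102)
    except Forbidden as err:
        print("blocked:", err)
```

The vulnerable function is what a "logical mistake" looks like in code: the ID in the URL is trusted as proof of entitlement. The hardened version makes the session, not the ID, the source of truth.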

Mobile application vulnerabilities fall under the following types:

  • Insecure API connections. Most mobile apps talk to their backend over REST APIs. These connections must use TLS with full certificate and hostname validation; a common Android mistake is a custom SSLSocketFactory or TrustManager that accepts any certificate, which silently disables that validation. For authorization, use the OAuth 2.0 Authorization Code Grant with Proof Key for Code Exchange (PKCE) rather than the implicit grant, so that access tokens never appear in redirect URLs and an intercepted authorization code cannot be redeemed without the code verifier held by the app.
  • Open-source code security vulnerabilities. Many mobile apps are built on open-source frameworks and libraries, and a vulnerability in any of them affects the whole app. Regular third-party code review and dependency scanning mitigate the risk.
  • Insecure data storage. It is tempting to store user data in plist files or shared preferences for simplicity, but that is the first place an attacker looks. Keep credentials and tokens in the iOS Keychain or the Android Keystore and encrypt anything sensitive that cannot go there.
  • Library auto-updates. Pulling the latest version of every third-party library looks like the safe choice, but there have been cases where attackers published malicious releases of widely used open-source packages (the 2018 event-stream npm incident is one) and reached a large number of apps and users at once. Pin the exact library versions (and, where your tooling supports it, the artifact hashes) in your build, and review every update before incorporating it, which again argues for regular external code review.
  • Outdated authentication methods. Pattern locks and short passcodes can be shoulder-surfed, eavesdropped, or guessed. Prefer hardware-backed platform biometrics (fingerprint or face recognition) with a strong passcode as fallback, and never let the server trust an authentication decision taken only on the client.
  • Reverse engineering. A widespread technique in which attackers decompile or debug your app to understand how it works and to extract secrets. Apps compiled to bytecode (Java/Kotlin on Android, Xamarin/.NET) decompile almost back to source; native C/C++ is harder to read but not immune. Obfuscation (R8/ProGuard), root/jailbreak detection and debugger detection raise the bar, but the only reliable defence is to assume the client is fully readable: keep API keys, secrets, and authorization decisions on the server.
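The PKCE exchange recommended in the insecure API connections item is shown here from both sides, as an added example that is not part of the original article. The S256 transform follows RFC 7636; the authorization server class, its method names, the client ID and the token format are invented for the demo, and a real server would also validate the redirect URI and issue tokens with an expiry.

```python
"""Added example (not from the original article): OAuth 2.0 Authorization Code
flow with PKCE (RFC 7636, S256). AuthServer, its method names and the client ID
are constructed for the demo."""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    # RFC 7636 uses base64url without padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# ---- client side (the mobile app) ------------------------------------------
def make_verifier() -> str:
    # 32 random bytes give a 43-character verifier, the RFC minimum length.
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


# ---- authorization server side --------------------------------------------
class AuthServer:
    def __init__(self):
        self._pending = {}  # authorization code -> (client_id, challenge)

    def authorize(self, client_id, challenge, method="S256"):
        """Front channel (browser redirect): remember the challenge with the code."""
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' gives no protection")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, challenge)
        return code

    def token(self, client_id, code, verifier):
        """Back channel: the verifier proves the caller is the app that began the flow."""
        entry = self._pending.pop(code, None)  # codes are single-use
        if entry is None:
            raise PermissionError("unknown or replayed code")
        stored_client, stored_challenge = entry
        if stored_client != client_id:
            raise PermissionError("client mismatch")
        if not 43 <= len(verifier) <= 128:
            raise PermissionError("verifier length out of range")
        if not hmac.compare_digest(make_challenge(verifier), stored_challenge):
            raise PermissionError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow(server, client_id="mobile-app"):
    """Happy path. The verifier never leaves the device, so a code stolen from
    the redirect URL is worthless to whoever intercepted it."""
    verifier = make_verifier()
    code = server.authorize(client_id, make_challenge(verifier))
    return server.token(client_id, code, verifier)


def intercepted_code_fails(server, client_id="mobile-app"):
    """Simulates an attacker redeeming a stolen code with their own verifier."""
    verifier = make_verifier()
    code = server.authorize(client_id, make_challenge(verifier))
    try:
        server.token(client_id, code, make_verifier())
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    srv = AuthServer()
    print(run_flow(srv))
    print("stolen code rejected:", intercepted_code_fails(srv))
```

Note that the server deletes the code on first use: replaying a code, even with the right verifier, must fail, and the test below checks that too.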

Web application vulnerabilities are numerous and well known, yet still very harmful:

  • SQL injection. Untrusted input concatenated into a database query lets an attacker change what the query does: bypass logins, read or dump tables, elevate access rights, or destroy data. Parameterized queries remove the problem.
  • XSS injection. Malicious script injected into your pages runs in your users' browsers, where it can steal sessions, modify page content, or push malware. Output encoding and a Content-Security-Policy header are the defences.
  • Remote file inclusion. The application is tricked into including and executing a file from an attacker-controlled location (a remote URL, or a file the attacker uploaded earlier), giving the attacker code execution and access to your data.
  • Cross-Site Request Forgery (CSRF). An attacker's page makes the victim's browser send an authenticated request (for example a form post) to a site where the user is logged in, so the action runs without the user's intent. Anti-CSRF tokens and SameSite cookies prevent it.

[Image: cyber attack taxonomy, mobile and web app vulnerabilities]
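Three of the vulnerabilities above, SQL injection, XSS and CSRF, are shown below as the vulnerable pattern beside its fix, as an added example that is not code from the original article. The in-memory SQLite schema, the users, the passwords and the CSRF key are constructed for the demo; the password hashing is deliberately simplified and a real system uses a slow, salted hash such as argon2 or bcrypt.

```python
"""Added example (not from the original article): SQL injection, XSS and CSRF,
each as vulnerable code beside its fix. Schema, users and secrets are constructed."""
import hashlib
import hmac
import html
import secrets
import sqlite3


def pw_hash(password):
    # Demo only: use argon2/bcrypt/scrypt with a per-user salt in real systems.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", pw_hash("correct horse"), "user"),
        ("admin", pw_hash("hunter2"), "admin"),
    ])
    return db


# ---- 1. SQL injection -------------------------------------------------------
def login_vulnerable(db, name, password):
    """String-built query: the input becomes part of the SQL grammar."""
    q = (f"SELECT role FROM users WHERE name = '{name}' "
         f"AND pw_hash = '{pw_hash(password)}'")
    row = db.execute(q).fetchone()
    return row[0] if row else None


def login_safe(db, name, password):
    """Parameterised query: values travel separately from the SQL text."""
    row = db.execute(
        "SELECT role FROM users WHERE name = ? AND pw_hash = ?",
        (name, pw_hash(password)),
    ).fetchone()
    return row[0] if row else None


# ---- 2. Cross-site scripting ------------------------------------------------
def greeting_vulnerable(display_name):
    return f"<p>Welcome, {display_name}!</p>"


def greeting_safe(display_name):
    # Encode at the point of insertion into HTML. A Content-Security-Policy
    # header is the second layer for the places where encoding is missed.
    return f"<p>Welcome, {html.escape(display_name)}!</p>"


# ---- 3. Cross-site request forgery -----------------------------------------
CSRF_KEY = secrets.token_bytes(32)  # server-side secret, constructed per process


def csrf_token(session_id):
    # Synchroniser token bound to the session: a cross-site page cannot read it
    # (same-origin policy) and a token from one session is useless in another.
    return hmac.new(CSRF_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(session_id, amount):
    """Any page that can make the victim's browser POST here succeeds."""
    return f"transferred {amount} for session {session_id}"


def transfer_safe(session_id, amount, submitted_token):
    if not hmac.compare_digest(submitted_token, csrf_token(session_id)):
        raise PermissionError("CSRF token missing or wrong")
    return f"transferred {amount} for session {session_id}"


if __name__ == "__main__":
    db = make_db()
    payload = "admin' -- "  # comments out the password check
    print("vulnerable login grants:", login_vulnerable(db, payload, "wrong"))
    print("safe login grants:", login_safe(db, payload, "wrong"))
    print(greeting_safe("<script>alert(1)</script>"))
```

The payload `admin' -- ` turns the password comparison into a SQL comment in the string-built query, so the attacker is logged in as admin with any password; the parameterized version treats the same text as a literal user name and finds nobody.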

All in all, attackers who exploit application vulnerabilities are mostly after administrative access to your cloud resources or customer data, or a foothold from which to infect devices with malicious code.

The cost of implementing security for an application

We have covered the dangers of data breaches, their most common types, and checklists for preventing them. All of that matters because preventing a breach is always cheaper than dealing with its aftermath. So what does implementing security for an application cost?

In general, it can be described by a (features x time) x hourly rate = cost formula. The more security features you want to implement, the more time it will take, and when multiplied by the software engineers’ hourly rate, this can give you an approximate cost. 

Of course, the infrastructure needed to develop and test the solution adds to the bill, but these investments are far lower than the potential damage of losing your business data. A detailed report from Kaspersky Lab on the cost of implementing cybersecurity breaks these costs down, and it is worth reading.

Also, you can contact our security team that will perform a detailed assessment of your cybersecurity needs and will provide a quote of the scope of work needed.

Tools for testing and ensuring application security 

Now, let’s look at the main approaches to monitoring and improving the security of your applications.

Static Application Security Testing (SAST)

This is a form of white-box testing: the tester knows the software architecture and has access to the source code. SAST analyzes code at rest, without running it, to detect potential vulnerabilities such as injection sinks, hard-coded secrets, and unsafe API use. Some SAST tools work with source code, some with compiled binaries, and some with both.

Dynamic Application Security Testing (DAST)

DAST is the opposite: a black-box method in which the tester has no internal knowledge of the application and identifies vulnerabilities from the responses of the running app. It is used to detect injections, problems in interfaces and session handling, and more. DAST commonly includes fuzzing, which means sending malformed and unexpected inputs to the application and watching for crashes, leaked error details, or other abnormal behavior. Fuzzing is not a load test; it is about the shape of the input, not its volume.

Software Composition Analysis (SCA)

This approach identifies the origin and version of every library and component in your software. It is especially useful for finding known vulnerabilities in open-source components by matching them against continuously updated databases such as the NIST National Vulnerability Database (NVD), which builds on the MITRE CVE list. It cannot, however, find vulnerabilities in custom-written code, because no advisory exists for it.
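A minimal composition check of the kind SCA tools perform, which also illustrates the version-pinning advice from the mobile section and the open-source item in the custom-apps checklist, follows as an added example that is not from the original article. The pip-style lock file, the package names and the advisory list are all constructed for the demo; a real tool pulls advisories from NVD or OSV, understands many more version formats, and resolves transitive dependencies.

```python
"""Added example (not from the original article): audit a pinned dependency
list against an advisory table. LOCKFILE, package names and ADVISORIES are
constructed for the demo; the DEMO-ADV-* IDs are not real advisories."""
import re

# Constructed pip-style lock file: two pinned with no hash, one pinned with a
# hash, one not pinned at all.
LOCKFILE = """\
# constructed sample
acme-http==2.25.1
yamlish==5.3.1 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
netutil>=1.26
cryptolib==41.0.3
"""

# Constructed advisories: package -> [(fixed_in_version, advisory_id)].
# Versions strictly below fixed_in are treated as affected.
ADVISORIES = {
    "yamlish": [("5.4", "DEMO-ADV-001")],
    "acme-http": [("2.31.0", "DEMO-ADV-002")],
}

LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)"
    r"(?P<op>==|>=|<=|~=|!=|<|>)?"
    r"(?P<ver>[0-9][0-9A-Za-z.]*)?"
    r"(?P<rest>.*)$"
)


def parse_version(v):
    """'5.3.1' -> (5, 3, 1). Non-numeric parts are dropped for the demo."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_lockfile(text):
    deps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable requirement: {raw!r}")
        deps.append({
            "name": m["name"].lower(),
            "pinned": m["op"] == "==",
            "version": m["ver"],
            "hashed": "--hash=" in m["rest"],
        })
    return deps


def audit(deps, advisories):
    """Return (package, message) findings: unpinned or unhashed entries and
    pinned versions below an advisory's fixed_in version."""
    findings = []
    for d in deps:
        if not d["pinned"]:
            findings.append((d["name"],
                             "not pinned: builds are not reproducible and may pull a malicious release"))
            continue
        if not d["hashed"]:
            findings.append((d["name"],
                             "pinned without --hash: a substituted artifact would go unnoticed"))
        for fixed_in, adv in advisories.get(d["name"], []):
            if parse_version(d["version"]) < parse_version(fixed_in):
                findings.append((d["name"],
                                 f"{d['version']} affected by {adv}, fixed in {fixed_in}"))
    return findings


if __name__ == "__main__":
    for name, msg in audit(parse_lockfile(LOCKFILE), ADVISORIES):
        print(f"{name}: {msg}")
```

Run in CI, a check like this fails the build on any finding, which is how the "review every update before incorporating it" rule gets enforced rather than remembered.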

Database Security Scanning (DSS)

“Don't touch it if it works” is a well-known byword in IT, and it generally holds, except for security. Security patches should be applied promptly to avoid situations like the 2017 NotPetya attack: the SMB vulnerability it exploited (MS17-010) had been patched by Microsoft three months earlier, so patched hosts were immune to that spreading vector. NotPetya also moved laterally with stolen administrator credentials, which is why patching and least privilege go together.

DSS tools scan databases at rest to find weak passwords, missing security patches, insecure configuration, and suspicious administrator actions in the logs. Some DSS tools can also examine running databases.

Interactive Application Security Testing (IAST) tools

Standard SAST and DAST runs can be too slow for DevOps-style delivery: SAST scans the whole codebase and DAST needs a separate scan driven by pre-configured test cases. IAST tools instead instrument the running application with an agent and observe data flowing from requests to sensitive sinks while ordinary functional tests or real users exercise it, combining DAST's runtime view with SAST's code-level detail.

The more the instrumented app is exercised, the more coverage the IAST tool gains, and development does not have to stop for a dedicated testing window.


Mobile Application Security Testing (MAST)

MAST tools add forensic analysis to static and dynamic testing. They combine analyzers that check mobile app code and behavior against the OWASP Mobile Top 10 risks, covering cases such as running on jailbroken or rooted devices, spoofed Wi-Fi connections, and correct certificate validation.

The six approaches to testing application security we’ve mentioned are the most popular ones, but the list isn’t exhaustive, and you can look for others that fit your operations better.

Ten best practices for building secure applications

Ensuring application security by design is much easier and cheaper than patching incessantly or dealing with the consequences of data breaches. That is easier said than done, so here are the ten key practices for building secure applications.

Treat your infrastructure as an insecure and dangerous place

Your products must carry their own application-level security checks and not rely entirely on the security features of your cloud vendor or on-prem data center. Breaches at global enterprises such as Sony and Target show that the environment your app runs in can never be assumed secure.

Secure each app component

Use appropriate controls for every component of your application. Hosts running your binaries need intrusion detection/prevention and integrity monitoring; databases and file stores need access control that keeps critical data from unauthorized access; firewalls must allow only the traffic your app actually needs. The exact measures differ by component, but the principle is the same: every module must be secured, and compromising one should not hand over the rest.

Implement DevSecOps

Manually deploying and managing security controls is slow, prone to human error, and easily skipped when the business is in a hurry, which can lead to huge losses. DevSecOps, automating software delivery with security checks built into the pipeline, is not easy to implement, but it is the step that makes most mitigations consistent and repeatable.

Perform penetration testing

Security measures can become inadequate soon after infrastructure or operational changes. Periodic penetration testing by third-party providers checks whether your controls actually hold and surfaces the gaps. Configuration monitoring complements it: Netflix's Security Monkey (now archived) analyzed AWS accounts for risky settings, and that role is filled today by tools such as AWS Config rules or Prowler. Such scanners find misconfigurations; they do not replace a penetration test.

Utilize cloud-based security tools

Security budgets need not be enormous. Cloud vendors offer platform security services that require no large up-front CAPEX, such as Amazon CloudTrail, Amazon GuardDuty, or Google Cloud's operations suite (formerly Stackdriver). Your IT team can configure them and start sooner, and cheaper, than with proprietary security products that charge large annual subscriptions.

Focus on monitoring and smart alerting

Modern applications (AR/VR, blockchain, ML/AI workloads) generate volumes and kinds of telemetry that older monitoring tools do not cover, and alerts from critical systems easily drown in noise. Both cloud vendors and independent providers now offer monitoring with smarter alerting: severity tiers, deduplication, and routing, so that critical notifications reach the responsible engineer on time.

Implement proper logging

There will always be bugs you overlooked; what matters is being able to detect and respond before the situation gets out of hand. Centralized logging with Elasticsearch, Logstash (or Fluentd) and Kibana (the ELK or EFK stack) is a widely used way to keep an eye on infrastructure performance and security events.

There are also SaaS products such as Splunk or Sumo Logic, and platform-specific tools such as Amazon CloudWatch. Use them fully; they are well worth the investment. Whatever the stack, log authentication events, authorization failures, and administrator actions in a structured format, and write detection rules over them rather than only storing them.
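Detection logic of the kind the monitoring and logging sections call for is shown here as an added example, not code from the original article, run over constructed JSON authentication log lines. The field names are invented for the demo and would be mapped to your own log schema. The rule flags a source address that fails logins repeatedly within a sliding window (a medium alert, with the number of distinct accounts as a password-spraying indicator) and escalates to high when the same source then succeeds.

```python
"""Added example (not from the original article): sliding-window brute-force
detection over constructed JSON auth logs. Log shape, addresses and names are
invented for the demo."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one spraying source that finally succeeds, one benign user.
SAMPLE_LOGS = """\
{"ts":"2024-03-01T10:00:01Z","event":"login","user":"alice","src":"203.0.113.5","result":"fail"}
{"ts":"2024-03-01T10:00:03Z","event":"login","user":"bob","src":"203.0.113.5","result":"fail"}
{"ts":"2024-03-01T10:00:04Z","event":"login","user":"carol","src":"203.0.113.5","result":"fail"}
{"ts":"2024-03-01T10:00:05Z","event":"login","user":"dave","src":"203.0.113.5","result":"fail"}
{"ts":"2024-03-01T10:00:06Z","event":"login","user":"erin","src":"203.0.113.5","result":"fail"}
{"ts":"2024-03-01T10:00:09Z","event":"login","user":"frank","src":"203.0.113.5","result":"success"}
{"ts":"2024-03-01T10:00:10Z","event":"login","user":"alice","src":"198.51.100.7","result":"fail"}
{"ts":"2024-03-01T10:20:00Z","event":"login","user":"alice","src":"198.51.100.7","result":"success"}
{"ts":"2024-03-01T10:20:01Z","event":"logout","user":"alice","src":"198.51.100.7"}
"""

WINDOW = timedelta(minutes=5)
THRESHOLD = 5  # failed logins per source within WINDOW


def parse(line):
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(lines, window=WINDOW, threshold=THRESHOLD):
    """Return a list of alert dicts. Keeps, per source, a deque of recent
    (timestamp, user) failures and drops entries older than the window."""
    failures = defaultdict(deque)
    flagged = set()
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse(line)
        if rec.get("event") != "login":
            continue  # logouts and other events do not count
        src, ts = rec["src"], rec["ts"]
        q = failures[src]
        while q and ts - q[0][0] > window:
            q.popleft()
        if rec["result"] == "fail":
            q.append((ts, rec["user"]))
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                users = {u for _, u in q}
                alerts.append({
                    "severity": "medium", "src": src,
                    "reason": (f"{len(q)} failed logins for {len(users)} accounts "
                               f"within {int(window.total_seconds())}s"),
                })
        elif rec["result"] == "success" and src in flagged:
            # A success right after a burst of failures is the high-value signal.
            alerts.append({
                "severity": "high", "src": src,
                "reason": f"successful login for {rec['user']} after failure burst",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS.splitlines()):
        print(alert)
```

The two-tier output is the "smart alerting" point in practice: a burst of failures alone is worth a ticket, while a success from the same source is worth waking someone up.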

Protect from OWASP’s top ten threats

The Open Web Application Security Project (OWASP) should be the starting point for all your security initiatives. It compiles vulnerability data contributed by many organizations into regularly updated Top Ten lists of the most prominent application security risks, for web, API, and mobile applications. Following these lists and their recommendations is a wise choice for any IT professional.

Encrypt the data

We have mentioned this several times already, but it cannot be stressed enough: data at rest and data in transit within your infrastructure must be encrypted with modern algorithms (AES-GCM at rest, TLS 1.2 or newer in transit), with the keys kept separately from the data, for example in a cloud KMS or an HSM. Then, even if the data is stolen, it is useless to the thief.

Keep backups of mission-critical data in a separate, ideally offline or immutable store that is not reachable with the same credentials as production, not even a super-admin's. A few minutes of manual handling each day, plus regular restore tests, can save you a ton of headaches down the track.

Delegate non-critical digital assets

Almost every IT department today is understaffed, overloaded, and faces an enormous attack surface. One way to make IT operations more productive is to delegate the management and security of non-critical digital assets to specialists. A reliable third-party MSSP will handle the most common attack vectors, allowing your IT team to concentrate on other tasks.

At this point, you may be asking…

Is it safe to outsource application security?

As mentioned, there is a severe shortage of cybersecurity skills on the market, and assembling an A-grade team can be too costly for a company. Contracting a Managed Security Service Provider such as Relevant Software gives you fast access to skilled professionals who deliver a wide variety of cybersecurity services:

  • Vulnerability assessment. Test your infrastructure and applications for weaknesses and known vulnerabilities.
  • Mobile and web security. Protect your digital assets from intrusion.
  • Cloud security. Configure your cloud-based systems correctly to avoid common security pitfalls and mistakes.
  • Startup immunity. Design, deploy, and hand over to your team (or keep supporting) cybersecurity measures that let you withstand cyberattacks.

You will have to choose between trying to ensure security for applications using internal resources or delegating this task to a trustworthy technology provider. Either way, make sure the people you’ll be working with are genuine professionals.

Summary

Ensuring the security of web and mobile applications, and of the infrastructure and processes around them, is a long-term, effort-intensive initiative. It is nonetheless crucial for the survival of any business. While you can cover some basics on your own, deploying and maintaining full-scale security measures requires specific expertise, which may mean working with a reliable MSSP, such as Relevant Software.

Thanks to our senior cybersecurity engineers, ample experience with data leak prevention, and a security-first approach to infrastructure design, many clients have chosen us as a trusted partner. Contact us to become one of them!
