This post is from the Arxan blog and has not been updated since the original publish date.
Vulnerability Epidemic in Financial Mobile Apps - Episode 4 [Video]
Defense in depth for apps
Down the rabbit hole?
The other thing was this research obviously trickles down into three completely separate research papers. And one of them was API security. It's almost like that--you know that analogy which I think is used way too much, is networks have become this hard candy exterior, soft, gooey interior. I just want to smack whoever says that to me now, because I'm so tired of hearing it. But it's almost like that soft, gooey interior has kind of just like the shell broke and it's like oozing out with APIs.
And really, it's an unknown [INAUDIBLE], that companies are think, oh, well, why do we need ARXAN, or application shielding to secure, when we have a WAF. It's like, dude, because it's two completely separate things. We're authenticating and authorizing our API traffic. Because you're not obfuscating your code. There's all these other different attack vectors that I think we as--I think chief information security officers, buyers, security engineers, need to understand that there's multiple attack vectors here. It's not just one.
And that's why you're looking at solutions like ARXAN that aren't a one-trick pony, that have these security controls around multiple attack vectors. It's not just one thing. It's-- is this operating on a routed or jailbroken device? What does that lead to? All of those things are issues that are addressed with shielding.
So you've previously self-described yourself as a layer seven enthusiast. The question that comes up a lot, especially as we're talking about transport security and SSL, is SSL enough to protect the data being transferred to and from APIs?
No, because, if you think--OK, so that's-- you're talking about data in transit security. So we've already seen vulnerabilities being published in SSL. There's no such thing as something that's un-hackable. I think for my approach, as a practitioner, I've always preached defense in depth.
To me, security needs to be like an onion. You've got-- like, OK, what are you trying to protect, and building your security controls as layers like an onion around it. And this shouldn't be just one layer. Because you're talking about multiple things. And if you have an adversary that has enough time, and patience, and interest to actually breach something, they're going to get in. And if you've shielded your app, there's other things that they can try and go after. I mean, even with obfuscation. There's a way to de-obfuscate. I mean, you can go out there and Google it, and there's all sorts of articles you put that explain how to address that. It needs to be multiple layers of defense. It needs to be data in transit, data at rest. It needs to be all of this stuff, API security. It needs to be multiple security checks on the mobile device itself.
We are going to be doing a webinar soon called Building the Zero Trust Enterprise. So ZTE is like a big term being thrown around right now. And it's really interesting, because if you think about application shielding, it really is the antithesis-- to me, application shielding is just that one thing, that one piece of the puzzle in building that whole ZTE infrastructure. It's just one piece that you need to be doing in addition to everything else.
You can't trust the mobile device that the app is on, because you don't own it.
These companies are making apps, creating apps, and pushing them out to devices that they have absolutely no control over. How do you secure that?
Like think about it--let's really just think about this for a second. It's like our military sending soldiers out into an Area Of Responsibility, an AOR, that they have absolutely no visibility, no control, no security controls, no forward operating bases, nothing to protect that soldier.
And a lot of times, no feedback.
How do you do that? And no feedback, no communication, nothing. You don't know what's happening in that theater of operation. You have no idea what's going on in that area. And you're expected to protect this asset. And you've got this asset there that's your company, and a way into your company is Enterprise, and you have no idea what's happening in the environment of the device that it's running on.