This post is from the Arxan blog and has not been updated since the original publish date.
Vulnerability Epidemic in Financial Mobile Apps - Episode 6 [Video]
Pros & cons of app security approaches
Do you think we do enough as an industry in educating developers about not just how their code functions, but how it is actually composed in the end? You know, you write a program in C, C++, Java, and then you end up distributing that. Do you think we spend enough time actually teaching people what's inside their apps?
So, when you say we--what do you mean by we?
You mean, like, analysts, or--
The state of information security, or what best practice is.
Do we focus enough on the end result?
I don't think so. So one of the companies that I used to work with made smart meter apps. So they would drive by and they would collect information wirelessly from their water pumps, right? Their water information. It was for smart metering. And I recall where the final product--and this was, of course, a mobile app--the final product had been through multiple revs, and multiple versions had been published for the app, and it had never gone through any kind of OWASP Top 10--an application pentest had never been performed. And it was almost like they didn't stop to think about it until this came up in ISO 27001. Like, OK, we're getting certified for ISO 27k. Oh, wait a minute. We need to send our developers to secure code training. It's not really thought about. It's not really talked about.
It's almost like cybersecurity is, like, oh, that's their problem. That's them. Implementing firewalls, implementing VPN--that's cybersecurity. We have products to develop, we have apps to develop. That's not an us issue. And along those lines, it seems like there's a lot of attention now around cybersecurity insurance. Like, let's continue to move that ball to someone else's responsibility.
You've tested a number of apps. I assume that there's at least one of them that probably has a cyber insurance policy. Should they be getting these policies? How are they able to--
So I released a 2019 Trends Report where I prioritized the number based on interviews with CISOs of how much of their budgets were going to certain technologies. And cybersecurity insurance was in there. It was, like, number four. But basically, a lot of companies are beginning to adopt cyber insurance, realizing that it's no longer about if we're going to get breached, but when, and how quickly can we detect it, and how much can we actually lower or limit the amount of data exfiltrated, or how hard can we make it for them to find it?
Cyber insurance is an interesting thing. We have a completely separate practice devoted to that--to insurance. But I can tell you that in the CISOs that I interviewed, roughly 45% of their total annual budget was going to insurance, because they knew that they needed it, they knew it was going to happen, and they knew they couldn't defend against it. So I mean, you look at--what, the Target breach reached a total of over $600 million, right? It was, like, massive costs. As we get more data being published from these breaches about how much it's costing the companies, we're talking about existential threats to these organizations that are involved in a breach. And you need insurance to keep you alive. It's a part of doing business now.
If companies are investing 45% of their budget in cyber insurance, are they just letting that take the responsibility for their end customers' loss of data? If you're discovering these things are so easily in application--
So would they rather just buy the insurance to deal with in case this happens, versus actually implementing the security control?
I mean, this is almost similar to financial institution fraud methodology. If the margin is bigger on one side or the other, does that actually help us move any--for risk transference and other risk-transference things.
I can tell you that there's one particular CISO that I interviewed last year who had that mentality, that had that methodology. The problem is, though, that a lot of these CISOs who buy insurance instead of security controls--it's speed to market, first to market, right? Just get it out there and buy the insurance in case it happens--don't realize that you now have to begin polishing your resume. Because the CISOs are the fall guy, or fall girl. They're the ones who--look at Target. And look at the Equifax breach. They went after her personally. Do you remember that? There were news reports that surfaced where they were going after the fact that she had a degree in botany, or something. It was like a really weird degree. But they were going after her personally, and who she was as a person. And CISOs are--that is the handle that they pull when something happens. Like, oh, we had a CISO who didn't know what she was doing. You know? You need to blame somebody. CEO's not going to blame himself, right?
So we talk at Arxan a lot about customers adopting security as part of their dev ops, or their dev sec ops practice. And we've invested a lot of time and effort in making these things easy to adopt. Is that the right direction? Are these the kind of things that are going to change the behavior of big financial institutions and banks to actually start integrating security into their lifecycle?
I believe that 2019--the theme this year is going to be eliminating friction for the admin, for the developer, for the user. You look at these MFA apps, and a lot of the solutions out here at RSA--they're, like, easy security. We'll give you an SDK, recompile your app with our SDK. Whatever it may be. It's about being able to secure it. Like, shrink that attack surface. Not eliminate it--shrink it--but in something that can be done easily and quickly. And I agree with you, I think it's friction. I think a lot of the times--how many times have you--let's talk about PKI for a second.
How many times have you SSH'd into a server? Like, I meant to copy my private key over here, but I put it in that .ssh and then upload it to the--it's a pain in the ass. You know? I mean, PKI was always a pain in the ass. Aaron, have you ever tried to add an S/MIME certificate to Outlook? Seriously, like, how much alcohol did you need before you tried to do that? Right? It's like, pass the wacky tobaccky. Like, it took, what, 15, 20 minutes to figure it out, right?
So I think it's about user friction. And I think, much to your point, that the theme this year is, OK, we understand that based on this research, we need to consider this a real problem. What do we do about it? And how easily and quickly can we do it? Because we don't want it to disrupt our time to market.
Security's about enabling the business, not stopping it from happening.