Denim Group, the leading secure software development company, today announced it has expanded its services to the mobile arena, now offering secure software development, mobile application security assessments and developer training to help make mobile devices a more trusted platform for business and e-Commerce. Mobile applications present a distinct security challenge in that a single application involves native code, web services and complex application programming interfaces (APIs). In addition, mobile devices provide capabilities unavailable on the desktop or laptop. As a result, there are risks specific to mobile applications that differ significantly from those of web application environments, and they must be dealt with appropriately.
"The importance of the mobile market is clear: not only have mobile device shipments soared beyond PCs, but over eight billion mobile application downloads occurred in 2010 alone, and they are predicted to increase exponentially. However, there are significant security concerns, because mobile applications can be manipulated to reveal sensitive data if they are not built correctly," said John Dickson, Denim Group principal. "Denim Group is offering software development, security assessments and developer training services focused on overcoming the unique challenges of the mobile platform to address those concerns and help advance the development of secure mobile applications across the industry."
Smartphone and tablet platforms have capabilities beyond those of the typical desktop because of integrated technologies such as cameras, GPS receivers and audio recorders, as well as network resource access, allowing organizations to build innovative applications that deliver unique services to both customers and employees. However, these capabilities create additional security risk: as sensitive data and operations move from servers to mobile devices, there is greater opportunity for data breaches and for the exposure of other security vulnerabilities.
The issues enterprises must address when deploying custom mobile applications include protecting sensitive corporate data on devices that are prone to loss or theft. Even encrypted data on a device may be at risk if the application handles keys poorly or stores data insecurely. In addition, the open networks mobile devices use to communicate are often unencrypted, so data in transit is subject to capture as well. Relying on the security of the mobile device to protect server-side assets is a mistake many application developers make: network services deployed to support mobile applications without server-side protections such as authentication and authorization present attractive targets, because an attacker can bypass the client entirely and call the service directly. Finally, mobile applications can be reverse engineered to recover private client information or corporate credentials embedded in the application or stored on the device, causing the application to unintentionally expose sensitive corporate information.
Denim Group's new services are intended to help organizations building and deploying mobile applications for their customers and employees to proactively address these risks. Practices such as integrating threat modeling into the software development lifecycle can help identify potential issues during the design stage of application development and minimize costly post-deployment remediation. Security testing of mobile applications and their server-side infrastructure is also an important check that the security efforts made during the application's design and development were successful.
In an additional announcement today (see Denim Group Launches Industry's First Secure Mobile Software Development e-Learning Courses through ThreadStrong), Denim Group also announced the industry's first e-Learning courses designed to teach developers how to secure mobile applications. Delivered through its ThreadStrong program, which is compatible with Learning Management Systems (LMS), Denim Group's training can be particularly valuable for mobile application developers who may not be versed in secure design and development practices and may also be creating applications for unfamiliar platforms with unknown security characteristics. The Overview of Mobile Application Security class familiarizes new students with the challenges specific to the mobile platform. Supplementing the introduction are two initial classes focused on Authentication and Authorization for the Android OS and iPhone OS platforms. Denim Group will be adding further in-depth secure mobile training classes in the next few months.
In addition to e-Learning for mobile, ThreadStrong offers a variety of secure application programming courses that cover topics such as Secure Coding for Java and .NET applications, Threat Modeling and Software Security Remediation Basics, as well as a free public class explaining Cross-Site Request Forgery (CSRF). Denim Group also offers public classes and instructor-led training, as well as in-house mentorship services.
Denim Group's services are based on its experience assessing and building mobile applications for a variety of industries, and its methodology uses emerging industry standards such as those defined by the Open Web Application Security Project (OWASP). These capture the major classes of vulnerabilities and weaknesses that might exist in systems incorporating mobile applications. In fact, Dan Cornell, leading technologist for Denim Group, is spearheading the platform-specific guidance section for OWASP, which will produce detailed information on how to handle the security issues of specific mobile platforms. Additionally, Denim Group examines security risks and usability weaknesses that are common in a mobile computing environment, including, but not limited to, the system's application permissions model, encryption APIs and hardware-supported encryption capabilities, and the security of network communications and data transmissions.
Denim Group has identified the likely threat agents and vulnerable components associated with specific application classes to produce a holistic, structured view that enumerates possible areas of weakness. Every application is built or assessed with a dataflow diagram, a list of identified threats, detailed countermeasures for those threats, and a record of any areas where additional security measures should be considered. Automated source code scanning and manual source code review are used to establish the security state of the mobile application as well as its associated services. Additionally, Denim Group performs manual security testing of the web services supporting an application. This testing simulates the activities of an attacker who bypasses the mobile application client to attack the web services directly, as well as an attacker who gains access to a user's device in order to recover sensitive data stored on it.
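The server-side mistake described above (a back-end that assumes only the genuine mobile app will ever call it, so it trusts whatever account identifier the client sends) and the client-bypass test that finds it can be shown in a few lines. The following is an added example written for this page, not Denim Group's code or methodology; the session store, account table, endpoint names and token values are all hypothetical and constructed inline so that it runs offline. It places the vulnerable handler beside a hardened one that derives the caller's identity from a bearer token and checks ownership on the server, then replays the request a tester would send from curl or an intercepting proxy: Bob's valid token asking for Alice's account.

```python
# Added example, not Denim Group's code. All names, tokens and balances are
# hypothetical, constructed sample data for a mobile banking back-end.
import hmac


class Unauthorized(Exception):
    """No valid session token presented."""


class Forbidden(Exception):
    """Authenticated caller may not access the requested resource."""


# Constructed session store: bearer token -> user it was issued to.
SESSIONS = {
    "tok-alice-5f1c": "alice",
    "tok-bob-9a72": "bob",
}

# Constructed account table.
ACCOUNTS = {
    "acct-1001": {"owner": "alice", "balance": 1250.00},
    "acct-2002": {"owner": "bob", "balance": 80.50},
}


def authenticate(headers):
    """Resolve an "Authorization: Bearer <token>" header to a user name.

    Tokens are compared with hmac.compare_digest so a timing side channel
    cannot help an attacker confirm a guessed token one byte at a time.
    """
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme != "Bearer" or not token:
        raise Unauthorized("missing bearer token")
    for stored, user in SESSIONS.items():
        if hmac.compare_digest(stored.encode(), token.encode()):
            return user
    raise Unauthorized("unknown token")


def get_balance_insecure(request):
    """Vulnerable handler: it assumes the mobile app only ever asks for its
    own account, so it never checks who is asking. Anyone who bypasses the
    app (curl, a proxy, a patched client) reads any account by changing the id.
    """
    return ACCOUNTS[request["params"]["account_id"]]["balance"]


def get_balance_secure(request):
    """Hardened handler: identity comes from the server-side session, and
    ownership of the requested account is checked before any data is returned.
    A missing account and someone else's account get the same error, so the
    endpoint does not confirm which account ids exist.
    """
    user = authenticate(request["headers"])
    account = ACCOUNTS.get(request["params"]["account_id"])
    if account is None or account["owner"] != user:
        raise Forbidden("account not accessible to this user")
    return account["balance"]


def attacker_reads_alices_balance(handler):
    """Simulate a tester who bypassed the client: Bob's valid token with
    Alice's account id. Returns the balance if the handler leaks it, or the
    name of the exception if the handler refuses.
    """
    request = {
        "headers": {"Authorization": "Bearer tok-bob-9a72"},
        "params": {"account_id": "acct-1001"},
    }
    try:
        return handler(request)
    except (Unauthorized, Forbidden) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    print("insecure:", attacker_reads_alices_balance(get_balance_insecure))  # 1250.0
    print("secure:  ", attacker_reads_alices_balance(get_balance_secure))    # Forbidden
```

The point of the hardened handler is that nothing the client sends is trusted for authorization: the account id is only a lookup key, and the decision to release data rests on the session the server itself issued. A real service would also rate-limit token guessing and log the Forbidden responses, since a burst of them from one token is exactly what a client-bypass attack looks like.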
Denim Group's services are designed to ensure the additional layers of security and access control needed are built into mobile applications developed for leading smartphone and tablet platforms, including Android, BlackBerry, Apple iOS and Windows Phone 7. While increasing confidence in mobile business, banking, e-Commerce and data access is critical, a seamless mobile application user experience is just as important: corporate resources must be protected from unauthorized access without a usability impact on the end user. Denim Group's suite of services enables organizations to address mobile application security concerns proactively, reaping the benefits of new and innovative applications without exposing the company's assets to undue risk.
About Denim Group
Denim Group is the leading secure software development firm. The company builds custom large-scale software development projects across multiple platforms, language