"Through 2017, Gartner predicts that 75 percent of mobile security breaches will be the result of mobile application misconfigurations, rather than the outcome of deeply technical attacks on mobile devices. A classic example of misconfiguration is the misuse of personal cloud services through apps residing on smartphones and tablets. When used to convey enterprise data, these apps lead to data leaks of which the organization remains unaware in the vast majority of cases."
It made me stop and wonder what was going on in the world of software development when basic security was being missed entirely by developers. They have certainly missed some security details in the past development of operating systems and enterprise applications, but 75% seems like a big number. What is going on here?
More people can be developers now without knowing a diverse set of languages and operating systems. They can write for one type of OS, and that can be a phone. Kids are doing it in school, where they probably don't get the basics of security the way they should. When they go to college they will get it, right? No. They don't get the basics of security in software development there either. Some professors gloss over it. A few don't cover it at all but hand out references that have to be read. Some don't know anything about security and leave it out entirely. I know because I worked with universities and colleges for years trying to get them to put more security into their coursework. The vast majority just won't do it. They think security is something security people do.
By the time they work their way into a company (or start one on their own) they begin to carry more responsibility for including basic security as a part of doing business on the Internet. That should be part of the business due diligence for a product that is going to operate in a hostile environment. We don't see developers getting blamed for the way they write software, and they always promise to fix it "in the next release". I can't tell you how often I heard that phrase. Vendors very carefully avoid any liability for the products they produce. They make you sign long agreements that you have to accept or you don't get the software or the upgrade. I have always thought of this as extortion. They deny you the right to the product after you have paid for it, by adding conditions nobody should have to agree to. If they sold cars the way they sell software, I would still have my first one.
How about a description of the basic security features every app should have, along with the types of behavior that are prohibited? We used to do that in the systems I worked on. It is called a Security Policy, and every system is tested for adherence to it. Apple does do this type of testing, but the Android ecosystem generally ignores it. Google announced on the 16th that it will be reviewing apps for compliance with its policy and has devoted some internal resources to doing it. Other Android OEMs are in such a rush to have apps available that they would rather work out the operational problems with patches and updates. In the meantime, every user who downloads such an app is at risk until the vendor changes the software.
A few standards and a little testing would go a long way toward correcting some of the deficiencies in the system that produces apps. If the software doesn't meet the testing standards, it can't be sold. If it fails a basic security test, don't let it be sold until those failures are corrected. All sides of the industry seem willing to dump the testing onto a user who has to be hacked and complain before anything gets done. This is like GM putting off ignition switch repairs until it finally had enough complaints to take a closer look. Eventually the software industry will have to look more closely at itself and accept responsibility for what it is producing.