Why Mobile-First Organizations Must Invest in App Security
Posted by Alan Snyder
Mobility has revolutionized the way customers interact with brands and paved the way for mobile-first organizations. We know that attackers will follow the traffic as they always do. But while mobile app risk continues to increase, security spending continues to fight the battles of yesterday and hasn’t shifted to safeguard the mobile attack surface.
Airbnb, Grubhub, Uber and others pioneered pure-play mobile organizations. Traditional organizations have shifted to mobile first as well. For example, McDonald’s has invested a whopping $6 billion in digital transformation. Today, 60% of Domino’s Pizza orders occur online. And with 23.4 million users in 2018, the Starbucks mobile app eclipses Apple Pay for mobile payments, demonstrating just how important mobile ordering is to the company.
Mobile App Traffic Tops Mobile Web
Companies engage more with customers and prospects via mobile apps than by the web. Mobile apps dominate digital media usage, accounting for 87% of time spent on mobile as compared to 13% for mobile web, according to Comscore.
According to Statista, 52% of all website traffic worldwide was generated through mobile phones. And by 2021, mcommerce will represent the majority of ecommerce spending, forecasts eMarketer.
This is a significant shift that executives must take seriously and plan accordingly. I challenge you to examine your mobile vs. web traffic levels to see how customers engage and perform transactions — you will see the shift that is occurring. No matter your industry, customers, clients and users of all ages predominantly interact with organizations like yours via a mobile app rather than the web. But are you safe? How do you know?
Hackers have taken notice and they have followed the mobile traffic. Questioned why he robs banks, famous criminal Willie Sutton, Jr., is said to have responded, “Because that’s where the money is.”
Risky Mobile Business
Consider this sobering fact: NowSecure analysis of 45,000 public mobile apps shows that 85% have security vulnerabilities stemming from insecure data storage, network communications or coding practices. I am consistently shocked at how little executives understand about mobile app security. Common misconceptions include:
- Treating mobile apps as if they were the same as web apps
- Assuming mobile apps are secure because Apple and Google review them
- Believing that an outsourced penetration test once a year is sufficient
But as traffic shifts to mobile and the risk of security vulnerabilities and privacy gaps increases, organizations aren’t properly aligning application security spending to best counter threats. I find it amazing that companies still spend the bulk of their security budgets on network and web solutions — and don’t prioritize protecting the mobile attack vector. If more than 50% of your customer-facing traffic comes from mobile apps but the security spend on mobile apps is less than 1% of your security spend, then you’re destined to be breached and be forced to react to a very predictable risk.
Enterprises are looking in the rear-view mirror fighting the last war and will be surprised yet again by an attacker. I believe that MANY mobile apps HAVE been compromised, but organizations lack sufficient visibility to even detect the breach.
Mobile Threat Mitigation
The most successful organizations that we work with mitigate security threats by building security into their mobile app development process. Automating security testing as part of the DevSecOps pipeline costs a lot less than finding and fixing vulnerabilities in production. It is also much quicker to detect issues before release than to conduct manual penetration testing at the end of the cycle. This practice eases the load on your overworked application security team and protects your customers.
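To make "automated security testing in the pipeline" concrete, here is an added example (not code from the original post and not NowSecure's platform) of a minimal build gate that a CI job could run on every Android build: it parses the app's AndroidManifest.xml and fails the build when it finds a few well-known risky settings that map to the data-storage and network-communication weaknesses mentioned above. The attribute names (`android:debuggable`, `android:allowBackup`, `android:usesCleartextTraffic`, `android:exported`, `android:permission`) are real Android manifest attributes; the two manifests, the severity labels and the fail-on threshold are constructed for this example and are assumptions, and the checks are deliberately narrow, not a substitute for a full static and dynamic mobile appsec test.

```python
"""Example mobile DevSecOps build gate (added example, not NowSecure's code).

Parses an Android manifest and returns findings for a few risky settings;
a "high" finding makes the gate return a non-zero exit code so CI blocks
the release. Both manifests below are constructed for this example.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr):
    """Qualified name of an attribute in the android: namespace."""
    return f"{{{ANDROID_NS}}}{attr}"


# Constructed manifest with several deliberately weak settings.
WEAK_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.shop">
  <application android:debuggable="true"
               android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".OrderReceiver" android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""

# Constructed hardened manifest: same components, corrected settings.
HARDENED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.shop">
  <application android:debuggable="false"
               android:allowBackup="false"
               android:usesCleartextTraffic="false">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".OrderReceiver" android:exported="true"
              android:permission="com.example.shop.permission.ORDER"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""


def is_launcher(component):
    """True if the component carries a LAUNCHER category (expected to be exported)."""
    for cat in component.iter("category"):
        if cat.get(a("name")) == "android.intent.category.LAUNCHER":
            return True
    return False


def check_manifest(manifest_xml):
    """Return a list of (severity, message) findings for one manifest."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return [("high", "no <application> element in manifest")]
    findings = []
    if app.get(a("debuggable")) == "true":
        findings.append(("high", 'android:debuggable="true": release build is debuggable'))
    if app.get(a("usesCleartextTraffic")) == "true":
        findings.append(("high", 'android:usesCleartextTraffic="true": plaintext HTTP allowed'))
    if app.get(a("allowBackup")) == "true":
        findings.append(("medium", 'android:allowBackup="true": app data extractable via adb backup'))
    # Exported components other apps can reach with no permission requirement.
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            name = comp.get(a("name"), "<unnamed>")
            exported = comp.get(a("exported")) == "true"
            guarded = comp.get(a("permission")) is not None
            if exported and not guarded and not is_launcher(comp):
                findings.append(("high", f"{tag} {name} is exported without a permission"))
    return findings


def gate(manifest_xml, fail_on=("high",)):
    """Return (exit_code, findings); exit code 1 means the pipeline should block."""
    findings = check_manifest(manifest_xml)
    blocking = [f for f in findings if f[0] in fail_on]
    return (1 if blocking else 0), findings


if __name__ == "__main__":
    # Usage: python manifest_gate.py path/to/AndroidManifest.xml (defaults to the weak sample)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_MANIFEST
    code, results = gate(source)
    for severity, message in results:
        print(f"[{severity}] {message}")
    sys.exit(code)
```

Run as a pipeline step, the script's exit code is what matters: the weak manifest produces three high findings (debuggable, cleartext traffic, the exported `OrderReceiver`) plus a medium one and blocks the build, while the hardened manifest passes cleanly. The launcher activity is skipped on purpose, since it must be exported for the app to start. Gates like this are cheap to extend with further checks and run on every commit, which is the point of the paragraph above: catching these settings before release costs far less than discovering them after the app is in customers' hands.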
A reasonable investment in mobile application security today to incorporate security into the development process will save you from having to respond to a breach tomorrow. In fact, for less than the cost of an annual outsourced pen test, you can have automated, continuous testing in your SDLC.
Designed for use by developers, security analysts and quality assurance pros, the NowSecure automated mobile appsec testing platform enables organizations to deliver secure mobile apps faster. Get a demo to see the solution in action for yourself and how cost effectively it can reduce risk. An ounce of prevention is worth a pound of cure, so please get out ahead of this very real issue.