Closing Remarks: Mobile App Risk - Trends and Predictions


Session Description

We'll close out the program with emerging trends and predictions in mobile app risk.

Session Summary

  • Mobile app risk directly equals business risk due to apps' critical role in revenue and operations.

  • AI advancements will further amplify the importance of secure mobile apps as AI-powered apps multiply.

  • Mobile apps require security approaches distinct from those for web apps because they operate locally on devices.

  • Over 60% of mobile app code is third-party components, which often harbor hidden vulnerabilities.

  • Attackers use mobile apps for reconnaissance and access, making them prime targets for breaches.

  • Automation is key to effective, scalable mobile app security, freeing up analysts to focus on high-value tasks.

  • Implementing a mobile app risk management program aligned with standards like OWASP MASVS is essential and achievable.

Session Transcript

Hello, I'm Alan Snyder. I'm the CEO of NowSecure, and sadly we're coming to the end of NowSecure Connect. We sincerely hope that you've gotten a lot of really useful information that you can use within your organization, and ideally within the general community, to help avoid the apocalypse. Our goal is to make sure that you can do this in a cost-effective and secure fashion to reduce risk in your environment, and, you know, what we want to see is we want folks to use mobile apps. We want to see them flourish. We know that they add a lot of value, and we want to make sure that that happens in a safe, secure and cost-effective manner. So we want to review a little bit about what ideally everyone has learned and taken away from this, and that is mobile app risk does equal business risk, and that's because the mobile app has more of a business impact today than ever before. They are important to revenue generation. They are important to that customer connection and interaction. They're important to business operations. They drive the business forward. And with the onset of all of the innovation that is coming in the use of AI, we think that you're going to see mobile apps leading the way yet again, not just to transform the way business has been done historically, but we think you're going to see it transform what happens in the use of AI when you have not just one, but six, seven, or 20 different AIs in your pocket and available, all delivering value through specific applications that are going to help you achieve and do things that you could never do before. We're really excited about that. We think that's something that is spectacular. We're excited to play a small part in making that better. And we think that the most important thing when you go do it is to recognize we need to do it in a way that is secure. We need to do it in a way that protects privacy. We need to do it in a way that you don't get any big surprises.
We don't want to see the apocalypse occur. We would like to avoid that. And so that starts with understanding that mobile apps are different. They should not be treated the same as web apps, right? They're not protected by a web firewall. They're not protected by CNAPP solutions. Basically, the cloud piece maybe is, but you know that app lives on the local device. It has to be protected there. We see attackers using the mobile apps to do reconnaissance on your organization to understand your APIs. You need to understand that the attacker is very aware that the mobile app provides a really good view and also a gateway into your organization. Therefore, you should be applying more security protections, a higher security posture, to protecting the mobile app because it runs differently. It is different. The other piece to understand is 60% or more of a mobile app is somebody else's code. It's a third-party component. That means that those components maybe were vetted before they were put in the mobile app. Our experience says that they were likely not. But then were they vetted each time they were updated? And by vetting, it's not just saying we looked at it to find, you know, we ran SCA to find a CVE. I'm going to use as many buzzwords as I possibly can. Because what we see is there just aren't many CVEs for mobile apps and certainly fewer for their components. So it makes you feel better, but it doesn't actually identify and address the issue. So our view is do not assume that those third-party components are safe and secure. Our data shows that more than 50% of the issues that we find are in those third-party components. They must be protected. Very, very different from what you see in other types of applications, because of the high rate of reuse of those components, and the attackers are aware of that.
They know if I compromise one component, that gets spread across mobile apps, and like I've said multiple times, that mobile app is the best surveillance tool ever put on the planet, and you have an obligation, we have an obligation, to make sure they're protected and secured. Those third-party components are also sending data outside of your organization, sending your data, sending your customer data. Where is it going? What data is being sent? How's it being used? Is it being fed into somebody's AI? These are all things that you ought to know. And our goal is to help make sure that you do know, and that if something changes, you're aware and you can make sure that it was an authorized change, as opposed to this component was perfectly fine and now it's malicious. We don't want to see that happen, but we have seen instances of that before. We know that's a problem. Remember, these apps have authenticated access into your back-end infrastructure and critical systems. The number one successful attack vector for the last two years has been the same: compromised credentials. And that means MFA, your multi-factor, all things related to identity in that mobile app very much need to be protected, because that is your first and in some cases last line of defense against compromised credentials and compromised credential attacks. So from our standpoint, these are things that are well known, but they're very different in a mobile app versus a web app. And as a result, you need to have security tooling and security products that are tuned to the mobile app to actually guard against and reduce that risk. It is not the same. So the piece that's really exciting about this is that mobile app risk management is easy. The mobile apps are built on a better security platform. They're easier to secure. It does take some work to go do it. You need to first start with step one. Step one is develop and implement a mobile app risk management program.
We've got examples we talked about in one of the sessions to go through about what that looks like. But in many cases, we see customers have already done this for their web apps. They need the corresponding program for the mobile app. And you need to take into account that the mobile app is indeed different. So your program is going to be similar, but not exactly the same. What we also would highly recommend is, when you implement standards testing to the OWASP MASVS, you implement a consistent regimen in terms of what is a high business impact versus a medium versus a low. What is the testing regimen you're going to apply? What is the depth of coverage? When you have answers to those questions, you also get a level of consistency, and you get a level of provability in terms of how you're doing security in your mobile app, that then you can show regulators, auditors, you can show your board of directors, that you are indeed taking reasonable care to protect the company and to protect your customers. Our view is automation is the way to make this work. There's a lot of things that can be automated for speed, for consistency, to make sure that we get rid of the routine, and the things that NowSecure can help you do in an automated fashion. Why? Because we want to free up your cyber security analysts. We want to free up your developers to focus on the things that only they can do, to focus on the value-added things that go above and beyond where maybe NowSecure can tell you this looks strange but we need somebody to investigate. That's our goal: how do we get automation to do the things that can be automated and should be automated, because it's faster, cheaper, and more consistent, and then free up the developers and the security analysts to really focus on those things that they need to do in terms of adding value.
And the final reminder on this is you need to do this for both your first-party apps and your third-party apps, because if it has an impact to the business, it doesn't matter who built it. If it has your company IP or has customer information in it, you still have an obligation to protect it. So our view is a risk management program needs to take all these factors into account. So the bottom line: privacy issues and data leakage, they're going to impact your brand. An outage is going to lead to an operational disruption and is going to impact revenue. We don't want any of those things to happen. That is the apocalypse. That's not good for us. That's not good for mobile apps. It's not good for your business. We as security professionals, as risk management professionals, as privacy professionals, we want to avoid that and make sure that that doesn't happen. So existing methods, and this is what we see folks doing all the time: static source code analysis, pen testing once a year, maybe third-party mobile app vetting, mostly for mobile not happening at all. Our view is that existing method, the status quo, that must change. It's not working. We see it in our data in terms of mobile apps. They have lots and lots of issues, which is why we are afraid of the apocalypse. Our data shows that it's probably already occurring, or if it hasn't, it's going to, because the opportunity and the risk is legitimately there, and we see it in our data, and we at NowSecure would like to avoid that. We would like to help you avoid that, and it's easy to do. It's not that hard. Follow the process, the best practice, the procedures, the programs, all the things that we've laid out here at Connect. That can help you do it. You don't have to do it all at once. You can start incrementally and build and grow over time. The most important thing is starting with a program and then becoming an advocate to drive that change forward and making that happen.
It is, like I said, it's easy, it's cost-effective, it's good for your business. I sincerely hope that we've proven that and given you the tools, the knowledge, the skills that you need to go back into your organization to be an advocate and a champion to help make that happen. At NowSecure, we're here to help, but we recognize we're here to support you. So, let us know what we can do to help you. Let us know how we can make it better, because we all want to work together to avoid the apocalypse. I thank you for your time, and we really sincerely thank you for participating in NowSecure Connect, and I really, really wish you the best, and let us know how else we can be helpful. We're always available. Thank you.
