Why application security is more important than you think!
Where would we be without our apps? From paying bills on our mobile banking platform to booking flights to streaming radio stations, apps are a part of life. And they’re here to stay. Although young people (“Generation Z”) are the biggest consumers of apps, all age groups and demographics use mobile applications to some extent. The number of app downloads has been steadily increasing since 2015. In 2020 the combined app downloads from both the Apple App Store and the Google Play Store exceeded 35 billion.
If you run an enterprise, particularly a B2C business, it’s likely you have an app, whether mobile or web-based. How secure is it? Do you carry out PEN-testing on it? Or is your PEN-testing confined to your network systems? If it’s the latter, you could be exposing your business and your reputation to significant risk. Apps, by definition, are customer-facing, and customers these days are all too eager to voice any dissatisfaction they may have with suppliers on the various public forums available to them (reviews in the App Store, on Google, Twitter, Hello Peter, etc.). So you can’t afford to get it wrong when it comes to the security of your apps.
Types of PEN-testing
Firstly, here’s a reminder of what penetration (PEN) testing is. A penetration test is an ethical cybersecurity evaluation that identifies and helps to eliminate vulnerabilities and misconfigurations across an organisation’s external and internal IT environment. The tester looks for vulnerabilities, misconfigurations and development flaws by attempting to penetrate the system, hence the name. There are multiple types of PEN-testing: network, wireless, web application, mobile application, API, and build and configuration review. This article is concerned with web and mobile application testing.
What is application security?
Application security, or “appsec” for short, is what an organisation does to prevent cyber attackers from exploiting bugs in any software it uses. The security measures required will vary, depending on whether the application is third-party or custom developed. Custom apps should be subject to more stringent application security testing, or AST. A 2017 report by application security vendor CA Veracode found that over half of the enterprises surveyed sometimes do appsec testing, but not consistently enough. According to the report, “83% of organisations have released code before testing or resolving security issues.” The report analysed data from 40,000 tests of 250 billion lines of code in 2016 and 2017, and more than three-quarters of the custom applications scanned contained at least one vulnerability. With AST, the number of applications that passed the vulnerability scan increased by 13%.
Why PEN-testing should be part of your appsec
Penetration testing for custom apps works in the same way as network PEN-testing. Experienced cybersecurity specialists, such as NEWORDER, mimic hackers and attempt to penetrate the defences of the application. The benefits to your enterprise are many. Any data breach disrupts business processes, ranging from an inconvenience to a disaster. It consumes resources, costs money, and diverts attention away from productive activities. But a data breach carries risks that go beyond the immediate aggravation. Your reputation is at stake, and you may be in danger of breaching regulatory standards.
South Africa’s Protection of Personal Information Act (POPIA) came into effect on 1 July. No doubt you sent a communication to your customers about your use of their personal data. Many other countries have implemented similar privacy laws in recent years; Europe’s GDPR is the best known, but Singapore, Indonesia and other countries have introduced similar regulations. The global emphasis on data protection makes compliance with regulations a priority activity for organisations that handle data. Non-compliance could result in penalties, a loss of your licence to operate or, in the worst-case scenario, prosecution.
PEN-testing as a service will help you find and address vulnerabilities and development and configuration flaws, comply with regulations, and assess the related risks so that you can safeguard your company processes. Think of PEN-testing as one of the things you do to protect your valuable assets, just as you insure your vehicles and your property.
What does appsec PEN-testing test?
If you’ve never carried out PEN-testing on your custom apps, whether web-based or mobile, you may be wondering what’s involved. Web application testing assesses websites and custom web applications delivered over the internet. It aims to identify issues resulting from weaknesses in design, coding and development practices. Mobile application testing reviews apps across mobile operating systems, including Android, iOS and Windows, to identify issues with authentication, authorisation, data leakage and session handling.
When we work with you to plan your PEN-test, we will request certain information to scope the assessment. As part of the scoping process, we will set up a meeting to discuss the scope and requirements.
NEWORDER – your cybersecurity partner
NEWORDER is one of Africa’s leading information security and corporate threat protection services. We provide custom business application PEN-testing services (including application program interface or API). We give you strategic and tactical insight into your cybersecurity status.
To find out more about our range of cybersecurity services, contact Bennie Barnard.
Mobile: +27 82 577 5000
Last modified: August 11, 2021