Securing your app dev: a cloud + 6 tips
Posted on July 23, 2015 by Tim Burke

In my last post, I focused on the extent to which today’s cloud app development centers on mobility, IoT (the Internet of Things), and the backend integration of it all. While you were reading, you may have noticed that I didn’t mention cloud app security. That’s because I believe cloud app security — particularly the security of web, mobility, and IoT apps — deserves its own discussion.

The dangers of neglect

When I examined this topic early last year, I cited some pretty scary statistics. Sadly, it remains true that 40% of enterprises neglect the steps necessary to secure customer apps; many have also done a poor job of protecting corporate and BYOD assets from cyberattack. To their peril, some sectors are more at risk than others: healthcare, for instance, lags notably — a dangerous situation given that the value of personal health information is ten times greater than that of financial data such as credit card numbers. The question, then, is what to do about it.

Now that you’re mobile: avoiding app dev potholes

First, choose a cloud environment operated by an experienced, trustworthy, credentialed provider. Cloud apps and cloud app development in such an environment are inherently more secure than traditional in-house applications and datacenter-based app dev. Why? Because such an environment fields leading-edge security technologies operated by first-class experts.

Next step: avoid these six mobile and cloud app potholes:

1. Storing data insecurely. It’s best to keep sensitive data off user devices entirely, but if you must store it there, do so securely.
2. Leaky apps. Monitor the when, where, and how of the data your apps collect in order to avoid the sort of inadvertent leaks purportedly suffered by Angry Birds at the hands of the NSA.
3. Wimpy server-side controls. Beware of backend legacy APIs built without any awareness that devices outside the enterprise network will access them. Harden any servers against unauthorized data access by apps.
4. Cracked crypto. Opt for state-of-the-art encryption APIs, perform penetration testing and threat modeling, and use interactive tools that can record and modify an active session.
5. Inadequate key management. Even if you’ve used strong encryption, all is lost if your app is deployed with keys stored in vulnerable places (e.g., byte code).
6. Untrusted inputs. Insufficient encryption can allow attackers to modify inputs that are in turn used for authentication/authorization — and you may end up with a security breach.

Fortunately, you don’t have to go it alone. The right cloud provider can also become your expert ‘white hat’ app dev provider and advisor.
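Potholes 5 and 6 above (keys shipped inside the app, and authorization decisions made on inputs the client can edit) are two sides of the same backend control. The following is an added example, not code from the original post: the server keeps an HMAC key that is loaded from the environment (or whatever secrets store backs that mapping) and never has an in-code default, and every authorization claim it hands to a client is carried in a signed token, so a client that edits the claim body invalidates the tag. The environment variable name APP_SIGNING_KEY, the claim layout, and the timestamps are assumptions made for this example.

```python
"""Added example (not from the original post): authorization claims carried in an
HMAC-signed token, with the signing key loaded from outside the code."""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Mapping, Optional


def load_signing_key(env_var: str = "APP_SIGNING_KEY",
                     env: Mapping[str, str] = os.environ) -> bytes:
    """Fetch the HMAC key from the environment or a secrets-manager-backed mapping.
    Deliberately no default: a key baked into byte code ships to every device."""
    raw = env.get(env_var)
    if not raw:
        raise RuntimeError(f"{env_var} is not set; refusing to run with an embedded key")
    if len(raw) < 32:
        raise RuntimeError(f"{env_var} is too short for an HMAC-SHA256 key")
    return raw.encode()


def sign_claims(claims: dict, key: bytes) -> str:
    """Serialize the claims and append an HMAC-SHA256 tag: <body>.<tag>."""
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    ).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if the tag matches and the token has not expired."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, tag = parts
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself does not leak the tag byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, json.JSONDecodeError):
        return None
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims


def tamper_demo(key: bytes) -> dict:
    """Issue a token for an ordinary user, then show that a client-side edit of the
    role field (the untrusted-input case) is rejected while the genuine token passes."""
    issued_at = 1_700_000_000.0                       # constructed timestamp
    claims = {"sub": "user-42", "role": "user", "exp": issued_at + 3600}
    token = sign_claims(claims, key)
    body, tag = token.split(".")
    # Simulated tampering: decode the body, change the role, re-encode, keep the old tag.
    edited = json.loads(base64.urlsafe_b64decode(body.encode()))
    edited["role"] = "admin"
    edited_body = base64.urlsafe_b64encode(
        json.dumps(edited, sort_keys=True, separators=(",", ":")).encode()
    ).decode()
    edited_token = f"{edited_body}.{tag}"
    return {
        "genuine": verify_token(token, key, now=issued_at + 10),
        "edited": verify_token(edited_token, key, now=issued_at + 10),
        "expired": verify_token(token, key, now=issued_at + 7200),
    }


if __name__ == "__main__":
    demo_key = load_signing_key(env={"APP_SIGNING_KEY": "x" * 32})  # constructed key
    for label, result in tamper_demo(demo_key).items():
        print(f"{label:8s} -> {result}")
```

The point of `load_signing_key` having no fallback is that a missing secret fails loudly at startup instead of silently using a constant that an attacker could read out of the shipped binary; the point of `verify_token` is that the server decides the role from its own signed data, never from a field the device sent back unauthenticated.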