The expanding information perimeter needs to be tested
Business Intelligence has changed the way we drive commerce. Better informed decisions are delivering critical competitive advantages, in virtually every sector of enterprise. Executive judgement and analytical skills have therefore never been as important to a business’s success.
It’s small wonder then that executives want more access to their data — not just from the office but at home via a laptop, or even on a mobile device such as the Apple Watch. In 2015, this has given rise to the emergence of mobile business intelligence apps in the cloud, which is a great innovation. However, with the increasing sophistication of cybercrime, there is a growing security risk that sensitive confidential information and monetary assets could become the target of hackers.
In recent years, hackers have increased the frequency and effectiveness of their attacks by finding and exploiting vulnerabilities within the application code to get at the underlying data. For example, they can manipulate applications to steal or tamper with information using techniques such as SQL injection or cross-site request forgery.
New application delivery models and platforms (such as cloud and mobile) and technologies (such as mobile app programming languages and frameworks) inherently pose new security risks. Application security technologies and processes have not yet been developed or matured for them. Yet the pressure to make more and more sensitive information available on demand will only grow in the next few years.
Enterprises therefore need to protect their information — be it financial data or, in the case of HR professionals, personal information. They can only do this by implementing a comprehensive, life-cycle approach to application security and by increasing their investment in security penetration testing. We at Experior have seen a growing awareness of the amount of sensitive data that is now being viewed and used outside of the office walls — but there’s still a lot of ignorance on the topic.
Business leaders need to be asking their IT provider the right questions: How do we stop someone outside of the company from accessing the information on a mobile device? If it’s in the cloud and being called down to a mobile app, what’s stopping them?
Fortunately, there are application security testing (AST) products (such as those offered by HP, IBM and Veracode) that analyze apps and test them for weaknesses, and that can be delivered as a tool or as part of a service. Mobile AST products enable the testing of mobile application security by testing web service interfaces and analyzing the application’s behavior statically and dynamically to identify security risks. Security testing will point to the application functions that do not follow the enterprise’s security rules, such as those governing the sharing of corporate information with external locations.
This is an important first step in the battle to make increasingly valuable data available whenever and wherever it is needed. But there is a long way to go before business intelligence applications for the enterprise will carry the security promise of a consumer banking application. This is a challenge that is not going to go away — as more and more data is going mobile. This means the CTO and CISO must start thinking mobile too. As the perimeter of information expands, so must the security measures they take — from the application’s conception through to its continued use when it goes live.
Originally posted January 6, 2016, by Muriel Wren, Experior Group