Justifying the investment to secure mobile apps is a common challenge that IT and security professionals find themselves facing as they approach budget or project planning. Proper investment in mobile security can often be overlooked as part of the planning process.
These are just a few ways that we see this happening:
- Insufficient budgets for security – it is often hard to justify the investment for services that don’t yield a direct ROI. Mobile security services and software fall into this category: when you invest in security, you aren’t investing in something that will yield a monetary return. Instead, you’re paying to mitigate or minimize the cost of damages incurred, much like an insurance policy.
- Insufficient development time – mobile app developers are constantly pushed to meet deadlines for features and services. In this scramble, secure development practices are often overlooked, and apps are rushed to market with insecure code and without proper security testing. In a field like mobile, where first-to-market often wins, it is understandable why some businesses do this. It is a very costly practice, however.
- Insufficient training and talent – developing secure code for mobile apps isn’t something that comes naturally to most developers. There are nuances to mobile platforms that require some training and talent to understand. In the words of Godfrey Nolan, a well-known security researcher, companies are hiring “mobile code jockeys” who don’t have a complete understanding of what it takes to securely develop an app.
What Is The Cost of Not Securing Your App?
Recently, Credit Karma and Fandango were nailed with pretty hefty orders from the FTC for not properly implementing SSL in their mobile apps. Both companies are being required to establish comprehensive security programs aimed at addressing security risks during app development AND to undergo independent security assessments every other year for the next twenty years. Twenty years? For not implementing SSL…a development best practice? Ouch!
Twenty years of security assessments may not be the consequence in every situation, but the point stands: investing in security for your mobile app will help mitigate and minimize costly consequences later.
Invest in Security
Investing in security early is important to minimizing damage later. Train your developers, plan your projects to account for sufficient security testing, and equip your security teams with the necessary tools to secure your app as it operates in the wild.