Consolidated Edition. 5th Annual State of Application Security Report Perception vs. Reality

Similar documents
State of Cloud Survey GERMANY FINDINGS

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

IBM Future of Work Forum

2010 Online Banking Security Survey:

C1: Define Security Requirements

THALES DATA THREAT REPORT

Rethinking Information Security Risk Management CRM002

Security in India: Enabling a New Connected Era

KNOWLEDGE GAPS: AI AND MACHINE LEARNING IN CYBERSECURITY. Perspectives from U.S. and Japanese IT Professionals

OWASP Top 10 The Ten Most Critical Web Application Security Risks

FDA & Medical Device Cybersecurity

Effective Strategies for Managing Cybersecurity Risks

270 Total Nodes. 15 Nodes Down 2018 CONTAINER ADOPTION SURVEY. Clusters Running. AWS: us-east-1a 23 nodes. AWS: us-west-1a 62 nodes

MOBILE SECURITY 2017 SPOTLIGHT REPORT. Information Security PRESENTED BY. Group Partner

Medical Device Cybersecurity: FDA Perspective

Weak Spots Enterprise Mobility Management. Dr. Johannes Hoffmann

Cyber Security: Threat and Prevention

JAPAN CYBER-SAVVINESS REPORT 2016 CYBERSECURITY: USER KNOWLEDGE, BEHAVIOUR AND ATTITUDES IN JAPAN

REPORT. proofpoint.com

Second International Barometer of Security in SMBs

Birmingham Community Healthcare NHS Foundation Trust. 2017/17 Data Security and Protection Requirements March 2018

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Operationalizing Cybersecurity in Healthcare IT Security & Risk Management Study Quantitative and Qualitative Research Program Results

CHIME and AEHIS Cybersecurity Survey. October 2016

Mastering The Endpoint

How to Improve Your. Cyber Health. Cybersecurity Ten Best Practices For a Healthy Network

2017 THALES DATA THREAT REPORT

Engaging Executives and Boards in Cybersecurity Session 303, Feb 20, 2017 Sanjeev Sah, CISO, Texas Children s Hospital Jimmy Joseph, Senior Manager,

Putting security first for critical online brand assets. cscdigitalbrand.services

Cyber Security in Timothy Brown Dell Fellow and CTO Dell Security

HEALTH CARE AND CYBER SECURITY:

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

Moving Workloads to the Public Cloud? Don t Forget About Security.

The Android security jungle: pitfalls, threats and survival tips. Scott

European Union Agency for Network and Information Security

Bring Your Own Device (BYOD)

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Panda Security 2010 Page 1

Protect Your Organization from Cyber Attacks

mhealth SECURITY: STATS AND SOLUTIONS

JUST WHAT THE DOCTOR ORDERED: A SOLUTION FOR SMARTER THERAPEUTIC DEVICES PLACEHOLDER IMAGE INNOVATORS START HERE.

Methodology USA UK AUSTRALIA CANADA JAPAN N=1,008 MOE=+/-3% N=1,044 MOE=+/- 3% N=1,028 MOE=+/- 3% N=1,025 MOE=+/- 3% N=1,005 MOE=+/- 3%

Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

VIETNAM CYBER-SAVVINESS REPORT 2015 CYBERSECURITY: USER KNOWLEDGE, BEHAVIOUR AND ATTITUDES IN VIETNAM

Tripwire State of Container Security Report

2016 Survey: A Pulse on Mobility in Healthcare

The Third Annual Study on the Cyber Resilient Organization

BACKUP TO THE FUTURE A SPICEWORKS SURVEY

Psychology of Passwords: Neglect is Helping Hackers Win

CompTIA Security Research Study Trends and Observations on Organizational Security. Carol Balkcom, Product Manager, Security+

Making Security Agile

Secure Access & SWIFT Customer Security Controls Framework

ACHIEVING FIFTH GENERATION CYBER SECURITY

Unisys Security Insights: Australia A Consumer Viewpoint 2015

Cyber fraud and its impact on the NHS: How organisations can manage the risk

Cyber Security in Smart Commercial Buildings 2017 to 2021

Todd Sander Vice President, Research e.republic Inc.

GLOBAL ENCRYPTION TRENDS STUDY

THE STATE OF MEDIA SECURITY HOW MEDIA COMPANIES ARE SECURING THEIR ONLINE PROPERTIES

THE POWER OF TECH-SAVVY BOARDS:

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

Conducted by Vanson Bourne Research

Managing Cybersecurity Risk

Fundamental Shift: A LOOK INSIDE THE RISING ROLE OF IT IN PHYSICAL ACCESS CONTROL

CSWAE Certified Secure Web Application Engineer

Converged Security - Protect your Digital Enterprise May 24, Copyright 2016 Vivit Worldwide

KEY FINDINGS INTERACTIVE GUIDE. Uncovering Hidden Threats within Encrypted Traffic

Safeguarding company from cyber-crimes and other technology scams ASSOCHAM

The Evolving Threat to Corporate Cyber & Data Security

AGILE AND CONTINUOUS THREAT MODELS

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Combating Cyber Risk in the Supply Chain

Adobe Security Survey

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

Governance Ideas Exchange

Building a Threat Intelligence Program

Mid-Market Data Center Purchasing Drivers, Priorities and Barriers

Building a Business Case for Cyber Threat Intelligence. 5Reasons Your. Organization Needs a Risk-Based 5Approach to Cybersecurity

What It Takes to be a CISO in 2017

The data quality trends report

Gaps in Resources, Risk and Visibility Weaken Cybersecurity Posture

Cybersecurity Survey Results

Professional Services Overview

Something missing in Cloud certification

Cyber Risk and Networked Medical Devices

Cybersecurity and Data Protection Developments

10 Hidden IT Risks That Might Threaten Your Business

PULSE TAKING THE PHYSICIAN S

Spotlight Report. Information Security. Presented by. Group Partner

Cybersecurity 2016 Survey Summary Report of Survey Results

Evaluating Cybersecurity Coverage A Maturity Model. Presented to: ISACA Charlotte Chapter Vision for IT Audit 2020 Symposium

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Cyber Security and Data Protection: Huge Penalties, Nowhere to Hide

COST OF CYBER CRIME STUDY INSIGHTS ON THE SECURITY INVESTMENTS THAT MAKE A DIFFERENCE

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Cyber Security and Cyber Fraud

What can we lose not implementing proper security in our IT environment? Aleksandar Pavlovic Security Account Manager Cisco

MOVING MISSION IT SERVICES TO THE CLOUD

2015 HFMA What Healthcare Can Learn from the Banking Industry

Transcription:

Consolidated Edition 5th Annual State of Application Security Report Perception vs. Reality January 2016

State of Application Security Report Consolidated Edition 2 Table of Contents Executive Summary... 2 Methodology... 3 Research Findings... 4 Recommendations... 6 Executive Summary Nearly half (48%) of consumers who use mobile health and mobile finance applications expect their apps to be hacked within the next six months. So too do executive IT decision makers (46%) who have oversight or insight into the security of the mobile healthcare and mobile finance apps they produce. This sentiment makes it sound like mobile applications are at a hopeless state of security where, despite Herculean efforts to thwart attackers, adversaries are expected to prevail. But it s not hopeless. It s careless. Especially when you consider that 50% of organizations have zero budget allocated for mobile app security 1. It is crucial for organizations with mobile apps to double-down on app security. Why? If they don t, they risk losing customers. 80% of consumers indicated they would change providers if they knew the apps they were using were not secure. And 82% of consumers would change providers if they knew alternative apps offered by similar service providers were more secure. While millennials are driving the adoption of mobile apps, their views on the importance of app security were equally as strong as the older non-millennials. In general, survey results showed very little geographical discrepancies across the US, UK, Germany, and Japan, and also very little discrepancy between health apps and finance apps. Interestingly, however, while the ios operating system is often viewed as more secure than Android, ios apps were shown to be more vulnerable than Android apps in this study. 82% of app users would change providers if apps offered by similar providers were more secure.

State of Application Security Report Consolidated Edition 3 Executive Summary (cont d.) So should we expect a critical mass of consumers to walk away from organizations because their mobile apps do not have the level of security protection they expect? Based on these research findings, perhaps. When put to the test, the majority of mobile apps failed security tests and could easily be hacked. Among 126 of the most popular mobile health and mobile finance apps tested for security vulnerabilities, 90% were shown to have at least two OWASP Mobile Top 10 Risks 2. Such vulnerabilities could allow the apps to be tampered and reverse-engineered, put sensitive health or financial information in the wrong hands and, even worse, potentially force critical health apps to malfunction or redirect the flow of money. Surprisingly, US Food and Drug Administration (FDA)-approved apps and formerly UK National Health Service (NHS)-approved apps were among the vulnerable mobile health apps tested, indicating that there is more work to be done by governing bodies to better understand the cybersecurity threats to mobile apps and to improve the minimum acceptable security standards or regulations for mobile app development. Mobile app security is becoming an increasingly important decision-making factor for consumers seeking to do business with organizations they can trust to protect their privacy and provide robust security. For businesses with mobile apps, this means that security can be used as a competitive differentiator to help attract and retain customers. While it s clear why organizations should mitigate the security, financial, and brand risks associated with vulnerable mobile apps, it s less clear what organizations and consumers should do to improve protection. This report provides recommendations for how organizations and consumers can minimize the risk of their mobile apps being hacked. Methodology Arxan commissioned a third-party, independent research organization in November 2015 to undertake an electronic survey of 1,083 individuals in the US, UK, Germany, and Japan: 815 consumers who use mobile health and mobile finance apps 268 IT decision makers within organizations that produce mobile health and mobile finance apps and who also have oversight or insights into the security of those mobile apps Also in October and November 2015, a third-party independent analysis of a total of 126 popular mobile health and mobile finance apps from each of the four countries was undertaken leveraging Mi3 solutions. Arxan selected the apps from among the most popular mobile health and finance apps for the Android and ios platforms for each region. Included among the apps tested were 19 mobile health apps approved by the US Food and Drug Administration (FDA) and 15 mobile health apps that were previously approved 3 by the UK National Health Service (NHS).

State of Application Security Report Consolidated Edition 4 The Findings 84% feel their mobile apps are adequately secure (83% consumers / 87% app execs) Folks think their apps are adequately secure. Thumbs up both consumers and IT decision makers with security insights into the mobile apps they develop strongly believe that their mobile apps are secure. In fact, the majority feel that app providers are doing everything they can to protect their apps. 63% feel everything is being done to protect the mobile apps (57% consumers / 82% app execs) 90% 90% of 126 apps tested had at least two critical security vulnerabilities However, perception is not reality. Thumbs down most apps have significant vulnerabilities. Vulnerability assessments of 126 mobile health and finance apps in the US, UK, Germany, and Japan revealed that 90% were not adequately addressing two or more of the Open Web Application Security Project (OWASP) Top 10 Mobile Risks. 100 80 Percentage of OWASP Mobile Top 10 Risks Not Addressed M3 83% M1-10 Vulnerability Type M10 98% 60 M4 58% 40 20 0 M1 18% M2 2% M5 2% M1: Weak server side controls M2: Insecure data storage M3: Insufficient transport layer protection M4: Unintended data leakage M5: Poor authorization and authentication M6 0% M7 19% M8 30% M9 4% M6: Broken cryptography M7: Client-side injection (malware) M8: Security decisions via untrusted inputs M9: Improper session handling M10: Lack of binary protection

State of Application Security Report Consolidated Edition 5 50% 48% 50% of organizations have zero budget allocated for mobile security Source: IBM/Ponemon 48% feel that their app will likely be hacked within the next 6 months Shocking? Not really. Many companies are not investing in mobile app security. According to IBM Security/Ponemon 4, 50% of organizations allocate no budget for mobile app security. Perhaps this is why nearly half of all respondents feel that their apps are likely to be hacked within the next six months. 82% 82% of consumers would change providers if an alternative app was more secure. Who cares? You do. Even without experiencing an attack on their mobile apps, 80% of consumers would change providers if their app is known to be vulnerable or if an alternative app is more secure. Interestingly, more than 90% of app executives also believed that consumers would change providers if they knew their apps were insecure or if a similar provider offered a more secure mobile app. Ignorance must be bliss. If folks actually knew how vulnerable their apps really were, according to this study, we should expect a mass exodus of customers fleeing to providers of more secure, trusted mobile apps. Among the most prevalent OWASP Mobile Top 10 Risks identified among the mobile health and finance apps tested are: 1) lack of binary protection (98%) this was the most prevalent vulnerability; and 2) insufficient transport layer protection (83%). These vulnerabilities make applications susceptible to reverse-engineering and tampering, in addition to privacy violations and theft. According to Arxan CTO Sam Rehman, The impact for businesses and users can be devastating. Imagine having your mobile health app reprogrammed to instruct you to deliver a lethal dose of medication. Or imagine your mobile finance app draining your bank account by redirecting funds.

State of Application Security Report Consolidated Edition 6 Recommendations What can be done? A lot. While it s clear why organizations should mitigate the security, financial, and brand risks associated with vulnerable mobile apps, it s less clear what organizations and consumers should do. Among the recommendations: For businesses: Set your security bar above the regulators Regulatory bodies (and likely will always) lag behind cyber criminals. Apps approved by trusted sources such as regulatory / governing bodies like the US FDA or the UK NHS are no more secure than unapproved apps. 35% 30% 25% 20% 15% 10% Security risks vs. spend Security Risk Spending Spend Risk Strengthen the weakest links. Address elements of the OWASP Mobile Top 10 Risks that are being neglected. 83% of the apps tested had a transport layer vulnerability. 98% of the apps tested lacked binary code protection. 5% Application Layer Source: IBM Security / Ponemon research 1 Data Layer Network Layer Make security a source of competitive advantage. Market the strength of security you offer to attract and retain customers. Align spending with risks: IBM Security and Ponemon research 5 reveals that the majority of risks are happening at the application layer, but the spending is largely focused on networks and data. For consumers: Get apps only from authorized app stores. Most authorized app stores have some security protocols in place to help ensure apps can be trusted. Don t jailbreak or root mobile devices. Jailbreaking/rooting devices negates security measures that are designed to help protect you and your data. Demand more transparency about the security of the apps you are using. As cliché as it is, knowledge is power many foods you eat are usually required to be labeled with nutrition information to help you make better-informed decisions. Before you download a mobile app, wouldn t you want to know what risks you may be opening yourself up to? Become an advocate for app security certification and risk transparency.

State of Application Security Report Consolidated Edition 7 For policymakers and regulators: Establish a Good Housekeeping seal of approval for app security. Require apps to make available an OWASP Mobile Top 10 risk rating for critical apps. Consumers need to know what risks they are accepting before downloading or consuming an app. And the healthcare community and financial services industry need to incorporate risk as a fundamental consideration before making app recommendations to consumers, patients and app users. Learn More View and share the infographic: https://www.arxan.com/resources/state-of-application-security/ Download a Mobile App Security Handbook: https://www.arxan.com/resources/mobile-application-protection-handbook/ Contact Us Stephen McCarney Arxan Technologies Tel: +1 301-968-4295 Email: smccarney@arxan.com Footnotes 1 IBM Security / Ponemon study: The State of Mobile Application Insecurity (February 2015) 2 The Open Web Application Security Project identifies the most critical application security risks facing organizations 3 The UK NHS Health Apps Library included 79 apps, which were approved by the NHS. The NHS library of approved apps closed in October 2015 after Arxan had tested a sample of 15 NHS-approved apps 4 Ibid. 1 5 Ibid. 1

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback