Programmers cranking out the latest mobile applications aren’t necessarily preoccupied with security. But CompTIA, an IT industry association, and viaForensics, a digital forensics and security firm, aim to address that issue. The organizations are working on a secure mobile-application developer credential, which is scheduled for availability this year. CompTIA already runs a number of technical certification programs such as A+, Network+, and Security+. Terry Erdle, CompTIA’s executive vice president for skills certifications, and Andrew Hoog, chief investigative officer for viaForensics, recently discussed their mobile security initiative with Intelligence in Software.
Q: Over the years, developers of enterprise applications have been working toward building security into applications from the start rather than inspecting software security after the fact. Are you seeing that pattern in mobile software development as well?
Andrew Hoog: The general consensus from security experts is that security has got to be built in — engineered in from the start. It is very difficult to come in later in the game and bolt that stuff on.
Mobile was very exciting at the beginning, and everyone was rushing to get features out. But awareness of security is beginning to grow. The architects, the developers, are saying, “We are going to have to slow this down a little bit and we are going to have to make sure we are baking in security from the get-go.”
That’s why the certification that we announced is going to be very important. That education has to occur at the developer level and has to happen at the security-analyst level so they know how to develop and test for security on mobile apps.
Terry Erdle: With something as explosive and exciting as mobile applications, you’ve got a lot of people who are up to the task and doing it right, and a lot of people who are not up to the task. These developer credentials are the way for a potential employer to differentiate between those who do know what they are doing and those who don’t.
Q: What type of guidance are you giving developers through the credential program?
A.H.: One of the things that we spend a lot of time telling people is that mobile is different from the traditional applications that people are used to securing. Enterprises are used to securing Web apps and apps that run inside the business: client/server apps. With the credential, the main focus is educating folks on the differences — Why is mobile different? How is the threat model different? — and giving them practical experience in writing secure mobile apps.
We’ve done extensive security testing of mobile applications, and we see what the common mistakes are that the developers make. We have a list of 44 best practices. It is very helpful for developers to know the things you can do and the things you have to absolutely avoid to develop a secure mobile application.
Q: What are some of the common mistakes?
A.H.: One of the big issues companies are struggling with is data being cached on these devices. Once that data is stored on a mobile device, it is very, very hard to delete. We found banks and health care companies that end up storing information on these devices. If someone gets their hands on an iPhone, how do they make sure user data is not at risk?
I also see an issue with how data is sent over the network. Developers don’t have to worry about secure communications when they build Web apps — the browser makes sure the security certificate is valid. Mobile app developers actually have to get involved in that — secure communications channels and certificates — to make sure they’re not vulnerable to man-in-the-middle attacks. It’s a shift where more and more of that responsibility is falling on their shoulders. There is a real need to up the ante for developers. You don’t get security automatically out of the box when you develop these things. There are some steps you have to take. Certification is going to help up the ante.
Q: How will the credential program be structured?
T.E.: We will put this in the context of the broader mobility area. We are doing a credential suite. The first four certifications — Mobility+ — are Wi-Fi, Enterprise Mobility Management, Wireless Security, and Wireless Technical Architecture. Then we will start splintering off, building some certifications that are specific to operating systems. We have to recognize that there are a couple of different operating environments and security environments. We’ll get more specific on iOS and Android and, in the future, maybe others.
Q: With mobile technology rapidly evolving, how often will developers need to renew their credentials?
T.E.: We will have to determine the exact model, whether it is renewal or continuing education. We actually have a continuing education process that we developed for a security certification for the federal DoD 8570 initiative. We plan to tap into that.
We do a rewrite every two years with most exams. This one mobile developer credential will go much more aggressively than that. We’ll be putting out significantly new questions at least every six months if not every three months. We may have little bridge exams that come out every four to six months. It’s not worthwhile if it’s not current.