Ajoy Kumar, a financial industry security expert and (ISC)2 advisory board member, is looking to expand his team in the second quarter to support a significant growth in the number of applications employees are using on personally-owned mobile devices in the workplace.
"We need to hire more staff to put controls on each application used on personally-owned devices," Kumar says. "Our growth is reflected in our need to protect the increased data and applications on these devices."
Many organizations are now allowing employees to use their personally-owned devices for work purposes with the goal of achieving improved employee satisfaction and productivity. The need for more resources to effectively secure applications is common among many organizations that are embracing the "bring your own device" trend, in which consumer preference, not corporate initiative, drives the adoption of technologies and applications within the enterprise.
Jeff Williams, CEO of Aspect Security, a web application consulting company, says his team has grown 10 percent since last year to support his clients' growing reliance on mobile technology.
As companies focus on building custom applications for these devices, he says, "It is directly driving growth for application security practitioners, who are deeply involved in ensuring that policies and controls are set right."
A catalyst behind the BYOD trend is the personal preferences of employees for devices other than those that companies have typically provided.
For example, until recently, HDFC Bank, an Indian financial services company, allowed its employees to use only Blackberry devices to connect to its corporate network because the bank perceived the devices to offer better security than other options. But last year, the bank, bowing to employee demand, began accommodating a variety of personally-owned devices.
Vishal Salvi, HDFC Bank's chief information security officer, believes the shift from a device-control approach to BYOD is inevitable and has created a new trend: "Instead of managing devices, [we're] managing the data and applications on these devices."
Therefore, many organizations now need more application security specialists to help ensure that every type of employee-owned device, and the applications running on it, is up to par in terms of meeting performance and security standards. "This can get daunting, especially when the program moves beyond iOS [Apple] and BlackBerry to operating systems with more variants," says John Pironti, president of IP Architects, a global IT security consulting company and an advisor with ISACA.
Another trend pushing the growth for application security professionals is the need for companies to invest in building their own mobile application stores. Employees want their user experience tailored to their devices. As a result, companies, in order to balance IT security requirements and their employees' needs, are building their own app stores.
For example, IBM has implemented an app store called WhirlWind as a way to deal with the operating system fragmentation that occurs when employees are allowed to use their own tablet or smart phone at work instead of receiving a company-issued device. IBM's store is a one-stop shop for Android, BlackBerry, iOS and Windows apps.
HDFC Bank plans to set up its own app store as well. Salvi predicts demand for application security professionals will grow as more companies like his build and distribute custom mobile applications. "I envision their role getting more defined in access control and in proper distribution of these apps," Salvi says.
When it comes to mobile apps, application security professionals typically are involved in writing custom code, designing controls and verifying that these controls are functional and work properly. However, as more companies build custom applications, "there will be greater collaboration and overlap of app professionals into areas like IT security, authentication, access control and encryption," Pironti predicts.
3 Must-Have Skills
As a result, application security professionals will need to have the right skills to effectively manage the complexities and IT security requirements for multiple mobile platforms and applications. Those skills include:
- Writing code. The ability to flawlessly write code for building custom applications and to securely accommodate web applications and a variety of mobile platforms within the corporate infrastructure is critical. Williams hires those who have a strong background in coding languages, including Java, C++ and other object-oriented languages, as well as developers who are good at manual code reviews. Professionals who are skilled in these languages "are the ones who can go to the root of the problem and identify solutions," Williams says.
- Implementing access controls and authentication. Application security pros need to understand how to help enforce access control rules for new mobile applications. For instance, if sales employees do not need access to certain applications and data types, app security professionals must ensure they build role-based controls and functions for restricting access to those systems. That means app security specialists need to understand authentication processes as well as how to use encryption on different mobile platforms. "It's almost certain that people will lose their devices and unauthorized users will try to gain access to confidential data," Kumar says. That's why adequate security precautions are essential, he adds.
- Understanding vulnerabilities. When helping to design mobile applications, security pros need to understand how to mitigate risks. "What we're finding out is, even if the code is efficient, it's very easy to fake or to hack into different web applications and take advantage, if vulnerabilities are not addressed right," Williams says. But many security professionals lack the skills needed to identify potential flaws in mobile apps, he adds. He advises them to explore WebGoat, a purposely flawed application that helps professionals learn to identify vulnerabilities.
Hiring App Developers
One of the biggest challenges holding companies back in developing custom mobile applications is the lack of qualified app security practitioners.
Kumar says it recently took him three months to hire a specialist for his team. "It is very hard to find qualified developers with adequate web security experience," he says.
To fill the resource gap, both Kumar and Williams look for strong developers and coders who can be trained in IT security. Kumar specifically prefers candidates to hold web application certifications from the SANS Institute or the secure software credential offered by (ISC)2.
Many organizations turn to associations, such as (ISC)2, SANS Institute and OWASP, to find recruits.
"Our expectation today from application security is to proactively think of safeguarding upcoming applications and how they can apply their knowledge specifically to the mobile environment," Kumar says. "Practitioners have to continue learning and strengthen their coding roots to effectively cater to different web platforms."