I’ve been a part of several development organizations, and, for several of those teams, security was an afterthought to the development process. We’d secure databases and even implement field level encryption but we rarely had to consider many attack vectors as we were building internal apps for enterprises and the risks were there, but not as great.
Fast forward to the Mobile First world we live in and that lazy attitude is no longer acceptable. S&R teams have real concerns and actively work to protect their computing environments – both internal-facing and external-facing. Development teams work the other side of that and implement secure code as part of their daily activities (right?). With an appropriate level of trust between the two organizations, many use code scanning utilities to verify delivered code and hunt for vulnerabilities. There are many sources of vulnerabilities; they could come from code written by the company’s developers, code pasted in from Stack Overflow, or even code added through some third-party or open source library. In my experience, static code scanning tools are effective and can catch a lot of potential vulnerabilities, but, from a developer behavior standpoint, what they ultimately do is simply teach developers how to get their code to pass the scans, not actually deliver more secure code.
That’s how one customer described the importance of Automated Malware Analysis technologies in their security workflow. After months of demonstrations, reference calls, and analysis we are thrilled that The Forrester Wave™: Automated Malware Analysis, Q2 2016 is live! Many clients we talked to used multiple vendors to analyze malware in order to maximize analysis results.
The underlying mechanisms for automated malware analysis are fascinating for the technophile - combining content security, hypervisor-driven execution, behavioral analytics, and algorithmic API analysis. Incredibly sophisticated software engineering and statistical modeling adds another layer of intrigue. Mix those together with evasive adversaries attempting to bypass the technology and it's an intense discussion!
We used the importance of AMA solutions as the dominant element of detection and prevention in client environments to inform our assessment.
Here’s an overview of our approach:
Visibility is a cornerstone of detection and protection. In order to detect it, you must see it in the first place.
Flexible deployment models are key to dynamic production environments. If it is hardware or on-premise only, then it only fits in environments that match the form factor.
Scalability avoids creating a problem as the environment grows. Scalable infrastructure allows the business to orchestrate workloads based on need and priority; AMA solutions should offer the same capabilities to better align with technology needs.
I recently completed preparing a presentation for the Forrester Digital Business Forum in Chicago this fall. The session I’m delivering is on delivering mobile app quality, and through my research, I’ve learned that security is an important part of app quality. My colleagues Michael Facemire and Tyler Shields recently published a report on The Future Of Mobile Security Development and that, plus some experiences I had working with a development team in a previous position, started me thinking about what it takes to make a developer that understands how to code apps securely. The report I listed above covers the security topic well, and makes some recommendations on how the security aspect of app development is likely to change, but beyond security capabilities and tools, how do you ‘create’ the type of developer that understands exactly what to do to build security into their apps?
I know trial and error works, but that’s expensive. Tools exist that can validate security aspects of an application, even tools that enforce security on apps, especially mobile apps, but those are last mile solutions – what do you do to help developers implement solid security into their apps in advance of those tools? If you have insights into this topic, can you reach out to me and let me know? I think this would be an interesting report to write.
Once a month I use my blog to highlight some of S&R’s most recent and trending research. This month I’m focusing on application security and asking for your help with some of our upcoming research into the security and privacy risks associated with Internet of Things (IoT). IoT is any technology that enables devices, objects, and infrastructure to interact with monitoring, analytics, and control systems over the Internet. The illustrious and debonair, Tyler Shields (@txs), will lead our research into IoT security, but as the risks become more and more concrete for various verticals, you can expect the entire team to engage in this research.
Take our IoT security survey and talk with our analysts! If you contribute to the emerging IoT market, please fill out this brief survey (http://forr.com/2015-IoT-Security-Survey). Participants will receive a complimentary copy of the completed research report and we'd be happy to interview anyone who would like to discuss IoT and security in detail. Be sure to reach out to Tyler (firstname.lastname@example.org) or Jennie Duong (email@example.com) if you’re interested.
Roughly a year and a half ago I began a process of measuring the importance of technologies in the mobile security space. I'm currently beginning that same process for the application security market. Many technologies exist that provide business value to enterprises for the security of their applications, but which ones are better at delivering on the business value that the enterprise really wants? Have any of these technologies outlived their usefulness, falling to innovation and new ideas? Which technologies should the enterprise prioritize spending their limited security budget on? I hope to answer these questions and more!
I've identified nine distinct application security technologies that make up the application security market. (Link to additional details!). I'm sure there are technologies that I've missed and arguments to be made to remove something. As always, my research is significantly improved with your help!
If you are interested in participating in this research or have feedback on the technology list, respond via this web form, in the comments below, or via email / tweet to firstname.lastname@example.org (@txs).
We’ve all done it. We've spent hours flinging birds at pigs, only to be frustrated with that one little piggy that got away. We can all thank the phenomenon “Angry Birds” for this wonderful experience. Today marks the fifth birthday of the release of the original Angry Birds. Since its release, the highly successful mobile game creator Rovio has gone on to sell hundreds of millions of dollars of mobile apps, licenses, and merchandise amassing $216M in revenue in 2013 alone. Who knew that a simple change in game mechanics could gain such a cult foothold with the public? From a business perspective, the team at appfigures did a great write-up on the history of the franchise, along with its successes and failures in the eyes of the public. If you’re interested in the business life cycle of apps in the public app store, I highly recommend you go read their research: Angry Birds Turns Five: What We Can Learn From The Franchise’s Success.
If you have implemented or used either application wrapping or containerization technologies, please COMPLETE THIS SURVEY.
Application wrapping versus containerization: Which technology provides better security to an enterprise mobile deployment? What are the use cases for each technology, and which technology has a longer shelf life when it comes to being the de facto standard for enterprise mobile security? Are there times when containerization provides a better user experience than application wrapping? And more simply speaking . . . what the heck is the difference between these two technologies, and which one should you purchase?
In the sport of boxing, "the tale of the tape" is a term used to describe a comparison between two fighters. Typically, this comparison includes physical measurements of each fighter as taken by a tape measure before the bout, thus the term "the tale of the tape." I'm currently conducting research for a "tale of the tape" report between mobile containerization technologies and mobile application wrapping. There has been a significant amount of discussion lately regarding which of these technologies is better suited for enterprise deployment. In order to settle this dispute, I'm going to get out the virtual tape measure and analyze the fighters!
Understanding the terms and technologies in the mobile security market can be a daunting and difficult task. The mobile ecosystem is changing at a very rapid pace, causing vendors to pivot their product direction to meet the needs of the enterprise. These changes in direction are creating a merging and twisting of technology descriptions being used by sales and marketing of the vendor offerings. What we considered “Mobile Device Management” yesterday has taken on shades of containerization and virtualization today.
Mobile antivirus used to be a standalone vision but has rapidly become a piece of the mobile endpoint security market. Where do we draw the lines, and how do we clearly define the market and products that the enterprise requires to secure their mobile environment?
In an attempt to help the enterprise S&R professional understand the overlapping descriptions of mobile security products, I am working on new research that will help organize and quantify the market. Understanding the detailed state of each of the technology offerings in the market, and their potential impact on a five- to 10-year horizon, will help enterprises make more-educated purchasing decisions.
To begin the process of covering all of the technologies being offered today, I’ve divided the solutions in the space by technology type. Not only am I analyzing technologies that are available now, but I’m also researching any additional products, services, and vendors in the mobile security space that have innovative new concepts that they are bringing to bear. These new-age offerings will help shape the future of mobile security, and we need to get ahead of the concepts now if we wish to have a better understanding of the impact of the innovation.
Yesterday, WikiLeaks released emails taken in the highly publicized Stratfor data breach. While many of the emails are innocuous, such as accusations regarding a stolen lunch from the company refrigerator, others are potentially highly embarrassing to both Stratfor and their corporate clients. The emails reveal some messy corporate spycraft that is usually seen in the movies and rarely illuminated in real life. For example, one email suggests that Stratfor was working on behalf of Coca-Cola to uncover information to determine if PETA was planning to disrupt the 2010 Vancouver Olympic Games.