On Monday April 20, 2015 the biggest security event in the USA, the RSA Conference, kicks off with the ever popular Innovation Sandbox event. This event brings in hundreds of submissions from security startup companies around the world all hoping to make the top 10 finalist list, and eventually be declared the winner. The Innovation Sandbox has been running for the last ten years resulting in a great quantity of security startup data to analyze along with some very notable winning companies.
Previous sandbox winners include SourceFire, Imperva, AlertEnterprise and most recently Red Owl Analytics. Many security companies have been declared finalists, fared well with additional funding, and found reasonable financial success, specifically acquisition. The graph to the left shows the acquisition trends for Innovation Sandbox finalists since 2009. Security start up success is on the rise and the Innovation Sandbox is there to build on that success.
On February 25, 2015, Google publicly announced its latest functionality and updates to the Android OS, titled "Android for Work" (AFW). Some of the new functionalities include secure work profiles, secure personal information management, and an enterprise app store through "Google Play for Work." These new changes in AFW will impact the businesses, the Android ecosystem, and the overall market in a far-reaching way. EMM vendors and enterprise EMM buyers must review these technology changes and understand how they will influence future product direction before making any purchases. It took just a few years for core MDM functionality to commoditize to a $0 price tag. I wonder how long until the advanced security components being folded into Android via AFW are also essentially free?
Roughly a year and a half ago I began a process of measuring the importantance of technologies in the mobile security space. I'm currently beginning that same process for the application security market. Many technologies exist that provide business value to enterprises for the security of their applications, but which ones are better at delivering on the business value that the enterprise really wants? Have any of these technologies outlived their usefullness, falling to innovation and new ideas? Which technologies should the enterprise prioritize spending their limited security budget on? I hope to answer these questions and more!
I've identified nine distinct application security technologies that make up the application security market. (Link to additional details!). I'm sure there are technologies that I've missed and arguments to be made to remove something. As always, my research is significantly improved with your help!
If you are interested in participating in this research or have feedback on the technology list, respond via this web form, in the comments below, or via email / tweet to firstname.lastname@example.org (@txs).
The CES Tech West Expo has a number of specific areas of coverage including fitness and health, wearables, connected home, family safety, and some young innovative companies located in the startup area of the section. I spent a few hours interviewing and discussing the Internet of Things (IoT) with as many vendors as I could find. I had many good laughs and shed a few tears during the process. To describe the process, the general communication would go something like this:
Me: "Can you point me at the most technical person you have at your booth? I'd like to talk about how you secure your devices and the sensitive / personal data that it accesses and collects."
Smartest tech person at the booth: "Oh! We are secure; we [insert security-specific line here]."
Me: "Never mind . . ." (dejected look on my face).
We’ve all done it. We've spent hours flinging birds at pigs, only to be frustrated with that one little piggy that got away. We can all thank the phenomenon “Angry Birds” for this wonderful experience. Today marks the fifth birthday of the release of the original Angry Birds. Since its release, the highly successful mobile game creator Rovio has gone on to sell hundreds of millions of dollars of mobile apps, licenses, and merchandise amassing $216M in revenue in 2013 alone. Who knew that a simple change in game mechanics could gain such a cult foothold with the public? From a business perspective, the team at appfigures did a great write-up on the history of the franchise, along with its successes and failures in the eyes of the public. If you’re interested in the business life cycle of apps in the public app store, I highly recommend you go read their research: Angry Birds Turns Five: What We Can Learn From The Franchise’s Success.
A few months ago I posted a blog entry entitled: "Containerization vs. Application Wrapping: The Tale Of The Tape." Well... the bout is finally over and a winner has been decided. Using a virtual tape measure, I analyzed the mobile application technology spectrum to determine which technologies are better suited to deployment in the enterprise and why. The results were about what I expected. The fight went right down to the wire and nobody scored a knockout with the winner being decided with a slim margin over the 8 rounds. Here is the judge's score card:
On May 19, 2014, Google announced that it is acquiring containerization and dual persona vendor Divide. Divide's technology is designed to create a security and user interface division between the personal and the enterprise content, applications, and data on a single mobile device. This model meets the goal of separating the highly sensitive work data from the games and other potentially malicious content of a consumer nature. The big question is what is Google going to do now that it owns a technology leading containerizaiton play.
Selling Divide as a standalone solution isn't going to be lucrative enough, in the long term, to make the acquisition worthwhile. It makes a whole lot of sense for Google to embed Divide into the Android operating system. Just as rising tides raise all ships, containerization in Android will help the entire Android ecosystem shed the market perception of a technology that isn't quite yet enterprise appropriate. If this acquisition is any indication, Google has just put some power behind its push into the enterprise market and I don't expect it to subside any time soon.
All enterprises and vendors in the mobile security space should reconsider their future purchases and road maps based on this acquisition. Even if you are creating or buying mobile security technologies that don't play at the application layer, mobile security technologies are inseparably intertwined and this acquisition will have ripple effects that must be considered.
If you have implemented or used either application wrapping or containerization technologies, please COMPLETE THIS SURVEY.
Application wrapping versus containerization: Which technology provides better security to an enterprise mobile deployment? What are the use cases for each technology, and which technology has a longer shelf life when it comes to being the de facto standard for enterprise mobile security? Are there times when containerization provides a better user experience than application wrapping? And more simply speaking . . . what the heck is the difference between these two technologies, and which one should you purchase?
In the sport of boxing, "the tale of the tape" is a term used to describe a comparison between two fighters. Typically, this comparison includes physical measurements of each fighter as taken by a tape measure before the bout, thus the term "the tale of the tape." I'm currently conducting research for a "tale of the tape" report between mobile containerization technologies and mobile application wrapping. There has been a significant amount of discussion lately regarding which of these technologies is better suited for enterprise deployment. In order to settle this dispute, I'm going to get out the virtual tape measure and analyze the fighters!
This morning, BlackBerry announced the release of the BlackBerry Z3 Jakarta Edition. This new device is targeting the lower end of the market in Indonesia with lessened technical specifications and a reduced price point. It is unclear if the new device will be successful with the Southeast Asian buyer; however, I don't think it matters much to the US-based enterprise.
In the United States, BlackBerry has lost its hardware brand cachet. Over the last five fiscal quarters, BlackBerry total revenue has decreased by 64% from $2.7B to $976M. If we break out the revenue into separate streams -- hardware, software, and services -- we see that all three segments slowed in that same time period. The hardware revenue stream continues to be the boat anchor that is pulling down the other revenue segment, with a loss of 78%, while the software revenue stream only lost 15%.
It takes a lot more than a static analysis tool, a web scanning service, and a few paid hackers to make your mobile development lifecycle, team, and eventually, your applications secure. Finding flaws in an individual mobile application is easy (assuming you have the right technical skill set). What is a lot harder is actually stopping the creation of mobile application security flaws in the first place.
To achieve the lofty goal of a truly secure mobile application development program takes a rethinking of how we have traditionally secured our applications in the past. Mobile development brings many changes to enterprise engineering teams including additional new device sensors, privacy impacting behaviors that cross the security chasm between consumer and enterprise isolation, and even faster release cycles on the order of days instead of months. Smaller teams with little to no experience in security are cranking out mobile applications at a fevered pace. The result is an accumulation of security debt that will eventually be paid by the enterprises and consumers that use these applications.