SlideShare a Scribd company logo

Larry Ponemon of Ponemon Institute Explores Current State of Mobile Application (In)Security

IBM Security
IBM Security

The increasing size and scope of data breaches have become major concerns for today’s businesses. Research indicates that more than 1 billion personal data records were compromised by cyber attacks in 2014. Although many organizations have been successful at securing computers and servers that house sensitive information, a precious few devote the same level of attention to mobile apps. And hackers are waking up to this opportunity. In this session, Dr. Larry Ponemon of Ponemon Institute will review major findings from his IBM-sponsored survey, “The State of Mobile Application Insecurity.” You will learn: - Why mobile application security evades many organizations - Whether organizations are taking the right steps to secure their mobile applications - What impact the development “rush to release” phenomenon has on your security protection - How challenging it can be to control employees’ risky behavior View the on-demand recording: https://attendee.gotowebinar.com/recording/3439169382845984258

Technology
1 of 37
Download to read offline
Sponsored by IBM Dr. Larry Ponemon The State of Mobile Application Insecurity
Purpose of this study • To understand how companies are reducing the risk of unsecured mobile apps in the workplace. To find out how these organizations responded to data breaches they experienced in the past 24 months. • Ponemon Institute surveyed 640 individuals involved in the application development and security process in their organizations on the following topics: o Why mobile application security eludes many organizations. o The difficulty in controlling employees’ risky behaviors. o Are organizations taking the right steps to secure mobile apps? Ponemon Institute Presentation, sponsored by IBM Private and Confidential Copyright © 2015
Why the state of mobile application is insecure • The “rush to release” results in mobile apps that can have vulnerabilities. • Mobile apps are often tested infrequently and too late. • Malware-infected mobile apps and devices will increase. • Not enough is spent on mobile app security. • There is a dearth of trained and expert security professionals. • Organizations lack policies that provide guidance on employees’ use of mobile apps. Ponemon Institute Presentation, sponsored by IBM Private and Confidential Copyright © 2015
Level of difficulty in securing mobile apps 1 = not difficult to 10 = very difficult Ponemon Institute Presentation, sponsored by IBM Private and Confidential 7% 16% 77% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% Easy Moderate Hard Copyright © 2015
Why mobile application security eludes many organizations Ponemon Institute Presentation, sponsored by IBM Private and Confidential Copyright © 2015
Reasons why mobile application security is difficult to achieve Strongly agree and agree responses combined Ponemon Institute Presentation, sponsored by IBM Private and Confidential 58% 60% 61% 61% 65% 0% 10% 20% 30% 40% 50% 60% 70% My organization considers it very important to make applications tamper resistant My organization considers mobile app security a high priority The presence of malware-infected mobile apps/devices will increase over the next 12 months My organization believes the real risk to mobile apps is data leakage The security of mobile apps is sometimes put at risk because of customer demand or need Copyright © 2015
Why mobile apps are at risk Strongly agree and agree responses combined Ponemon Institute Presentation, sponsored by IBM Private and Confidential 29% 30% 41% 54% 0% 10% 20% 30% 40% 50% 60% My organization has ample resources to prevent the use of vulnerable or malware-infected mobile apps My organization has ample resources to detect vulnerabilities in mobile apps My organization has sufficient mobile application security expertise Cross-site scripting through insecure mobile apps will increase over the next 12 months Copyright © 2015
Table 1. Annual mobile app development & security budget Extrapolated Average Annual budget for mobile app development $33,812,500 Average percentage of annual budget spent on mobile app security 5.5% Estimated average spent on mobile app security $1,859,688 Ponemon Institute Presentation, sponsored by IBM Private and Confidential Copyright © 2015
Allocation of spending for application security categories Ponemon Institute Presentation, sponsored by IBM Private and Confidential 36% 21% 15% 12% 11% 5% Proprietary software Open source software Cloud services Source code testing Pen testing Other Copyright © 2015
The difficulty in controlling employees’ risky behaviors Ponemon Institute Presentation, sponsored by IBM Private and Confidential Copyright © 2015
How has the use of mobile apps by employees affected your organization’s security posture? Ponemon Institute Presentation, sponsored by IBM Private and Confidential 50% 32% 12% 6% 0% 10% 20% 30% 40% 50% 60% Very significant increase in security risk Significant increase in security risk Nominal increase in security risk No increase in security risk Copyright © 2015
Does your organization permit personal mobile apps on company assigned mobile devices and the use of business apps on personal devices? Ponemon Institute Presentation, sponsored by IBM Private and Confidential 39% 54% 7% 55% 23% 22% 0% 10% 20% 30% 40% 50% 60% Yes No NA (company does not assign mobile devices) Copyright © 2015  Are employees allowed to use personal mobile apps on company-assigned mobile devices?  Are employees allowed to use business apps on personally owned mobile devices?
What security techniques are used to vet mobile apps in an organization’s app store for security? More than one response permitted Ponemon Institute Presentation, sponsored by IBM Private and Confidential 10% 40% 14% 15% 19% 48% 0% 10% 20% 30% 40% 50% 60% Other None of the above Routine pen testing Code review Application assessment Scan for security flaws Copyright © 2015
Are organizations taking the right steps to secure mobile apps? Ponemon Institute Presentation, sponsored by IBM Private and Confidential Copyright © 2015
Extrapolated average of mobile apps tested for vulnerabilities & percentage with vulnerabilities Ponemon Institute Presentation, sponsored by IBM Private and Confidential 46% 30% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% Tested for vulnerabilities Contain vulnerabilities Copyright © 2015
At what stage are mobile apps tested? Ponemon Institute Presentation, sponsored by IBM Private and Confidential 8% 16% 21% 22% 33% 0% 5% 10% 15% 20% 25% 30% 35% All of the above Production Development Post development, but before deployment NA (we do not test mobile apps) Copyright © 2015
How often are internally developed & outsourced or purchased apps tested? Ponemon Institute Presentation, sponsored by IBM Private and Confidential 33% 22% 10% 23% 8% 2% 1% 1% 0% 33% 23% 14% 11% 9% 4% 2% 1% 3% 0% 5% 10% 15% 20% 25% 30% 35% NA (we do not test mobile apps) Unsure Testing is not pre-scheduled Every time the code changes Every week Every month Every 3 months Twice a year Annually Internally developed apps Outsourced or purchased apps Copyright © 2015
How does your organization scan code for vulnerabilities? Ponemon Institute Presentation, sponsored by IBM Private and Confidential 38% 10% 13% 14% 25% 0% 5% 10% 15% 20% 25% 30% 35% 40% NA (we do not scan for vulnerabilities) Pen testing Cloud services Open source software/tools Proprietary software/tools Copyright © 2015
Why mobile apps contain vulnerable code Ponemon Institute Presentation, sponsored by IBM Private and Confidential 2% 6% 18% 19% 39% 64% 68% 73% 77% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% Other Incorrect permissions Application development tools have inherent bugs Malicious coding errors Accidental coding errors Lack of internal policies or rules that clarify security requirements Lack of quality assurance and testing procedures Lack of understanding/training on secure coding practices Rush to release pressures on application development team Copyright © 2015
Mobile apps are difficult to secure and concern over malware is high. However, very few respondents say security is effective. Percentage of respondents selecting very high responses (7 to 10) only Ponemon Institute Presentation, sponsored by IBM Private and Confidential 14% 75% 77% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% The organization’s effectiveness in securing mobile apps Level of concern about the threat of malware to mobile apps Level of difficulty in securing mobile apps Copyright © 2015
End-user convenience is most important Very important and important responses combined Ponemon Institute Presentation, sponsored by IBM Private and Confidential 47% 50% 66% 0% 10% 20% 30% 40% 50% 60% 70% End-user privacy when building and/or deploying mobile apps in the workplace End-user security when building and/or deploying mobile apps in the workplace End-user convenience when building and/or deploying mobile apps in the workplace Copyright © 2015
How difficult is it to minimize the OWASP top 10 mobile app security risks? Difficult and very difficult responses combined Ponemon Institute Presentation, sponsored by IBM Private and Confidential 39% 40% 43% 45% 55% 55% 56% 67% 75% 80% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% Security Decisions Via Untrusted Inputs Lack of Binary Protection Improper Session Handling Weak Server Side Controls Insufficient Transport Layer Protection Client Side Injection Insecure Data Storage Poor Authorization and Authentication Unintended Data Leakage Broken Cryptography Copyright © 2015
The 10 most frequently used practices to secure mobile apps More than one response permitted Ponemon Institute Presentation, sponsored by IBM Private and Confidential 42% 42% 44% 47% 49% 52% 53% 53% 53% 55% 0% 10% 20% 30% 40% 50% 60% Sensitive information is stored in an encrypted data section or in encrypted storage in the internal app data directory Application runs in a safe environment Adheres to the software development process as defined Updates internal training & education for development teams to follow application security policies & best practices Monitors the run time behavior of the app to determine if tampering has or is occurring Security acceptance requirements are in place for outsourced applications A defined software development process exists for requirements, design, implementation & testing Automated scanning tools test applications during development Automated scanning tools test applications for vulnerabilities after they have been released Prevents unauthorized users from accessing data security measures in order to stop data leakage Copyright © 2015
The 10 least used practices for securing mobile apps More than one response permitted Ponemon Institute Presentation, sponsored by IBM Private and Confidential 20% 23% 25% 27% 28% 29% 29% 29% 29% 33% 0% 5% 10% 15% 20% 25% 30% 35% Applications are subject to a manual penetration testing effort by internal teams or third party Mobile app testing methods include tests of open source merged with proprietary applications Measures development teams for compliance with regulatory requirements or security best practices Ensures the “rush to release” does not impact coding practices Reviews code for adherence to secure coding standards Measures development teams for compliance with secure architecture standards Measures development teams for compliance with secure coding standards Uses the results of audits and assessments to improve application security policies and processes Uses the results of audits and assessments to improve architecture and coding standards Reviews application architecture against the secure architecture standards Copyright © 2015
Conclusions Ponemon Institute Presentation, sponsored by IBM Private and Confidential Copyright © 2015
Conclusions • Testing of mobile apps should be conducted frequently. The findings reveal many organizations are not testing apps. They are rarely tested in production. • Ensure the “rush to release” does not impact coding practices. • Conduct internal training and education programs for development teams to follow application security policies and best practices. • Increase the budget for mobile application security. The average budget is insufficient to have the technologies and expertise necessary to secure mobile apps. • Create policies and procedures to control employees’ risky behaviors. Most employees in the companies represented in this study are “heavy users of apps” but very often there are no policies that define the acceptable use of mobile apps in the workplace. Ponemon Institute Presentation, sponsored by IBM Private and Confidential Copyright © 2015
Demographics Ponemon Institute Presentation, sponsored by IBM Private and Confidential Copyright © 2015
About this research Ponemon Institute Presentation, sponsored by IBM Private and Confidential Sample Response Freq % Total sampling frame 19,890 100.0% Total returns 707 3.6% Screened or rejected surveys 67 0.3% Final sample 640 3.2% Copyright © 2015
Current position or organizational level Ponemon Institute Presentation, sponsored by IBM Private and Confidential 2% 16% 20% 15% 39% 5% 3% Vice President Director Manager Supervisor Technician Staff Contractor Copyright © 2015
Primary role in the organization Ponemon Institute Presentation, sponsored by IBM Private and Confidential 24% 22% 15% 14% 11% 5% 5% 3%1% Application development IT security IT management Application security Security architecture Quality assurance Risk management Compliance/audit Network engineering Copyright © 2015
Primary industry focus Ponemon Institute Presentation, sponsored by IBM Private and Confidential 18% 11% 11% 10%9% 8% 6% 5% 5% 5% 3% 3% 2%2%2% Financial services Health & pharmaceutical Public sector Retail Industrial Services Technology & Software Consumer products Energy & utilities Hospitality Communications Entertainment & media Education & research Transportation Other Copyright © 2015
Worldwide headcount of the organization Extrapolated value = 12,516 Ponemon Institute Presentation, sponsored by IBM Private and Confidential 16% 18% 21% 18% 11% 9% 7% Less than 100 100 to 500 501 to 1,000 1,001 to 5,000 5,001 to 25,000 25,001 to 75,000 More than 75,000 Copyright © 2015
Caveats There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys. •Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument. •Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners located in the United States. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period. •Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response. Ponemon Institute Presentation, sponsored by IBM Private and Confidential Copyright © 2015
Ponemon Institute Presentation, sponsored by IBM Private and Confidential Link to Complete Ponemon Institute Study: State of Mobile Application Insecurity SecurityIntelligence.com Blog: Ponemon Institute Study Reveals Alarming State of Mobile Security for Apps Press Release: March 19th Press Release YouTube Overview of IBM AppScan Mobile Analyzer: Identify & Remediate Application Security Vulnerabilities Effectively Learn More about IBM MobileFirst Protect: IBM MobileFirst Protect Improving Mobile Security at Your Organization Copyright © 2015
Questions? Ponemon Institute Toll Free: 800.887.3118 Michigan HQ: 2308 US 31 N. Traverse City, MI 49686 USA research@ponemon.org Ponemon Institute Presentation, sponsored by IBM Private and Confidential Copyright © 2015
Ponemon Institute Presentation, sponsored by IBM Private and Confidential Notices and Disclaimers Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM. Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided. Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation. It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.
Ponemon Institute Presentation, sponsored by IBM Private and Confidential Notices and Disclaimers (con’t) Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right. IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document Management System™, Global Business Services ®, Global Technology Services ®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml. Copyright © 2015

Recommended

The Internet of Things: Hype vs. Reality
The Internet of Things: Hype vs. RealityThe Internet of Things: Hype vs. Reality
The Internet of Things: Hype vs. Reality
Ecolab
 
Automation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOpsAutomation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOps
IBM Security
 
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
IBM Security
 
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
IBM Security
 
Integrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM ResilientIntegrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM Resilient
IBM Security
 
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
IBM Security
 
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
IBM Security
 
Accelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon BlackAccelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon Black
IBM Security
 

Recommended

The Internet of Things: Hype vs. Reality
The Internet of Things: Hype vs. RealityThe Internet of Things: Hype vs. Reality
The Internet of Things: Hype vs. Reality
Ecolab
 
Automation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOpsAutomation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOps
IBM Security
 
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
IBM Security
 
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
IBM Security
 
Integrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM ResilientIntegrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM Resilient
IBM Security
 
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
IBM Security
 
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
IBM Security
 
Accelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon BlackAccelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon Black
IBM Security
 
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent OrchestrationHow to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
IBM Security
 
Are You Ready to Move Your IAM to the Cloud?
Are You Ready to Move Your IAM to the Cloud?Are You Ready to Move Your IAM to the Cloud?
Are You Ready to Move Your IAM to the Cloud?
IBM Security
 
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat IntelligenceOrchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
IBM Security
 
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
IBM Security
 
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
IBM Security
 
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
IBM Security
 
WannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowWannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do Now
IBM Security
 
How to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security OperationsHow to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security Operations
IBM Security
 
IBM QRadar UBA
IBM QRadar UBA IBM QRadar UBA
IBM QRadar UBA
IBM Security
 
Mobile Vision 2020
Mobile Vision 2020Mobile Vision 2020
Mobile Vision 2020
IBM Security
 
Retail Mobility, Productivity and Security
Retail Mobility, Productivity and SecurityRetail Mobility, Productivity and Security
Retail Mobility, Productivity and Security
IBM Security
 
Close the Loop on Incident Response
Close the Loop on Incident ResponseClose the Loop on Incident Response
Close the Loop on Incident Response
IBM Security
 
Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats
IBM Security
 
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...
IBM Security
 
See How You Measure Up With MaaS360 Mobile Metrics
See How You Measure Up With MaaS360 Mobile MetricsSee How You Measure Up With MaaS360 Mobile Metrics
See How You Measure Up With MaaS360 Mobile Metrics
IBM Security
 
Valuing Data in the Age of Ransomware
Valuing Data in the Age of Ransomware Valuing Data in the Age of Ransomware
Valuing Data in the Age of Ransomware
IBM Security
 
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsNowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
IBM Security
 
Top 12 Cybersecurity Predictions for 2017
Top 12 Cybersecurity Predictions for 2017Top 12 Cybersecurity Predictions for 2017
Top 12 Cybersecurity Predictions for 2017
IBM Security
 
Safeguard Healthcare Identities and Data with Identity Governance and Intelli...
Safeguard Healthcare Identities and Data with Identity Governance and Intelli...Safeguard Healthcare Identities and Data with Identity Governance and Intelli...
Safeguard Healthcare Identities and Data with Identity Governance and Intelli...
IBM Security
 
Cybersecurity In The Cognitive Era: Priming Your Digital Immune System
Cybersecurity In The Cognitive Era: Priming Your Digital Immune SystemCybersecurity In The Cognitive Era: Priming Your Digital Immune System
Cybersecurity In The Cognitive Era: Priming Your Digital Immune System
IBM Security
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
ThousandEyes
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 

More Related Content

More from IBM Security

Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat IntelligenceOrchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
IBM Security
 
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
IBM Security
 
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
IBM Security
 
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
IBM Security
 
How to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security OperationsHow to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security Operations
IBM Security
 
Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats
IBM Security
 
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsNowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
IBM Security
 
Safeguard Healthcare Identities and Data with Identity Governance and Intelli...
Safeguard Healthcare Identities and Data with Identity Governance and Intelli...Safeguard Healthcare Identities and Data with Identity Governance and Intelli...
Safeguard Healthcare Identities and Data with Identity Governance and Intelli...
IBM Security
 
Cybersecurity In The Cognitive Era: Priming Your Digital Immune System
Cybersecurity In The Cognitive Era: Priming Your Digital Immune SystemCybersecurity In The Cognitive Era: Priming Your Digital Immune System
Cybersecurity In The Cognitive Era: Priming Your Digital Immune System
IBM Security
 

More from IBM Security (20)

How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent OrchestrationHow to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
 
Are You Ready to Move Your IAM to the Cloud?
Are You Ready to Move Your IAM to the Cloud?Are You Ready to Move Your IAM to the Cloud?
Are You Ready to Move Your IAM to the Cloud?
 
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat IntelligenceOrchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
 
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
 
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
 
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
 
WannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowWannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do Now
 
How to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security OperationsHow to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security Operations
 
IBM QRadar UBA
IBM QRadar UBA IBM QRadar UBA
IBM QRadar UBA
 
Mobile Vision 2020
Mobile Vision 2020Mobile Vision 2020
Mobile Vision 2020
 
Retail Mobility, Productivity and Security
Retail Mobility, Productivity and SecurityRetail Mobility, Productivity and Security
Retail Mobility, Productivity and Security
 
Close the Loop on Incident Response
Close the Loop on Incident ResponseClose the Loop on Incident Response
Close the Loop on Incident Response
 
Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats
 
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...
 
See How You Measure Up With MaaS360 Mobile Metrics
See How You Measure Up With MaaS360 Mobile MetricsSee How You Measure Up With MaaS360 Mobile Metrics
See How You Measure Up With MaaS360 Mobile Metrics
 
Valuing Data in the Age of Ransomware
Valuing Data in the Age of Ransomware Valuing Data in the Age of Ransomware
Valuing Data in the Age of Ransomware
 
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsNowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
 
Top 12 Cybersecurity Predictions for 2017
Top 12 Cybersecurity Predictions for 2017Top 12 Cybersecurity Predictions for 2017
Top 12 Cybersecurity Predictions for 2017
 
Safeguard Healthcare Identities and Data with Identity Governance and Intelli...
Safeguard Healthcare Identities and Data with Identity Governance and Intelli...Safeguard Healthcare Identities and Data with Identity Governance and Intelli...
Safeguard Healthcare Identities and Data with Identity Governance and Intelli...
 
Cybersecurity In The Cognitive Era: Priming Your Digital Immune System
Cybersecurity In The Cognitive Era: Priming Your Digital Immune SystemCybersecurity In The Cognitive Era: Priming Your Digital Immune System
Cybersecurity In The Cognitive Era: Priming Your Digital Immune System
 

Recently uploaded

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 

Recently uploaded (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

Larry Ponemon of Ponemon Institute Explores Current State of Mobile Application (In)Security

  • 1. Sponsored by IBM Dr. Larry Ponemon The State of Mobile Application Insecurity
  • 2. Purpose of this study • To understand how companies are reducing the risk of unsecured mobile apps in the workplace. To find out how these organizations responded to data breaches they experienced in the past 24 months. • Ponemon Institute surveyed 640 individuals involved in the application development and security process in their organizations on the following topics: o Why mobile application security eludes many organizations. o The difficulty in controlling employees’ risky behaviors. o Are organizations taking the right steps to secure mobile apps? Ponemon Institute Presentation, sponsored by IBM Private and Confidential Copyright © 2015
  • 3. Why the state of mobile application is insecure • The “rush to release” results in mobile apps that can have vulnerabilities. • Mobile apps are often tested infrequently and too late. • Malware-infected mobile apps and devices will increase. • Not enough is spent on mobile app security. • There is a dearth of trained and expert security professionals. • Organizations lack policies that provide guidance on employees’ use of mobile apps. Ponemon Institute Presentation, sponsored by IBM Private and Confidential Copyright © 2015
  • 4. Level of difficulty in securing mobile apps 1 = not difficult to 10 = very difficult Ponemon Institute Presentation, sponsored by IBM Private and Confidential 7% 16% 77% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% Easy Moderate Hard Copyright © 2015
  • 5. Why mobile application security eludes many organizations Ponemon Institute Presentation, sponsored by IBM Private and Confidential Copyright © 2015
  • 6. Reasons why mobile application security is difficult to achieve Strongly agree and agree responses combined Ponemon Institute Presentation, sponsored by IBM Private and Confidential 58% 60% 61% 61% 65% 0% 10% 20% 30% 40% 50% 60% 70% My organization considers it very important to make applications tamper resistant My organization considers mobile app security a high priority The presence of malware-infected mobile apps/devices will increase over the next 12 months My organization believes the real risk to mobile apps is data leakage The security of mobile apps is sometimes put at risk because of customer demand or need Copyright © 2015
  • 7. Why mobile apps are at risk Strongly agree and agree responses combined Ponemon Institute Presentation, sponsored by IBM Private and Confidential 29% 30% 41% 54% 0% 10% 20% 30% 40% 50% 60% My organization has ample resources to prevent the use of vulnerable or malware-infected mobile apps My organization has ample resources to detect vulnerabilities in mobile apps My organization has sufficient mobile application security expertise Cross-site scripting through insecure mobile apps will increase over the next 12 months Copyright © 2015
  • 8. Table 1. Annual mobile app development & security budget Extrapolated Average Annual budget for mobile app development $33,812,500 Average percentage of annual budget spent on mobile app security 5.5% Estimated average spent on mobile app security $1,859,688 Ponemon Institute Presentation, sponsored by IBM Private and Confidential Copyright © 2015
  • 9. Allocation of spending for application security categories Ponemon Institute Presentation, sponsored by IBM Private and Confidential 36% 21% 15% 12% 11% 5% Proprietary software Open source software Cloud services Source code testing Pen testing Other Copyright © 2015
  • 10. The difficulty in controlling employees’ risky behaviors Ponemon Institute Presentation, sponsored by IBM Private and Confidential Copyright © 2015
  • 11. How has the use of mobile apps by employees affected your organization’s security posture? Ponemon Institute Presentation, sponsored by IBM Private and Confidential 50% 32% 12% 6% 0% 10% 20% 30% 40% 50% 60% Very significant increase in security risk Significant increase in security risk Nominal increase in security risk No increase in security risk Copyright © 2015
  • 12. Does your organization permit personal mobile apps on company assigned mobile devices and the use of business apps on personal devices? Ponemon Institute Presentation, sponsored by IBM Private and Confidential 39% 54% 7% 55% 23% 22% 0% 10% 20% 30% 40% 50% 60% Yes No NA (company does not assign mobile devices) Copyright © 2015  Are employees allowed to use personal mobile apps on company-assigned mobile devices?  Are employees allowed to use business apps on personally owned mobile devices?
  • 13. What security techniques are used to vet mobile apps in an organization’s app store for security? More than one response permitted Ponemon Institute Presentation, sponsored by IBM Private and Confidential 10% 40% 14% 15% 19% 48% 0% 10% 20% 30% 40% 50% 60% Other None of the above Routine pen testing Code review Application assessment Scan for security flaws Copyright © 2015
  • 14. Are organizations taking the right steps to secure mobile apps? Ponemon Institute Presentation, sponsored by IBM Private and Confidential Copyright © 2015
  • 15. Extrapolated average of mobile apps tested for vulnerabilities & percentage with vulnerabilities Ponemon Institute Presentation, sponsored by IBM Private and Confidential 46% 30% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% Tested for vulnerabilities Contain vulnerabilities Copyright © 2015
  • 16. At what stage are mobile apps tested? Ponemon Institute Presentation, sponsored by IBM Private and Confidential 8% 16% 21% 22% 33% 0% 5% 10% 15% 20% 25% 30% 35% All of the above Production Development Post development, but before deployment NA (we do not test mobile apps) Copyright © 2015
  • 17. How often are internally developed & outsourced or purchased apps tested? Ponemon Institute Presentation, sponsored by IBM Private and Confidential 33% 22% 10% 23% 8% 2% 1% 1% 0% 33% 23% 14% 11% 9% 4% 2% 1% 3% 0% 5% 10% 15% 20% 25% 30% 35% NA (we do not test mobile apps) Unsure Testing is not pre-scheduled Every time the code changes Every week Every month Every 3 months Twice a year Annually Internally developed apps Outsourced or purchased apps Copyright © 2015
  • 18. How does your organization scan code for vulnerabilities? Ponemon Institute Presentation, sponsored by IBM Private and Confidential 38% 10% 13% 14% 25% 0% 5% 10% 15% 20% 25% 30% 35% 40% NA (we do not scan for vulnerabilities) Pen testing Cloud services Open source software/tools Proprietary software/tools Copyright © 2015
  • 19. Why mobile apps contain vulnerable code Ponemon Institute Presentation, sponsored by IBM Private and Confidential 2% 6% 18% 19% 39% 64% 68% 73% 77% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% Other Incorrect permissions Application development tools have inherent bugs Malicious coding errors Accidental coding errors Lack of internal policies or rules that clarify security requirements Lack of quality assurance and testing procedures Lack of understanding/training on secure coding practices Rush to release pressures on application development team Copyright © 2015
  • 20. Mobile apps are difficult to secure and concern over malware is high. However, very few respondents say security is effective. Percentage of respondents selecting very high responses (7 to 10) only Ponemon Institute Presentation, sponsored by IBM Private and Confidential 14% 75% 77% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% The organization’s effectiveness in securing mobile apps Level of concern about the threat of malware to mobile apps Level of difficulty in securing mobile apps Copyright © 2015
  • 21. End-user convenience is most important Very important and important responses combined Ponemon Institute Presentation, sponsored by IBM Private and Confidential 47% 50% 66% 0% 10% 20% 30% 40% 50% 60% 70% End-user privacy when building and/or deploying mobile apps in the workplace End-user security when building and/or deploying mobile apps in the workplace End-user convenience when building and/or deploying mobile apps in the workplace Copyright © 2015
  • 22. How difficult is it to minimize the OWASP top 10 mobile app security risks? Difficult and very difficult responses combined Ponemon Institute Presentation, sponsored by IBM Private and Confidential 39% 40% 43% 45% 55% 55% 56% 67% 75% 80% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% Security Decisions Via Untrusted Inputs Lack of Binary Protection Improper Session Handling Weak Server Side Controls Insufficient Transport Layer Protection Client Side Injection Insecure Data Storage Poor Authorization and Authentication Unintended Data Leakage Broken Cryptography Copyright © 2015
  • 23. The 10 most frequently used practices to secure mobile apps More than one response permitted Ponemon Institute Presentation, sponsored by IBM Private and Confidential 42% 42% 44% 47% 49% 52% 53% 53% 53% 55% 0% 10% 20% 30% 40% 50% 60% Sensitive information is stored in an encrypted data section or in encrypted storage in the internal app data directory Application runs in a safe environment Adheres to the software development process as defined Updates internal training & education for development teams to follow application security policies & best practices Monitors the run time behavior of the app to determine if tampering has or is occurring Security acceptance requirements are in place for outsourced applications A defined software development process exists for requirements, design, implementation & testing Automated scanning tools test applications during development Automated scanning tools test applications for vulnerabilities after they have been released Prevents unauthorized users from accessing data security measures in order to stop data leakage Copyright © 2015
  • 24. The 10 least used practices for securing mobile apps More than one response permitted Ponemon Institute Presentation, sponsored by IBM Private and Confidential 20% 23% 25% 27% 28% 29% 29% 29% 29% 33% 0% 5% 10% 15% 20% 25% 30% 35% Applications are subject to a manual penetration testing effort by internal teams or third party Mobile app testing methods include tests of open source merged with proprietary applications Measures development teams for compliance with regulatory requirements or security best practices Ensures the “rush to release” does not impact coding practices Reviews code for adherence to secure coding standards Measures development teams for compliance with secure architecture standards Measures development teams for compliance with secure coding standards Uses the results of audits and assessments to improve application security policies and processes Uses the results of audits and assessments to improve architecture and coding standards Reviews application architecture against the secure architecture standards Copyright © 2015
  • 25. Conclusions Ponemon Institute Presentation, sponsored by IBM Private and Confidential Copyright © 2015
  • 26. Conclusions • Testing of mobile apps should be conducted frequently. The findings reveal many organizations are not testing apps. They are rarely tested in production. • Ensure the “rush to release” does not impact coding practices. • Conduct internal training and education programs for development teams to follow application security policies and best practices. • Increase the budget for mobile application security. The average budget is insufficient to have the technologies and expertise necessary to secure mobile apps. • Create policies and procedures to control employees’ risky behaviors. Most employees in the companies represented in this study are “heavy users of apps” but very often there are no policies that define the acceptable use of mobile apps in the workplace. Ponemon Institute Presentation, sponsored by IBM Private and Confidential Copyright © 2015
  • 27. Demographics Ponemon Institute Presentation, sponsored by IBM Private and Confidential Copyright © 2015
  • 28. About this research Ponemon Institute Presentation, sponsored by IBM Private and Confidential Sample Response Freq % Total sampling frame 19,890 100.0% Total returns 707 3.6% Screened or rejected surveys 67 0.3% Final sample 640 3.2% Copyright © 2015
  • 29. Current position or organizational level Ponemon Institute Presentation, sponsored by IBM Private and Confidential 2% 16% 20% 15% 39% 5% 3% Vice President Director Manager Supervisor Technician Staff Contractor Copyright © 2015
  • 30. Primary role in the organization Ponemon Institute Presentation, sponsored by IBM Private and Confidential 24% 22% 15% 14% 11% 5% 5% 3%1% Application development IT security IT management Application security Security architecture Quality assurance Risk management Compliance/audit Network engineering Copyright © 2015
  • 31. Primary industry focus Ponemon Institute Presentation, sponsored by IBM Private and Confidential 18% 11% 11% 10%9% 8% 6% 5% 5% 5% 3% 3% 2%2%2% Financial services Health & pharmaceutical Public sector Retail Industrial Services Technology & Software Consumer products Energy & utilities Hospitality Communications Entertainment & media Education & research Transportation Other Copyright © 2015
  • 32. Worldwide headcount of the organization Extrapolated value = 12,516 Ponemon Institute Presentation, sponsored by IBM Private and Confidential 16% 18% 21% 18% 11% 9% 7% Less than 100 100 to 500 501 to 1,000 1,001 to 5,000 5,001 to 25,000 25,001 to 75,000 More than 75,000 Copyright © 2015
  • 33. Caveats There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys. •Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument. •Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners located in the United States. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period. •Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response. Ponemon Institute Presentation, sponsored by IBM Private and Confidential Copyright © 2015
  • 34. Ponemon Institute Presentation, sponsored by IBM Private and Confidential Link to Complete Ponemon Institute Study: State of Mobile Application Insecurity SecurityIntelligence.com Blog: Ponemon Institute Study Reveals Alarming State of Mobile Security for Apps Press Release: March 19th Press Release YouTube Overview of IBM AppScan Mobile Analyzer: Identify & Remediate Application Security Vulnerabilities Effectively Learn More about IBM MobileFirst Protect: IBM MobileFirst Protect Improving Mobile Security at Your Organization Copyright © 2015
  • 35. Questions? Ponemon Institute Toll Free: 800.887.3118 Michigan HQ: 2308 US 31 N. Traverse City, MI 49686 USA research@ponemon.org Ponemon Institute Presentation, sponsored by IBM Private and Confidential Copyright © 2015
  • 36. Ponemon Institute Presentation, sponsored by IBM Private and Confidential Notices and Disclaimers Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM. Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided. Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation. It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.
  • 37. Ponemon Institute Presentation, sponsored by IBM Private and Confidential Notices and Disclaimers (con’t) Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right. IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document Management System™, Global Business Services ®, Global Technology Services ®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml. Copyright © 2015