App stores have an implied level of trust associated with them, meaning we rarely read the fine print in the terms and conditions. It is easy to assume that because they are hosted by a well-known brand that the apps must be secure, robust and reputable.
While in many instances, this is true, some apps are either consciously or unconsciously malicious. Apps can harvest user information, integrate, and share data with other apps and providers, and they can contain vulnerabilities that allow them to be directly exploited.
Technology and cyber are complex, so it is unrealistic to expect most people to be up to date with the latest capabilities, processes and security concerns. When a parent is asked by their child, “Can I download this app to my phone?”, there needs to be a form of signalling to help them make an informed decision. All that anyone has today is information about how the app looks, the name of the app and reviews. This simply isn’t enough.
Innovation versus security
While security is paramount, it is important not to discourage innovation. It is fantastic that anybody can access a basic coding package to build an application. However, a way to build in increased trust and assurance is needed. There needs to be a minimum set of standards and requirements to ensure apps are fit for purpose and cyber secure. While this responsibility rests with the app developer, it also needs to be assessed, assured and signposted by other parties to ensure it has meaning to the consumer of the app.
The cyber security industry has been doing cyber security testing and assurance in the form of penetration testing and code review for many years. Most well-known apps have passed multiple rounds of assessment to check both functionality and cyber security. But although these applications are frequently assessed, there is no consistency. Some organisations rely on tools, some have a methodology, some undertake high level assessment, and some a thorough root and branch deep dive.
Phrases such as security review, application review, penetration test and technical assurance activity are thrown about, but these don’t have a consistent meaning. As a result, security assessments are hugely inconsistent and depend on factors such as the assessor, the tool, the methodology, the time applied and even the year performed.
Clearly, an assessment is better than no assessment, but the industry must pull together to build something that is consistent, repeatable, risk based and scalable. A vendor or tool from security company A should be able to undertake the same tests as company B, with a consistent methodology to reach the same conclusion. And not only do the results need to be consistent, they need to be presented in a coherent and scalable way.
We must make application security scalable. That means identifying a minimum set of standards and requirements to deliver against. We also need to create a complementary reporting framework that is hyper-calable and readable by application programming interfaces (APIs) and machines. This needs to clearly identify what has been assessed, what has been identified, and what the conclusions or outcomes are.
The application development and cyber security industries need to work together to achieve these goals. Only by focusing on standards and leveraging consistent reporting frameworks will we be able to build more consistent and pervasive cyber assurance outcomes.
The aim is not for the organisations providing application security to lose identities or their value add. Having the ability to present results in a range of different approaches, based upon the application, the audience and the scope will still be possible, for example. However, a minimum set of reporting controls and standards consistent across all testing platforms, processes and frameworks is essential.
This approach will drive both improvement and consistency across applications. However, the large digital marketplaces need to inform consumers when an application is secure. There are lots of different ways that this could be achieved. At the most basic, a thumbs up/thumbs down is useful. Alternatively, marketplaces could develop a more granular rating system.
The time for industry to act is now.
Across the world, governments and regulators are looking at digital marketplaces to identify ways to build better and more consistent security practices. Although regulation may not be on the horizon today, it is probable that there will be increased guidance and recommendations issued to digital marketplaces – with the intent of driving improvement.
In an interconnected and global supply chain, this could result in governments providing different requirements. This, in turn, could exacerbate inconsistency and deviations from the intended goals of standardisation. It is therefore within the gift of industry to come up with a solution to this problem itself. Through collaboration, engagement and dialogue, industry can collectively build standards, deliver consistent assessments, and provide consistent signposting to consumers on the efficacy of an application’s security posture.
Crest recently formed a relationship with the Open Web Application Security Project (OWASP) and launched its OWASP Verification Standard (OVS) for users embarking on this journey. More information is available here.
Rowland Johnson took over as president of Crest in 2021, having previously worked as the organisation’s international development director. He was previously founder and CEO of Nettitude, a provider of penetration testing, compliance and risk management services.