By: Eduardo Cervantes, manager, Mobile Application Security Testing, WhiteHat Security
In an age where building applications is essential to business success, it’s more important than ever that application security is approached correctly. In fact, according to Statista, apps are expected to generate $581 billion in revenue by 2020.
Now it’s officially 2020, but companies’ views on how to secure web vs. mobile applications still aren’t crystal clear. Many customers are already using web application security tools and feel moving to mobile is an ocean of work, but that’s not the case.
While these two types of applications’ attack surfaces vary, similar tactics and tools can be used to scan and secure them both. Let’s start with exploring how they measure up against one another. The biggest differences between the two are the environment and how the data generated from interacting with the application is stored and transmitted.
The Make-up of Mobile Applications
In mobile applications, the client that communicates with the back-end service is a full-blown operating system that stores data. Often, users can open the app and it already knows who they are, which means it is storing their session and identity. All of that information lives on the device. If a digital adversary or hacker were to compromise a mobile application, they would have access to that same session and personal information, the data that allows the app to remember and authenticate you.
How Web Applications Differ
Web applications have some caching, but for the most part, even on a dedicated machine, a browser doesn’t have a long-term memory. Thus, there isn’t a large amount of data stored as there is in the case of mobile apps. If a web app were infiltrated by a cybercriminal, rather than the instant gratification of data access, it would serve as an entry point or foothold for them to get into back-end databases and other areas of the company’s network, leading to a potential breach.
Mobile Application Security Testing
Both of these application types can be protected with the correct form of application security testing. Mobile application security testing (MAST) looks at the relationship between the request and response and how they are being handled in the operating system itself.
An ideal MAST approach combines dynamic and static automated scanning as well as manual mobile application-layer penetration testing to provide complete coverage across the entire DevOps lifecycle. This addresses compliance requirements, reduces risk and produces safer mobile apps to stay secure from potential attacks.
Web Application Security Testing
Web application security testing tools help companies protect their web-based services and apps. In contrast to MAST, which has a large client component, they mostly look at the relationship between the request and the response.
As the complexity and scale of websites have increased, companies need web application security testing tools to help contextualize the risk carried by the vast amounts of data collected as they try to spot anomalies and identify vulnerabilities.
There are two popular types of tool in this category: static application security testing (SAST), which scans applications before they reach production, and dynamic application security testing (DAST), which scans applications on an ongoing basis once they have been deployed. The best approach to bolstering web application security is combining SAST and DAST, so the applications are covered throughout the DevOps lifecycle and into production.
AppSec Across all Apps
Both MAST and web application security testing tools are widely available on the market today, and it’s incredibly important for both types of applications to be properly secured. The proof is in the research. A recent WhiteHat Security study revealed that organizations that scan applications in production have a reduced risk of being breached, and that organizations that embed security in DevOps are able to reduce risk, reduce cost and improve time to market.
So don’t be intimidated or nervous about adding mobile to your application security testing toolbox. It could save you and your customers from a major data compromise and allow your business to focus on the benefits of providing applications, not the risks.