Improving Caribbean Software / Mobile App Security
The Caribbean has seen recent growth in mobile app development, driven by various stakeholders as a means of increasing ICT innovation and entrepreneurship. Evidence of this trend can be found in various news clippings from the region:
- The Caribbean Industrial Research Institute (CARIRI) and CANTO signed a memorandum of understanding in 2014 “to work together to strengthen the region’s ability to develop, promote and commercialise mobile applications”
- In 2013 and 2014, BrightPath hosted several AppMaster Mobile App Development workshops in various Caribbean territories
- Jamaica’s Digital Jams 3.0 Grand Prize winner (2014) was a mobile app called CrimeBot, as highlighted in a World Bank feature story entitled “Caribbean youths look to create the next top mobile app”
Indeed, this growth also exists on the demand side with various Caribbean commercial and non-commercial entities having developed mobile apps as a new means to connect, provide services and interact with their clientele. The range of businesses engaging in such activity also includes banks and businesses facilitating payments.
Insecure Code Abounds
However, a recent WSJ blog article based on an academic paper entitled “Mo(bile) Money, Mo(bile) Problems: Analysis of Branchless Banking Applications in the Developing World” has cast some doubt on the security of some mobile banking apps. According to the paper by Reaves, Bradley, et al., “28 significant vulnerabilities across seven applications” were found and categorized under the following headers:
- SSL/TLS & Certificate Verification
- Non-standard Cryptography
- Access Control
- Information Leakage
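The first category, broken SSL/TLS and certificate verification, is also the easiest to catch with a simple static check. The following Python is an added example, not code from this post or from the paper: it scans constructed Java fragments (not taken from any real app) for the textbook mistakes of an empty `checkServerTrusted`, a `getAcceptedIssuers` that returns null, and an accept-all hostname verifier, and reports nothing for code that keeps the platform's default validation.

```python
import re
from typing import List, Tuple

# Constructed Java fragments for illustration (not from the post or the paper).
# The first disables certificate and hostname checks; the second keeps the
# platform defaults by passing a null TrustManager array to SSLContext.init.
INSECURE_JAVA = '''
TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
    public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
} };
HttpsURLConnection.setDefaultHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
'''

SAFE_JAVA = '''
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, null, null);  // null TrustManager[] = platform default validation
HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
'''

# Each rule is (finding id, compiled pattern). These are deliberately simple
# source-text heuristics; a production linter would work on a parsed AST.
RULES = [
    ("empty-checkServerTrusted",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.]+\s*)?\{\s*\}")),
    ("null-accepted-issuers",
     re.compile(r"getAcceptedIssuers\s*\([^)]*\)\s*\{\s*return\s+null\s*;\s*\}")),
    ("accept-all-hostname-verifier",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"
                r"|verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}")),
]


def scan_java(source: str) -> List[Tuple[str, int]]:
    """Return (finding id, 1-based line number) for every rule match in source."""
    findings = []
    for rule_id, pattern in RULES:
        for match in pattern.finditer(source):
            line = source.count("\n", 0, match.start()) + 1
            findings.append((rule_id, line))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for name, src in (("insecure", INSECURE_JAVA), ("safe", SAFE_JAVA)):
        print(name, scan_java(src))
```

Android's own lint ships equivalent checks (TrustAllX509TrustManager, BadHostnameVerifier), so a maturing SDLC would run those in CI rather than rely on an ad-hoc script like this one.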
What does this mean for us in the Caribbean? None of the apps tested were from the Caribbean; however, the fact that an app has not been tested does not mean it is secure.
If you are a Caribbean-based mobile app developer, software developer or an organisation which outsources software development, you need to be asking yourself: how secure is my software development lifecycle?
- Which category do I fall within in the Open Web Application Security Project (OWASP) Foundation’s software development capability maturity model?
Figure 1: Capability Maturity Model, image credit OWASP
- Do I integrate security into my software development lifecycle or do I only test at the end?
Figure 2: Security process in reality, image credit Nazar Tymoshyk, SoftServe
- What static analysis tools are available to test my code?
Should you require assistance in answering the last question, click on the video link below for a 1-minute introduction to Kiuwan, and please do get in contact for further information and/or a free web demo.
See also the details of, and register for, the FREE upcoming webinar “Take your code and quality to the next level” on Sept 10th at 10am (AST).
- Webinar – Reviewing OWASP Top 10 vulnerabilities – Detect your insecure Java code! Most of the OWASP Top 10 vulnerabilities can be prevented by writing source code which is secure and protected against potential threats.
- White Paper – Software Development Outsourcing – This paper presents and assesses the different techniques for code quality and security evaluation that a “receptor” (recipient organisation) of externally developed software can apply to determine the intrinsic (technical) quality and security of the delivered software.