Improving Caribbean Software / Mobile App Security


The Caribbean has seen recent growth in mobile app development, driven by various stakeholders as a means of increasing ICT innovation and entrepreneurship. Evidence of this trend can be found in recent news clippings from the region.

Indeed, this growth also exists on the demand side with various Caribbean commercial and non-commercial entities having developed mobile apps as a new means to connect, provide services and interact with their clientele. The range of businesses engaging in such activity also includes banks and businesses facilitating payments.


Insecure Code Abounds

However, a recent WSJ blog article based on an academic paper entitled “Mo(bile) Money, Mo(bile) Problems: Analysis of Branchless Banking Applications in the Developing World” has cast some doubt on the security of some mobile banking apps. According to the paper by Reaves, Bradley, et al., “28 significant vulnerabilities across seven applications” were found, categorized under the following headers:

  • SSL/TLS & Certificate Verification
  • Non-standard Cryptography
  • Access Control
  • Information Leakage


What does this mean for us in the Caribbean? None of the apps tested were from the Caribbean; however, not having been tested does not mean an app is secure.

Questions?

If you are a Caribbean-based mobile app developer, software developer or an organisation that outsources software development, you need to be asking yourself: how secure is my software development lifecycle?

  • Which level of the Open Web Application Security Project (OWASP) Foundation software development capability maturity model do I fall within?

Figure 1: Capability Maturity Model, image credit OWASP

Figure 2: Security process in reality, image credit Nazar Tymoshyk, SoftServe


  • What static analysis tools are available to test my code?
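As an added illustration of what a static check for the vulnerability headers above can look like (this is example code written for this post, not code from the page, from the Reaves et al. paper, or from Kiuwan), the Python script below scans Android/Java source text for patterns that fall under three of the four headers: a trust-all certificate handler and a hostname verifier that always says yes (SSL/TLS & Certificate Verification), a cipher configured in ECB mode (filed under Non-standard Cryptography, which is this example's own mapping), and a credential written to the Android log (Information Leakage). Access Control is left out on purpose, since whether a server-side check exists is not something a pattern match can decide. The rule regexes, the category mapping and both Java snippets are constructed for this example; a real analyzer parses the code rather than pattern-matching it, but the triage output it produces is of the same shape.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical rule table for this example (not any real tool's rule set).
# Each entry: category header from the paper, human-readable message, regex.
# Access Control is deliberately absent: detecting a missing authorization
# check needs program semantics that a textual pattern cannot see.
RULES = [
    ("SSL/TLS & Certificate Verification",
     "X509TrustManager.checkServerTrusted has an empty body (accepts any certificate)",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}")),
    ("SSL/TLS & Certificate Verification",
     "HostnameVerifier.verify unconditionally returns true (no hostname check)",
     re.compile(r"verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)\s*\{\s*return\s+true\s*;\s*\}")),
    ("Non-standard Cryptography",  # this example's own mapping of ECB mode to the paper's header
     "Cipher configured in ECB mode (deterministic; leaks plaintext structure)",
     re.compile(r'Cipher\.getInstance\(\s*"[^"]*/ECB/[^"]*"\s*\)')),
    ("Information Leakage",
     "credential-like value written to the Android log",
     re.compile(r"Log\.[dviwe]\s*\([^;]*?\b(?i:password|token|pin)\b[^;]*\)")),
]


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line number in the scanned source
    category: str    # one of the headers from the paper
    message: str


def scan_java(source: str) -> List[Finding]:
    """Run every rule over the source text and return findings sorted by line."""
    findings = []
    for category, message, pattern in RULES:
        for match in pattern.finditer(source):
            line = source.count("\n", 0, match.start()) + 1
            findings.append(Finding(line, category, message))
    return sorted(findings, key=lambda f: f.line)


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category header, the way the paper tabulates them."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed Android/Java fragment carrying four of the patterns above.
# It is sample input for the scanner only and is not meant to compile.
INSECURE_JAVA = """
public class NetClient {
    private static final TrustManager[] TRUST_ALL = new TrustManager[] {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() { return null; }
        }
    };
    static HostnameVerifier ALLOW_ANY = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return true; }
    };
    static Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
    void login(String user, String pin) {
        Log.d("Auth", "login " + user + " pin=" + pin);
    }
}
"""

# Constructed hardened counterpart: platform trust store and hostname
# verification via the default factory, an authenticated cipher mode, and
# no secret in the log line. The scanner should report nothing here.
SAFE_JAVA = """
public class NetClient {
    static final SSLSocketFactory FACTORY = (SSLSocketFactory) SSLSocketFactory.getDefault();
    static Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
    void login(String user, String pin) {
        Log.d("Auth", "login attempt for " + user);
    }
}
"""

if __name__ == "__main__":
    for name, src in (("insecure", INSECURE_JAVA), ("hardened", SAFE_JAVA)):
        results = scan_java(src)
        print(f"{name}: {len(results)} finding(s), by category {summarize(results)}")
        for f in results:
            print(f"  line {f.line:>3}  [{f.category}] {f.message}")
```

On the insecure fragment the scanner reports four findings (lines 6, 11, 13 and 15) and, on the hardened one, none; the per-category counts are the same kind of tally the paper's "28 significant vulnerabilities across seven applications" figure comes from, which is why a rule-based first pass is a useful place to start even before a commercial analyzer is brought in.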


Should you require assistance in answering the last question, click on the video link below for a one-minute introduction to Kiuwan, and please do get in contact for further information and/or a free web demo.

See also the details of, and register for, the free upcoming webinar “Take your code and quality to the next level” on Sept 10th at 10am (AST).

Additional Resources

  • White Paper – Software Development Outsourcing – This paper presents and assesses the different techniques for code quality and security evaluation that a “receptor” (recipient organization) of externally developed software can apply to determine the intrinsic (technical) quality and security of the delivered software.
