'Rush to release' apps endangers end users

Dan Kobialka
Editor's Corner

Releasing a safe, high-quality app remains essential for mobile developers, but recent data indicated that the "rush to release" apps is putting many end users at risk.

In a new survey of 605 IT and IT security practitioners conducted by application delivery networking (ADN) technology provider F5 Networks and independent research firm Ponemon Institute, 67 percent of respondents said the "rush to release" causes app developers in their organization to "neglect secure coding procedures and processes."

Also, the survey revealed that the two primary reasons why apps contain vulnerable code are that developers do not understand secure coding practices or they have coded apps poorly.

So how can developers avoid the temptation to "rush to release" apps? It may be as simple as incorporating development and operations (DevOps) practices into the app development cycle.

The F5 and Ponemon survey showed 71 percent of security professionals who have integrated DevOps practices into their app development lifecycles noted that they have "improved security and that it enabled them to respond quickly to vulnerabilities."

Furthermore, F5 Chief Information Security Officer Mike Convertino pointed out that DevOps practices could be incorporated into the everyday practices of mobile developers to ensure these developers minimize end user risks.

"I believe that DevOps practices can be highly beneficial to application security as long as security testing is embedded into the automated testing we already do in DevOps alongside all the functional tests to ensure that the apps we develop are both functionally robust and secure from the ground up," he wrote in a blog post.

Although mobile developers want to release apps as quickly as possible, doing so at the expense of app security is simply unacceptable. Instead, mobile developers must consider security throughout the app development cycle, or they may put end users in danger.

Fortunately, consistent app testing and quality assurance (QA) protocols can make a world of difference for mobile developers, particularly when it comes to improving app security.

"The State of Mobile Application Insecurity" survey of 640 app development and security professionals conducted by IBM and Ponemon further illustrated the impact of effective app testing.

Survey researchers found 55 percent of respondents said they do not test apps, and many mobile apps are rarely tested during the production cycle. Meanwhile, even though an average of $34 million is spent annually on mobile app development, only about $2 million – or 5.5 percent – of this total is dedicated to mobile app security.

Clearly, many mobile developers fail to devote the necessary time and resources to minimize security vulnerabilities before an app reaches end users. In order for a mobile developer to succeed, app security likely will need to move to the forefront of the app development cycle in the foreseeable future.

Without app security measures in place, end users could suffer, and a mobile developer risks alienating these end users altogether. But if mobile developers incorporate app testing and QA protocols into the app development process now, they may be able to eliminate security risks, streamline the app development cycle and be better equipped to provide end users with best-in-class apps for years to come. - Dan@FierceDeveloper