John Dickson, a principal at the application security consultancy Denim Group, has a "lightweight, easy" tip to save enterprise developers of mobile apps a lot of "heartache and resources" down the line: Diagram a threat model on a whiteboard.
Dickson defines a threat model as a broad, high-level architecture diagram of what the app does and where the data resides and moves.
"Many of the real, disastrous mistakes are made on the conception side, and if you understand that concept and that diagram, you save yourself a lot of problems," Dickson says in an interview with Information Security Media Group. "Lightweight, easy, whiteboard, five minutes - that's all that's suggested."
In the interview, conducted at the recent Gartner Security and Risk Management Summit in National Harbor, Md., Dickson:
- Explains why the culture in enterprises needs to change to encourage the development of secure mobile apps. "Demand for features, functionality and releases is phenomenal. In that context, when you don't have somebody at the top actively injecting [security] requirements, they simply don't make it onto the table."
- Addresses how the pressure on mobile app developers to ship apps quickly deters them from writing secure software. "Most developers are not going to get fired for creating insecure code. They will get fired if they don't put up their code in the dev server on time."
- Discusses how homegrown apps have different security challenges than those sold in app stores.
Dickson has two decades of hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As principal at Denim Group, he helps executives and CISOs in business and government launch and expand their critical application security initiatives.