
Building App Layer Security Into the Supply Chain

tech4people, Supply Network Guru, 3/3/2014 9:59:13 AM
Re: Trends like these don't make you feel Comfortable

Hailey,

Absolutely!

You can't simply trust that the App Store will screen out all the malicious apps on its own.

If you run your own company's IT network, you have to screen the apps which you permit on the network.

If you don't do such audits, you are asking for trouble many times over!

I remember an app which made headlines last year (in the security world) for its unique ability to disguise itself in the iPhone App Store during screening time and then reveal its nefarious characteristics only later on [the iPhone screens the apps in the App Store only once, at time of application, not repeatedly].

It was beyond fascinating and scary [from a security practitioner's point of view].

If you use your apps for financial services access online, you have to be doubly careful, like this one from Bank of America today:

http://www.itworld.com/business/407383/be-scared-bank-americas-iphone-app-be-very-very-scared

Not surprising that more research has to be done here before we allow many more apps in the enterprise today.

HaileyMcK, Blogger, 2/28/2014 12:53:55 PM
Re: Trends like these don't make you feel Comfortable

Whitelisting is definitely a good approach... always better to let in known good than to keep out known bad.

Your points about Android are well taken. People assume that because an app is in Apple's App Store it is vetted... and that's not at all true. At least not in terms of security.

tech4people, Supply Network Guru, 2/28/2014 9:40:20 AM
Re: Re: Building App Layer Security Into the Supply Chain

Hailey,

It's interesting that you brought up the fascinating case of the Target data breach.

It had more to do with the fact that they were using unpatched versions of XP for their card terminals.

And these terminals also had Internet access!

That's asking for a lot of trouble.

Hence they got breached in a big, big way!

tech4people, Supply Network Guru, 2/28/2014 9:38:01 AM
Re: Trends like these don't make you feel Comfortable

Hailey,

Those are very fair statements to make regarding mobile OSes and smartphones in general.

Just saying from past experience here that, while the Android OS is much more secure than the iOS platform [because vulnerabilities are patched much faster here at the OS level], at the app level Apple is definitely much more secure.

That has a lot to do with the fact that the Android OS platform has seen more widespread adoption than Apple's iOS, and also the fact that Google has purposely left the bar much lower when it comes to app security than Apple (because they want to encourage as many developers to develop for Android as possible).

I prefer the whitelisting approach, where you can shortlist what kind of apps you are comfortable permitting in your enterprise (after a full-scale audit of those apps by your software team), especially for business-critical functions.

Here's a good MDM audit list, courtesy of Code42:

http://docs.media.bitpipe.com/io_11x/io_110848/item_734110/ClientManagementChecklist.pdf


HaileyMcK, Blogger, 2/28/2014 1:01:32 AM
Re: Trends like these don't make you feel Comfortable

@Tech4People. Don't fool yourself... Apple, Android, etc. All mobile platforms and every OS has its risks. Building awareness helps. Key things to remember:

1) Patch early, patch often

2) Do regular security training with employees and supply chain partners

3) Focus on a combination of closing security holes and having clear mandates around how to handle the inevitable security issue.

HaileyMcK, Blogger, 2/28/2014 12:58:54 AM
Re: Re: Building App Layer Security Into the Supply Chain

@Tech4People, certainly no organization has the budget for total security. First, it's not an achievable goal; second, it is a moving target; and third, to try would be prohibitively expensive. However, the headlines are full of examples of hugely expensive security breaches. Think about Target just recently. Especially for a data breach, it can run to millions and billions of dollars. It's a hard line to toe: no organization has the money to really do it, but no organization can really afford not to do it. It finally comes down to identifying and mitigating the biggest risks.

tech4people, Supply Network Guru, 2/27/2014 3:35:13 PM
Re: Need a major jump forward

Hailey,

I have to agree.

That is the way these things are working today.

And there is a reason for that.

Most major threats today are just blended threats (either that or iterations of basic threats which are very well chronicled in the OWASP list).

In a way it's bad for security research innovation (no cutting-edge threats to talk about), but in a way it's good for the defenders to keep the bad guys out.

tech4people, Supply Network Guru, 2/27/2014 3:31:54 PM
Trends like these don't make you feel Comfortable


Hailey,

When one reads articles like this one on CIO Magazine, it really raises a major sense of concern/alarm.

http://www.cio.com/article/748604/6_Out_of_10_Android_Apps_a_Security_Concern

What is one supposed to do here?

Make your entire supply chain so that it is based on Apple devices?

But then that would raise costs dramatically across your entire supply chain (thus defeating the very purpose of the supply chain).

And even that approach is not 100% safe either.

http://www.itworld.com/security/406739/new-ios-flaw-allows-malicious-apps-record-touch-screen-presses

http://www.reuters.com/article/2014/02/22/us-apple-flaw-idUSBREA1L01Y20140222

The approach I prefer is to go for a whitelisting approach for apps, where only a few control-approved apps are allowed onto enterprise devices.

And no, BYOD won't cut it in this enterprise.
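
The app allowlisting that tech4people argues for in this thread and in the 2/28 reply above, as an added example that is not part of the EBN discussion or of any MDM product: a default-deny check that runs a device's installed-app inventory against an allowlist. Every package id, version string, certificate byte string and allowlist entry below is constructed for illustration; in practice they would come from an MDM export. The check pins the SHA-256 fingerprint of each approved app's signing certificate (an assumption about what the inventory reports), so a look-alike build with the same package name but another signer is caught, and it also rejects approved apps older than the version the audit cleared.

```python
"""Default-deny app allowlist check for enterprise devices.

Added example, not code from the EBN thread or from any MDM product. The
package ids, version strings, certificate bytes and the allowlist below are
constructed for illustration; a real check would read them from an MDM export.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class InstalledApp:
    package: str        # bundle / package identifier reported by the device
    version: str        # dotted version string reported by the device
    signer_cert: bytes  # DER bytes of the app's signing certificate


# package id -> (SHA-256 fingerprint of the approved signing cert, minimum version)
Allowlist = Dict[str, Tuple[str, str]]


def cert_fingerprint(der: bytes) -> str:
    """Hex SHA-256 of the DER certificate. Pinning this, not just the package
    name, is what tells the vendor's build apart from a repackaged one."""
    return hashlib.sha256(der).hexdigest()


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.3.1' -> (2, 3, 1); a non-numeric component is treated as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def version_at_least(have: str, need: str) -> bool:
    """Compare dotted versions component-wise, padding the shorter with zeros."""
    h, n = parse_version(have), parse_version(need)
    width = max(len(h), len(n))
    return h + (0,) * (width - len(h)) >= n + (0,) * (width - len(n))


def check_app(app: InstalledApp, allowlist: Allowlist) -> str:
    """Return a verdict for one app. Anything not explicitly approved is blocked."""
    if app.package not in allowlist:
        return "blocked: not on allowlist"
    approved_fp, min_version = allowlist[app.package]
    if cert_fingerprint(app.signer_cert) != approved_fp:
        # Same package name, different publisher: a sideloaded or trojanized build.
        return "blocked: signer mismatch"
    if not version_at_least(app.version, min_version):
        # Known-good app, but older than the version the audit approved.
        return "blocked: version below approved minimum"
    return "allowed"


def check_inventory(inventory: Iterable[InstalledApp], allowlist: Allowlist) -> Dict[str, str]:
    """Verdict per package id for one device's installed-app inventory."""
    return {app.package: check_app(app, allowlist) for app in inventory}


# ---- constructed sample data (stand-ins for a real MDM export) --------------
VENDOR_CERT = b"constructed DER bytes standing in for the vendor's signing cert"
OTHER_CERT = b"constructed DER bytes standing in for some other publisher's cert"

ALLOWLIST: Allowlist = {
    "com.example.expenses": (cert_fingerprint(VENDOR_CERT), "2.1.0"),
    "com.example.warehouse": (cert_fingerprint(VENDOR_CERT), "1.0"),
    "com.example.timesheet": (cert_fingerprint(VENDOR_CERT), "3.0"),
}

SAMPLE_INVENTORY = [
    InstalledApp("com.example.expenses", "2.3.1", VENDOR_CERT),   # approved build
    InstalledApp("com.example.warehouse", "1.2", OTHER_CERT),     # repackaged: wrong signer
    InstalledApp("com.example.timesheet", "2.9", VENDOR_CERT),    # genuine but below minimum
    InstalledApp("com.freegames.flashlight", "7.0", OTHER_CERT),  # never audited
]

if __name__ == "__main__":
    for package, verdict in check_inventory(SAMPLE_INVENTORY, ALLOWLIST).items():
        print(f"{package:28} {verdict}")
```

Pinning the signer keeps a same-named package from another publisher out; it does nothing against the case tech4people raises of a vendor-signed app that only shows its true behaviour after review, which is why the full-scale audit has to be repeated whenever an approved app's version changes rather than done once at onboarding.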


tech4people, Supply Network Guru, 2/27/2014 3:07:23 PM
Re: Software Help

Hailey,

Nation-state actors are a serious, serious problem here.

Richard Clarke has some very interesting perspectives to share on this issue with all of us.

http://searchsecurity.techtarget.com/news/2240214986/Richard-Clarke-NSA-revelations-show-potential-for-police-state

We definitely do risk becoming a Stasi/police state today.

tech4people, Supply Network Guru, 2/27/2014 3:04:44 PM
Re: Re: Building App Layer Security Into the Supply Chain

Hailey,

While I agree with this statement in totality, I really wonder about who will be the organization that foots the bill for this full security blanket, so to speak.

At a time of plunging CAPEX globally, spending on supply chain (including app layer security) is going to see big falls.

In such an environment, companies will constantly be stuck trying to do more with less and less.

Not the right recipe for action.

More Blogs from Hailey Lynne McKeefry