For a long time, security was seen as a barrier to innovation.
Designers, developers, QA engineers, and product managers didn’t spend much time on security. In their mind following the advice of their security teams might have meant pushing back tight deadlines. And that in turn might have meant launching late and missing out on valuable market share.
But things are changing.
High-profile security breaches have led to a stark realization:
It’s better to launch later with a secure app than to launch early with one full of gaps for bad actors to exploit.
After all, a security breach doesn’t only lead to you losing things you can measure easily, like revenue. It can also result in a permanent erosion of trust among the very consumers you were aiming to attract in the first place.
That’s why forward-thinking companies now see security as a vital part of innovation rather than a barrier to it. They realize that retrofitting security as an afterthought just doesn’t work. It’s only by following security by design principles that you can create a great user experience and keep that user’s data safe at the same time.
Security by design
In a recent article we spoke about the rise of hybrid apps being, at least in part, down to the pressure to launch apps quickly.
Companies are often under huge strain to get an MVP to market fast. They know that consumers have their mobiles with them at all times. And as such they want their app to be there with them - in their pocket, ready to target them at just the right time.
This pressure helps to explain why lots of companies might have only considered the security of their app at the end of the development process.
“We’ve designed and developed our app."
"Now let’s add some security to it.”
But in practice, it isn’t as simple as that. Vulnerabilities often creep in during design and development. And these weaknesses are often in the code itself.
It’s not a case of flicking a switch and magically securing all of that code afterwards.
That’s why security by design is so effective.
One of its key principles is that the responsibility for security is shared across the company. In other words, it isn’t something the head of security alone is thinking about. Instead, the UX team, the product manager, and the developers are thinking about it, too.
And security by design means thinking about security at each stage of the app development process. It’s not something that’s considered a week before launch. It’s discussed at the very beginning of the design process. And then it’s a constant consideration throughout - even beyond the launch.
As the UK’s National Cyber Security Centre say in their guide to secure design principles, “the very worst outcomes can be avoided if services are designed and operated with security as a core consideration.”
The fact that we’re still seeing high-profile attacks tells us that this is a work in progress for many businesses. Indeed, EY reported earlier this year that two-thirds of companies only consider cybersecurity once it’s already too late.
Switching the security mindset from reactive to proactive takes time. It doesn’t happen overnight.
We’ll explore a little later why security by design is set to be so important in the coming years. But in the here and now, companies are beginning to understand why it makes sense. The impact of mobile logic moving to the client side and the huge hike in attacks during the covid-19 pandemic has shone a light on the need for better mobile security.
You only have to look at a snapshot of one month of attacks in the UK from earlier this year to see how pressing the need is.
How to shift from reactive to proactive security
The attacks listed in the IT Governance piece paint a brutal picture of the landscape.
And while it’s too simplistic to suggest following security by design principles would put an end to these breaches, they can give you better odds at countering attacks. They can help to make sure that common vulnerabilities are avoided.
For example, with security at the forefront of your thinking, you consider how best to securely store sensitive data. You put limits on the number of times a user can attempt to login using their pin or password.
These are fairly simple things. But they’re often overlooked when security is only an afterthought.
Shifting from reactive to proactive security often starts with threat modeling. A threat model is essentially you putting yourself in the hacker’s shoes.
What opportunities exist within your app for them to achieve their goals? And how skilled would they need to be to do so?
Think about security this way - before you even begin to develop your app - and soon you’ll be thinking of a lot more potential attack vectors than you imagined.
You’ll think twice about where and how you’d planned to secure your most sensitive code, data, and other key materials.
You’ll also start thinking about a whole host of other attack vectors that you might not have considered. After all, not all attacks are aimed at stealing sensitive data. Bad actors can also hijack sessions with a server and initiate a rogue transaction. They can send fake data to a server to compromise the client.
Attacks like these happen across industries. But in some sectors such as healthcare, these attacks can put lives at risk as well as livelihoods and reputations.
The examples of attacks above are a reminder that your threat model shouldn’t just focus on the app itself. A common error is to create a perfectly-secure app, but then forget about server-side security.
This is a bit like making sure you’ve locked the doors to your home but then leaving all of the windows open.
Equally, you need to consider that your app won’t always be used in a secure environment. People use weak wifi connections. They sometimes have another dangerous app or malware installed on their device. We call this the “zero trust approach”. It pays to assume that your apps will be used in unsafe environments. So, you’ll have to plan to use security that includes environment checks.
Security by design is about ongoing security, too. That means carrying out testing throughout the development process and beyond the launch date.
You also have to accept that security incidents will happen.
A system that doesn’t have security incidents is a system that isn’t working. Human error makes it an inevitability. But security by design means you’re prepared to deal with threats. It means you’re monitoring the landscape for risks and are ready to counter them.
A new way to think about app security
The modern consumer is more demanding than ever before. Social media and the smartphone have created an environment where she wants information in the moment. But she also demands that her data is secure.
This is the delicate dance that all companies are engaged in.
It’s a fine balance between speed and security. But as we’re fond of saying here at Licel, if you have to choose just one of the two, then security should win out every time.
Trust is vital to winning and keeping customers. And the most 21st century way of waving goodbye to your customer’s trust is by allowing hackers to get hold of their data.
Developing your app using security by design principles sends a clear message to your end users - that you care.
It shows them that you respect their custom enough that you’ll do everything in your power to keep their personal data safe.
This goes hand in hand with transparency, too. You can keep your users aware of security measures by explaining the ways in which you’ll contact them and the kind of information you’ll ask them for. This gives them an active role in their security as they’ll be better prepared to spot scam emails and texts.
In the coming years, 5G technology will usher in an army of connected devices to help us navigate the modern world. Sensors that will help speed up our daily routines. And the old way of thinking about security just won’t cut it anymore.
More connected devices mean more attack vectors for bad actors. If consumers are to trust these devices and the apps that control them - enough to invite them into their homes - then they’ll need to be reassured that security has been considered throughout the design and development process.
Imagine a highly-promising tech company has designed an app that can lock and unlock doors in the homes of the near future. Now imagine that instead of employing security by design principles, this company took a more short-term, last-minute approach to security. It’s not hard to imagine the catastrophic impact to that business’s reputation if their customers were to suffer burglaries due to a gap in the app’s security.
We’re not quite there yet, but there are signs that companies are getting on board with this new way to think about app security.
They realize that respecting their end users enough to think of their security from the outset will be rewarded in the long run.
At Licel we're on a mission to spread the word about the benefits of security by design principles. If you're at an early stage of your mobile app development process and are looking for security advice, get in touch.