This week, we learned that a group of cybercriminals recently gained access to Equifax files in a massive data breach that could impact as many as 143 million customers. The stolen personal data included birth dates, credit card numbers, social security numbers, driver’s license numbers, and other PII (personally identifiable information).
Although most breaches involve compromised admin credentials, siphoned via email phishing and/or social engineering attacks, this breach resulted when “criminals exploited a U.S. website application vulnerability to gain access to certain files,” the company said. Nathan Wenzler, chief security strategist at AsTech, said, “this is something we in the security community continue to see rising, as organizations are getting better and better at defending servers, workstations and laptops, the cyber criminals simply move on to the next easiest target, which is most commonly the organization’s web applications.”
Software development practices have always been a weak link in the enterprise security ecosystem. Developers make mistakes, design cycles grow shorter, resources (and time) are scarce, and the need for line-of-business apps keeps booming. With the proliferation of web, and now mobile apps, the importance of application security is bigger than ever. It’s all too common to find vulnerabilities in enterprise developer code as well as in the 3rd party libraries and SDKs they leverage. It’s so common, in fact, that the need for Application Security Testing tools and services has created a whole industry. However, this breach is a reminder that enterprises are still not doing enough to test the apps they rely on to handle, transport, or protect their most critical systems and data.
If that sounds scary, your day is about to get worse. Consider the fact that the vulnerable web application involved was developed by professional enterprise-grade developers. Now think about the mobile apps our employees use every day. Are those apps built by professional teams, with software development best practices, code/binary level security and vulnerability testing? You can bet the bank that that’s not the case. So, how can you trust these apps in your mobile environment, accessing your corporate networks, systems, and confidential data? Are you just sitting back and hoping for the best?
While Apple and Google do a decent job of preventing malware from entering the official app stores, they are simply not performing vulnerability and risk testing for all of the apps they offer. As Appthority has uncovered time and time again, the apps our employees use every day are exposing both personal and enterprise data to these types of massive breaches.
This is why a Mobile Threat Protection (MTP) solution with a heavy emphasis on App Security should be a crucial component of your enterprise mobile security strategy. By leveraging an MTP solution that integrates into your EMM/UEM, you can monitor all apps, whether enterprise developed or 3rd party, for risk and automatically take action to keep your systems, data, and people secure. Don’t wait for the next massive breach to take action. Be proactive and sign up for a free App Risk Analysis of the apps in your enterprise environment.