Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Application Security...

Page 1

Sponsored by IBM and Arxan Technologies

Dr. Larry Ponemon, Ponemon Institute
Neil K. Jones, IBM Security
Mandeep Khera, Arxan Technologies

2017 Study on Mobile and Internet of Things Application Security

Page 2

Agenda

• Overview of “2017 State of Mobile and IoT Application Security” study
• Key findings
  • Risk of mobile and IoT applications
  • Are organizations mobilized to reduce security risk?
  • Current security practices in place
• Survey methodology
• Q&A session

Page 3

Presenters

Neil K. Jones, Application Security Market Segment Manager, IBM Security

Dr. Larry Ponemon, Chairman and Founder, Ponemon Institute

Mandeep Khera, Chief Marketing Officer, Arxan Technologies

Page 4

Purpose of the study

The purpose of this research is to understand how companies are reducing the risk of mobile apps and Internet of Things (IoT) in the workplace. The risks created by mobile apps have been well researched and documented. This study reveals how companies are unprepared for risks created by vulnerabilities in IoT apps.

January 18, 2017 Ponemon Institute Presentation Private and Confidential 4

Page 5

Sample response                Frequency   Percentage
Sampling frame                    16,450       100.0%
Total returns                        651         4.0%
Rejected or screened surveys          58         0.4%
Final sample                         593         3.6%

Page 6

A summary of key findings in this research

• Many organizations are worried about an attack against mobile and IoT apps that are used in the workplace.
• Organizations have no confidence or are not confident that they know all mobile and IoT apps in the workplace.
• The use of mobile and IoT apps is a threat to a strong security posture.
• Mobile and IoT risks exist because end-user convenience is considered more important than security.
• The functions most responsible for mobile and IoT security reside outside the security function.
• Hacking incidents and regulations drive growth in budgets.
• Despite the risk, there is a lack of urgency to address mobile and IoT security threats.
• Malware is believed to pose a greater threat to mobile than to IoT apps.

Page 7

The risk of mobile and IoT apps

Page 8

How difficult is it to secure mobile and IoT apps? (1 = easy to 10 = very difficult; 7+ responses reported)

Level of difficulty in securing IoT apps: 84%
Level of difficulty in securing mobile apps: 69%

Page 9

How concerned is your organization about getting hacked through a mobile or an IoT app? (Very concerned and Concerned responses combined)

Hacked through an IoT app: 58%
Hacked through a mobile app: 53%

Page 10

How concerned is your organization about the threat of malware to mobile and IoT apps? (1 = no concern to 10 = very concerned; 7+ responses reported)

Threat of malware to mobile apps: 84%
Threat of malware to IoT apps: 66%

Page 11

How significantly does employees’ use of mobile and IoT apps affect your organization’s security risk posture? (Very significant and Significant increase responses combined)

Use of mobile apps: 79%
Use of IoT apps: 75%

Page 12

How confident are you that your organization knows all of the mobile and IoT apps in the workplace? (Not confident and No confidence responses combined)

Two bars: 75%, 63% (series labels not recoverable from the extraction)

Page 13

How important is end-user convenience when building and/or deploying mobile and IoT apps? (1 = not important to 10 = very important; 7+ responses reported)

Two bars: 68%, 62% (series labels not recoverable from the extraction)

Page 14

Who is primarily responsible for the security of mobile and IoT apps?

Two series (legend, in the order shown: Responsible for the security of mobile apps; Responsible for the security of IoT apps); the extraction does not preserve which column belongs to which legend entry.

                                 Series 1   Series 2
No one person is responsible          11%        11%
Head, quality assurance                2%         3%
User of mobile apps                   16%         8%
Head, application development         31%        11%
CISO/CSO                               5%        15%
Lines of business (LOB)               21%        20%
CIO/CTO                               14%        32%

Page 15

Would any of the following factors influence your organization to increase the budget? (Two responses permitted)

A serious hacking incident affecting your organization                     54%
New regulations                                                            46%
Media coverage of a serious hacking incident affecting another company     25%
Concern over relationship with business partners and other third parties   23%
Concern over potential loss of revenues due to a security incident         15%
Government incentives such as tax credits                                  12%
Concern over potential loss of customers due to a security incident        10%
None of the above                                                          15%

Page 16

Are organizations mobilized to reduce the risk?

Page 17

How concerned are you about the use of insecure mobile and IoT apps in the workplace? (1 = not concerned to 10 = very concerned; 7+ responses reported)

Insecure IoT apps: 70%
Insecure mobile applications: 64%

Page 18

Please rate your organization’s urgency in securing mobile and IoT apps. (1 = low urgency to 10 = high urgency; 7+ responses reported)

Urgency in securing IoT apps: 42%
Urgency in securing mobile apps: 32%

Page 19

Has your organization experienced a data breach or cyber attack because of an insecure mobile or IoT app?

Two series (legend, in the order shown: Data breach or cyber attack caused by an insecure mobile app; Data breach or cyber attack caused by an insecure IoT app); the extraction does not preserve which column belongs to which legend entry.

                            Series 1   Series 2
Yes, known with certainty        11%         4%
Yes, most likely                 15%        11%
Yes, likely                      34%        31%
No, not likely                   40%        54%

Page 20

Current security practices in place

Page 21

How often does your organization test mobile and IoT apps?

Two series (legend, in the order shown: Mobile apps; IoT apps); the extraction does not preserve which column belongs to which legend entry.

                                Series 1   Series 2
We do not test                       48%        26%
Testing is not pre-scheduled         26%        35%
Every time the code changes          14%        18%
Unsure                                7%         8%
Annually                              5%        10%
Monthly                               0%         3%

Page 22

Where are mobile and IoT apps tested?

Two series (legend, in the order shown: Mobile apps; IoT apps); the extraction does not preserve which column belongs to which legend entry.

                                      Series 1   Series 2
Primarily in production                    39%        58%
Primarily in development                   32%        26%
Both in production and development         29%        16%

Page 23

Top five means of securing mobile and IoT apps (More than one response permitted)

Two series (legend, in the order shown: Primary means of securing mobile apps; Primary means of securing IoT apps); the extraction does not preserve which column belongs to which legend entry.

                                          Series 1   Series 2
Security testing throughout the SDLC           15%        30%
Dynamic application security testing           26%        51%
Static application security testing            26%        53%
Educate developers on safe coding              30%        55%
Penetration testing                            39%        57%

Page 24

The most difficult OWASP mobile app security risks to mitigate (Very difficult and Difficult responses combined)

Broken Cryptography                       70%
Unintended Data Leakage                   65%
Weak Server Side Controls                 62%
Client Side Injection                     60%
Poor Authorization and Authentication     50%
Insufficient Transport Layer Protection   47%
Insecure Data Storage                     43%
Security Decisions Via Untrusted Inputs   41%
Improper Session Handling                 38%
Lack of Binary Protection                 35%

Page 25

The main reasons why mobile and IoT apps contain vulnerable code (More than one response permitted)

Two series (legend, in the order shown: Reason why IoT apps contain vulnerable code; Reason why mobile apps contain vulnerable code); the extraction does not preserve which column belongs to which legend entry.

                                                                      Series 1   Series 2
Rush to release pressures on application development team                  69%        75%
Accidental coding errors                                                   65%        65%
Lack of internal policies or rules that clarify security requirements      51%        49%
Malicious coding errors                                                    48%        44%
Lack of quality assurance and testing procedures                           40%        55%
Incorrect permissions                                                      36%        36%
Lack of understanding/training on secure coding practices                  33%        30%
Application development tools have inherent bugs                           21%        18%
Other                                                                       4%         3%

Page 26

Methods

Page 27

Current position level within the organization

Senior Executive     2%
Vice President       3%
Director            16%
Manager             22%
Supervisor          15%
Technician/Staff    40%
Contractor           2%

Page 28

The primary person reported to within the organization

Chief Information Officer            54%
Chief Information Security Officer   18%
Chief Technology Officer              9%
Chief Risk Officer                    6%
Chief Security Officer                4%
Chief Operating Officer               2%
Compliance Officer                    2%
Data center management                2%
Other                                 3%

Page 29

Primary industry classification

Financial services            18%
Health & pharmaceuticals      11%
Public sector                 10%
Services                      10%
Industrial & manufacturing     9%
Retail                         9%
Technology & software          8%
Consumer products              5%
Energy & utilities             5%
Entertainment & media          3%
Hospitality                    3%
Communications                 2%
Education & research           2%
Transportation                 2%
Other                          3%

Page 30

Worldwide headcount of the organization

Less than 100        8%
100 to 500          13%
501 to 1,000        21%
1,001 to 5,000      25%
5,001 to 25,000     17%
25,001 to 75,000     9%
More than 75,000     7%

Page 31

Arxan and IBM End-to-End Mobile and IoT Security Solution

Enterprise Applications and Cloud Services / Identity, Fraud, and Data Protection

Device Security: Provision, manage and secure corporate and BYOD devices. (IBM MobileFirst Protect (MaaS360))
Content Security: Secure enterprise content sharing and segregate enterprise and personal data.
Application Security: Develop secure, vulnerability-free, hardened and risk-aware applications. (IBM Security AppScan, Arxan Application Protection, IBM Trusteer Mobile SDK)
Identity & Access: Secure access and transactions for customers, partners and employees. (IBM Security Access Manager for Mobile, IBM Trusteer Pinpoint)
Security Intelligence: A unified architecture for integrating mobile security information and event management (SIEM), log management, anomaly detection, and configuration and vulnerability management. (IBM QRadar Security Intelligence Platform)

Data: Personal and Consumer; Enterprise

© Copyright IBM Corporation 2016. All rights reserved.

Page 33

Q&A

Ponemon Institute
Toll Free: 800.887.3118
Michigan HQ: 2308 US 31 N., Traverse City, MI 49686 USA
[email protected]

Neil K. Jones: [email protected]
Mandeep Khera: [email protected]

Page 34

Caveats

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

• Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

• Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are involved in mobile and IoT application security in their organizations. We also acknowledge that the results may be biased by external events such as media coverage. Finally, because we used a Web-based collection method, it is possible that non-Web responses by mailed survey or telephone call would result in a different pattern of findings.

• Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.