Many of my recent posts have provided insights regarding the Mobile Threat Defense (MTD) space; in this post I wanted to explore other mobile security segments as they relate to enterprises.
Mobile Threat Defense (MTD)
First, for background, here's how MTD is defined by Gartner:
Application Security Testing (AST)
As mentioned above, other mobile solutions exist besides those that fall into the MTD category. The most mature mobile security segment is part of the Application Security Testing (AST) market, which broadly applies to both web-based and mobile applications. Sometimes referred to as SAST (static application security testing) and DAST (dynamic application security testing), these solutions are applied against internally developed apps deployed for internal use for employees and contractors. There are often called private apps or custom apps. Veracode, HPE and IBM are leaders in this segment.
Application Shielding
Another mobile security market segment, and the focus of this post, is emerging as of early 2018 and doesn't have a consensus segment name. It's referred to by participating vendors as "Protecting Apps in Untrusted Environments," "Autonomous Application Protection," and "Self Protecting Software." Gartner refers to it as Application Shielding, and names over 20 vendors with relevant solutions. The underlying technology is called Runtime Application Self-Protection (RASP). What's this all about?
Enterprises often must deploy mobile apps in support of their core business. Think of public apps from banks, retailers, gaming companies, and any app-based business. These are generally B2C apps, or consumer mobile apps, and are deployed in environments outside of the developers' control. The app could be reversed engineered for intellectual property theft or to determine and exploit whatever vulnerabilities might exist. The app could be installed on rooted or jailbroken devices, which opens it up to a wide array of attacks. The app could be re-packaged with keyloggers, spyware or other forms of malware, which could result in brand damage. Other exploits and misuse of the app are possible. How can app developers protect their app when it's in the wild?
Runtime Application Self-Protection (RASP)
Enter RASP. Gartner defines RASP as a security technology that is built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks. Secure app development practices (often based on OWASP) and security testing remains a best practice and is not replaced by RASP. In fact, RASP solutions are applied not to the source code but to the binary (executable) app. RASP can usually be integrated into the build process but does not require SDLC changes or app developers' participation.
RASP technology is not unique to application shielding, as is it utilized by some AST vendors. But it has experienced considerable growth of late because of the application shielding requirements of mobile apps. Furthermore, RASP usage is expected to mushroom as it gets applied to IoT-based apps.
What Mobile Security Solution Should An Enterprise Adopt?
So what does all this mean to an enterprise that is developing its mobile security strategy? In short, one size does not fit all. MTD is required to protect the enterprise from attacks against its employees and its data. SAST and DAST are required to secure mobile apps developed for internal use as productivity tools. RASP is required for consumer mobile apps. The rapid adoption of mobile in the workplace and as the primary means of reaching customers requires a broad mobile security strategy with multiple components.
Enterprises seek best of breed solutions for all of their security requirements. But enterprises are not always willing to be their own system integrators, where they must glue various platforms together from a management and operations perspective. It seems likely that at the end of the day enterprises will gravitate towards single-vendor solutions, to the extent they emerge. I believe that the window of opportunity for mobile security startups is still wide open to those with innovative solutions who can execute, but history suggests the ultimate winners will be the established, mega security vendors.
Mobile Threat Defense (MTD)
First, for background, here's how MTD is defined by Gartner:
The MTD solutions market is made up of products that protect organizations from threats on mobile platforms, including iOS, Android and Windows 10 Mobile. MTD solutions provide security at one or more of these four levels: Device behavioral anomalies, Vulnerability assessments, Network security, or App scans.MTD solutions are designed to protect enterprises from mobile threats. The primary threat landscape that MTD addresses is mobile malware, and data leakage of enterprise data. Skycure/Symantec, Lookout, Zimperium and Appthority are vendors in this space.
Application Security Testing (AST)
As mentioned above, other mobile solutions exist besides those that fall into the MTD category. The most mature mobile security segment is part of the Application Security Testing (AST) market, which broadly applies to both web-based and mobile applications. Sometimes referred to as SAST (static application security testing) and DAST (dynamic application security testing), these solutions are applied against internally developed apps deployed for internal use for employees and contractors. There are often called private apps or custom apps. Veracode, HPE and IBM are leaders in this segment.
Application Shielding
Another mobile security market segment, and the focus of this post, is emerging as of early 2018 and doesn't have a consensus segment name. It's referred to by participating vendors as "Protecting Apps in Untrusted Environments," "Autonomous Application Protection," and "Self Protecting Software." Gartner refers to it as Application Shielding, and names over 20 vendors with relevant solutions. The underlying technology is called Runtime Application Self-Protection (RASP). What's this all about?
Enterprises often must deploy mobile apps in support of their core business. Think of public apps from banks, retailers, gaming companies, and any app-based business. These are generally B2C apps, or consumer mobile apps, and are deployed in environments outside of the developers' control. The app could be reversed engineered for intellectual property theft or to determine and exploit whatever vulnerabilities might exist. The app could be installed on rooted or jailbroken devices, which opens it up to a wide array of attacks. The app could be re-packaged with keyloggers, spyware or other forms of malware, which could result in brand damage. Other exploits and misuse of the app are possible. How can app developers protect their app when it's in the wild?
Runtime Application Self-Protection (RASP)
Enter RASP. Gartner defines RASP as a security technology that is built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks. Secure app development practices (often based on OWASP) and security testing remains a best practice and is not replaced by RASP. In fact, RASP solutions are applied not to the source code but to the binary (executable) app. RASP can usually be integrated into the build process but does not require SDLC changes or app developers' participation.
RASP technology is not unique to application shielding, as is it utilized by some AST vendors. But it has experienced considerable growth of late because of the application shielding requirements of mobile apps. Furthermore, RASP usage is expected to mushroom as it gets applied to IoT-based apps.
What Mobile Security Solution Should An Enterprise Adopt?
So what does all this mean to an enterprise that is developing its mobile security strategy? In short, one size does not fit all. MTD is required to protect the enterprise from attacks against its employees and its data. SAST and DAST are required to secure mobile apps developed for internal use as productivity tools. RASP is required for consumer mobile apps. The rapid adoption of mobile in the workplace and as the primary means of reaching customers requires a broad mobile security strategy with multiple components.
Enterprises seek best of breed solutions for all of their security requirements. But enterprises are not always willing to be their own system integrators, where they must glue various platforms together from a management and operations perspective. It seems likely that at the end of the day enterprises will gravitate towards single-vendor solutions, to the extent they emerge. I believe that the window of opportunity for mobile security startups is still wide open to those with innovative solutions who can execute, but history suggests the ultimate winners will be the established, mega security vendors.