Tips for Improving Your App Security

Google “app security” and you’ll find article after article explaining what it is and why it’s so important for app developers and users. Keeping applications safe from cyberattacks (denial-of-service (DoS), phishing, ransomware, password attacks, trojan horses, and many more) has become an almost full-time job for every business, and an expensive one. According to Statista, app security spending may exceed 7.5 billion USD this year alone.

As the CTO and Co-Founder of Uncat—with an app that syncs with QuickBooks and helps accountants and bookkeepers clean up uncategorized transactions and complete one-off or recurring tasks with their clients—I have a vested interest in protecting my company and my clients from increasingly sophisticated criminals who are intent on causing harm and profiting off our loss. Thankfully, I’m well-versed in app security.

In offering my expertise to other app developers in the Intuit developer community, I bring a full understanding of the security risks they face and how to address them. I have a PhD in computer science (my dissertation specifically focused on Internet routing security) and I’m a Distinguished Engineer in the threat research group at SecurityScorecard, a leading security vendor in cyber risk management according to Gartner. I teach pen testing to graduate students at NYU’s Global Cyber Fellows program. I’m also writing an O’Reilly book on secure coding in JavaScript and have given over 30 talks on security around the world since 2015.

First Things First: What is App Security?

Application security can mean a lot of things. TechTarget defines app security as the “practice of using security software, hardware, techniques, best practices and procedures to protect computer applications from external security threats.”

And here is Gartner’s take on security:

Security is the combination of people, policies, processes, and technologies employed by an enterprise to protect its cyber and physical assets. Security is optimized to levels that business leaders define, balancing the resources required with usability/manageability and the amount of risk offset.

Security in the digital world comes down to combating cyberattacks using the best tools and resources available to protect people and organizations from malicious actors. And at the end of the day, it’s difficult to deliver value to your customers when your app is offline due to a breach, or when a breach in another service your app depends on compromises or loses customer data.

Application security is primarily about writing secure code that protects the value you’re delivering to the customers you have or intend to have. App security encompasses everything from serving your app over HTTPS to validating and sanitizing the untrusted input that your users, and the services you integrate with, send to your app.

Ensuring you have a secure application is a requirement given the increasing prevalence of cyberattacks. According to one Norton article, hackers are attacking every 44 seconds. Per Statista, the global indicator ‘Estimated Cost of Cybercrime’ was forecast to continuously increase between 2023 and 2028 and reach a total cost of more than 13 trillion USD in 2028.

Common Cyber Weaknesses and Threats

There are many weaknesses and threats out there, but some are more common than others. One of the most common classes of security issue I’ve dealt with stems from broken authentication (proving who a user is) and broken authorization (deciding what that user is allowed to do).

Standards like OAuth exist, but they’re hard to implement flawlessly, especially in custom software. In 2023, a Microsoft consumer account signing key ended up in the hands of a nation-state threat actor (a hacking group funded by a country’s government), who used it to forge authentication tokens that Exchange Online accepted for enterprise mailboxes, including those of US government agencies, and read email belonging to officials in the US and abroad. Nobody noticed until one affected agency spotted anomalous mailbox access in its own audit logs. The root causes were avoidable: the signing key was not adequately protected, and token validation accepted a key scoped to consumer accounts as proof for enterprise tokens.

Hackers are constantly seeking out security weaknesses within exposed networks and systems. Because this process is easy to automate, there is a constant stream of low-sophistication scanning for software vulnerabilities of any kind. Once a vulnerability is found, more sophisticated attackers can exploit it, making it very easy for them to do harm.

For example, ransomware gangs rely on “Initial Access Brokers” who are, in effect, malicious pen testers (a pen tester is an individual hired to probe the weaknesses in an application or network). This means they outsource the hardest part of an attack, gaining a foothold in the victim’s network, and then concentrate on encrypting and ransoming the target company’s data.

Hacking has become a global business much like other multi-national, organized criminal enterprises, and it’s alarming. So, what can you do about it? Plenty.

Commonsense Tips for Strengthening Your App Security

Understanding the importance of app security and the types of threats out there should lead you and your team to the conclusion that addressing these issues before they occur is the best first step. It’s also important that you continuously measure your security posture. When you invest in app security before you’re breached, you’re far less likely to lose your most sensitive data, your top customers, or your sanity.

Below is a list of practical tips to help protect your apps against attacks. These are based on my experience in seeing millions of automated attacks against the global attack surface at SecurityScorecard:

  • Prioritize appropriately: Some apps require more time and money to secure than others. If you have a banking product, for instance, the app that controls the flow of money should be prioritized over an app that merely reports on it. Working out which assets matter most, who would want to attack them, and how, is what the security community calls “threat modeling,” and it’s a great place to start as a developer or business that is new to security.
  • Pentest, pentest, pentest: Get a pen test done by any number of providers, including SecurityScorecard, Synopsys (who does ours at Uncat), and Cobalt (pentest-as-a-service, which makes it practical to test on a regular cadence rather than once a year). A point-in-time test is not enough on its own; you must also monitor for malicious activity extensively and continually. Regulators are raising the bar too: the SEC’s 2023 cybersecurity rules, for example, require public companies to disclose material incidents and describe how they manage cyber risk, and customers and compliance frameworks increasingly expect evidence of regular testing before they will do business with you.
  • Designate a security lead: Assign a member of your development team as the principal person in charge of security. Everyone needs to contribute and hold each other accountable, but someone needs to have the ultimate responsibility for making sure code is reviewed for bugs that could be fatal security flaws. At larger companies, the CISO (Chief Information Security Officer) is usually the person responsible for security. At yours, it could be your head of IT, a developer, or the CTO.
  • Pay attention: Review the latest OWASP Top 10, the community consensus list of the most critical web application security risk categories (broken access control, injection, and so on). It is not a complete catalogue of every vulnerability, but it’s a well-maintained starting point for the risk classes we haven’t discussed here.

App Security is Necessary—and Possible

It may seem overwhelming, but there are ways to ensure you and your clients are protected. At Uncat, we practice what we preach. We have implemented smart security measures that include doing pen tests every year with Intuit (a company that provides outstanding business-growth initiatives, such as the Developer Growth Program), leveraging AWS GuardDuty to alert us to any odd or malicious activity in our cloud account, and backing up all of our infrastructure and data to multiple locations. We rely on companies like Cloudflare to protect us from DDoS and bots, we monitor everything with Datadog, we run SAST and DAST on our code, and we automate dependency updates in our CI/CD pipeline. We also factor security into every line of code we write, just as we do with performance and usability.

Not investing in app security is like not taking care of your tires when they’re going flat. Instead of spending $5 at the gas station to fill them up with air, you’ll pay exponentially more to fix the damage to your rims or axles by not taking care of the initial problem in the first place.

App security should be a top priority for your organization. It will save you and your business time, money, and anxiety, and help ensure long-term success.

Jared is the co-founder and CTO of Uncat, an accounting tech startup in Knoxville, TN, Distinguished Engineer, R&D Strategy at SecurityScorecard in the Cyber Threat Research and Intelligence Group, and an Adjunct Professor in Computer Science at New York University and the University of Tennessee. He was formerly a lead scientist and principal investigator at the U.S. DOE’s Oak Ridge National Laboratory and a software security engineer at Cisco Systems. Jared holds a PhD in Computer Science, focused on Internet routing security, has 7 patents in the cybersecurity space, and is currently writing an O’Reilly book on secure coding in JavaScript.