Overcoming security barriers in application development

This is a guest post for the Computer Weekly Developer Network by Jaime Ryan, director of product management & strategy at CA Technologies.

Enforced trending


Overwhelming market demands for mobile apps have forced software developers to streamline the development process while focusing on “trendy” features and functionality.

It’s no secret that functionality and user experience sell apps, and rising pressure to get them to market quickly has left security on the back burner. Because security can be so esoteric, building it into each app takes time and resources, both of which are at a premium for many teams.

So what do you do?

By integrating developer-centric security tools from start to finish, companies are able to streamline the overall process and securely push apps, preventing future headaches.

This is true regardless of whether the software is mobile, cloud or web-based, as early, consistent approaches to security and identity across the enterprise help developers and larger organizations avoid flawed systems with vulnerabilities.

Ed: As erudite and informed as CA’s view here is, one can’t help feeling that Ryan is describing a ‘perfect world of best practice development’ and that real world scenarios often make this a big ask.

While organisations would still like to define and manage security policies from the inside, key pieces of identity security — especially in a mobile environment — require effective client-side development techniques.

OAuth tokens for authenticating & authorising

As an example, organisations need to rely on OAuth tokens when authenticating and authorising a user. Instrumenting this kind of software token interaction relies on developer expertise, and those who are not well versed in authentication practices will often implement it incorrectly, exposing their application down the line.

TECHNICAL NOTE: OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

Given that developers regularly focus their attention solely on functionality, the key to consistent security uptake starts with easy-to-use tools that eliminate guesswork, as flimsy solutions or one-off fixes work against consistency.

For example, gathering login credentials through a WebKit web view or an external browser can be risky, as a compromise of that browser often exposes the credentials entered into it. This can be mitigated through an SDK that generates native credential prompts, eliminating the dependence on an insecure browser.

API connectivity & interaction

Another area where app development requires consistency to prevent security vulnerabilities is in API connectivity and interaction, which should remain uniform from app to app.

Accessing APIs through a solid security SDK can eliminate PKI challenges by provisioning certificates to the device and creating a secure tunnel (using mutually-authenticated SSL) that’s tied directly into the native device keychain. When done correctly, this can also provide Single Sign-On across multiple apps using the tokens stored within the keychain.

No additional effort is required for this: developers simply use the SDK to make API calls as they normally would.
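The mutually authenticated tunnel described above, as an added Go example that is neither CA’s SDK nor code from the post: a throwaway CA issues a server certificate and a per-device client certificate, an in-process `httptest` server stands in for the enterprise API and requires a client certificate chained to that CA, and the same request is then made with and without the provisioned device identity. `Example Enterprise CA`, `api.example.internal` and `device-1234` are constructed names; the device key is held in memory here, where a real SDK would keep it in the platform keychain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

var serialCounter int64 // good enough for a throwaway CA; real CAs use large random serials

// issueCert mints an ECDSA P-256 certificate for cn. With parent == nil it is
// self-signed (the example's throwaway enterprise CA); otherwise parent signs it.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serialCounter++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serialCounter),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest listens on loopback
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is supplied
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// apiFixture: the trust anchor, an in-process API that requires a client certificate,
// and one provisioned device identity (what the SDK would keep in the keychain).
type apiFixture struct {
	Server     *httptest.Server
	Roots      *x509.CertPool
	DeviceCert tls.Certificate
}

func newAPIFixture() (*apiFixture, error) {
	ca, caKey, err := issueCert("Example Enterprise CA", true, nil, nil)
	if err != nil { return nil, err }
	serverCert, serverKey, err := issueCert("api.example.internal", false, ca, caKey)
	if err != nil { return nil, err }
	deviceCert, deviceKey, err := issueCert("device-1234", false, ca, caKey)
	if err != nil { return nil, err }
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// PeerCertificates is populated only because the handshake verified a client certificate.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{serverCert.Raw}, PrivateKey: serverKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "mutually authenticated" part
		ClientCAs:    roots,                           // only identities issued by our CA get in
		MinVersion:   tls.VersionTLS12,
	}
	srv.StartTLS()
	device := tls.Certificate{Certificate: [][]byte{deviceCert.Raw}, PrivateKey: deviceKey}
	return &apiFixture{Server: srv, Roots: roots, DeviceCert: device}, nil
}

// callAPI is what the SDK does on the developer's behalf: trust only the enterprise
// CA and present the device certificate. device == nil models an unprovisioned app.
func callAPI(url string, roots *x509.CertPool, device *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}
	if device != nil {
		cfg.Certificates = []tls.Certificate{*device}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}
```

Calling `callAPI` with the device certificate returns `hello device-1234`, because the API learns the caller’s identity from the verified client certificate rather than from anything in the request body; calling it with `nil` fails during or immediately after the handshake. Two points from the example carry over to real deployments: the app pins the enterprise CA as its only trusted root (`RootCAs`), and the API refuses connections that do not present a certificate from that CA (`RequireAndVerifyClientCert`). What the post calls SSL is negotiated as TLS 1.2 or 1.3 by current stacks.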

PRACTICAL ADVICE: Through the use of SDKs that include important standards such as OAuth and OpenID Connect, developers can rely on lightweight and standards-based security which can be plugged directly into the application’s code. Easily consumed solutions like this can also eliminate time spent and increase the likelihood of security measures being coded correctly and consistently.

Leveraging security standards and developer-centric tools allows enterprises to get apps to market more efficiently while minimising backend risks. An enterprise can ultimately manage its security posture from within the organisation while including SDKs at the development level to allow for deeper and more consistent security practices, which lowers risk and prevents headaches in the long run.