App Misconfiguration, Mobile Apps With Poor Encryption Pose Risks, HP

Jacob West, CTO of Hewlett-Packard's Enterprise Security Products, explains why application misconfiguration is an issue and offers advice on how to limit the risks.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

security risks

Many applications are misconfigured and most mobile apps don't use encryption properly, according to Hewlett-Packard's 2013 Cyber Risk report released Feb. 3.

HP's research shows that 46 percent of mobile apps don't use encryption properly, Jacob West, CTO of Enterprise Security Products at HP, said. "That's a really shocking number because there is such attention being paid today on keeping mobile data safe," West told eWEEK.

Digging deeper into the problem makes the issue even more concerning. Mobile developers now have the benefit of being able to learn from the security experience that the Internet industry has gained over the last decade in terms of best practices. Going a step further, many of the toolsets and frameworks that mobile developers use today typically have encryption capabilities built-in.

"We don't see mobile developers having to roll their own encryption in an ad hoc way," West said. "That's an area where developers in the past always made mistakes."

There are still problems with encryption because, typically, developers aren't also security experts, West said. Developers face constant pressure to rapidly develop and deploy apps that also might be having an impact on security, he added.

Looking beyond just mobile apps, HP found that 80 percent of applications, in general, are misconfigured, which leads to insecure deployments.

"Even if developers build their code perfectly, and even if the initial configuration that comes out of development is secure, then there is still the opportunity for an operations person to alter the configuration and introduce insecurity that wasn't present during the development and testing period," West said.

West sees the application misconfiguration issue as a significant concern. More communication between developers and operations people is needed to mitigate the risk, he said. The operations people need to be more aware of the way applications are built and need to be properly configured, and developers need to make sure that operations people don't get the opportunity to introduce risks that aren't necessary, he advised.

Microsoft IE Is the Top Target

One of the many activities undertaken by HP's security division is the Zero Day Initiative (ZDI), which buys vulnerabilities from researchers. ZDI then uses the information to build protection and also responsibly discloses the information to the affected vendors.

In 2013, ZDI had more vulnerabilities submitted against Microsoft's Internet Explorer Web browser than any other single product, including Oracle's Java. In January, Cisco's 2013 security report pointed the finger at Java as being the culprit for more than 90 percent of compromises in 2013.

Internet Explorer's dominance—as the technology with the most submissions to ZDI—is curious, West said, particularly since IE's share of the browser marketplace has eroded in recent years as Google's Chrome, Mozilla Firefox and mobile browsers have increasingly become popular.

So why is IE such a popular target? The profile of IE users could be a factor in its vulnerability, West said. "These are the users that adversaries are going after; they tend to more likely be in business environments," West said. "IE is the most prevalent browser on the systems that attackers want to compromise."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.