Software and SaaS security company Cenzic is today launching a new security product for mobile application developers which will allow for the testing of mobile apps on any platform – iOS, Android, J2ME, and more. The product will be the first that can test products without requiring developers to submit the source code, as all the testing is done through the cloud, while the app is up-and-running.
The service will then be able to tell what sorts of security vulnerabilities an app has, what sensitive data it could leak, what other sorts of security threats it may be vulnerable to, and what to do about it.
The security risk inherent in using mobile applications was recently in the spotlight, when it was discovered that many of users’ favorite apps were uploading their address books to developers’ servers. But that kind of risk, while important, is not the sort of thing that Cenzic’s solution is interested in addressing.
Explains John Weinschenk, CEO of Cenzic, “There’s been a lot of hype and a lot of focus on the device itself, but the device itself is not the risk. If I hack into your mobile device, I get your information. That’s not that interesting. But as a hacker, if I hack into the server itself, I can get millions of accounts, and millions of pieces of information.”
The problem Cenzic wants to help fix has to do with the fact that many companies’ backend systems were designed to be accessed by web applications, but are now being accessed by mobile apps.
With the new solution, the company looks at a mobile app’s backend and use of web services, and analyzes those for vulnerabilities. This is especially important for enterprise app makers, who need to ensure that their apps are protected against all the latest threats in order to protect sensitive customer data.
But how prevalent are these sorts of vulnerabilities? Weinschenk says that prior to today’s launch, the company tested over 30 applications for four (unnamed) beta customers, which included companies that have over a billion dollars in sales operating in the financial services space, in e-commerce and in manufacturing. During the testing period, Cenzic found that 60% of the vulnerabilities were input validation issues, while 40% were authentication issues. “What this means,” explains Weinschenk, “is that programmers writing mobile applications don’t really understand how to manage the authentication of that device communicating up to the server.”
In Cenzic’s solution, the platform will provide info on how to fix the vulnerability and how to make code changes, but, as it doesn’t have access to the source code itself, will not make the changes, only point to the affected part of the code. In addition, the library of vulnerabilities is updated every week, similar to anti-virus systems, so developers can continually test for new threats to their mobile apps’ backends.
The new mobile solution will also be wrapped into Cenzic’s other products, in the form of software, managed services and cloud offerings. Pricing starts at $7,000 per app per year.
The company today secures more than 500,000 online applications for Fortune 1000 companies, government agencies, universities, security companies, SMBs and others. More information about the mobile product is now available on the Cenzic homepage.