Enterprises must put security vetting in place for apps, says National Institute of Standards & Technology


Organisations need to be increasingly careful when it comes to the security of enterprise applications and should adopt a thorough vetting process, according to a report by the National Institute of Standards and Technology.

NIST says the rush by enterprises to mobilise their software is resulting in a “paradigm shift” that’s bringing new software vulnerabilities to the table. Many enterprise apps are not being put through proper security vetting, according to the report, and this needs addressing.

The report states: “Despite the benefits of mobile apps, however, the use of apps can potentially lead to serious security risks. This is so because, like traditional enterprise applications, apps may contain software vulnerabilities that are susceptible to attack. Such vulnerabilities may be exploited by an attacker to steal information or control a user’s device.”

“App developers are attracted by the opportunities to reach a market of millions of users very quickly. However such developers may have little experience building quality software that is secure and do not have the budgetary resources or motivation to conduct extensive testing.”

NIST’s conclusion could be seen as something of an opportunity for those cross-platform tools and MBaaS providers dedicated to enterprise development – many of which already have security features in place and allow enterprises to create their own distribution channels. However, NIST also says that the need for app vetting presents opportunities for other independent services that could specialise in vetting apps for enterprises. In particular, NIST adds that firms should ensure “their app vetting does not rely solely on automated tests.”

“The app testing activity involves the testing of an app for software vulnerabilities by services, tools, and humans to derive vulnerability reports and risk assessments. The app approval/rejection activity involves the evaluation of these reports and risk assessments, along with additional criteria, to determine the app’s conformance with organizational security requirements and ultimately, the approval or rejection of the app for deployment.”
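The two activities the report describes above, testing that yields vulnerability reports and an approval/rejection step that weighs those reports against organisational requirements, can be modelled as a small decision routine. The following Python is an added illustration written for this article, not code from NIST or the report; the analyzer names, severity scale, permission names and policy fields are assumptions chosen for the example, and the sample reports are constructed. It also encodes the point that a decision cannot rest on automated tests alone: without at least one human review on file, the app is not approved.

```python
from dataclasses import dataclass, field

# Severity scale assumed for this example (not taken from the report).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    source: str       # analyzer or reviewer that produced the finding
    severity: str     # one of SEVERITY_RANK
    description: str


@dataclass
class Report:
    source: str
    automated: bool   # True for tool output, False for a human review
    findings: list
    requested_permissions: set = field(default_factory=set)


@dataclass
class Policy:
    max_severity: str            # highest severity the organisation tolerates
    forbidden_permissions: set   # permissions the organisation does not allow
    require_human_review: bool = True


def decide(reports, policy):
    """Approve or reject an app from its vulnerability reports and a policy.

    Returns ("approve", []) or ("reject", [reason, ...]).
    """
    reasons = []

    # Approval must not rely solely on automated tests.
    if policy.require_human_review and not any(not r.automated for r in reports):
        reasons.append("no human review on file")

    # Any finding above the tolerated severity blocks deployment.
    limit = SEVERITY_RANK[policy.max_severity]
    for r in reports:
        for f in r.findings:
            if SEVERITY_RANK[f.severity] > limit:
                reasons.append(f"{r.source}: {f.severity} - {f.description}")

    # Permissions the organisation forbids are an "additional criterion"
    # applied alongside the vulnerability reports.
    requested = set()
    for r in reports:
        requested |= r.requested_permissions
    forbidden = requested & policy.forbidden_permissions
    if forbidden:
        reasons.append("forbidden permissions: " + ", ".join(sorted(forbidden)))

    return ("reject" if reasons else "approve", reasons)


# Constructed sample input: two tool reports and one human review for a
# hypothetical app, plus an example organisational policy.
SAMPLE_REPORTS = [
    Report("static-analyzer", True,
           [Finding("static-analyzer", "medium", "API endpoint configured over plain http")],
           {"INTERNET", "READ_CONTACTS"}),
    Report("dynamic-analyzer", True,
           [Finding("dynamic-analyzer", "high", "credentials written to world-readable log")],
           {"INTERNET"}),
    Report("security-reviewer", False, [], set()),
]

SAMPLE_POLICY = Policy(max_severity="medium", forbidden_permissions={"READ_CONTACTS"})


def vet_sample():
    """Run the constructed sample through the policy."""
    return decide(SAMPLE_REPORTS, SAMPLE_POLICY)


if __name__ == "__main__":
    verdict, why = vet_sample()
    print(verdict)
    for line in why:
        print(" -", line)
```

The sample is rejected on two grounds (a high-severity finding and a forbidden permission); removing those and keeping the human review yields an approval, while a clean set of purely automated reports is still rejected for lacking a human review.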

You can read NIST’s full report, which includes a list of recommendations for security vetting, right here.