I am not much of a football fan; in fact, over the Thanksgiving holiday I didn't watch a down. One thing I do appreciate about the sport, though, is the acknowledged role of defense in success. Many of the most successful teams are defense oriented, and even the offense is built around protection schemes like protecting the quarterback. The worst place for protection to fail is on the quarterback's blind side, where rushers can close in quickly without the QB being able to scramble out of the way. Catching the QB unaware makes a bad situation (broken protection) worse (QB unable to react = sack).
This same blindside dynamic plays out over and over in infosec. The most common form is that infosec only hears about a project a short time before the project is due to go live. Even when there are obvious problems with clear and doable fixes, it's often too late to put them in. The result of this process is some suboptimal decisions: (attempt to) delay the project, or let it go live with rudimentary fixes in place. Neither adds much value from a security standpoint, and it stresses everyone out on top of that.
Mobile takes the security blindside to a whole new level. Mobile projects are often sponsored outside of IT, say by marketing. They are often developed outside IT by new, mobile specialist teams unaware of standard dev practices. And compounding the problem, mobile dev cycles are very short: an iOS or Android app can go from cocktail napkin to "done" in the time a traditional enterprise app spends writing requirements.
But, you say, there have not been that many mobile app security issues we need to be concerned about. And that is fair, but only to a point. Apps are not static. Not too many people had heard about SQL injection in 2001, but the seeds of lots of problems were sown in web code built during that time.
In addition, mobile apps are not islands. They connect to the enterprise back end. This mobile-to-enterprise wormhole creates an opportunity for attackers: they can find holes in identity schemes and new ways into backend data and functionality. Mobile clients do not get nearly enough focus from a security perspective, and yet they get far more than most mobile servers. Yet the mobile server side represents far more downside risk than the client.
All is not lost though. Many companies are setting up mobile SWAT teams, or Centers of Excellence, to "do something" around mobile. These teams usually harvest a handful of people from dev, ops, security and other teams. They have the chance to write the playbook from scratch for mobile.
A decade ago, we lost a lot of time in web security with our heads in the sand, assuming the firewall would protect us; the industry mostly ignored vulnerabilities like SQL injection, to the attacker's benefit. We do not need to see that movie again. The industry has learned a lot about building SDLs, deployed better tools, and so on. We have a chance now to get ahead of the software security problem for mobile instead of waiting and letting it fester. This means doubling down on mobile SDL, mobile app security tooling, and frameworks.
The best time to get involved is now, because waiting just replays the same movie and our future selves will wonder - hey, why didn't they build a better mobile identity scheme or deal with mobile app security in 2013? Not just getting involved, but getting involved in a way that anticipates the mobile blindside: having tools, frameworks and security processes built out that are ready to go to work quickly when the project you never heard of crops up with - hey, we are going live in four weeks. The mobile blindside is probably unstoppable for most companies, but we can still prepare. I have built out a few services along these lines and will blog more on them; in the meantime, email me if you want to get some more info.