FEATURE: MOBILE SDLC
NICOLAI SOLLING
Director of Technology Services
at Help AG
such that proper security measures are employed and only authorised applications have access.

Cutting corners

Developing an app from the ground up can be laborious, so when so much free code exists, why wouldn’t developers take advantage of it? Frameworks and libraries are commonly used to dramatically shorten the amount of code that must be written. While most of these are indeed developed without malicious intent, there is always the possibility that they contain vulnerabilities that can be discovered and exploited.

With iOS and Android both commanding significant shares of the region’s smartphone market, government organisations must ensure that their apps are at least available on these two platforms, if not more. Porting is another commonly used technique to shorten development time. However, the use of software to automatically transfer an application from one mobile OS to another can cause a drop not only in performance and usability, but also in its security.

IT teams cannot be expected to develop applications in-house, but the onus is upon them to ensure that they set security procedures and standards that are implemented at every phase of the SDLC. This means that sufficient time must be dedicated to drafting clear terms relating to security in mService RFPs. Today, organisations such as Help AG work closely with public and private sector enterprises specifically on drafting these tenders so that when the development is outsourced, the provider is legally obligated to follow a set of best practices and standards. Investing in services such as application code review and vulnerability/penetration testing prior to deployment can help ensure that sensitive data isn’t stored on the device; that data, both at rest and in flight, is encrypted; that access is granted only to genuine and authorised requests; and that logical exploitation is made impossible. All this can go a long way in ensuring that the final product is thoroughly hardened before it is made available to the public.

Fixing the SDLC for security

The SDLC model has essentially been the same for decades, and organisations were happy to let specialised technologies such as firewalls handle the security of their networks and applications. This is no longer acceptable, and addressing the aforementioned security challenges requires the SDLC to be revisited.
At the end of the day, smart services need to be a long-term strategy rather than a passing trend. Delivering easy-to-use apps won’t win any points if they place the data and security of citizens at risk. The smartphone revolution is here to stay, so make sure that your mServices are as well.