"Visibility into Runtime Threats against Mobile Apps and APIs Still Lacking"

A new Osterman Research report codifies businesses' increasing reliance on mobile apps, revealing the disparity between the strategic importance of apps and the level of focus and resources applied to protect organizational apps from runtime threats. Mobile apps are important channels for businesses to serve their customers, and their importance to businesses has tripled in the last two years. According to the report's findings, while enterprise app development and deployment are among an organization's top priorities, the app's runtime security, API secrets, and user data collection do not receive the same level of attention and funding. Michael Sampson, Senior Analyst at Osterman Research, says these findings raise serious concerns, given that many recent breaches have highlighted the risk of threat actors exploiting stolen keys and secrets.

Osterman Research polled 302 security directors and mobile application development professionals in the US and the UK. Forty-eight percent of respondents are in companies of up to 500 employees, while 42 percent are in companies of 501 to 4,999 employees and 10 percent are in companies of over 5,000 employees.

A successful attack on a mobile app would have serious consequences for three out of four organizations. An API attack that rendered a mobile app inoperable would have a significant impact on 45 percent of businesses and a major impact on another 30 percent. Seventy-eight percent of the respondents are not confident that their organizations have adequate security defenses and protections in place to protect against specific threats posed by mobile apps.

Sixty percent of respondents lack visibility into credit fraud attempts, 59 percent are unaware of the creation of fake accounts, and 54 percent cannot detect the use of stolen API keys to mimic genuine requests. Furthermore, 53 percent lack visibility into credential stuffing attacks, 51 percent lack visibility into secrets exposed on mobile platforms, and 50 percent fail to detect access via cloned, fake, or tampered apps.

This article continues to discuss key findings from the survey of security directors and mobile application development professionals.

Help Net Security reports "Visibility into Runtime Threats against Mobile Apps and APIs Still Lacking"
