How to Manage MOBILE APP MADNESS

Computerworld.com, from IDG. The Voice of Business Technology. Insider Exclusive.

Enterprise demand for mobile apps is far outstripping IT’s ability to keep up. Here are several strategies for coping.

Winter 2018 | Computerworld

Mobile App Development | Insider Exclusive

Inside

A Silicon Valley CIO’s Conundrum: With Mobile Apps, Do You Build or Buy? 3

IT and ‘Citizen Developers’ Partner on Mobile Apps and More 7

How to Expose Flaws in Custom-Built Mobile Apps 11

Editor’s Note

THE NEED FOR ENTERPRISES to deploy mobile and web apps for consumers, business customers and employees is skyrocketing. Indeed, research firm Gartner predicts that by 2022, 70% of software interactions in enterprises will occur on mobile devices. Such high demand has left organizations scrambling to keep up. According to Gartner, enterprise mobile app development requests will grow five times faster than IT’s capacity to deliver through 2021.

What’s an IT department to do? This PDF collects three Computerworld stories that highlight different ways organizations are tackling the problem.

The first story checks in with Santa Clara County CIO Ann Dunkin, who is overseeing an effort to deploy improved web and mobile apps for the county’s residents that offer a platform-agnostic, one-stop shopping experience for everything from requesting wedding licenses to paying property taxes. To get there, she must address a question many organizations face: Do you build custom apps or buy them off the shelf?

Custom-built apps can offer a better mobile experience and help companies differentiate themselves from competitors, but they typically slow down development time and increase costs. For Dunkin, the answer is clear: Her IT shop custom-builds apps only when shelfware doesn’t meet or can’t be configured to meet the county’s needs.

Other organizations are taking a different approach, turning to new drag-and-drop tools that enable employees with no coding experience, known as citizen developers, to create new apps or enhance existing ones. Bypassing the IT bottleneck can greatly speed up development, according to industry watchers, but IT should remain an active partner in the process, overseeing and policing app development from start to finish. Find out more in the second story in this collection.

For organizations that decide to custom-build apps, whether consumer- or employee-facing, security flaws are a big concern. That’s because developers typically don’t build mobile apps from scratch, but instead use chunks of open-source code from online libraries to assemble the apps — and those components may contain vulnerabilities that put corporate or consumer data at risk.

How do you know if you’re using bad components? The third story in this collection rounds up a number of tools for scanning and detecting known vulnerabilities.

Whatever approach your organization takes to deploying mobile apps, one thing is certain: You’ll have no shortage of work in coming years.

VALERIE POTTER, managing editor, features, Computerworld

A Silicon Valley CIO’s Conundrum: With Mobile Apps, Do You Build or Buy?

Santa Clara County CIO Ann Dunkin wants to build a more mobile-friendly environment for local residents, offering a one-stop shopping experience on municipal websites that are mobile platform agnostic. The question: Do you build or buy those apps? BY LUCAS MEARIAN

ANN DUNKIN TOOK OVER as the CIO of Santa Clara County’s municipal government in February 2017, and ever since she has been absorbed by reorganizing and restructuring the California county’s IT functions.

The county government, which serves more than 1.7 million residents, is working to revamp the online and mobile experience, whether it’s for requesting a wedding license, paying property taxes, viewing restaurant inspection ratings or making reservations at the two municipal airports.

One of Dunkin’s goals is to deploy mobile apps that offer a one-stop shopping experience and are platform agnostic, meaning it won’t matter whether a resident uses an iOS, Android or Windows Mobile device or a desktop PC to access online services. The county includes the cities of San Jose, Santa Clara and Sunnyvale.

Santa Clara County faces a problem that is growing more prevalent in the U.S. There’s a huge backlog of enterprise app development work that needs to be done — and a growing demand for apps. That crunch is forcing IT departments to find new ways to decentralize and accelerate app development and delivery, according to Gartner.

In a new report, “Predicts 2017: Mobile Apps and Their Development,” Gartner found mobile app needs are driving changes to back-end enterprise systems that require increased collaboration between mobile and traditional development and operations teams.

Mobile apps explosion

The report predicted that:

- By 2020, more than 50% of consumer mobile interactions will be in contextualized, “hyperpersonal” experiences based on past behavior and current, real-time behavior.

- By 2021, more than half of all enterprises will expand their use of mobile development tools from mobile apps to a wider range of software; 50% of apps will trigger events for users; and 80% of enterprises that deliver mobile apps using mixed sourcing models will see benefits from having a dedicated DevOps team.

- And by 2022, 70% of software interactions in enterprises will occur on mobile devices.

Over the past three to five years, Santa Clara County has deployed dozens of mobile apps, according to Dunkin, and as the quality of mobile applications improves, many more are expected.

Ninety-five percent of the people who use Santa Clara County’s services are first timers or infrequent visitors. The other 5% return often to use its hospital and healthcare system, and other services such as housing for homeless, the child welfare office, as well as the offices of the county sheriff, the district attorney and the public defender.

For example, former prisoners can use the county’s site to see scheduled appointments with the court and parole officers. “We don’t want them to miss those,” said Dunkin, who previously was the CIO for the U.S. Environmental Protection Agency (EPA).

At the same time she is working to improve the online and mobile experience, Dunkin also hopes to use data analytics from across the various county departments to better understand residents’ needs. If a person repeatedly shows up at the county hospital after a visit from the sheriff’s office, for example, there’s a good chance domestic abuse may be the cause, and the county can proactively contact the person about alternative housing services or to offer assistance.

Smart, hyperpersonal apps, Gartner noted, will use a combination of technologies that increase app intelligence based on historical understanding of the consumer, real-time behavior, and external factors such as location and weather. A hyperpersonal user experience will be enabled by advances in pervasive analytics, machine learning, cognitive services, bots and context brokering.

There’s also a pragmatic side to serving residents. Being proactive could save the county time and money. For example, offering abuse victims a way out of their circumstances would cut down on responses from the sheriff’s office as well as emergency healthcare.

“We see a lot of the same people in ... those systems. We’re trying to understand those people so that we can get them out of those systems,” Dunkin said. “Unlike the parks — we’d like more people to use those — we don’t want more people using our criminal justice system or more people to use social services. We want less of that. We’d like to make their lives better.

“On one hand, we’d like to spend money on services that enrich people’s lives. Because we’re in Silicon Valley, we have a lot of resources here,” Dunkin continued. “On the other hand, we have a lot of people who don’t have many resources.”

To build apps or to buy?

When Dunkin worked for the federal government at the EPA, she found the agency “notorious” for requiring custom applications that were always outsourced to third parties.

To be sure, there were some apps that needed to be built. For example, when the EPA needed to create a system to track hazardous waste, none of the available shelfware did exactly what was needed, Dunkin said. “But even in that case we were able to build pieces on top of what other people had done rather than building the whole system.”

Times have changed, however, and there are more vendors who sell applications that meet government needs.

“We built our own applications, for example, for property tax payments,” Dunkin said. “There are now vendors in that space that can handle payments from multiple systems. So, we’re looking at what time does it make sense to switch, and will that vendor give us that seamless experience where I can apply for a permit, and I can pay for it and pay my property taxes. We want to move to a one-stop shop.”

Santa Clara County’s IT shop has been placed on a strict build-only-when-you-must diet. A lot of what the various offices do online, Dunkin said, is already available. So, she tells her staff to first look at what they already have; if that doesn’t serve the purpose, then look to SaaS providers. And if that falls short, see if an existing app can be configured or extended to meet the need.

If not, then and only then should her staff look to custom app development.

The big question she tells her staff to ask themselves is: How close does pre-fab software match a need? “That’s always the question you have to wrestle with. Is it going to make more sense to take what I can buy and make adjustments around the edges without modifying the core product..., or should I build something?” Dunkin said.

Her aversion to custom builds isn’t just because she found the U.S. government’s outsourcing preferences distasteful. As she explained: “Every application you develop in house you have to support and maintain.

“And that’s expensive. It’s much less expensive in the long run for me to pay someone an annual license fee or 20% maintenance than for me to constantly increase my resource of staff,” Dunkin said. “Because as soon as I build an app, someone’s got to maintain it, and that’s a percentage of someone’s time. So, every app I build builds up my technical debt... I have to maintain and manage and move off to the next platform when it becomes obsolete — and I have to worry about security defects and everything that goes end to end with that product.”

If Santa Clara County buys an app, it can get that app faster and cheaper, Dunkin argued. All she has to worry about is whether her budget will allow her to pay the next year’s licensing fee as opposed to keeping it functioning and upgrading it.

“It’s not entirely worry free..., but the amount of resources I have to apply to a piece of off-the-shelf software is far less than maintaining something I built myself,” she said.

Another consideration is security. Defects that could open doors to malware or unintentionally leak sensitive information about residents are more likely with custom-built apps, she said.

“The biggest challenge around mobile security is educating users. It’s very easy for users to get spoofed — to open things they shouldn’t, to send messages they shouldn’t, to click on links they shouldn’t,” Dunkin said. “Some of the tools we have to help us understand what’s going on on our laptops and desktops aren’t mobilized.”

From a design standpoint, mobile app development is also different from desktop development, and it’s a skill that many in IT are still learning, Dunkin said.

Android and iOS represent the lion’s share of the mobile operating system market, and while there’s inherent risk with the use of any mobile device in the enterprise, Android presents a much bigger target for malware attacks and, in turn, corporate security issues.

With the massive growth of Android-powered devices in businesses over the past couple of years, companies need a strategy to minimize any risk the platform might pose, according to research firm J. Gold Associates. Conversely, Apple’s iOS is much more restrictive about what developers can do, and Apple doesn’t release its source code.

Apart from platform differences, Dunkin also has concerns that Google has fewer restrictions on what apps it allows in its Google Play store. From personal experience in developing applications, she said she found Apple to be far more stringent, not only in vetting the apps, but in vetting developers as well.

“Ecosystems like Apple are relatively safe, and ecosystems like Android are sort of the Wild Wild West,” she said. “So, having our developers learn how to create applications that are secure and don’t lose or expose data is important.”

Computerworld senior reporter LUCAS MEARIAN covers enterprise mobile issues, including mobility management, security, hardware and apps, and enterprise collaboration technology.

IT and ‘Citizen Developers’ Partner on Mobile Apps and More

With low-code and no-code tools, ordinary business users can quickly and easily spin up new apps or add features and functions, but IT oversight is crucial. BY MARY K. PRATT

WORKER APPETITE for new applications, particularly mobile ones, is running high.

It’s so high, in fact, that it’s becoming tougher for IT departments to keep up with demand, according to analysts, researchers and enterprise executives.

Gartner predicts that demand within enterprises for mobile application development will grow some five times faster than IT’s capacity to deliver it through 2021. Gartner cites the continuing growth in smartphone sales as fueling demand for company apps that match the performance and usability seen in consumer apps.

To cope, organizations are turning to low-code/no-code platforms. And they’re using them for both mobile and desktop app development. In the process they’re not only speeding up delivery, but they’re also enabling workers to build better products. Laura Reahard at Teach for America is a case in point.

Reahard started at the nonprofit organization five years ago as a fundraiser, using its Salesforce customer relationship management platform for the myriad tasks she had to complete, from benchmarking progress toward goals to analyzing data for decision-making.

As her confidence using the platform grew, Reahard says, she found that by making small changes, she could maximize the platform.

Despite no training or experience in coding, Reahard found she had a knack for the task. Now a manager on the organization’s Salesforce administration team, Reahard is using the Salesforce low-code/no-code tools to develop mobile and desktop features and functions to help her colleagues get their work done.

She recently used the tools to upgrade and streamline an existing mobile app, eliminating unnecessary data fields to make the app a more efficient and user-friendly product for fundraisers to use as they connect with potential donors interested in its mission of recruiting teachers for low-income communities.

Reahard says using the Salesforce low-code tools saved the organization time and money, while allowing her — a former fundraiser who understood the job but had no real education in programming — to deliver the right solution for their needs.

“Because I was one of them and we have a shared experience, I can look at something and identify a gap or an improvement that they didn’t know was possible,” she says. “It led to a better user experience.”

Reahard represents a new breed of worker: someone capable of creating applications yet not considered a software coder. These citizen developers are enabled by a growing number of low-code and no-code platforms, drag-and-drop tools that let workers develop software without the heavy lifting traditionally required.

“The simpler, or light, applications or micro-apps are taking off,” says analyst Eric Klein of VDC Research in Natick, Mass. “These are simple functionalities that anyone can spin up pretty easily. They’re very task-oriented, something very basic, but something that might make the person’s life or workflow easier.”

Proponents say low-code/no-code tools can help organizations better meet user demand for new software by allowing almost anyone to quickly and cheaply create requested features, functions and applications. And IT and business leaders who use these platforms say citizen developers are valuable assets to their organizations.

But some enterprise executives and IT analysts caution that IT and business leaders need to ensure that there’s adequate oversight and governance to all this development activity. Citizen developers, after all, don’t just lack coding skills; they don’t know anything about safeguarding the security of the organization’s data and IT stack.

Citizens on the march

“The State of Application Development 2017 Research Report” from low-code platform maker OutSystems found that 43% of the 3,200 worldwide IT professionals it surveyed in December 2016 said that their organizations are either already supporting citizen developers or planning to do so.

However, not all organizations embrace this trend equally. The report states that some industries, namely education and corporate services, have relatively high numbers of citizen developers, while pharmaceutical producers, biotech companies, financial services firms and nonprofits are among those least likely to have citizen developers.

But numbers are expected to climb: Gartner, the technology research firm, predicts that at least 70% of large enterprises will have successful citizen development policies by 2020.

Vendors in this space include AgilePoint, Appian, Bizagi, Caspio, K2, MatsSoft, Mendix, MicroPact, MIOsoft, Nintex, OutSystems, Quick Base, Salesforce and ServiceNow.

Business demand drives adoption

Joe Marchillo is in charge of IT and management solutions at Apex Imaging Solutions, a national brand-imaging contractor based in Pomona, Calif., that employs about 40 people.

Marchillo, who had worked as a project manager overseeing facility upgrades for hospitality venues, said he sought a tool that would enable existing staff to create software features and functions on their own, so the company wouldn’t have to rely on consultants (and have the corresponding bills) for every new request or upgrade. “We had to find something easy enough that we could handle ourselves. We didn’t want to say, ‘We need to fix this,’ and then have to hire someone to code. And we don’t want to be at someone else’s mercy if we have an issue,” he says.

He opted to go with a low-code platform and selected Quick Base to create apps to handle tasks that workers had been trying to manage on spreadsheets.

Marchillo worked with a third-party Quick Base expert to learn how to use the tool — “Once you figure out how it all works, it’s very, very easy to use,” he says — then he went to work, launching an app that shows in real time the current location of all of the company’s project managers as well as where they’re scheduled to be next.

Taking matters into their own hands

Many organizations are turning to low-code/no-code tools to help address the growing business demand for new functions and features, VDC Research’s Klein says.

“End users are frustrated about how long it takes to get apps out,” he says.

That user frustration was a big driver for Sameer Jaleel, director of systems development at Ohio’s Kent State University. He says his department had a long history of doing native app development from the ground up, relying on the .Net and C# programming languages for coding.

He says he implemented the OutSystems low-code platform in 2015, both “to make a significant dent in our backlog” and to help speed the organization’s move to a DevOps model. He says that by using the platform to create building blocks, he can maintain the security and control standards that IT needs while enabling non-developers to quickly deliver functions that users throughout the university are clamoring for.

But those non-developers are not exactly citizens, Jaleel says. They are student workers who can quickly learn OutSystems to supplement the work being done by the staff developers, who still do 90% of development.

Additionally, Jaleel says his team is now embarking on bringing the low-code approach to mobile app development, as it rewrites its existing mobile app, KSUMobile, in OutSystems. Starting in June 2017, workers began rewriting KSUMobile in OutSystems, keeping all existing functionality while also adding a couple of new features. The goal is to finish in six months, which would shave a year off the time it took to develop KSUMobile using a traditional development approach.

“We do have steady demand on the mobile side, and I am hoping OutSystems will solve that problem for us,” Jaleel adds.

The “2017 State of the Custom App Report” from Apple subsidiary FileMaker Inc., which polled 350 FileMaker customers in the fall of 2016, found that most citizen developers are driven by a desire for improved conditions: 83% of the respondents said they learned to build custom apps to create a better way to work, 63% said they did so to be more productive, and 42% said they wanted to help others in the organization.

That same research suggests that speedy app delivery is not just hype. It found that 25% of the citizen developers had their first app up and running in one to three months, 31% took between one and four weeks, and 15% took less than a week.

The FileMaker report also found that 82% of the 350 citizen developers polled saw a reduction in inefficient tasks, 71% saw an increase in team productivity, and 60% saw a reduction in data entry.

Implementing governance

The ease of use designed into low-code/no-code tools shouldn’t push aside the need for oversight, Klein says. Companies need to establish procedures and policies that govern the use of these platforms to ensure that they’re being used efficiently and securely.

“IT needs to put in some protections, and it needs to look at data that’s moving on and off these [platforms] to ensure that the data doesn’t move somewhere it shouldn’t be,” he says. “You have to have some policing. It does need to be watched over.”

A February 2017 YouGov survey commissioned by Appian showed the levels of concern. The survey of 500-plus IT decision-makers showed that 73% feel that citizen developers pose risks for data integrity, 69% believe they pose security risks, and 58% are concerned about integration. Still, the same poll found that 78% believe having at least one low-code platform is critical.

Klein and others also say the use of these platforms doesn’t eliminate the need for development processes such as requirements gathering. Nor does it guarantee user adoption. Marchillo, for one, still has to actively manage that aspect. As he says, “The only issue we’ve had [with low-code development] is getting some people on board; no one likes change.”

Moreover, analysts say IT must serve as trusted advisers and partners with their citizen developers and their business units to ensure that there is neither an overpopulation of new apps nor insufficient interest in leveraging such tools.

Sidney Fernandes, CIO and system vice president for technology at the University of South Florida, says he considered those points when he brought in the Appian platform in 2015 to help speed development.

Fernandes first turned to the platform because the university’s health system needed to speed up development. Health system managers were requesting things such as digitized versions of paper-based workflows but the requests were taking a year-plus to get through traditional development. Fernandes says he was able to trim development cycles down to just months with Appian. Case in point: The development of an application to automate the College of Medicine lottery for student placements, which took just three months using Appian vs. the anticipated 12 to 15 months with a conventional development approach.

At first, Fernandes says, he had the IT development team learn to use the Appian platform. Some developers excelled at the tool, he says, but others felt constrained by it. So in 2016 he created a new team populated by those developers who did well with Appian and new hires selected specifically for the work. Fernandes says he tends to hire engineering students skilled at solving problems; he doesn’t look for trained developers.

Fernandes says IT still buys off-the-shelf software and will custom-build applications when the business requirements warrant it.

But the new team tackles applications with lower-level requirements, delivering results more quickly and at a lower cost than would be possible from the traditional development team.

As this new team works and gains experience, Fernandes says, he’s building a competency center that is establishing policies and procedures to govern low-code development. In the near future, when adequate governance is established, he hopes to empower citizen developers out in the business units.

Easy does it

With a mission to fight human trafficking, the nonprofit organization Verité worked with one of its corporate clients to ensure that there were no child laborers within its supply chain.

The two Verité employees on the project needed to document which one of them did what and how much time it took. Given the magnitude of the task, they didn’t want to use spreadsheets, which had long been the tracking tool of choice at Amherst, Mass.-based Verité. Instead, they wanted software that could more efficiently track their work and generate reports to share with the client.

Faced with such a demand, Jenn Stachnik, who as accounting and IT manager at Verité oversees the outsourced IT function, typically would shell out thousands of dollars to a development firm to implement the needed software.

But several years ago, Stachnik invested in Quick Base, a low-code application development platform. Since then, she had built out apps for other Verité workers. So when the two program managers approached her last November, Stachnik says she knew she could tackle their request on her own.

Stachnik says she configures the Quick Base platform so that only she and one other worker have access, “so we don’t wind up with people just throwing up apps because they think it doesn’t already exist, duplicating work and making more work for themselves, and creating more work [managing extra apps] down the road.”

As a small nonprofit (Verité has just 31 employees), “We don’t have a lot of money to spend on development every time we need something done, so being able to do something in-house is very important to us,” she says. “This has revolutionized what we think about how we do things.”

MARY K. PRATT is a contributing writer for Computerworld. She is based in Massachusetts.

25% of citizen developers had their first app up and running in one to three months, 31% took between one and four weeks, and 15% took less than a week.“2017 STATE OF THE CUSTOM APP REPORT,” FROM APPLE SUBSIDIARY FILEMAKER INC . : 350 FILEMAKER CUSTOMERS POLLED, FALL OF 2016

How to Expose Flaws in Custom-Built Mobile Apps

As companies move toward a mobile-first strategy, more and more are developing apps in-house — and unwittingly exposing themselves to cybersecurity flaws. Here’s how to avoid that problem. BY LUCAS MEARIAN

AS ENTERPRISES DEVELOP more custom applications — many of them mobile apps as part of a mobile-first strategy — in-house developers are increasingly at risk of unwittingly using open-source code rife with vulnerabilities.

Developing custom apps allows a business to differentiate itself from competitors by offering customers, whether internal users or consumers, a better mobile experience.

Unlike traditional software development, mobile applications add layers of complexity, particularly when companies create server-side web APIs or client-side native rich clients. That’s also true when integrating software across other applications and systems.

Not only can underlying weaknesses and vulnerabilities be carried over from the web application space, but there are new concerns about the secure storage of sensitive data at rest on a device.

“Subject matter expertise in mobile application design, development, and security is often more limited when compared with traditional application design, and it splinters further based on mobile platforms,” said Michael Isbitski, a research director at Gartner.

Applications today are rarely coded from scratch, particularly when the software is created outside a company’s development and operations units. Developers typically go to online libraries for open-source components — chunks of code that act as building blocks — to assemble custom mobile applications.

Vulnerabilities abound in free, open-source components

The problem is that open-source code is not necessarily vetted, and its use can expose corporations and their customers to vulnerabilities. That was the case with Heartbleed, a vulnerability discovered in the OpenSSL library in 2014.

Heartbleed had a widespread impact across not just apps but also operating systems (desktop and mobile), network equipment and embedded systems.

“It also still persists in some cases, which could be due to technical limitations on updating the relevant component or neglect on the part of admins,” Isbitski said.

Other more recently published vulnerabilities include those in Apache Struts, an open-source web development framework for Java web applications, and Node.js, a popular JavaScript run-time environment. If exploited, Isbitski said, the Node.js vulnerability could result in a denial of service (DoS) condition for the affected application.

“The issue here is that people roll the dice with what they find online all the time — and when it happens in a business, the dicey software can find its way into supporting important corporate systems very quickly,” said Sean Pike, program vice president of IDC’s Security Products Group.

While DDoS attacks can be devastating to a business, other attacks can be flat-out life threatening. As more hospital networks and medical devices such as pacemakers and embedded insulin dispensers are wirelessly connected, the ability to uncover and protect against vulnerabilities takes on grave importance.

In June 2017, the U.S. government’s Health Care Industry Cybersecurity Task Force released a report on how to improve cybersecurity. The report recommended better transparency in both medical device manufacturing and software development to mitigate security vulnerabilities.

The recommendation is especially timely given the recent reporting of 8,000 known security vulnerabilities across four pacemaker programming machines.

Whether commercial off-the-shelf software (COTS) or open-source components are less secure is still a point of contention among security experts.

Developers get open-source components from large online repositories typically organized by coding language: Java, Python, Ruby, for instance. And open-source code may be better scrutinized and vetted because of the fact it’s open, resulting in fewer issues for a completed application.

But development contributions can sometimes be limited due to open source’s “free” use or lack of financial investment, Isbitski pointed out. COTS is closed and proprietary by design, which buys a level of obfuscation against attackers. But skilled attackers can find ways to reverse engineer commercial code to uncover weaknesses or vulnerabilities.

“A significant percentage of modern application development makes use of open-source components,” Isbitski said. “Open-source re-use can save development cycles in creation of new software or hardware. It can also be a boon for secure coding, since developers can make use of standardized components where security and trusted functions are baked in.”

Last year, IDC predicted application security would be a top concern for IT managers; while the issue is gaining interest, it has not become as prominent as the research organization thought.

“It hasn’t materialized yet. Some of that, I think, is directly tied to IoT,” Pike said. “I think more IoT failures because of bad code will increase the awareness.”

Still, companies are clearly jumping on the mobile app development bandwagon as a way to improve business. The number of enterprises building custom mobile apps — many of them simple apps designed to handle business processes — rose significantly in 2016, according to Gartner’s annual study of mobile app development platforms.

Too few vulnerability checks

In 2015, about 60% of organizations were engaged in mobile app development. Last year, that number jumped to about 73%, according to the study. One of the largest repositories of popular Java open-source code components, the Maven Central Repository, found one in 15 downloads had a known vulnerability last year.

“There probably aren’t enough checks happening in software development today to understand what’s being used and does it have a known vulnerability in it,” said Derek Weeks, vice president and DevOps advocate for Sonatype, which manages the Maven Central Repository.

The repository stores two million unique open-source Java components and serves roughly 10 million developers worldwide. Last year, Sonatype served 52 billion download requests from the repository, up sharply from 31 billion download requests in 2015.

“So there’s a significant increase in consumption year over year of the component downloads,” Weeks said. “There are only about 10 million Java developers on the planet, so when you’re seeing billions upon billions of download requests, there’s significant consumption. And that extends into other languages as well. Python has billions of downloads per year.

“It’s not that consumption is bad; it’s only when consumption of bad things is happening that we need to be more aware,” Weeks added.

A software bill of materials

So how do you know if you’re using bad components? One effort being pushed by software developers and other organizations is for the federal government to require a software bill of materials, similar to a list of ingredients in pre-packaged foods. Instead of food ingredients, a software bill of materials would list all software components.

The bill of materials typically includes a list of any known vulnerabilities, in the form of Common Vulnerabilities and Exposures (CVE) identifiers, as well as the pertinent open-source licenses.

“If you create a list of those [flaws], then you can assess those for known security vulnerabilities,” Weeks said. “There are tools on the market, both commercial and open-source, that allow you to analyze your applications to identify the components in them and tell you if they have any known security vulnerabilities in them. If they do, then you have to determine if you’re going to fix those before shipping them to customers, or make them aware of a known security vulnerability.”

Along with managing the Maven Central Repository, Sonatype offers an application health check service that allows organizations to see what components are in an open-source app and check for known vulnerabilities. The free service is similar to tooling from the Open Web Application Security Project (OWASP).

A variety of software composition analysis (SCA) tools are offered by Black Duck Software, Flexera Software, Synopsys, Veracode and WhiteSource Software. The SCA tools commonly use the federal government’s National Vulnerability Database as a data source for exposing the known vulnerabilities.

“SCA can be used as a form of supply-chain attestation, so a user or purchaser of software can verify what is contained within,” Isbitski said. “It also has use within early stages of a software development life cycle, helping to identify vulnerable components, as a developer might introduce a vulnerable open-source library into the codebase without realizing. Some SCA tools will recommend alternative components or upgraded versions where the vulnerabilities have been corrected.”

Chart (source: Sonatype): The number of open-source component upload requests from the Maven Central Repository has grown annually since 2007. The repository stores two million unique open-source Java components and serves roughly 10 million developers worldwide.

Other free, open-source tools for scanning and detecting known vulnerabilities include the OWASP Dependency Check, retire.js, and the Node Security Platform Live. Retire.js and Node Security Platform Live are focused on JavaScript or Node.js component analysis.

How a bill of materials works

A traditional application has about 100 open-source components. Even if those 100 components are deemed safe today, vulnerabilities may be discovered in the future.
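The bill-of-materials check described above and in the earlier section, as an added example that is not code from the article, Sonatype or any SCA vendor: it loads a constructed SBOM (Maven coordinates, version and licence per component), matches each component against a constructed vulnerability feed by affected version range, and shows how the same SBOM that is clean today yields a new finding once a later advisory is published. Component names, feed entries and the CVE-style identifiers are placeholders, not real vulnerabilities.

```python
"""Check a software bill of materials (SBOM) against a known-vulnerability feed."""
# Added example; not code from the article, Sonatype or any SCA vendor. The SBOM,
# feed entries and CVE-style identifiers below are constructed placeholders.
import json
import re

# Constructed SBOM: Maven coordinates plus licence, as an SBOM would list them.
SBOM_JSON = json.dumps({"components": [
    {"group": "org.example", "name": "json-parser", "version": "2.3.1", "license": "Apache-2.0"},
    {"group": "org.example", "name": "web-filter", "version": "1.9.0", "license": "MIT"},
    {"group": "org.example", "name": "image-lib", "version": "0.8.5", "license": "BSD-3-Clause"},
]})

# Constructed feeds: what is known "today" and after a later disclosure.
FEED_TODAY = [
    {"id": "CVE-0000-PLACEHOLDER-1", "group": "org.example", "name": "web-filter",
     "introduced": "1.0.0", "fixed": "1.9.2", "summary": "auth bypass in request filter"},
]
FEED_LATER = FEED_TODAY + [
    {"id": "CVE-0000-PLACEHOLDER-2", "group": "org.example", "name": "json-parser",
     "introduced": "2.0.0", "fixed": "2.4.0", "summary": "DoS via deeply nested input"},
]

def version_key(version):
    """Compare dotted versions numerically so '1.10.0' sorts after '1.9.2'."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def is_affected(component, advisory):
    """True when the component's version lies in [introduced, fixed) of the advisory."""
    if (component["group"], component["name"]) != (advisory["group"], advisory["name"]):
        return False
    v = version_key(component["version"])
    return version_key(advisory["introduced"]) <= v < version_key(advisory["fixed"])

def check_sbom(sbom_json, feed):
    """Return (coordinate, advisory id, first fixed version) for each vulnerable component."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        coord = f'{comp["group"]}:{comp["name"]}:{comp["version"]}'
        for adv in feed:
            if is_affected(comp, adv):
                findings.append((coord, adv["id"], adv["fixed"]))
    return findings

if __name__ == "__main__":
    # The same SBOM is clean-looking today and flagged later: re-check on every feed update.
    for label, feed in (("today", FEED_TODAY), ("later", FEED_LATER)):
        print(label, check_sbom(SBOM_JSON, feed))
```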

Among those pushing for a software bill of materials is the Health Care Industry Cybersecurity Task Force; it recommended that healthcare organizations create a software inventory of open source and proprietary components used in apps to identify any security, licensing and quality problems.

“Having a bill of materials is key for organizations to manage their assets because they must first understand what they have on their systems before determining whether these technologies are impacted by a given threat or vulnerability,” the Task Force report said.

More transparency enables healthcare providers to assess the risk of medical devices on their networks, confirm that components are assessed against the same cybersecurity baseline requirements as the medical device, and implement mitigation strategies when patches are not available.

The report notes that while this practice is important, it has not yet been widely adopted.

“The pace of most open-source software development is rapid, with features being updated, added or removed regularly,” Isbitski said. “There is already a large range of open-source software at a developer’s disposal, which gets compounded as components are branched or forked. This results in a huge spectrum of components and versions to keep tabs on. Without the aid of tooling, it can be extremely difficult to validate open-source components upfront and over time as issues are uncovered.”

Computerworld senior reporter LUCAS MEARIAN covers enterprise mobile issues, including mobility management, security, hardware and apps, and enterprise collaboration technology.
