Kickin' app (security) with (ISC)2

Phone with apps

There's good news for anybody who's missing the good old days of the dot-com boom: It appears we're right in the middle of another tech bubble. This time, though, the gold mine is mobile apps.


Take the story of Dong Nguyen, the creator of the viral free mobile game Flappy Bird. Flappy Bird was first released on May 24 last year. By February 2014, it had become the highest-ranked free app in 53 countries, including the United States, and Nguyen was making an estimated $50,000 daily from ad revenue. Constantly hounded about his success (and dogged by insinuations of plagiarism and illicit app deployment practices), Nguyen finally removed the app on Feb. 9, but his story (and others like it) continues to inspire freelance app developers everywhere. After all, their next project might be the incredibly lucrative second coming of Flappy Bird.


Just as the dream of large bags of money attracts new app developers, however, the dream of large bags of security vulnerabilities attracts hackers. Only a few short months ago, hackers leaked personal celebrity pictures reportedly got stolen from a hacked mobile phone, making national news. An unfortunately large number of mobile apps are developed with security as an afterthought, and considering the number of people and businesses who trust banking and payment apps to guard personal information, this is a glaring oversight.


It's for exactly these reasons that (ISC)2 has recently created a new credential, the Certified Secure Software Lifecycle Professional (CSSLP). Self-described as "the largest not-for-profit membership body of certified information and software security professionals worldwide," (ISC)2 has also formed the Application Security Advisory Council as well as a membership with a respected application security organization, OWASP.


The goal of all this activity is to "solve the increased threats posed by application vulnerabilities," according to a recent  (ISC)2 press release. The new developments seem to be motivated, in part, by two security workforce studies (in 2011 and 2013 respectively), produced by (ISC)2 itself, in which respondents listed application vulnerabilities as their top concern. "Security professionals recognize that applications represent [an entity's] largest attack surface," the release stated, and concluded that "the call to action is clear."


The CSSLP appears to be a sort of top-down measure, hoping to provide better security for mobile apps by first training and educating IT leadership. According to the official page for the credential, it certifies your proficiency in "developing an application security program in your organization; reducing production costs, application vulnerabilities and delivery delay; enhancing the credibility of your organization and its development team; [and] reducing loss of revenue and reputation due to a breach resulting from insecure software."


(The CSSLP's most notable certification competitor, perhaps, is the Mobility+ certification from CompTIA, which was launched last year.)


The goal, then, is to encourage app developers and development team leads to ready themselves to plug inevitable holes in the app security dam. The grateful will include any mobile phone user who allows apps access to sensitive information. And considering mobile usage is expected to overtake traditional online computer usage within the next three years, that's bound to be a lot.

Would you like more insight into the history of hacking? Check out Calvin's other articles about historical hackery:
About the Author
David Telford

David Telford is a short-attention-span renaissance man and university student. His current project is the card game MatchTags, which you can find on Facebook and Kickstarter.