In this interview, Alan Crouch, a senior software security specialist with Coveros, discusses the importance of security testing applications on mobile devices, as well as the challenges that come with working on the many different mobile devices and platforms available.
Josiah Renaudin: Today I'm joined by Alan Crouch, a senior software security specialist with Coveros and a speaker at the upcoming Mobile Dev + Test conference. Alan, thank you very much for joining us.
Alan Crouch: Thanks for having me.
Josiah Renaudin: No problem at all. First, could you tell us a bit about your experience in the industry?
Alan Crouch: I graduated from James Madison University with a master's in secure software engineering in 2008. Since then, I've worked consulting for both the federal government and commercial businesses in information security services. Within the past four years specifically, I've worked with several companies on testing mobile applications. That includes anywhere from just standard application testing to security testing as well.
Josiah Renaudin: You just mentioned mobile, so I kind of want to know a bit … This question relates to your discussion at Mobile Dev + Test. What makes mobile data storage different from, say, what we've seen on PCs in the past?
Alan Crouch: Mobile operating systems handle data storage and privilege escalation slightly differently than your PC. They use something called the sandbox model to separate the data of one application from another application so that, ideally, one application's data or changes don't affect another application. While there are some shared spaces between the apps, the intention is to provide as much data privacy and protection to apps as possible.
Josiah Renaudin: A unique challenge that comes along with mobile security is everyone's carrying their phones around all the time. Some people have codes attached to them, some people don't. Can you name a few of the factors that make mobile security so interesting, so unique, and so challenging?
Alan Crouch: Probably the biggest one is that, for the mobile devices that we have and carry around, there are so many different types and different hardware, and most of those come with varying degrees of operating systems and vulnerabilities associated with each of those. For example, Android phones have the longest or the largest amount of varying operating systems installed across all the Android phones from all the different carriers. So AT&T may be using four different versions of the Android L app, or Verizon might be using four entirely different versions. Being able to test for all those different platforms and all those different operating systems is quite a challenge for any mobile security tester.
Josiah Renaudin: When and where should security testing be done for these mobile apps?
Alan Crouch: Security testing starts as early as building out the requirements—that's where the activities that most people forget to do happen, such as threat modeling. Security testing continues throughout the mobile SDLC when we do our coding and our testing. Ideally a lot of it takes place up front, but there's going to be security testing you do throughout the entire lifecycle.
Josiah Renaudin: Since mobile is still relatively new, do you think enough developers understand how to create a secure mobile application? People have been working with PCs and different devices like that for quite some time, but mobile's still relatively new. Is it going to be a learning process or is this something we need to know right now?
Alan Crouch: I believe the types of developers that create mobile applications are more knowledgeable about security than their earlier PC development predecessors. However, the mobile security space is really new, and the tools to provide security testing are not that mature. They have a long way to go. It becomes difficult to determine if the application is relatively secure in a way that it is easier for a developer. The major problem with mobile development and doing it securely is that, unlike with our PC apps, we typically have this desire for mobile to be highly usable, and that often comes in contrast to security, so trying to balance those two concepts in a world that's so driven by usability is often very difficult.
Josiah Renaudin: We still have a long way to go before we see a lot of different universal apps with high-level security, but do you know of any good examples of well-tested, secure apps that you use on a regular basis? Can you kind of point us to a few that you would say, "This is how you should be doing it. These are developers and testers going in the right direction"?
Alan Crouch: It's really hard to say for me because you'll find one app that's very good on an iPhone but not so good on an Android, or vice versa. I believe DRACLOCK has done a really good job of securing their app over time. They had some major issues early on in the first several versions, so I prefer to take that as a model to look at as a way to improve your app over time and make it more secure as you produce further releases.
Josiah Renaudin: More than anything, what message do you really want to leave with your audience as they walk away from this tutorial?
Alan Crouch: The basic lesson that I'd like the audience to get is that security is something that you have to take in, and you're not going to be able to catch everything from one round of security testing and be secure forever. It's an ongoing process that requires time and energy, but it reaps lots and lots of rewards. No one wants to be that app that's caught with its pants down. That typically will mean that's when your application ends, and sometimes your business. Being able to take it and do security testing in small, manageable chunks that have you trending in the right direction is really what you should be doing to be successful.
Josiah Renaudin: Alan, I appreciate your time. Thank you very much for stopping and speaking with us, and I'm excited to hear more about mobile app security testing during your tutorial in San Diego.
Alan Crouch: Thank you, appreciate it. Hope to see you there.
Alan Crouch is a senior software security specialist with Coveros Inc., a Virginia-based firm focusing on agile, software quality, and application security. Alan has worked closely with federal agencies and private companies to advise, audit, and support IT security and governance teams. In addition to his cyber security experience, he has a strong background in highly structured software engineering, test analysis, test automation, agile software development, and security testing. With a passion for software and security, Alan’s career has focused on building secure software and developing better software security practices.