The unprecedented spread of COVID-19 has the world scrambling to navigate a new normal. The World Health Organization (WHO) has underscored the importance of identifying COVID-19 cases and isolating them before they spread. Testing and tracing is vital to this effort, and all individuals in contact with an infected individual must be identified to mitigate further spread of the virus.
Mobile application technology offers a powerful solution to facilitate the collection of data about user movements and points of contact. To defeat COVID-19 there must be a robust and effective track and trace app that can reliably provide the data needed to stop the spread. But there are numerous complications of such an undertaking, and they all must be considered throughout the development process.
In a recent interactive Lunch and Learn COVID-19 webinar, two Synopsys top security consultants, Ian Ashworth and Bhavin Shah, discuss principal considerations and challenges associated with creating a track and trace app. To learn about the key takeaways, keep reading. For a more complete understanding of the topic, watch the webinar.
As a global leader in innovation, Synopsys understands the challenges and roadblocks associated with the development process, particularly the difficulties of AppSec. The importance of application security, especially given that users will need to share personal data in any track and trace app, can’t be overstated, but it seems to have largely taken a back seat in the preliminary wave of track and trace apps. Numerous reports have already emerged noting privacy failures, potential hacking events, and development U-turns.
Perhaps the most pressing challenge of a successful track and trace application is user adoption. Personal data concerns, motivations for use, and overall security doubts pose a challenge—and that’s before an application even enters the development phase. Synopsys senior security consultant Bhavin Shah notes that an application would need a minimum of 60% user adoption to be at all effective. Without adequately addressing security concerns and demonstrating robust security measures, application adoption is set to fail. Shah defines the key ingredients for a secure design:
To learn more about the key development and deployment stages, view the full webinar.
After researching current market offerings and addressing initial shortcomings, Shah and Ashworth provide their ultimate recipe for a successful track and trace application. Given their deep understanding of how security functions in the development space, the following can be seen as a launching point for your application development planning:
The Synopsys architectural risk assessment (ARA) solution provides expert inspection of the main components of the application design. An ARA examines 11 areas (e.g., cryptography, auditing, etc.) before the application moves to development—saving the additional time and expense of having to make changes later. With services ranging from security control analysis to in-depth assessments and mitigation support, our Architecture and Design practice helps you identify missing or weak security controls, understand secure design best practices, and mitigate security flaws that increase your risk of a breach.
Static application security testing (SAST) allows you to review your entire application, or just simple code changes, in minutes. The Synopsys SAST solution plugs seamlessly into your CI pipeline. Security testing often lacks depth or understanding, and it can slow software development. Using tooling cleverly now can reduce the amount of re-work and avoid expensive production issues later, accelerating your time to market in the long run.
Synopsys dynamic application security testing (DAST) and interactive application security testing (IAST) solutions help reduce software-related risks by identifying security vulnerabilities while web applications are being dynamically fuzz tested. The Seeker IAST solution monitors web app interactions in the background during normal testing and can quickly process hundreds of thousands of HTTP(S) requests, giving you results in seconds with near-zero false positives—no need to run manual security scans.
The complexity of building a track and trace app, getting it right the first time, and ensuring that it’s fully operational is a daunting task. Add the pressures of needing such an application yesterday, and it is not surprising that security considerations have taken a back seat in some of the initial iterations of COVID applications. But there are an enormous number of moving parts to a successful application, and that means a large attack surface. Security must be your utmost priority.
Synopsys believes all web development teams should be building security into their entire SDLC. Rather than thinking of security as a final testing gate at the end of production, security should be viewed as a methodology: applied early, from design all the way through implementation and deployment.
Security and risk should be carefully managed in this undertaking; failure, data breaches, and loss of trust/reputation can all quickly prevent progress. Synopsys offers the tools to help strengthen your security posture. Investing in automation tools from a trusted leader in the AppSec environment could make the difference between success and disaster.