When deploying a new technology, an organization should be aware of the potential security impact it may have on the organization’s IT resources, data, and users. While new technologies may offer the promise of productivity gains and new capabilities, they may also present new risks. Thus, it is important for an organization’s IT professionals and users to be fully aware of these risks and either develop plans to mitigate them or accept their consequences.

Recently, there has been a paradigm shift where organizations have begun to deploy new mobile technologies to facilitate their business processes. Such technologies have increased productivity by providing (1) an unprecedented level of connectivity between employees, vendors, and customers; (2) real-time information sharing; (3) unrestricted mobility; and (4) improved functionality. These mobile technologies comprise mobile devices (e.g., smartphones and tablets) and related mobile applications (or apps) that provide mission-specific capabilities needed by users to perform their duties within the organization (e.g., sales, distribution, and marketing).

Despite the benefits of mobile apps, however, the use of apps can potentially lead to serious security risks. This is so because, like traditional enterprise applications, apps may contain software vulnerabilities that are susceptible to attack. Such vulnerabilities may be exploited by an attacker to steal information or control a user's device.

To help mitigate the risks associated with software vulnerabilities, organizations should employ software assurance processes. Software assurance refers to “the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner” [1]. The software assurance process includes “the planned and systematic set of activities that ensures that software processes and products conform to requirements, standards, and procedures” [2].

A number of government and industry legacy software assurance standards exist that are primarily directed at the process for developing applications that require a high level of assurance (e.g., space flight, automotive systems, and critical defense systems). Although considerable progress has been made in the past decades in the area of software assurance, and research and development efforts have resulted in a growing market of software assurance tools and services, the state of practice for many today still includes manual activities that are time-consuming, costly, and difficult to quantify and make repeatable. The advent of mobile computing adds new challenges because it does not necessarily support traditional software assurance techniques.