Modern Mobility

The changing role of DevOps in enterprise mobility

Mobile app security and usability can coexist

It might not seem like it, but you can make security and usability play nice when it comes to mobile applications. Get security staff involved in app dev early on.

There is no bigger impediment to the release of an enterprise mobile app than the approval of the security department. It's not that employees in security are trying to slow the process -- and they definitely don't want to be the bad guys. But it's their responsibility to counterbalance the disregard for mobile app security that is often part of an app's development process.

Typically, developers only inform the security team about an app when the business unit is well on its way to releasing it. Developers need to partner with security much earlier in the process. Taking mobile app security into account before an app goes to users can help smooth out the constant seesawing between usability and security.

Your employees and your customers -- and to be fair, your employees are your customers, too -- just want to get their tasks done with an app that's easy to use. Google usability studies show that even a tenth of a second delay in an app's performance can negatively affect the user experience.

Members of the security team, on the other hand, are focused on protecting the company's assets. If it takes a few more seconds to keep that data safe, that's okay with them. They aren't worried about usability but rather about whether customers' credit card data is safe and the company's proprietary data isn't compromised.

Think like a designer

In reality, you aren't trying to balance security and usability but rather create usable processes with mobile app security measures that do not interfere.

The best way to achieve secure usability is by understanding that security isn't really part of IT but instead part of the business. The business can't succeed if it isn't secure. Members of the security team spend their time understanding risks and the best ways to mitigate them; to succeed, they need to become design thinkers, just like the developers creating the app. That means getting into the trenches as developers architect and build apps.

When security embeds itself into the design and development teams, the "Us versus Them" mentality quickly disappears. Developers learn how to code applications using secure frameworks, and security can test parts of the app before it even hits the alpha milestone.

Developers shouldn't be figuring out how to securely connect to the enterprise every time they build an app. When security steps in, they can help build a secure connection, VPN or otherwise, that developers can even reuse for other apps. In the same way, security should work with the identity and access management team to design a secure way for users to log into these apps -- another reusable component developers can bank on.

In the last issue of Modern Mobility, I talked about the focus on user needs (FUN) principle. But to provide a good user experience, you have to focus on the developer and security needs as well as FUN. Your consumers want the safety of a secure app and an experience that is easy and sheltered from the dangers that lurk.

Article 2 of 6

Next Steps

The FUN principle helps achieve user buy-in for mobile apps

Mobile app security threats to look out for

How to protect mobile applications


Does your security team work closely with app development?
They probably should but unfortunately not always. Too often programming and testing are focused on meeting functional requirements, and system qualities like security and performance are left for the late phases.
In the past, they have not worked that closely with the development teams. This wasn’t too unexpected as the apps we developed were used in house. However, the current company focus on cybersecurity has raised our security posture, and we’ve been making more headway into hybrid-cloud solutions, so the two teams are starting to work more closely together.
Always. It makes no sense to have them working as separate entities. There are a very few instances where something may get by one or the other. It does get resolved quickly and there is no finger pointing. We move on.
Cannot provide security strategies without fully understanding the business. There is no point in fixing security gaps before releasing products; it is a pain or a mission impossible.
I think the point of the article is not to fix the gaps in security, but rather to avoid introducing security gaps by designing security into the solution. I like the idea of embedding security on the development team to work alongside as the application is being architected and developed. I think it addresses the problem of not understanding the business. I've seen it work with QA, Ops, and UX, and I think it helps facilitate the face-to-face communication that the Agile Manifesto promotes.