Increased application and software usage heightens security concerns amongst consumers

The past few months have placed digital transformation into overdrive, with consumers gravitating toward distance-enabling technology and applications more than ever before. While the benefits of these tools are clear in maintaining a sense of normalcy and continuity in our personal and professional lives, malicious actors have shifted their sights to capitalize accordingly. From video conferencing application hacks to the proliferation of coronavirus-related phishing scams, organizations, software developers, and end users alike are on high alert. In light of these events, in early May 2020, Checkmarx commissioned a survey of U.S. consumers to better understand their perceptions around the security of the software and applications they’re using in their everyday lives. This gave us a timely view into trends in consumer web and mobile app use since COVID-19 became a widespread pandemic, as well as their thoughts and expectations about software security and privacy and the adoption of contact tracing apps. Here’s what we found, along with recommendations that all organizations and software developers should keep in mind moving forward when it comes to AppSec and software security.
With Increased App Usage Comes Heightened Security Concerns

As a result of the widespread stay-at-home orders, 44% of respondents are using mobile and web applications more than they did before the pandemic, with another 43% saying they’re doing so at least the same amount. Additionally, 28% are spending over six hours per day using apps, and over half (56%) are spending at least three. These numbers rise amongst younger demographics: 43% of 18-24 year-olds use apps for over six hours per day, and 50% of that group say this is more than before. Consumers are also branching out with their use of new applications. When asked which of the following apps they have used for the first time during the COVID-19 pandemic, 44% said video conferencing (e.g. Zoom, Microsoft Teams), while 25% said food delivery (e.g. Uber Eats and Instacart), 23% said e-Commerce (e.g. Amazon, Target), 19% said virtual learning (e.g. Google Classroom), and 16% said finance/banking (e.g. Venmo, Zelle). Among individuals surveyed with children aged K-12, when asked which of the following apps their children have used for the first time during the COVID-19 pandemic, one in five said video conferencing apps. Additionally, 15% said remote learning apps (e.g. Dreambox, Khan Academy), 9% said music apps (e.g. Spotify, MusicTheory.net), 8% said online gaming apps (e.g. Chess.com, Xbox Live), and another 8% said eBook / audiobook apps (e.g. Audible, Kindle). Due to the rapid technological shift brought on by COVID-19 and consumers increasing their use of new technology, software, and applications, the majority of respondents expressed corresponding security concerns. According to the findings, 61% of consumers are extremely, moderately, or somewhat concerned with the security of applications and software, with another 16% saying they’re slightly concerned. Just 23% said they are not concerned at all.
Nearly Half of Americans Refusing or ‘Unlikely’ to Opt-In to COVID-19 Contact Tracing Apps

Consistent with respondents’ general security and privacy concerns about the applications they’re using and the new ones they’re adopting, nearly half (48%) say they’re either unlikely to opt in to COVID-19 contact tracing apps or will flat out refuse to. Additionally, another 23% said they’re on the fence about doing so. Meanwhile, just 15% said they are extremely likely to opt in. This raises questions about the effectiveness and accuracy of contact tracing if adoption remains minimal. When asked which of the following concerns they had when it comes to COVID-19 contact tracing applications, consumers indicated:
- How their data will be used, stored, or shared (45%)
- Granting third-party access to the apps (29%)
- General application hacking concerns (28%)
- Risk of health records being exposed (27%)
- Risk of location data being exposed (25%)
Recommendations for Consumers

As individuals and organizations look to leverage new digital tools and applications in our current environment and beyond, Checkmarx suggests including the following on your security checklist for staying technologically safe:
- Don’t be fooled into updating software applications from counterfeit websites. When in doubt, open the application itself and update using the instructions within;
- Use your corporate VPN, in addition to a private VPN, to give yourself a layered security approach;
- Suspect any domain that does not use .com, .edu, .gov, .org, etc. If it doesn’t appear to be legitimate, it’s almost guaranteed not to be; and
- Try to separate daily online “fun” activities from critical ones. Don’t log into your bank account, retirement account, etc., while surfing questionable sites within the same browser.
Recommendations for Organizations Developing Software

While they appear to work primarily behind the scenes, software developers are front and center in enabling today’s sprint to digital transformation. From designing and developing contact tracing applications, remote working solutions, e-Commerce software, etc. to patching critical software vulnerabilities, developers have never been more essential. Consumers recognize developers’ role in preserving application security and privacy, with nearly half (49%) feeling that developers are most responsible for this effort. As users continue to adopt new technologies (whether by choice or necessity), security must be a priority for all organizations that develop software and for the developers within them. Checkmarx recommends the following application and software security best practices:
- Run static application security testing (SAST) scans of source code during the code, check-in, and build stages;
- Use software composition analysis (SCA) to identify open source components and the vulnerabilities they may have introduced;
- Leverage interactive application security testing (IAST) in test and quality assurance environments to eliminate delays in finding vulnerabilities during functional testing;
- Use a combination of external and internal penetration tests to assess the security posture of applications against real-world cyberattacks;
- Prioritize transparency when it comes to data collection, usage, and storage by ensuring end-user license agreements (EULA) are clear and concise;
- Triple check APIs to ensure third-party access is granted securely; the OWASP API Security Top 10 list is a good place to start; and
- Ensure relevant compliance including with GDPR, HIPAA, CCPA, etc.