Putting Security First In Mobile App Development

By: Chad Butler

Anyone who has printed out travel itineraries, collected paper receipts or submitted a spreadsheet-based expense report form has certainly wondered if there isn’t another way. Here at Concur, we have created a better way to manage business travel and expenses through our web-based solution and our mobile app.

As the Security and Risk Manager at Concur, my role is to help lead a team of application security gurus, who are continually testing our applications for security weaknesses. Our team’s mission is to help ensure that Concur’s customers are protected from security threats.

Last week, I had the pleasure of speaking at IBM’s Pulse — a conference dedicated to exploring the latest developments in cloud, security and asset management that help drive bold innovations, reach new markets and improve profitability.


Here’s a clip from my keynote talk on cloud security:    


Teamwork makes mobile apps more secure from the start 

At Concur, developers work in partnership with security team members. Working together, the teams design a set of criteria that will help ensure that every development task goes through a security evaluation. While developers work, they implement code-level tests to ensure that security is being enforced. Developers, quality assurance engineers, and security testers also routinely put on the “hacker hat” to test the applications in order to verify that security protections are working as designed. All of these steps help ensure that security is a consideration in every phase of the software development lifecycle.  


Think about security throughout the development process


Businesses today need to be able to quickly adapt to new requirements, challenges and opportunities. In order to best serve our diverse customers, Concur also has to be able to adapt quickly. To reduce the possibility of security issues that can be introduced during development, Concur maintains the following practices:

  • Company dedication: All Concur employees are required to receive training on security threats and best practices on an annual basis. This helps Concur employees recognize potential security threats.
  • Development process: Concur developers have created “secure by default” development templates and practices to ensure that security best practices are easy to implement.
  • Test and test again: Concur developers, quality assurance engineers, and security team members routinely test Concur applications for security vulnerabilities.


Mobile apps can run in a hostile environment

Keep them secure

Because Concur does not have control over the devices that run our applications, we have to be very careful about the security of our apps. Some of Concur’s customers employ sophisticated security mechanisms to help secure the mobile devices their employees use. But for many of our customers this is not yet a reality. Concur assumes that our applications may be running in a hostile environment. An example of a hostile environment is a mobile device that has been lost or stolen.  

To address the fact that our apps might be running in a hostile environment, Concur is very careful about how it handles our customers’ sensitive information. For example, a customer’s credit card information, which is stored in their web profile and used to process travel and expense transactions, is never sent to the mobile application. Since the credit card number is not sent to or stored on the mobile device, it cannot be retrieved from the device by a thief or hacker. The customer’s information that is stored on the mobile device is encrypted using AES, the same encryption standard used in highly secure military and financial applications.  

In today’s work environment you are always on the go. Shouldn’t your travel info, expense reports, and credit card data be secure no matter where you are? We think so. Take a free test drive of Concur to experience a better way to manage your travel and expense reporting.      
