When he was the security manager for sports training company TRX, Adam Ely didn’t have the luxury of deciding whether or not to allow iPhones onto the network on a case-by-case basis. TRX was owned by Disney, and Steve Jobs sat on Disney’s board when the iPhone was introduced in 2007.
“At Disney, Steve Jobs was on the board and mandated that we all dump our Blackberries and take iPhones,” Ely, who co-founded startup Bluebox Security, said during an interview. “That just kind of opened the world up on what everybody was doing.”
Ely became director of security and compliance at TiVo in 2009, then the chief information security officer at Salesforce.com’s Heroku in 2012. Mobile devices were starting to attract attacks, he said, yet existing device management solutions still weren’t addressing the real enterprise mobile security pain point: the apps.
“These solutions for managing devices, they’re great for what they are — that configuration management to point app — but what I really cared about was the application,” he said. “That’s the new endpoint. That’s what contains the data, the new activity and identity, everything.”
Securing Mobile Apps
For nearly a decade, security experts have preached the importance of moving beyond the network to embed security at the application level. Security leaders such as Ely have certainly tried to convince developers to build in encryption, logging and anti-tampering measures.
“When I ran security for these large brands, I tried to get the development teams to not only care, but understand, the security threat and prioritize security feature and development,” he said. “And I was running up against — as my peers do — the product road map of building features for the consumer or for the businesses.”
Meanwhile, mobile malware and attacks were on the rise, and Ely knew a mobile security storm was coming; he had seen the same evolution in Web application security and desktop application security. He also knew his peers struggled to protect corporate data on smartphones. Enterprises needed a way to secure their mobile apps against attacks without burdening developers or disrupting the development cycle.
So when he and long-time security colleague and SPI Dynamics founder Caleb Sima discussed co-founding a new security company in 2012, Ely saw an opportunity to address a major enterprise security problem.
“I said, ‘You know what? I have to do something about this, because it’s such a pain point for myself and my peers,'” Ely said.
They formed Bluebox Security and began developing a new mobile application security platform. They wanted a solution that would address what Ely called the three pillars of security controls: attack and fraud detection, data encryption at rest and in transit, and reporting capabilities to support back-end event analysis. It also had to work without adding latency, which meant the defenses had to run inside the app rather than depend on round trips to a back-end API.
Making Security Simple for Application Developers
From his enterprise security experience, Ely also knew their solution must secure apps without creating extra work for developers.
“Having seen all these developer education programs and testing and retesting of security of applications and knowing how long that takes and how frustrating it is, we said how can we take the security things that need to be done at the application level and almost give them kind of an easy ‘button’ if you will?” he said.
The result is a dynamic framework that embeds application security after the app is finished. It supports all development frameworks and third-party libraries, he said. Analytics comes with the platform, which means companies can learn not only about attacks, but also about who uses the apps and when. The biggest appeal to customers is that Bluebox requires no extra work by developers, he added.
“Companies develop their app. They don’t think about Bluebox at all,” said Ely, who now serves as the company’s COO. “Once the app’s developed, it’s pushed through the Bluebox platform. The policies, the defenses, the controls; everything’s applied and they’re handed back a version of their application that has our dynamic framework injected in.”
So far, the response has been good, according to Ely, particularly when it comes to stopping mobile fraud. For instance, banks and other companies now face attackers who run their mobile apps inside emulators, so a company might see 500 copies of its app coming from a single IP address. Previously, companies had no way to determine whether a surge in traffic was coming from many individual installs or from one emulator farm. Bluebox can tell when it is coming from one IP address, which lets it stop the attack in real time while collecting analytics about the attack.
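The emulator-farm pattern described above, shown as detection logic run over a constructed back-end request log. This is an added example for illustration; it is not Bluebox code and says nothing about how Bluebox's injected framework actually makes the determination. The log format (ISO timestamp, source IP, a per-install device id, event name) and the threshold and window values are assumptions.

```python
"""Spot emulator-farm traffic by counting distinct app installs per source IP.

Added example, not Bluebox code. It assumes a back-end request log in the
constructed format shown below: ISO timestamp, source IP, a per-install
device id, and the event name. Real logs will carry different fields.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. 198.51.100.4 is a household with two phones;
# 203.0.113.7 presents eight different install ids within a few seconds,
# the pattern the article describes when emulators sit behind one address.
SAMPLE_LOG = """\
2015-10-12T14:03:01Z ip=198.51.100.4 device=d-1001 event=login
2015-10-12T14:03:05Z ip=198.51.100.4 device=d-1002 event=login
2015-10-12T14:03:10Z ip=203.0.113.7 device=d-2000 event=login
2015-10-12T14:03:11Z ip=203.0.113.7 device=d-2001 event=login
2015-10-12T14:03:12Z ip=203.0.113.7 device=d-2002 event=login
2015-10-12T14:03:13Z ip=203.0.113.7 device=d-2003 event=login
2015-10-12T14:03:14Z ip=203.0.113.7 device=d-2004 event=login
2015-10-12T14:03:15Z ip=203.0.113.7 device=d-2005 event=login
2015-10-12T14:03:16Z ip=203.0.113.7 device=d-2006 event=login
2015-10-12T14:03:17Z ip=203.0.113.7 device=d-2007 event=login
2015-10-12T14:05:00Z ip=203.0.113.7 device=d-2000 event=transfer
"""


def parse_line(line):
    """Turn 'TS key=value ...' into a dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def peak_distinct_devices(log_text, window_seconds):
    """Return {ip: largest number of distinct device ids seen in any window}.

    A sliding window, rather than a plain per-IP count, keeps a large office
    NAT whose users log in gradually over a day from looking like a burst of
    emulators that all appear within seconds.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        by_ip[rec["ip"]].append((rec["ts"], rec["device"]))

    peak = {}
    for ip, events in by_ip.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            in_window = {dev for ts, dev in events[i:]
                         if (ts - start).total_seconds() <= window_seconds}
            best = max(best, len(in_window))
        peak[ip] = best
    return peak


def flag_emulator_farms(log_text, threshold=5, window_seconds=60):
    """Return the IPs whose peak distinct-device count reaches the threshold."""
    peak = peak_distinct_devices(log_text, window_seconds)
    return {ip: n for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in flag_emulator_farms(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct installs inside 60s, likely emulator farm")
```

On the sample, only 203.0.113.7 is flagged; the two-phone household stays below the threshold. The caveat a practitioner would add is that a per-IP count on its own also fires on carrier-grade NAT and corporate proxies, so the threshold has to be tuned to the app's user population and the signal combined with others before anything is blocked in real time.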
Recent mobile security incidents such as the Android Stagefright vulnerabilities, the XcodeGhost compromise of Apple’s Xcode toolchain that injected malware into iOS apps, and the iOS Masque attack have provided market validation for what he and Sima predicted back in 2012: The app is the new endpoint.
“We … are starting to see companies that are losing revenue because their mobile apps are being attacked. Consumers losing data and actual network breaches,” Ely said. “Everybody wants to be mobile and move around. When it hits critical mass, we know attackers are going that way, too.”
At first, Bluebox focused on enterprises that wanted to secure corporate apps and data from outside apps that might reside on an employee’s phone, but the company is now pushing into the consumer and B2E (business to employee) space. Bluebox plans to add new features that will allow development teams to tie into user workflow and identity. While they currently offer APIs for integration with third-party apps, they also plan to work with partners such as Apigee to provide better integration.