Developing a COVID-19 track and trace app — through the lens of Black Duck

The unprecedented spread of COVID-19 has the world scrambling to navigate a new normal. The World Health Organization (WHO) has underscored the importance of identifying COVID-19 cases and isolating them before they spread. Testing and tracing is vital to this effort, and all individuals in contact with an infected individual must be identified to mitigate further spread of the virus.

Mobile application technology offers a powerful solution to facilitate the collection of data about user movements and points of contact. To defeat COVID-19 there must be a robust and effective track and trace app that can reliably provide the data needed to stop the spread. But there are numerous complications of such an undertaking, and they all must be considered throughout the development process.

In a recent interactive Lunch and Learn COVID-19 webinar, two Black Duck top security consultants, Ian Ashworth and Bhavin Shah, discuss principal considerations and challenges associated with creating a track and trace app. To learn about the key takeaways, keep reading. For a more complete understanding of the topic, watch the webinar.

Top takeaway: Application security is vital

As a global leader in innovation, Black Duck understands the challenges and roadblocks associated with the development process, particularly the difficulties of AppSec. The importance of application security, especially given that users will need to share personal data in any track and trace app, can’t be overstated, but it seems to have largely taken a back seat in the preliminary wave of track and trace apps. Numerous reports have already emerged noting privacy failures, potential hacking events, and development U-turns.

Challenge considerations: User adoption

Perhaps the most pressing challenge of a successful track and trace application is user adoption. Personal data concerns, motivations for use, and overall security doubts pose a challenge—and that’s before an application even enters the development phase. Black Duck senior security consultant Bhavin Shah notes that an application would need a minimum of 60% user adoption to be at all effective. Without adequately addressing security concerns and demonstrating robust security measures, application adoption is set to fail. Shah defines the key ingredients for a secure design:

• Hardware: The app must run on hardware dedicated to the cause or utilize the plethora of already available mobile devices.
• Identity: The user and those around the user must be represented anonymously and securely. Failure to secure identity will negatively impact adoption.
• Proximity: The app must be able to identify encounters with other phone users. Again, security concerns must be addressed with this functionality.
• Communication: Data must be shared and processed securely.
• Motivations: Users need to trust the app to use it. Without user confidence, the motivation to download it will be slim.

To learn more about the key development and deployment stages, view the full webinar.

Keys to a successful and secure application

After researching current market offerings and addressing initial shortcomings, Shah and Ashworth provide their ultimate recipe for a successful track and trace application. Given their deep understanding of how security functions in the development space, the following can be seen as a launching point for your application development planning:

• Good design removes 50% of your security worries. Incorporate security activities into your design phase to prevent costly vulnerabilities later in the SDLC.
• Document and be totally transparent—user trust is paramount. Openness will go a long way in encouraging application adoption.
• Carefully select your open source components. Use adequate security and testing measures when selecting open source code to avoid vulnerabilities and legal complications. Knowing what risks might be hidden in your code is imperative.
• Automate security testing during implementation. Using automated testing solutions and services, like those Black Duck offers, protects you without slowing you down.
• Perform a final pen test on the deployed solution. Pen testing services from Black Duck help identify vulnerabilities that more traditional testing solutions may miss.
• Review your deployment and patch your app. Final checks for security with a robust suite of AppSec tools helps guarantee application security.

Black Duck solutions that can help

Black Duck ARA

The Black Duck architectural risk assessment (ARA) solution provides expert inspection of the main components of the application design. An ARA examines 11 areas (e.g., cryptography, auditing, etc.) before the application moves to development—saving the additional time and expense of having to make changes later. With services ranging from security control analysis to in-depth assessments and mitigation support, our Architecture and Design practice helps you identify missing or weak security controls, understand secure design best practices, and mitigate security flaws that increase your risk of a breach.
 

SAST

Static application security testing (SAST) allows you to review your entire application, or just simple code changes, in minutes. The Black Duck SAST solution plugs seamlessly into your CI pipeline. Security testing often lacks depth or understanding, and it can slow software development. Using tooling cleverly now can reduce the amount of re-work and avoid expensive production issues later, accelerating your time to market in the long run.
 

DAST/IAST

Black Duck dynamic application security testing (DAST) and interactive application security testing (IAST) solutions help reduce software-related risks by identifying security vulnerabilities while web applications are being dynamically fuzz tested. The Seeker IAST solution monitors web app interactions in the background during normal testing and can quickly process hundreds of thousands of HTTP(S) requests, giving you results in seconds with near-zero false positives—no need to run manual security scans.