"There are multiple ways to secure an application. Now, a lot of folks would say, 'Well I have a secure device, so therefore my applications are secure.' Well, mobile device security only takes you to a certain level," Voshell says. "There are encryption methods for locking the data down on the devices. But that's not really protecting everything that happens in an application."
On the mobile-application security front, Suder sees a potential model in the FedRAMP program the government developed for cloud computing technologies.
To win FedRAMP certification, a cloud product must meet a set of baseline security standards that are common to all agencies and departments; the idea is that a single certification enables more rapid adoption by sparing each federal entity from having to conduct its own security evaluation.
The Department of Homeland Security 'Car Wash' Program
Suder points to the "car wash" program that the Department of Homeland Security is developing to evaluate mobile applications, so far limited to those developed in-house.
DHS envisions car wash as a one-stop testing environment for developers to screen their apps for security problems, such as coding flaws or the potential to access sensitive information without appropriate safeguards.
"Car wash is meant for government, [in this case] government-developed apps," Suder says. "They were talking about using it while you're developing your app, so you don't go down the road that's too far down your mobile development, and then next you know you gotta totally rewrite the code. So I think they're meaning it to be more of a collaborative type of thing and it's just a tool that you run your code through so you don't get stuck at the end and have to redo all your code. So I think car wash isn't meant to fix it. Car wash is meant to identify where the issues are and what you've got to fix."
As DHS polishes the program, car wash could become available to other agencies later this year, the department has signaled. That repeatable security test environment, which could grant a seal of approval recognized across the government, could emulate the FedRAMP cloud-computing framework for mobile applications.