Managing risk and growing the global app ecosystem
WRITTEN BY: MARCUS LAW
PRODUCED BY: JAKE MEGEARY
Apple’s 2009 advert – which coined the phrase ‘There’s An App For That’ – was just the beginning. Over the last 13 years, there has been a global explosion of app downloads ranging from mobile games to productivity tools. And, with figures from Statista suggesting there were 230bn global mobile app downloads in 2021, there are no signs of a slowdown.
For AppLovin, a leading growth platform with an ultimate mission to grow the global app ecosystem, the goal is to help developers expand their audience and their revenue while helping the industry continue to thrive.
Since launching in 2012, AppLovin has been instrumental in defining many of the world’s most popular apps and game studios. The company’s leading mobile marketing and monetisation platform provides app developers with a powerful, full-stack solution to solve their mission-critical functions like user acquisition, monetisation, and measurement.
“Really, at the end of the day, the goal is to grow that whole app ecosystem,” explains Jeremiah Kung, AppLovin’s Global Head of Information Security and Compliance.
“Growing up, we didn't have cell phones, we barely had the internet,” he laughs, “and now it's different.”
“Everything's on the phone, and apps are growing,” he adds. “We want to grow that ecosystem so that everyone is successful – from the developers and the applications to the businesses and the advertisements behind that – so that it's a win-win for everybody.”
AppLovin is on a mission to provide app developers with the tools they need to thrive – balancing speed and comprehensive information security is vital
Prevent AppSec Data Breaches
Data Theorem’s solutions are powered by its award-winning Analyzer Engine, which leverages a new type of dynamic and runtime analysis that is fully integrated into the SDLC, and enables organizations to conduct continuous, automated security inspection and remediation.
Real-time Active Protection for AppSec
Organizations today need tools that are purpose built for securing modern application stacks to prevent data breaches. Past-generation runtime AppSec tools (WAFs, RASPs, EDRs) are unable to address critical areas of modern application stacks such as cloud-native applications.
As an example, serverless applications with APIs, such as AWS Lambda, cannot be secured using traditional web application firewalls (WAFs), runtime application self-protection (RASPs), or endpoint detection and response (EDR) agents. This is because there are no accessible operating systems for agent installation nor traditional network perimeters with ingress/egress points. Data Theorem now uniquely delivers runtime defenses and observability across its entire product suite, addressing security gaps in modern application exposures commonly found with cloud-native stacks.
Data Theorem Active Protection is a runtime defense and observability offering. It works across Data Theorem’s product portfolio to help customers enable application-layer security defenses across their application stacks, from the client layer (web and mobile apps) to the API data transport layer and lastly cloud infrastructure. The runtime defenses include attack prevention, OWASP Top 10 rules, known malicious sources, policy violations of encryption levels, authentication types, authorization rules, and a variety of custom rule checks including preventing Broken Object Level Authorization (BOLA) attacks. Further, organizations also need increased observability (logging, tracing, trending) before enforcing security policies because of the dynamic nature of their modern application stacks. Customers can enable Data Theorem’s Active Protection through the use of their SDKs (software development kits), application extensions (Lambda layers), and AppSec proxy (L7 sidecar proxying).
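The Data Theorem passage above makes two points a practitioner can see in code: in a serverless handler there is no host or perimeter to bolt a control onto, so object-level authorization has to live in the application layer, and such a policy is usually run in an observe-only mode before it is switched to enforce. The following is an added illustration written for this page; it is not Data Theorem's code or AppLovin's. It assumes an AWS Lambda-style handler behind an API gateway, with the caller identity in `requestContext.authorizer.principalId` and the requested object id in `pathParameters`; the invoice store, user ids and event shape are constructed sample data.

```python
"""Application-layer object-level authorization for a serverless handler.

Added illustration (not Data Theorem's or AppLovin's code). Models a
Lambda-style handler: caller identity comes from the gateway authorizer,
the requested object id from the path, and the check runs in the handler
because there is no agent or perimeter to put it anywhere else.
"""
import functools
import json
import logging
from typing import Callable, Dict, List

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("bola-guard")

# Constructed sample data: invoice id -> record with its owning principal.
INVOICES: Dict[str, dict] = {
    "inv-1001": {"owner": "user-alice", "amount": 120.00},
    "inv-1002": {"owner": "user-bob", "amount": 75.50},
}

# Audit trail of policy decisions, so observe-mode findings can be reviewed
# and trended before the policy is switched to enforce.
AUDIT: List[dict] = []


def _response(status: int, body: dict) -> dict:
    return {"statusCode": status, "body": json.dumps(body)}


def caller_id(event: dict) -> str:
    """Identity as established by the API gateway's authorizer (assumed event shape)."""
    return event["requestContext"]["authorizer"]["principalId"]


def vulnerable_get_invoice(event: dict, _context=None) -> dict:
    """BOLA: any authenticated caller can read any invoice just by supplying its id."""
    record = INVOICES.get(event["pathParameters"]["invoice_id"])
    if record is None:
        return _response(404, {"error": "not found"})
    return _response(200, record)


def object_level_authz(owner_of: Callable[[str], str], mode: str = "enforce"):
    """Decorator that binds the requested object to the calling principal.

    mode="observe" only logs violations (the tuning period the text describes);
    mode="enforce" rejects them with 403. Unknown ids get 404 in both modes,
    and before the ownership check, so the guard does not leak which ids exist.
    """
    def wrap(handler):
        @functools.wraps(handler)
        def guarded(event: dict, context=None) -> dict:
            principal = caller_id(event)
            object_id = event["pathParameters"]["invoice_id"]
            try:
                owner = owner_of(object_id)
            except KeyError:
                return _response(404, {"error": "not found"})
            if owner != principal:
                decision = {"principal": principal, "object": object_id, "mode": mode}
                AUDIT.append(decision)
                log.warning("BOLA policy violation %s", decision)
                if mode == "enforce":
                    return _response(403, {"error": "forbidden"})
            return handler(event, context)
        return guarded
    return wrap


def invoice_owner(invoice_id: str) -> str:
    """Lookup used by the guard; raises KeyError for unknown ids."""
    return INVOICES[invoice_id]["owner"]


@object_level_authz(invoice_owner, mode="enforce")
def hardened_get_invoice(event: dict, _context=None) -> dict:
    return vulnerable_get_invoice(event, _context)


@object_level_authz(invoice_owner, mode="observe")
def observed_get_invoice(event: dict, _context=None) -> dict:
    return vulnerable_get_invoice(event, _context)


def make_event(principal: str, invoice_id: str) -> dict:
    """Constructed API Gateway-style event for GET /invoices/{invoice_id}."""
    return {
        "requestContext": {"authorizer": {"principalId": principal}},
        "pathParameters": {"invoice_id": invoice_id},
    }


if __name__ == "__main__":
    cross = make_event("user-bob", "inv-1001")          # Bob asks for Alice's invoice
    print(vulnerable_get_invoice(cross)["statusCode"])  # 200: record exposed
    print(observed_get_invoice(cross)["statusCode"])    # 200, but the violation is logged
    print(hardened_get_invoice(cross)["statusCode"])    # 403
    print(hardened_get_invoice(make_event("user-alice", "inv-1001"))["statusCode"])  # 200
```

Running the observe-mode variant against real traffic for a while, and reviewing `AUDIT`, is how a team finds legitimate cross-principal access paths (support tooling, batch jobs) before turning on enforce mode; the same ownership-lookup shape works whether the guard is delivered as a decorator, an SDK, or a sidecar in front of the function.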
A risk-off approach to cybersecurity
Trust and transparency continue to be incredibly important for both organisations and individuals, with concerns around data protection increasing in recent years. As Kung explains, from an information security perspective, by not storing personal information from devices, AppLovin takes a ‘risk-off’ approach.
“From a security point of view,” he says, “our technology never knows who owns the device and only captures what ad types that device interacts with. For example, it's more like: ‘That device likes Wordscapes games, so let’s send them more ads for Wordscapes-type games’ as they will be more likely to download. We never know who the owner of the device is,” Kung adds.
“We removed the significant risk from the equation, which ensures significant risk reduction from an InfoSec perspective.”
The app market may have been on a meteoric rise in recent years, but as with all industries, there is a negative side, with bad actors posing daily threats. For Kung, who joined the business in May 2022, transparency is particularly important when it comes to cybersecurity.
“I try to stay as plugged in as I can to the business so I can understand the threat and risk,” he comments. “I've added tools and processes, but I think what really counts from the cybersecurity piece at this point is transparency.”
“This is a highly technical company with a lot of smart people. My first priority for information security was to conduct assessments; I did my poking and prodding, and penetration testing.”
“They have made some really smart choices and done some really clever things,” Kung adds. “We’re now focused on adding enhancements and improvements over time. The one improvement we added for the cyber side was transparency.”
Cyber success is down to people
For Kung, a cybersecurity professional with more than 20 years of experience in the industry, the key factor to driving a successful cybersecurity programme is down to the people.
As he explains, when joining AppLovin, the first thing he did was create an advisory programme to sit and talk to developers, establishing conversations and processes around when to introduce InfoSec checks.
“We’d have a conversation around what the developers are working on to determine the best point in time for my team to conduct penetration tests,” Kung says. “And we’ll have regularly scheduled conversations to check in.”
In a fast-paced environment such as the technology industry, it’s also highly important not to sacrifice the speed of development. Having joined AppLovin following several cybersecurity roles at financial institutions, Kung is particularly aware of the differences between the east and west coast working in cybersecurity.
JEREMIAH KUNG
TITLE: GLOBAL HEAD OF INFORMATION SECURITY AND COMPLIANCE
INDUSTRY: COMPUTER SOFTWARE LOCATION: CALIFORNIA, US
Jeremiah Kung is AppLovin’s Global Head of Information Security and Compliance. AppLovin enables developers to grow their business with a powerful set of industry-leading solutions. Jeremiah is a risk-based cybersecurity and technology executive with strong beliefs in innovation and partnership. He has led multiple digital transformations and has found that the constant drive to improve along with the business is the key factor to leading a successful security program in any company. Jeremiah is a results-oriented, hands-on cybersecurity professional with 20 years of successful history of leading cybersecurity, data privacy and risk management programs.
“Coming from a banking organisation or FinTech, you’re so highly regulated,” Kung comments. “You have to find everything and fix everything before it goes to production. The CISO must sign off on everything, and it doesn’t go to production until they’ve done all their tests and they’re happy that everything’s fixed.”
JEREMIAH KUNG, GLOBAL HEAD OF INFORMATION SECURITY AND COMPLIANCE, APPLOVIN
“But here,” he adds, “our business success depends on the velocity of our releases. So, it’s all about how you find that perfect momentum of putting the security controls in place but not slowing the process down.”
“That’s what’s really fascinating – finding that balanced mix. And at the end of the day, it comes down to people.”
“We have extremely talented developers who are willing to work with us. We have tools that give us visibility, and we are also willing to work with the team. I’m not going to hand them scan reports and say, ‘Here are some findings, go fix them’. I commonly say, ‘These are the findings, let me look at them, and perhaps we find things which might be an issue’. This allows us to track if it’s a quick fix – and if not, we’ll ensure it’s prioritised in the next release.”
“Our business success depends on the velocity of our releases. It’s all about finding that perfect momentum of putting the security controls in without slowing the process down”
Managing third-party risk
With a rising number of security breaches arising from third-party relationships, managing third-party risk is a particularly relevant issue in cybersecurity – especially in light of the SolarWinds attack, which opened many eyes to the dangers of insufficient onboarding and monitoring of third-party vendors.
“I aim to look at all threats and ensure they’ve been looked at,” Kung explains. “Third-party risk is a great one. For vendors we’re doing business with, we ask questions to ensure that they are properly secured, and will protect our data.”
“You don't want to say, 'Here are 1,000 questions, please answer them', to every company you work with. That could potentially slow things down,” he says. “Instead, we'll do our own assessment, then we’ll come regularly to reassess and ask questions.”
Particularly in the cybersecurity world, a strong network of partnerships is vital – and AppLovin is no different. In addition to a partnership with Google, Kung explains that working with smaller companies, such as Data Theorem and MAKINSIGHTS, has significant advantages.
“Especially in a SaaS world, you can't be on your own and just have your own developers build everything”
“I have liked working with the smaller, hungrier companies because they're willing to work with you,” he muses. “Especially in a SaaS world, you can't be on your own and just have your own developers build everything. As smart and as efficient as they are, we do need to partner with some vendors out there.”
“With Data Theorem, I met with their CEO quarterly, when I was back at EastWest Bank,” Kung says. “At the time, we were building mobile apps to do business banking in China as well as the United States, so the security needed to be top-notch.”
When looking for a tool to protect from Magecart attacks, a discussion with Data Theorem’s CEO led to the development of a ‘hack toolkit’, which could detect a multitude of vulnerabilities with a push of a button.
“It’s been interesting to watch them grow their business from just scanning the mobiles to the web to then creating a piece for cloud security, and followed this up by creating a piece for API security,” Kung says. “These were all the things I was worried about, and now I had just the tool I needed in order to find this solution.
“MAKINSIGHTS is another great example of a nimble company: they came on board and provided excellent service by supplying us with skilled former 'Big Four' consultants, many based out of LATAM,” he adds. “Working with MAKINSIGHTS brings the latest in cyber processes, policy, governance advice, risk assessment, pen testing – essentially the full gamut of Information Security from an outside perspective.”
AppLovin has also been partnering with Google, utilising cutting-edge tools in both the cyber and the cloud space.
“A lot of times, solutions are being built on-premise and tend to be legacy, and slower,” Kung explains. “Google is doing some pretty innovative work now in the cloud, engineering-wise. By partnering with Google there are a lot of interesting options we're considering, including looking at information security from a different point of view than the typical push-button compliance checklist.”
“When we’re evaluating a vendor we’re starting to do business with, we do deeper dive assessments to see if they are properly secured and whether they are going to protect our data”
How organisations manage InfoSec is changing
In an increasingly cloud-based environment, Kung predicts there will be shifts in the way organisations manage their information security.
“At the end of the day, security never really has an end state,” he says. “Threats are always changing and the business is always evolving. Eventually, more and more systems are going to move to the cloud. Larger institutions will be tougher, but smaller companies and high technology companies are mostly going to be in the cloud. And, if they’re not already there, they’re going to start moving to Kubernetes and to serverless functions, which is really going to shift the way we do information security.”
With different threat vectors and different attack surfaces to look at, organisations need to be constantly assessing security threats while thinking outside the box.
“Passwords are pointless,” Kung states. “You really should be doing multi-factor authentication (MFA) – those are ways of thinking outside the box of technology.”
“I've seen some really cool ideas from Transmit Security, who had an awesome tool that would get to know who you are,” he says. “We would know a user held the phone in a particular way, so we can authenticate it – a robot, for example, wouldn’t be holding it at all. I don’t know if that's the ultimate solution, but out-of-the-box thinking like that is where we need to go.”
And, with AppLovin’s goal to continue growing the app ecosystem, InfoSec will similarly continue to hold a vital role.
“I'm definitely looking at every new product we're coming out with, making sure it's secure and focusing on helping grow the business without slowing it down,” Kung comments.
“For AppLovin, the goal is to continue to grow the business and the app ecosystem, even at a time of economic uncertainty,” concludes Kung. “We're focused on growing that ecosystem, helping it thrive, and moving it forward.”
“When you do cyber insurance forms or client security inquiries, the question asked is ‘how long is your password?’ That's not the right question”
1100 Page Mill Road Palo Alto CA 94304 www.applovin.com