Securing ASEAN’s Digital Growth: Why Application Security Must Evolve Beyond Static Controls

Across ASEAN, enterprises are expanding their digital services at a pace that would have seemed ambitious even five years ago. Mobile identity verification, digital payments, super-app ecosystems, and citizen-facing platforms are now central to daily life. This momentum creates opportunity, but it also exposes a shortcoming that many organisations recognise only when something breaks: traditional application security models are falling behind the way attackers actually operate.

The underlying tension is familiar to every technology leader. Customers expect effortless onboarding and rapid digital journeys. Yet attackers increasingly exploit the runtime behaviour of apps, the moment when identity checks, payment validation, and data flows occur. Static security controls, once considered sufficient, struggle to defend the live environment where most modern fraud attempts now happen.

As Ivan, Cofounder and CEO of Licel, noted during a recent AIBP discussion in Bangkok, “Security is not prioritised at all. Nobody cares about it until something happens.” That mindset carries growing cost in a region where digital channels are becoming economic infrastructure.

In a 2024 AIBP Survey on Application Security, respondents highlighted detection, broader security testing, and faster incident response as their top focus areas for the next 12 months. These priorities point to where existing programmes fall short: enterprises are trying to strengthen the parts of security that activate after an application is deployed. This aligns with a pattern we hear repeatedly across ASEAN: threat activity is shifting into the runtime layer, where static controls offer limited protection.

Why the Risk is Sharper in ASEAN

The region’s digital landscape amplifies the impact of runtime attacks in three ways.

First, centralisation heightens systemic exposure.

Government and enterprise platforms increasingly consolidate identity, payments, and citizen services. Thailand’s push toward integrated digital public services illustrates this risk. The Digital Government Agency’s work on the “Thang Rath” super-app expands accessibility, but also concentrates data flows into a single high-value environment, making robust runtime protection essential from the outset.

Second, digital onboarding is accelerating faster than security maturity.
Markets such as Indonesia, Vietnam, and the Philippines have seen rapid adoption of digital KYC. This growth has corresponded with a rise in bypass attempts. Ben Thompson, Senior Product Specialist at Licel, highlighted growing activity targeting “eKYC and verification bypasses”, reflecting the financial incentive for attackers.

Third, trust is economically decisive in ASEAN.
For consumer-facing brands (S&P Syndicate, Pandora), protecting customer data is as critical as product quality. Pandora’s "Digital Product Passport" concept, used to enhance supply chain traceability, is a clear example of how sensitive, valuable data is increasingly linked to mobile apps, underscoring the need for robust protection.

What Needs to Change: Security as Part of the Architecture

Discussions from the session converged on a single point: modern application security is less a toolkit and more an architectural decision.

Integrating security post-build
Controls embedded in the compiled application are significantly harder to remove without breaking the app. This approach protects the parts of the application attackers most often target during runtime.

Establishing a cryptographic chain of trust
Identity, onboarding, and payment processes increasingly require binding between the app, the security controls, and backend validation. This ensures that data requests originate from an untampered environment, reducing the viability of runtime bypass techniques.

These approaches need not introduce friction. Several ASEAN enterprises are demonstrating that resilience and low-friction digital journeys can coexist when security and product teams work jointly rather than reactively.

The Structural Cost of Standing Still

Enterprises that continue relying on static controls while expanding mobile channels face compounding risks:

• rising fraud linked to eKYC or payment flow manipulation

• reputational volatility when customer-facing apps are compromised

• growing regulatory scrutiny as digital identity standards mature

• concentrated exposure in super-app and public-service ecosystems

These risks are increasingly influencing boardroom conversations across the region.

ASEAN’s digital economy is entering a phase in which security architecture will determine competitive advantage. The threat model has already shifted to runtime. The question is whether enterprise design and investment catch up at the same pace.

In AIBP’s newly published 2025/26 Enterprise Innovation Market Overview, over 900 business and IT leaders across Southeast Asia shared their priorities and 37% mentioned that cybersecurity is one of the leading areas for investment. You may uncover additional insights on cybersecurity here.

If you’d like to join us in upcoming sessions in Thailand or in other ASEAN countries, feel free to reach out to us at aibp@industry-platform.com.