Mobile devices have overtaken desktop devices
as the leading means to access applications and the internet. The growing
demand for mobile apps creates a need for developers to improve their processes
and release new features at an unprecedented rate to stay ahead of the
competition. Consequently, the development community embraces newer processes
such as Agile and the culture of DevOps to produce their mobile applications
much more quickly.Modern software development cycles, which
include a lot of automation and use of third-party code with backend API
services, have broken the legacy security model for development, when there was
plenty of time to look for and fix security issues manually before a product
release. As a result, the risk of data security vulnerabilities in mobile apps
and the potential for a breach of regulatory requirements are higher than ever.
This is creating an imperative need to innovate the process for application
security for mobile applications.Top security questions for mobile app securitySteadfast mobile app security for business
applications is especially critical in order to ensure customer trust and to
maintain a good business reputation. To provide a well-rounded security
evaluation of any mobile app, the security team must ask and answer a number of
important questions:
Does the app have any Priority 1
vulnerabilities?This is obviously a very serious concern. No
application should ever be released to the public if it contains a known
vulnerability that a remote attacker can exploit and use to extract data.
Will the app get
rejected by Google or Apple?An app that fails to
adhere to appropriate guidelines for securing personal or sensitive information
could be rejected by the top mobile app stores.
Are third-party
software development kits or open source software leaving
security holes? Most mobile apps
today invoke third-party tools or services to save time and money. SDKs
and open source software are not immune from having their own security
vulnerabilities, which affect any apps that use them.
Does the app have an
issue that is widely known? Some security flaws are so egregious that they gain widespread attention, such as when Forbes magazine wrote
about the ZipperDown vulnerability affecting nearly 16,000 mobile apps. A Chinese research group
exposed the applications that contained this flaw, essentially bringing
unwelcome public shame to those app owners.
Is the app in full
compliance with the government and/or industry regulations we must adhere to? Most companies have an obligation to meet
data security and privacy requirements outlined in one or more regulations such
as HIPAA, PCI DSS, FERPA and GDPR. Security directors must work closely with
their application development counterparts to ensure that all compliance
requirements are met and maintained throughout an application’s life.
Are there any
data-in-transit exposures?An insufficient transport layer can allow a hacker to gain access
to customer data and steal or modify it at will. Mobile apps have a distinct advantage over web-browser apps in their
ability to protect data-in-transit, but it requires developers to add
anti-eavesdropping protection with SSL/TLS certificate pinning.
Is the app connecting
to any malicious endpoints? Third-party
code might prompt the application to reach out to malicious endpoints, such as
a command-and-control server. This, of course, cannot be permitted in any
mobile app.
Does the app expose
customer data to third-party applications? Some third-party apps might surreptitiously harvest data
from an application and take it back for their own unauthorized use.
Are there any data-at-rest exposures? Unintended data leakage can occur if critical app data is
stored on an insecure location of the mobile device, making it accessible by
other apps or even by the user.
Security experts might have additional
questions, but the issues above are table stakes for assuring data security and
privacy in any mobile app.How mobile AppSec is verified todayThe typical way that development teams
validate their application’s security posture is through penetration testing,
which can take weeks or longer. It’s a very labor-intensive, manual process
that must be repeated for every new build of the application. One failed pen
test can hold up the application release until a fix is made and a retest finds
no additional vulnerabilities. This causes stress with the DevOps team that is
anxious to meet the business objective of getting the release out the door.There’s another obvious problem with relying
on testing procedures performed by people: They don’t scale well.Companies with a portfolio of applications
soon discover they can never build a security team big enough – and with the
quality of people they need – to move as fast as their software
development team. Moreover, consistency can be an issue, as one person might
overlook something important that another person would find. Security issues
change quickly, and a person’s knowledge and expertise can easily fall behind
the times.Security teams often use static code analysis
tools to evaluate their apps. However, many of the tools in this category are
notorious for finding theoretical vulnerabilities that can never be exercised
in runtime but instead are code hygiene concerns. What’s more, the
effectiveness of the tools is frequently measured on the number of issues that
are found, which creates a poor signal-to-noise ratio for both security and
development. The true measure of effectiveness is the number of real-world
issues that are found and fixed before the production release. The static and
dynamic analysis tools need to focus on not just finding security issues, but
also on a path to fixing the issues quickly. This latter approach provides a
much higher value to the DevOps and Security teams.Given that the manual penetration testing
process requires a significant and costly security staff, resources and tools,
it’s a very inefficient way to repeatedly validate security and compliance as
part of the modern application continuous integration/continuous delivery
(CI/CD) cycle. What’s more, manual pen testing is point-in-time and outside the
software development life cycle (SDLC), so it tends to burden and slow the
DevOps process.A better approach is to automate the security
and compliance validation checks continuously throughout the application
development cycle, effectively automating what the penetration testers do
manually and accelerate security within the entire DevOps stack.Automate security for mobile app SDLCToday, when software development is delivered by
DevOps teams, developers publish their code into a continuous and rapidly
available cycle. The developers review and test the code, put it through a
build, and then compile the code. Lastly, it is published for general release. All of that can be done with automation in
order to maintain Agile velocity and the speed synonymous with the DevOps world.Now it’s time to add security early into that
flow without needing any kind of manual intervention. Thus, when the software
is being compiled and going through its normal testing, it's also going through
an automated security test to make sure that it adheres to all the necessary
security checks, as well as compliance requirements.When the test results are fed back into the
DevOps workflow, this prevents the development process from being held up
because security is now an integral part of the normal DevOps CI/CD cycle.
Security validation is done continuously and at the scale and speed needed to
keep up with development today. This model follows the DevSecOps practice
because development and security are all in one workflow.Automate “the gauntlet” of security checks and
processesThe goal is to have a truly comprehensive mobile
app security program that is part of the development lifecycle. Whether the
program is primarily manual or fully automated, the process must go through a
gauntlet of measures, including the following:
Conduct static and dynamic code analysis
Discover dynamic runtime security flaws
Alert on newly discovered Priority 1 issues and app store blockers
Provide secure code samples and recommendations
to fix the issues found
Identify vulnerabilities in third-party SDKs
Inspect open source libraries for insecure code
Report on compliance for PCI, HIPAA, GDPR, FTC
regulations, etc.
Protect against SSL/TLS man-in-the-middle attacks
Protect against third-party keystroke loggers
Encrypt data storage for the app
Help remove spyware and malware
Realistically, no human-focused security program
can perform all those activities in a reasonable amount of time—let alone
perform them continuously in a fast-paced SDLC framework. Automation is the
only way to get to a true DevSecOps model. Many of the world’s largest and most
innovative companies – Netflix, Facebook, Goldman Sachs, JPMorgan Chase,
PayPal, Airbnb, Bank of America, and more – use security automation as an
integral part of their mobile app development lifecycle.For teams looking to follow this DevSecOps
practice, innovative tools are available today that fully automate the measures
above. Agile and DevOps development models are moving too quickly to still
allow for manual security assurance and compliance validation.By Himanshu Dwivedi, Founder and CEO, Data Theorem
There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]
It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]
