Gartner’s research into the role of mobile app security testing looks at how mobile security testing is going to develop alongside traditional
The Gartner Market Guide to Mobile App Security Testing looks at the growth of the mobile market and its technology, and at how enterprises are choosing to security-test their mobile apps. The guide also surveys a range of vendors of mobile app security testing products.
Meeting the security testing needs of mobile
Gartner's view of mobile security testing in the enterprise is that 90% of companies will be testing their mobile apps for security vulnerabilities by 2020. There is room for high growth: the Ponemon Institute's study found that just 29 percent of mobile apps had any form of security testing in 2016. Mobile app developers and security personnel will need to choose new tools and new ways of working to extend their testing coverage and meet the demands of mobile.
As more companies introduce mobility programs, there is greater potential for exposure of corporate data and intellectual property, and for breaches of their customers' data. As more mobile apps are developed to meet demand, more is at risk. The Ponemon study on IoT and mobile apps reflects this in the views of security teams: 60 percent reported a data breach caused by a vulnerable mobile app, and 64 percent were concerned about the impact of vulnerable mobile apps in the enterprise.
More companies will need to be aware of the role of their own apps, and to consider testing third-party apps as part of Mobile Application Management. Beyond the need to protect corporate data, there are PCI-DSS, HIPAA, and GDPR compliance obligations, some of which carry high penalties; Codified Security is referenced for this in Gartner's market guide.
Mobile app security testing analysis types
Gartner focuses on the following types of analysis to get maximum coverage for mobile app security:
SAST: Static application security testing analyses the mobile app binary (or source) at rest for vulnerabilities in the code, without executing the app.
DAST: Dynamic application security testing exercises the mobile app at runtime, including checking that the network communications used to send and receive data are encrypted and otherwise secure.
Behavioural testing: Testing the mobile app's behaviour for its potential to expose sensitive data; the tests are run on a mobile device emulator, a simulator, or a physical device.
Gartner's market guide focuses on automated solutions, and references Codified Security's manual analysis process as a way to ensure high-quality results. Many solutions miss this step, which leaves developers wasting time chasing vulnerabilities that do not exist.
DevSecOps is the future
Gartner sees the need for mobile app security testing automation that keeps pace with the speed of mobile development and its newer development processes, delivered through fast and precise automated tooling. This is part of the wider DevSecOps movement to bring mobile app security testing into the build, deployment, and release process. Products such as Codified Security, combined with CI tools such as Bitrise, will help developers to:
- spot problems early
- eliminate the low-hanging fruit for the security team
- stop security problems from reaching production code
- document existing issues to stop regression
- educate developers in secure coding practices without the need to down tools
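To make the SAST category above concrete, and to show the kind of check that can run as a CI gate in the build process just described, here is an added example that is not part of the original page and is not Codified Security's or any vendor's product code. It performs a small set of static checks over an Android manifest: release-unsafe application flags, and components reachable by other apps without a guarding permission. The manifest it scans is constructed for the demonstration; the rule set, messages, and the exit-code convention are assumptions chosen for illustration. Two cases are deliberately left unflagged (the launcher activity, which must be exported, and a service gated by a permission) because a naive rule that reported them would be exactly the kind of false positive the guide warns wastes developer time.

```python
"""Minimal SAST-style checks over an AndroidManifest.xml, usable as a CI gate.
Hypothetical example code; the sample manifest is constructed, not a real app."""
import sys
import xml.etree.ElementTree as ET

# Namespace that every android:* attribute lives in.
ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android(attr):
    """Return the namespaced key ElementTree uses for an android:attr."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Constructed sample: three unsafe application flags, one unguarded exported
# activity, one receiver exported implicitly via its intent-filter, plus two
# components that must NOT be reported (launcher activity, permission-guarded
# service).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:debuggable="true"
               android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DebugActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Application-level flags that should be off in a release build (assumed rule set).
APP_FLAG_RULES = {
    "debuggable": "android:debuggable=\"true\" lets a debugger attach to the release app",
    "allowBackup": "android:allowBackup=\"true\" lets app data be pulled with adb backup",
    "usesCleartextTraffic": "android:usesCleartextTraffic=\"true\" permits plain HTTP",
}


def is_launcher(component):
    """True if the component declares a MAIN/LAUNCHER intent-filter."""
    for filt in component.findall("intent-filter"):
        actions = {x.get(android("name")) for x in filt.findall("action")}
        categories = {x.get(android("name")) for x in filt.findall("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in categories):
            return True
    return False


def is_exported(component):
    """Explicit android:exported wins; otherwise a component with an
    intent-filter is exported by default (the pre-API-31 behaviour)."""
    explicit = component.get(android("exported"))
    if explicit is not None:
        return explicit == "true"
    return component.find("intent-filter") is not None


def scan_manifest(xml_text):
    """Return a list of human-readable findings for the manifest text."""
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find("application")
    if app is None:
        return findings
    for attr, message in APP_FLAG_RULES.items():
        if app.get(android(attr)) == "true":
            findings.append(message)
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            name = comp.get(android("name"))
            if not is_exported(comp):
                continue
            if comp.get(android("permission")):
                continue  # access is gated by a permission: not a finding
            if tag == "activity" and is_launcher(comp):
                continue  # the launcher activity must be exported: skip it
            findings.append("%s %s is exported without a permission" % (tag, name))
    return findings


def main(argv):
    """Scan the manifest path given on the command line (or the sample) and
    exit non-zero when there are findings, so a CI step fails the build."""
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_MANIFEST
    findings = scan_manifest(text)
    for finding in findings:
        print("FINDING:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to scan the built-in sample, or pass the path of a decoded AndroidManifest.xml; a non-zero exit fails the CI step, which is how a check like this "stops security problems from reaching production code". Note the design choice in `is_exported`: it mirrors the platform's own default rather than flagging every component with an intent-filter, and `is_launcher` exempts the one activity every app must export. Precision of that kind is what keeps the false-positive rate, which the guide calls out, low enough for developers to trust the tool.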
Gartner recommends that companies look for mobile app security testing tools that provide coverage across a range of testing types, support automation, and deliver low false-positive rates.