
February 10, 2017

How to bring mobile app security testing into DevSecOps

Companies releasing mobile apps often ship them with many security issues because of the rush to release; security teams are then forced to fit time-consuming testing into high-frequency release cycles. This is where DevSecOps comes in.

DevSecOps helps to bring mobile app security testing into the development cycle to:

  • align business objectives between developers, operations, and security personnel
  • increase the security of each mobile app release
  • protect the company’s assets, reputation, and data

How to put the Sec in DevSecOps

The origins of DevSecOps lie in the core of Agile development practices, and as continuous integration (CI) and continuous delivery (CD) come to mobile, now is the time to bring security testing into the build process.

Before DevSecOps, the approach to mobile app security testing was to wait until development was complete before getting the security team involved. This traditional approach is high-cost and time-consuming, and it expects penetration testers to catch every issue, from minor permission concerns to complex cryptographic flaws.

The mindset of DevSecOps is iterative, testing mobile apps frequently as part of development to help make each new build of the app more secure.

DevSecOps will help developers to use automated mobile app security testing to:

  • spot problems early
  • eliminate the low-hanging fruit for the security team
  • stop security problems in production code
  • document existing issues to stop regression
  • educate developers in secure coding practices without the need to down tools

When looking for mobile app security testing solutions, avoid products that generate reports with a high false-positive rate: check that the product you choose is fast and precise, and that it offers manual analysis so you are not left chasing false positives.

DevSecOps & Mobile CI

Introducing automated mobile app security testing into the Software Development Lifecycle and your technology stack needs to be an easy process, to reduce friction and get buy-in for the program from all parties.

The recent growth in mobile continuous integration is catering to the problems of do-it-yourself mobile app CI, such as constant updates to iOS and Android developer tooling that in turn require changes to build servers. There are a number of excellent hosted options such as Bitrise, CircleCI, and Buddy Build.

There’s also the option of on-premises solutions such as Jenkins and TeamCity that may be suitable; however, these will require reconfiguring after each iOS and Android update.

Mobile CI supports the iterative approach of DevSecOps with continual improvements in app quality through repeated building and testing of the app code. When introducing DevSecOps, the next step is to automatically run a suite of security checks against the mobile app as part of every build, including vulnerability testing. The key thing here is to prevent costly security regressions over time.
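One way to make the "document existing issues to stop regression" point above concrete in a CI step is a baseline gate: the scanner's findings are compared against a checked-in list of already documented issues, and the build fails only on findings that are new. This is an added example, not Codified Security's tooling or API; it assumes a scanner that writes one finding per line as "severity rule-id path:line", and the sample files are constructed.

```shell
#!/bin/sh
# Security regression gate for a mobile CI step (added example, not Codified
# Security's own tooling). Assumes the scanner writes one finding per line as
# "<severity> <rule-id> <path>:<line>" and that accepted, documented issues
# live in a baseline file of the same format checked into the repository.

# Constructed sample: findings from the current build.
WORK=$(mktemp -d)
SCAN_FILE="$WORK/scan.txt"
BASELINE_FILE="$WORK/baseline.txt"
cat > "$SCAN_FILE" <<'EOF'
HIGH insecure-storage app/src/main/java/Auth.java:42
MEDIUM weak-crypto app/src/main/java/Token.java:17
HIGH cleartext-traffic app/src/main/AndroidManifest.xml:9
EOF

# Constructed sample: issues already documented in earlier builds. The first
# finding has moved a few lines since it was recorded; that is not a regression.
cat > "$BASELINE_FILE" <<'EOF'
HIGH insecure-storage app/src/main/java/Auth.java:40
MEDIUM weak-crypto app/src/main/java/Token.java:17
EOF

# Reduce a findings file to sorted "severity rule path" keys; the line number
# is dropped so unrelated edits that shift code do not look like new issues.
finding_keys() {
    awk '{ sub(/:[0-9]+$/, "", $3); print $1, $2, $3 }' "$1" | sort -u
}

# Print findings present in the scan ($1) but absent from the baseline ($2).
new_findings() {
    finding_keys "$1" > "$WORK/scan.keys"
    finding_keys "$2" > "$WORK/base.keys"
    comm -23 "$WORK/scan.keys" "$WORK/base.keys"
}

# Exit status 0 when nothing new was found, 1 otherwise, so the CI step fails
# only on regressions while known issues stay tracked in the baseline.
gate() {
    new=$(new_findings "$1" "$2")
    if [ -n "$new" ]; then
        printf 'New security findings not in baseline:\n%s\n' "$new" >&2
        return 1
    fi
    echo "No new security findings."
}

# Demo on the constructed samples; in CI, point gate at the real files.
if gate "$SCAN_FILE" "$BASELINE_FILE"; then echo "gate: pass"; else echo "gate: FAIL"; fi
```

Once a new finding is triaged and documented, adding its line to the baseline file lets the build pass again while the issue stays on record.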

Top 5 tips for mobile DevSecOps

  • Use mobile CI solutions
  • Move towards thinking about security as an iterative process
  • Don’t rely entirely on pre-release security checklists – build them into the SDLC
  • Use automated security analysis tools
  • Track and quantify who is flagging security problems in the build cycle so specific developers can get tailored training and support, with a tool like Codebashing

Codified Security will help you bring mobile app security testing into DevSecOps with our integration options across our API & CLI binary.