
March 14, 2017

How to stop security vulnerabilities using DevOps

As the rush to release puts pressure on businesses, security risks are growing, and stopping vulnerabilities requires collaboration between mobile app developers, operations and security teams under a DevSecOps model.

Research from BMC/Forbes shows that 60 percent of executives see a division between their security and development teams, with each operating in ignorance of the other. Their aims, releasing mobile apps on time and ensuring that those apps are secure, often fail to align, and security is treated as a low priority. To change this behaviour and embrace DevSecOps, the following tips help bring cohesion between the two teams.

Adopt a DevOps Platform

To minimise the risk from security issues, the starting point is to standardise on a DevOps platform. A DevOps platform helps your teams align for DevSecOps and serves as a line of defence against a potential data breach, whether your mobile app is developed in house or by a third party.

With a standardised DevOps platform it is easier to practise good developer hygiene: ensuring that only those authorised to change source code are able to do so, which also protects company IP. In practice that means protected release branches, mandatory review before merge, and signed commits so that a change can be traced to an accountable identity rather than to whoever held a stolen credential.
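The authorisation rule above is what a platform's branch protection enforces. The following is an added example (not code from the original article or from Codified Security) of that logic as a git pre-receive hook for a self-hosted repository. It assumes the pushing user arrives in the REMOTE_USER environment variable and that the protected branches and maintainer list are the two constants at the top; both are hypothetical values for illustration.

```python
#!/usr/bin/env python3
"""Git pre-receive hook: refuse pushes to protected branches unless the pusher
is on the maintainer list and the new tip commit carries a good signature.

Added example, not from the original article. Assumptions: the pushing user is
exposed in REMOTE_USER (hosted platforms use their own variable), and the two
policy constants below are hypothetical values for illustration.
"""
import os
import subprocess
import sys

# Hypothetical policy: branches that ship to production, and who may push there.
PROTECTED_BRANCHES = {"refs/heads/main", "refs/heads/release"}
MAINTAINERS = {"alice", "bob"}
ZERO_SHA = "0" * 40  # git uses all zeros for a ref being created or deleted


def parse_update(line):
    """A pre-receive stdin line is '<old-sha> <new-sha> <refname>'."""
    old, new, ref = line.split()
    return old, new, ref


def commit_is_signed(sha, run=subprocess.run):
    """True if git reports a good, trusted signature ('G') on the commit.
    `run` is injectable so the policy can be tested without a repository."""
    result = run(["git", "log", "-1", "--format=%G?", sha],
                 capture_output=True, text=True)
    return result.stdout.strip() == "G"


def check_update(old, new, ref, user, is_signed=commit_is_signed):
    """Return a list of policy violations; an empty list means the update is allowed."""
    problems = []
    if ref not in PROTECTED_BRANCHES:
        return problems  # feature branches are unrestricted
    if new == ZERO_SHA:
        problems.append(f"{ref}: deleting a protected branch is not allowed")
        return problems
    if user not in MAINTAINERS:
        problems.append(f"{ref}: user '{user}' is not authorised to push here")
    if not is_signed(new):
        problems.append(f"{ref}: tip commit {new[:8]} is not signed by a trusted key")
    return problems


def main():
    """Read all ref updates from stdin; exit 1 (push rejected) on any violation."""
    user = os.environ.get("REMOTE_USER", "unknown")
    violations = []
    for line in sys.stdin:
        if line.strip():
            old, new, ref = parse_update(line)
            violations.extend(check_update(old, new, ref, user))
    for v in violations:
        print(f"rejected: {v}", file=sys.stderr)
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main())
```

Installed as `hooks/pre-receive` on the server, the hook rejects the whole push if any protected ref fails the checks; pushes to other branches pass through untouched. Hosted platforms implement the same rule as configuration, but the check itself, identity plus signature on the tip, is the one worth reproducing wherever the repository lives.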

Involve managers and stakeholders in DevSecOps

Stakeholders and project managers need to take on additional responsibilities to bring security into the software development lifecycle: ensuring that all required security modules are in place and that data stored locally on the device is encrypted.

This role extends to auditing all tools and assets currently in use, defining protocol settings, training developers in check-in, check-out and administrator practices, reviewing where code repositories are hosted, and ensuring that an end-to-end process flow is in place.

Standardise Authentication Methods

The traditional problem for mobile apps is the trade-off between ease of use and security. Mobile devices now offer strong authentication beyond basic passwords, such as biometrics, so users can keep strong security without sacrificing user experience. When you adopt these, tie the biometric check to a key held in the device's secure hardware rather than treating it as a yes/no flag in app code; a flag can be patched out of a tampered build, a key that never leaves the hardware cannot.

Develop pre-built Modules

Another best practice for protecting against security vulnerabilities is to use pre-built modules that are optimised and written following secure coding best practices. Instead of developing code from scratch, developers can reuse these modules and build their apps faster. The modules must be vetted and version-pinned, and tracked for newly published vulnerabilities, otherwise the shared module becomes a shared weakness across every app that uses it.

Implement Security in your Versioning Control

Security needs to be part of your version control. The DevOps platform you choose ought to provide security controls and label security issues according to:

  • Severity 1
  • Severity 2
  • Severity 3
  • SLA (time allowed to fix, tied to severity)

Create an Enterprise App Store

Mobile Application Management (MAM), which is part of Enterprise Mobility Management (EMM), lets you push app updates to corporate devices and to BYOD devices enrolled with your company. This also lets your DevOps platform notify all enrolled users about a severity 2 or 3 issue, and force the download of an app update in the case of a severity 1 issue.
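The severity labels and SLA from the version-control section, and the notify-versus-force-update rule for MAM above, are one policy applied to the same findings. The following is an added example (not code from the original article or from Codified Security) of a pipeline gate that applies that policy: it labels each finding, computes its SLA due date, picks the MAM action, and returns a non-zero status when a release must be blocked. The SLA windows, the "severity 1 always blocks, anything past its SLA blocks" rule, and the sample findings are all illustrative assumptions, not any platform's built-in behaviour.

```python
"""Triage security findings for a mobile app release: attach a severity label
and an SLA due date to each finding, decide the pipeline and MAM action, and
return a non-zero gate status when the release must be blocked.

Added example, not from the original article. The policy table, the blocking
rule and the sample findings are illustrative assumptions.
"""
from datetime import date, timedelta

# Hypothetical policy: severity -> (tracker label, days before SLA breach, MAM action)
SLA_POLICY = {
    1: ("severity-1", 7, "force-update"),
    2: ("severity-2", 30, "notify"),
    3: ("severity-3", 90, "notify"),
}


def triage(finding, today_iso):
    """Return the finding enriched with labels, due date, SLA state and MAM action."""
    sev = finding["severity"]
    if sev not in SLA_POLICY:
        raise ValueError(f"{finding['id']}: unknown severity {sev!r}")
    label, days, action = SLA_POLICY[sev]
    today = date.fromisoformat(today_iso)
    due = date.fromisoformat(finding["found"]) + timedelta(days=days)
    overdue = today > due
    labels = [label, f"sla-due:{due.isoformat()}"]
    if overdue:
        labels.append("sla-breached")
    return {
        "id": finding["id"],
        "severity": sev,
        "labels": labels,
        "due": due,
        "overdue": overdue,
        "action": action,
        # Severity 1 always blocks; lower severities block once their SLA has lapsed.
        "blocks_release": sev == 1 or overdue,
    }


def gate(findings, today_iso):
    """Triage every finding and return (exit_code, triaged_list).
    exit_code is 1 when at least one finding blocks the release, otherwise 0."""
    triaged = [triage(f, today_iso) for f in findings]
    blocking = [t for t in triaged if t["blocks_release"]]
    return (1 if blocking else 0), triaged


# Constructed sample scan output (not real findings), shaped like a scanner export.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": 1, "found": "2017-03-10"},
    {"id": "F-2", "severity": 2, "found": "2017-03-01"},
    {"id": "F-3", "severity": 3, "found": "2016-12-01"},
]


if __name__ == "__main__":
    code, results = gate(SAMPLE_FINDINGS, "2017-03-14")
    for r in results:
        state = "BLOCKS" if r["blocks_release"] else "ok"
        print(r["id"], r["labels"], r["action"], state)
    raise SystemExit(code)
```

Run against the sample on 2017-03-14, F-1 blocks because it is severity 1, F-3 blocks because a severity 3 finding from December has outlived its 90-day SLA, and F-2 is merely labelled and queued for a user notification. The labels are what you would write back to the tracker; the action is what the MAM channel consumes.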

As businesses enter the next digital era, developing and implementing a DevSecOps approach will become a necessity. A defined framework eases implementation, organises security updates, gets vulnerabilities fixed and supports collaboration across DevOps teams.

Codified Security will help you bring mobile app security testing into DevSecOps with integration options across our API and CLI binary.