As mobile app development teams look to speed up the pipeline and deliver high-quality apps faster, giving everyone a clear roadmap makes the journey more efficient. To simplify work prioritization and partner more effectively with security teams, consider adopting a practical, effective pair of principles: “Secure by Design” and “Trust but Verify.” Together, these best practices improve collaboration and ease remediation, which speeds delivery.
A Secure by Design development approach ensures security is built in by specifying architecture, requirements and required knowledge well before a single line of code is written. Forming communities of practice with security enables knowledge sharing and consensus on which security standards to adopt, which secure coding skills are needed and how to address issues.
Standards enable devs to code faster and avoid security scope creep by knowing exactly what will be tested and what security bugs need to be fixed.
The maxim ‘Trust but Verify’ refers to the way mobile app security teams operate in partnership with devs and QA. While they have confidence that developers will do the right thing and write secure code, security teams need to perform mobile appsec testing to validate that apps meet the agreed security bar and are free of security and privacy issues. Developers benefit from this security testing because it ensures the quality of releases and reduces the defect escape rate. Identifying security bugs early in the software development lifecycle with fast feedback loops also helps you shrink dwell time and mean time to remediation.
Security testing at the end of development leads to surprises that slow or even block releases. Avoid those problems by plugging automated continuous security testing into the dev pipeline and integrating it with your CI/CD and ticketing systems. Automated mobile binary security tests can run in parallel with your UX, functional and integration testing and feed security bug and resolution data into existing tools. With no new tools to learn, you can work in your native environment and maintain velocity. (See these examples of CircleCI, Jenkins and Microsoft Azure integration workflows.)
When you write new code and tap new third-party libraries daily, you may inadvertently be introducing security bugs. Incrementally testing security every day helps you catch and fix security bugs early in the cycle, increasing overall app quality.
If you write 500 lines of code a day and wait three months to test, that leaves 30,000 lines of code to test. Testing 500 lines of code each day instead finds bugs earlier so you can fix them faster. Modern automated testing uncovers security, privacy, compliance and app store blockers across the mobile app and its APIs, returning highly accurate results in 30 minutes or less. (Learn more about continuous testing in this recorded webinar.)
Fast feedback loops enable devs to address issues faster, but manually reviewing security bugs slows the process down. Ensure the automated testing software is highly accurate and look for a tool that feeds security bugs directly into ticketing systems so you don’t waste time. Prioritized findings help you focus on fixing the most severe bugs with the greatest impact, ultimately reducing the defect escape rate and mean time to remediation.
Finding security bugs is important, but what matters more is fixing them quickly in the priority required. To speed developer resolution, be sure tests offer embedded dev remediation assistance that includes priority, evidence, fix instructions, code samples and links to native iOS docs and Android docs. Well-formed tickets with embedded dev assistance can turn a two-day bug hunt to find and fix an issue into a few minutes to resolve, easing the burden for everyone.
While continuous security testing automation covers many use cases and risk scenarios to speed delivery of secure mobile apps, threat modeling identifies some mobile apps as high risk because of the types of sensitive information they handle. Many mobile appsec programs rely on automated continuous security testing to cover the majority of issues and then add periodic full-scope mobile app pen tests to focus on aspects that require a human. Such pen tests can help validate the quality of your work. (Consult our checklist for choosing an external pen test provider.)
Adopting the ‘Secure by Design’ and ‘Trust but Verify’ principles outlined above benefits development and security teams alike. Wouldn’t you like to achieve the following goals?
NowSecure offers a comprehensive suite of automated mobile app security and privacy testing solutions, penetration testing and training services to speed the delivery of secure mobile apps. Get a free mobile app security test today to uncover security, privacy and compliance issues along with dev remediation and code examples to help you fix them.