Integrate security into the mobile app software development lifecycle
July 28, 2021
Train developers in security best practices. Organizations must shift all the way left, into the minds of developers. The further the organization goes, the better the results. Secure code begins with builders who understand risk and keep their security knowledge current. Most mobile developers come from the web, which has fundamentally different app architecture and security requirements. Mobile operating systems and development environments update every year, driving a high rate of change. Mobile app security teams should leverage resources such as the OWASP MASVS to educate both development and security teams on mobile appsec. They can use security checklists that offer a security framework everyone can reference and follow. Writing better-quality code reduces the number of security bugs created, which cuts repair time and sends releases out the door faster. Through training, organizations can rely more on empowered developers than on security specialists.
Use secure-by-design coding techniques. Create secure mobile apps by writing them securely from the start so the development team doesn't have to come back and fix them later. Developers should build to a security architecture, with requirements and knowledge in place up front, well before they write a single line of code. Forming communities of practice among development teams, with advice and support from security, enables knowledge sharing and consensus on which security standards to adopt, which secure coding skills to build, and how to address issues. Establishing security standards, architecture and requirements up front means fewer security bugs are created, saving repair time and ensuring faster releases.
Continuously test the security of software supply chains, code repos and binaries. Today's software isn't crafted from a single source of code; it's built from a collection of disparate tools, internal code and third-party code. In the march to shift left, tune security testing to the development pipeline. Use software composition analysis (SCA) to test the security of all third-party libraries and open source software (OSS) before developers use them, and make sure they come with a quality software bill of materials (SBOM). Test the security of all internally written source code in the integrated development environments (IDEs) or code repos with static source code analysis. Build the mobile apps, then security test the compiled app binaries with SAST/DAST/IAST for maximum coverage. This tests the app the way an attacker would. Fortunately, development teams can run binary testing automatically and continuously, in parallel with functional, integration and user experience (UX) testing. Use a layered testing approach with modern automation tools integrated into the pipeline. This leads to fewer security bugs, with security issues prevented or found faster and fixed faster, so organizations can release faster.
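The SCA and SBOM step described above, as an added Python example that is not the article's own code: a pipeline gate that rejects a build when the SBOM has incomplete component records or lists a component inside a known-affected version range. The SBOM fragment, library names, advisory feed and advisory ids are all constructed placeholders, not real data.

```python
"""Added example (not the article's code): an SCA gate that reads a mobile app's
SBOM and fails the build on incomplete records or known-vulnerable components."""
import json
REQUIRED_FIELDS = ("name", "version", "purl")

# Constructed CycloneDX-style SBOM fragment; library names are fictional.
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"type": "library", "name": "net-client", "version": "4.9.0",
   "purl": "pkg:maven/example.net/net-client@4.9.0"},
  {"type": "library", "name": "json-mapper", "version": "2.9.8",
   "purl": "pkg:maven/example.json/json-mapper@2.9.8"},
  {"type": "library", "name": "analytics-sdk", "version": ""}]}"""

# Constructed advisory feed with placeholder ids (not real CVEs). A component
# is affected when introduced <= version < fixed_in.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "json-mapper", "introduced": "2.0.0", "fixed_in": "2.9.10"},
    {"id": "ADV-PLACEHOLDER-2", "name": "net-client", "introduced": "3.0.0", "fixed_in": "4.0.0"},
]

def parse_version(text):
    """'2.9.10' -> (2, 9, 10): numeric compare, so 2.9.10 > 2.9.8 (string order disagrees)."""
    return tuple(int(part) for part in text.split("."))

def quality_issues(sbom):
    """One message per component missing a field an SCA tool needs to match it."""
    issues = []
    for comp in sbom.get("components", []):
        missing = [f for f in REQUIRED_FIELDS if not comp.get(f)]
        if missing:
            issues.append(f"{comp.get('name', '<unnamed>')}: missing {', '.join(missing)}")
    return issues

def vulnerable_components(sbom, advisories):
    """Cross-reference every versioned component against the advisory ranges."""
    hits = []
    for comp in sbom.get("components", []):
        if not comp.get("version"):
            continue  # already reported by quality_issues; nothing to compare
        ver = parse_version(comp["version"])
        for adv in advisories:
            in_range = parse_version(adv["introduced"]) <= ver < parse_version(adv["fixed_in"])
            if adv["name"] == comp["name"] and in_range:
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits

def sca_gate(sbom_json, advisories=ADVISORIES):
    """Pipeline gate: pass only with a complete SBOM and zero advisory matches."""
    sbom = json.loads(sbom_json)
    issues, hits = quality_issues(sbom), vulnerable_components(sbom, advisories)
    return {"quality_issues": issues, "vulnerable": hits, "passed": not (issues or hits)}
```

A component with an empty version is reported as a quality defect rather than silently passing, since an SCA match is impossible without it.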
Perform full-scope pen testing for high-risk apps. For high-risk apps, such as those containing very sensitive intellectual property, complex IoT-connected mobile apps and apps handling very sensitive customer data, organizations add an additional layer of security with expert pen testing. Although well-trained developers and automated continuous security testing can find many issues, some scenarios require human ingenuity and expertise. Others involve technology complex enough that automation cannot replace a human tester. Schedule the pen testing work at the appropriate time in the life cycle. If developers have integrated continuous testing into the pipeline, pen testers won't waste time on low-hanging fruit and can instead focus on the hard problems.