Today's columnist, Brian C. Reed of NowSecure, says companies need to leverage OWASP to train developers to build security in before any code leaves the shop. https://www.flickr.com/photos/[email protected];https://creativecommons.org/licenses/by-nc-nd/2.0/legalcode

Developers work to deliver high-quality mobile apps fast. Still, while they want to build cool apps with innovative features, quality assurance must make sure that the apps work correctly and security must ensure data gets protected. In the end, developers can see other teams as speed bumps, release blockers or departments of “no.” Still there are proven tactics that bring these teams together to deliver quality code. 

And it starts with a fundamental question for all the stakeholders: How do we meet our feature and delivery requirements in a high-quality, secure way along a targeted time frame?
 

Instead of aiming for perfect security mandates, or worse unpredictable and irregular testing programs, teams should introduce security testing incrementally and often. An approach and commitment to incrementalism means that teams build security practices, knowledge, tools, and process into the development flow at many different inflection points over time. The result: security standards mature into core elements of all software development operations.

So how do dev leaders incorporate security into code architecture from the beginning? And, what gains in speed and productivity can they expect to achieve by applying security early? To help both devs and security professionals come together, here are some best practices for building in security from the start:

  • Train developers in security best practices. Organizations must shift all the way left, into the minds of developers. The further the organization goes, the better the results. Secure code begins with builders who understand risk and continuously make themselves knowledgeable of security. Most mobile developers come from the web, which has fundamentally different app architecture and security requirements. Mobile OS and dev environments update every year, driving a high rate of change. Mobile app security teams must leverage resources including the OWASP MASVS to help educate both dev and security teams on mobile appsec. They can use security checklists that offer a security framework everyone can reference and follow. Writing better quality code reduces the security bugs created, which eliminates repair time and sends releases out the door faster. Through training, organizations can rely more on empowered developers than security specialists.
  • Use secure-by-design coding techniques. Create secure mobile apps by writing them securely from the start so the dev team doesn’t have to come back and fix. Developers should build to a security architecture with requirements and knowledge up-front, well before they write a single line of code. Forming communities of practice among dev teams, with advice and support from security, enables knowledge sharing and consensus about what security standards to adopt, secure coding skills and how to address issues. Establishing security standards, architecture and requirements up front means fewer security bugs are created, saving repair time and ensuring faster releases.
  • Continuously test security of software supply chains, code repos and binaries. Today’s software isn’t crafted with a single source of code —-it’s built with a collection of disparate tools, internal code and third-party code. In the march to shift left, tune security testing to the dev pipeline. Test security of all third-party libraries and open source software (OSS) before they are used by developers with software composition analysis (SCA) and make sure they have a quality software bill of materials. Test the security of all internally written source code in the integrated developer environments (IDEs) or code repos with static source code analysis. Build the mobile apps, then security test the compiled app binaries with SAST/DAST/IAST for maximum coverage. This tests the app the way an attacker would.  Luckily, dev teams can do binary testing automatically and continuously in parallel to functional, integration and user experience (UX) testing. Use a layered testing approach with modern automation tools integrated into the pipeline. This leads to fewer security bugs, with security issues prevented or found faster, and fixed faster, so organizations can release faster. 
  • Perform full scope pen testing for high-risk apps. For the high-risk apps that might contain very sensitive intellectual property, complex IoT-connected mobile apps and very sensitive customer data, organizations add an additional layer of security with expert pen testing.  Although well-trained developers and automated continuous security testing can find many issues, some scenarios require human ingenuity and expertise. Others have complex technology that automation cannot replace. Schedule the pen testing work at the appropriate time in the life cycle. If developers have integrated continuous testing into the pipeline, pen testers won't waste time on low hanging fruit and can instead focus on the hard stuff. 

These best practices of incrementalism: training, secure-by-design, continuous security testing and optional pen testing, can help developer and security teams better understand one another. They align interests on the road to quickly deploying high-quality software that meets the needs of the business. Whether for web or mobile applications, teams responsible for building secure code must quickly and steadily integrate security into the entire software development lifecycle.

Brian C. Reed, chief mobility officer, NowSecure