This blog post is one of three about managing a successful mobile app security program from Katie Strzempka, director of mobile app security services for NowSecure. Part one introduces a framework for a mobile app security program, training and education, and how to create a high-efficiency team. Part two discusses mobile app security testing tools that drive consistency in process and reporting. Part three explains how to work with your development team to achieve the program’s objectives with mobile app security training and testing.
I talk to a lot of people — CISOs, security analysts, quality assurance engineers, and others — about mobile app security. I’m exposed to a variety of application security programs at varying levels of maturity at many different types of organizations. I also manage the mobile application security program at NowSecure. I oversee our mobile app security testing methodology and process, a high-performing team of mobile app penetration testers, report development and delivery, and customer briefings during and after a testing engagement. I’ve learned a lot about what makes a good mobile app security program, and I want to help enterprises build and manage their own program by sharing some of what I’ve learned.
This first article focuses on defining a mobile app security program, the importance of a repeatable process, and what makes a good team.
What is a mobile app security program?
A mobile app security program identifies, analyzes, and manages the risk associated with your portfolio of mobile apps on a continual basis. Ideally that covers the complete spectrum from inception through design, development, deployment, and finally end-of-life. A program is ongoing and incorporates metrics that allow you to quantify your progress in meeting the program’s objective. Creating a measurable program requires repeatable methods and processes that result in consistent outcomes. Key questions that help establish metrics include, but are not limited to, the following:
- How many mobile apps does your organization have?
- How critical is each mobile app to your business goals?
- How many mobile app security flaws are in production?
- How many security flaws are fixed before and/or after deployment?
- Are the number of identified flaws increasing or decreasing over time?
Mobile app security program challenges
Some enterprises have only just started developing their first native mobile apps and aren’t sure where to start with mobile app security testing. The mobile attack surface differs from that of web applications, so historical web application testing frameworks are not enough. Identifying mobile app security flaws requires tests that depend on the idiosyncrasies of the operating system platform (Android and iOS for the purposes of this article). Those tests call for a wide range of techniques and fields of expertise, for example analyzing cryptographic algorithms and how the app implements them, or reverse-engineering proprietary protocols from the compiled binary.
Many of the app security tools available in the market today were originally developed to assess web applications and can’t drill down to this level of detail. On top of that, many of these tools perform static analysis of source code only, so they require access to the source and never observe how the app actually behaves at runtime on a device.
Another common problem for larger organizations is the sheer volume of mobile apps that need testing. Many enterprises have internal security teams that perform manual testing of apps but can’t keep up with the demands on their time. These teams also experience friction when delivering testing results to their development teams. It’s not uncommon for security analysts to receive a build for analysis with very little time before a scheduled release. Identifying vulnerabilities too late in the game results in a mad rush to remediate and oftentimes delays a release.
Getting started: Setting mobile app security standards
A mobile application security program addresses these and other obstacles faced by security and development teams alike. In order for the program to be successful, all of the players involved (security, development, product, engineering) must agree and adhere to a set of mobile app security standards.
Documenting the requirements for mobile app security, how apps will be tested against those requirements, and which security issues will delay or block a release are key steps. They will also go a long way in building goodwill with your development team, as developers will know what to expect.
Even better is teaching developers how to code securely, thereby meeting the requirements, and fixing security issues themselves. This saves time for both developers and security and quality assurance teams. Depending on the maturity of your program, providing developers with automated mobile app security testing tools can multiply the time savings. Technology exists that will automatically test mobile app builds as part of continuous integration (CI), continuous delivery (CD), or other DevOps processes and provide feedback directly to developers.
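As an added illustration (my own example, not code from this article or from NowSecure), the script below applies such a written standard mechanically in a CI job: it reads a scan report, blocks the release on critical and high findings, warns on medium ones, lets only approved and unexpired risk acceptances waive a finding, and rolls a findings history up into the metrics listed at the top of this post. The report layout, finding IDs, app names, severities and quarters are all constructed for the demo; a real gate would load the JSON your scanner emits.

```python
"""CI release gate for a documented mobile app security standard.

Added example for this article, not NowSecure code. A written standard is only
useful if it is applied the same way on every build, so the gate below encodes
it: critical/high findings block, medium findings warn, and a finding can be
waived only by a risk acceptance that is approved and has not expired. The
report layout, finding IDs, app names and severities are constructed for the
demo; a real gate would load the JSON your scanner emits.
"""
from datetime import date

# The standard agreed with development: which severities stop a release.
BLOCKING_SEVERITIES = {"critical", "high"}
WARNING_SEVERITIES = {"medium"}

# Constructed scan report for one build of a hypothetical banking app.
SAMPLE_REPORT = [
    {"id": "F-101", "app": "com.example.bank", "severity": "High",
     "title": "Cleartext HTTP to backend endpoint"},
    {"id": "F-102", "app": "com.example.bank", "severity": "Medium",
     "title": "Account data written to device log"},
    {"id": "F-103", "app": "com.example.bank", "severity": "Critical",
     "title": "Hard-coded API key in binary"},
    {"id": "F-104", "app": "com.example.bank", "severity": "Low",
     "title": "android:debuggable set in manifest"},
]

# Constructed risk acceptances: time-boxed, and only valid with an approver.
SAMPLE_ACCEPTANCES = {
    "F-103": {"approved_by": "appsec-lead", "expires": "2024-09-30"},
}


def is_accepted(finding, acceptances, today):
    """True only if an approved, unexpired risk acceptance names this finding."""
    acc = acceptances.get(finding["id"])
    if not acc or not acc.get("approved_by"):
        return False
    return date.fromisoformat(acc["expires"]) >= date.fromisoformat(today)


def evaluate(findings, acceptances, today):
    """Apply the standard to a report; returns the verdict and the buckets behind it."""
    blocking, warnings, waived = [], [], []
    for f in findings:
        sev = f["severity"].lower()
        if is_accepted(f, acceptances, today):
            waived.append(f)
        elif sev in BLOCKING_SEVERITIES:
            blocking.append(f)
        elif sev in WARNING_SEVERITIES:
            warnings.append(f)
    return {"release_allowed": not blocking, "blocking": blocking,
            "warnings": warnings, "waived": waived}


# Constructed multi-quarter findings history across two apps, for metrics.
SAMPLE_HISTORY = [
    {"app": "com.example.bank",   "quarter": "2023Q4", "stage": "pre_release", "fixed": True},
    {"app": "com.example.bank",   "quarter": "2023Q4", "stage": "production",  "fixed": True},
    {"app": "com.example.bank",   "quarter": "2023Q4", "stage": "production",  "fixed": False},
    {"app": "com.example.retail", "quarter": "2024Q1", "stage": "pre_release", "fixed": True},
    {"app": "com.example.retail", "quarter": "2024Q1", "stage": "production",  "fixed": False},
]


def program_metrics(history):
    """Answer the program's metric questions per quarter from a findings history."""
    per_quarter = {}
    for f in sorted(history, key=lambda x: x["quarter"]):
        q = per_quarter.setdefault(f["quarter"], {
            "apps": set(), "found": 0, "in_production": 0, "open_in_production": 0,
            "fixed_before_release": 0, "fixed_after_release": 0})
        q["apps"].add(f["app"])
        q["found"] += 1
        if f["stage"] == "production":
            q["in_production"] += 1
            if f["fixed"]:
                q["fixed_after_release"] += 1
            else:
                q["open_in_production"] += 1
        elif f["fixed"]:
            q["fixed_before_release"] += 1
    # Is the number of identified flaws going up or down quarter over quarter?
    counts = [q["found"] for q in per_quarter.values()]
    trend = "flat" if len(counts) < 2 or counts[-1] == counts[-2] else (
        "increasing" if counts[-1] > counts[-2] else "decreasing")
    return {"per_quarter": per_quarter, "trend": trend}


if __name__ == "__main__":
    verdict = evaluate(SAMPLE_REPORT, SAMPLE_ACCEPTANCES, "2024-06-01")
    print("release allowed:", verdict["release_allowed"])
    for f in verdict["blocking"]:
        print("  BLOCK", f["id"], f["title"])
    print("trend:", program_metrics(SAMPLE_HISTORY)["trend"])
```

The point of the expiry date on an acceptance is that a waiver granted to make one release ship does not silently become permanent: once it lapses, the same critical finding blocks the next build again, which is exactly the kind of predictable behaviour developers can plan around.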
Mobile app security training and education
To ensure consistency and repeatability, it’s crucial to train both your security analysts and your developers on what makes the mobile app attack surface unique. While there is some overlap between the types of exploits and vulnerabilities found in web versus native apps, there are also significant differences.
To ensure proper test coverage, make sure both your security and development teams are aware of these nuances. Resources such as the OWASP Mobile Security Project and the NowSecure Secure Mobile Development Best Practices are good starting points for training material.
Building a high-efficiency mobile app security testing team
Some readers may already have a team in place that focuses on mobile application security testing. If so, HIGH FIVE! For readers whose organization is only beginning to develop mobile apps, or has outsourced mobile app security testing in the past, a pillar of your program will be your core mobile team. What is unusual about mobile app security talent is how rarely a single person embodies all of the skills needed to cover the entire mobile attack surface.
A highly functional mobile application security testing team needs expertise covering the following aspects of the mobile app attack surface:
- Mobile forensics and data recovery: Knowing how to forensically examine data at rest to ensure apps do not store sensitive data insecurely on the device.
- Network security and web services/API testing: Evaluating whether apps properly encrypt the data sent to various endpoints. Failures to protect data in transit typically produce vulnerabilities rated high or critical severity under the Common Vulnerability Scoring System (CVSS).
- Server-side penetration testing: Testing the backend services the app talks to, including diagnosing insecure storage of sensitive data on the backend.
- Reverse-engineering and code analysis: Identifying exploitable weaknesses in the app’s code and compiled binary.
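To make the first of those skills concrete, here is an added example (my own, not NowSecure’s tooling) of the data-at-rest check a forensic analyst performs after pulling an app’s private data directory from a test device: it walks the sandbox, parses Android SharedPreferences XML and SQLite databases, and flags values that are plaintext secrets either by key name or by shape (JWT, cloud access key, card number). The package name, file names, schemas and stored values are constructed for the demo; the sandbox itself is built in a temporary directory so the script runs offline.

```python
"""Scan an Android app's data directory for sensitive data stored in plaintext.

Added example for this article, not NowSecure code. It mimics the data-at-rest
check an analyst does after copying /data/data/<package> off a rooted test
device: SharedPreferences XML and SQLite databases are the two places secrets
most often end up unprotected. The package name, file names, table schemas and
sample values below are all constructed for the demo.
"""
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Key or column names that should never carry a plaintext value in app storage.
SENSITIVE_KEY = re.compile(r"(passw(or)?d|secret|token|api[_-]?key|session|auth)", re.I)
# Value shapes that look like credentials even when the key name is innocent.
SENSITIVE_VALUE = {
    "jwt": re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$"),
    "aws_access_key": re.compile(r"^AKIA[0-9A-Z]{16}$"),
    "card_number": re.compile(r"^\d{13,19}$"),
}


def classify(key, value):
    """Return a reason string if (key, value) looks like a plaintext secret, else None."""
    if not isinstance(value, str) or not value:
        return None
    for name, pattern in SENSITIVE_VALUE.items():
        if pattern.match(value):
            return f"value looks like {name}"
    if SENSITIVE_KEY.search(key):
        return "sensitive key name with plaintext value"
    return None


def scan_shared_prefs(path):
    """Inspect one SharedPreferences file: <map><string name=..>v</string>..</map>."""
    findings = []
    for el in ET.parse(path).getroot():
        key = el.get("name", "")
        value = el.get("value") if el.get("value") is not None else (el.text or "")
        reason = classify(key, value)
        if reason:
            findings.append({"file": path.name, "location": key, "reason": reason})
    return findings


def scan_sqlite(path):
    """Inspect every row of every table in a SQLite database."""
    findings = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            for row in con.execute(f'SELECT * FROM "{table}"'):
                for col, value in zip(cols, row):
                    reason = classify(col, value)
                    if reason:
                        findings.append({"file": path.name,
                                         "location": f"{table}.{col}",
                                         "reason": reason})
    finally:
        con.close()
    return findings


def scan_app_data(app_dir):
    """Walk an app's private data directory and collect all findings."""
    findings = []
    for p in Path(app_dir).rglob("*"):
        if p.suffix == ".xml" and p.parent.name == "shared_prefs":
            findings.extend(scan_shared_prefs(p))
        elif p.suffix in (".db", ".sqlite"):
            findings.extend(scan_sqlite(p))
    return findings


def build_sample_app_dir():
    """Construct a fake /data/data/com.example.bank layout with three bad practices."""
    root = Path(tempfile.mkdtemp()) / "com.example.bank"
    prefs = root / "shared_prefs"
    prefs.mkdir(parents=True)
    (prefs / "session.xml").write_text(
        '<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
        '  <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJl</string>\n'
        '  <boolean name="onboarded" value="true" />\n'
        '  <string name="theme">dark</string>\n</map>\n')
    dbdir = root / "databases"
    dbdir.mkdir()
    con = sqlite3.connect(dbdir / "accounts.db")
    con.execute("CREATE TABLE users (id INTEGER, email TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice@example.com', 'hunter2')")
    con.execute("CREATE TABLE cards (id INTEGER, pan TEXT)")
    con.execute("INSERT INTO cards VALUES (1, '4111111111111111')")
    con.commit()
    con.close()
    return root


if __name__ == "__main__":
    for f in scan_app_data(build_sample_app_dir()):
        print(f"{f['file']}: {f['location']} -> {f['reason']}")
```

On a real engagement the input directory comes from the device (for example an `adb pull` of the package directory on a rooted emulator), and the value patterns would be extended with whatever identifiers matter to the business; the structure of the check stays the same, which is what makes it a good task to hand to an entry-level analyst before a senior reviewer looks at the hits.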
The size of your team will vary depending on the number of applications that need testing, as well as the type and complexity of the security tools you use (I’ll discuss tools more in-depth in the next post in this series). The ideal team will not only include a mixture of skill-sets as described above but will include people of varying experience. Count on entry-level security analysts to handle aspects of initial testing, and then provide their results to a more experienced senior analyst. Senior analysts can then focus their time and energy on the areas that require their expert knowledge.
Small mobile app security teams
A small team might consist of one or two mobile app security analysts responsible for testing one to ten applications each year (along with bug fixes, feature additions, minor releases or major updates for those apps). Analysts on smaller teams don’t typically test mobile apps full time. It’s usually only a subset of their overall job responsibilities.
Oftentimes, a compilation of open source tools might suffice for a small team provided that as a whole, the team has expertise in all of the areas mentioned above. Open-source tools can be problematic if the team already faces a backlog of app testing. Manually setting up different testing environments, troubleshooting, and compiling results from multiple tools into one hand-written report can all eat up precious hours of a security team’s time.
Large mobile app security teams
What I consider a large mobile app security team would include three or more mobile app security analysts that continually test numerous mobile apps (and app updates) on an annual basis. Typically, this team’s sole responsibility is app testing based on the volume of apps developed by the organization and release frequency.
A big challenge for larger teams is a hefty testing backlog and/or pressure from the business to perform testing and provide results more quickly. Automated mobile app security testing that provides a reasonable amount of coverage frees security analysts up to focus a majority of their time on areas that require more in-depth manual analysis.
Part two of this series explains how to choose mobile app security testing tools that drive consistency in your methodology, processes, and reporting. Part three of this series provides tips for establishing mobile app security program buy in with your development and DevOps teams.