This is the last post in a three-part blog series about building a mobile app security program. Part one defines a mobile app security program and summarizes how to create a high-efficiency team. Part two explains how to choose the right mobile app security testing tools to drive consistency in your processes and reporting. Part three gives pointers for working with your development and DevOps teams to establish buy-in for the mobile app security program and achieve your objectives.
When you launch your mobile app security testing program, begin by reminding your developers, your DevOps team, and yourself that you’re all on the same team in pursuit of the same business goals. The apps the team develops generate revenue, increase the organization’s productivity, and contribute to business objectives in any number of ways. You want to protect these valuable assets and eliminate mobile app security risks that can cost the business millions.
Developer and DevOps buy-in and engagement
Ideally, you’ll establish buy-in with your development and DevOps team through the following:
- Educating them on how mobile app security flaws put the business at risk
- Explaining how identifying and eliminating security flaws earlier in the software development lifecycle (SDLC) saves them time and reduces stress
- Documenting the security issues against which you’ll assess mobile apps
- Training them on secure coding practices that prevent those mobile app security issues
- Demonstrating how you will test apps for those issues
- Integrating automated mobile app security testing into their existing technology stack so they can perform basic assessments of their apps without hassle
Many developers have bad memories of delayed releases and panicked, eleventh-hour scrambles to fix security issues. I’ve seen even the most stubborn developers come around once they understood the possibility and the benefits of baking security testing directly into their continuous integration (CI) and/or continuous delivery (CD) processes.
Automating a portion of security testing up front reveals defects earlier so that developers can fix them before passing the app along for a final assessment. Remediating vulnerabilities earlier in the SDLC reduces the likelihood of the security team finding major flaws that could delay a release.
In addition, by giving developers feedback about security defects with every submitted build, they receive real-world training on how to build secure apps. Continuous security testing also reduces the passing back-and-forth of findings and results between security and development teams, which, again, reduces the risk of missing release deadlines.
But, you’ll also need to make sure the tool you select provides accurate results that provide value to developers. As discussed earlier in this blog series, static-only testing that spits out pages of false positives will quickly erode any goodwill you’ve established with developers or your DevOps team.
Mobile app security tools for developers and DevOps
If you plan to introduce mobile app security testing into your development team’s technology stack, you need to make it as seamless and easy as possible. In general, development and DevOps teams worry that mobile app security testing will complicate their processes and slow them down. By now, most of them are familiar with the automation of functional testing. Now, mobile app security testing technology has advanced to the point that it can also be automated and integrated with continuous integration and continuous delivery practices (read more about why you need to automate mobile app security testing).
Whatever tool you choose should make tying automated testing into your build cycle easy: simple to set up, and then largely set-it-and-forget-it. Output from the continuous security testing tool should also automatically log findings in the development team’s preferred issue-tracking system.
Keep the following in mind as you explore automated mobile app security testing solutions:
- Collaborate with the development team in identifying options, evaluating technology, and choosing the right solution
- Make sure selection criteria include static and dynamic analysis capabilities and a low false positive rate
- Look for a solution that includes detailed remediation instructions that include code examples for any identified defects
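The build-cycle integration and issue-tracker hand-off described above, as an added example that is not code from this blog or from any particular testing product: a small CI gate that reads a scanner's JSON report, drops low-confidence findings (so the noise that erodes developer goodwill never reaches them), collapses duplicates reported by both static and dynamic engines, fails the build only at or above a chosen severity, and turns what remains into issue-tracker payloads that carry the remediation text. The report format, field names, and sample findings are all assumed and constructed for the example.

```python
"""CI gate for automated mobile app security findings (added example).

Assumes a scanner that emits JSON with the fields used below; the format
and the sample findings are constructed for this example and are not the
output of any specific product.
"""
import json

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scanner output (hypothetical app, file paths and lines).
SAMPLE_REPORT = json.dumps({
    "app": "com.example.shop",
    "build": "1.4.2-ci-117",
    "findings": [
        {"rule": "insecure-data-storage", "severity": "high", "confidence": 0.95,
         "file": "app/src/main/java/com/example/shop/Session.java", "line": 42,
         "message": "Auth token written to SharedPreferences without encryption",
         "remediation": "Keep tokens in Keystore-backed encrypted storage."},
        # Same defect reported a second time by the dynamic engine.
        {"rule": "insecure-data-storage", "severity": "high", "confidence": 0.95,
         "file": "app/src/main/java/com/example/shop/Session.java", "line": 42,
         "message": "Auth token written to SharedPreferences without encryption",
         "remediation": "Keep tokens in Keystore-backed encrypted storage."},
        # Low-confidence static guess: likely a false positive.
        {"rule": "cleartext-traffic", "severity": "medium", "confidence": 0.30,
         "file": "app/src/main/AndroidManifest.xml", "line": 12,
         "message": "usesCleartextTraffic may be enabled",
         "remediation": "Disable cleartext traffic via a network security config."},
        {"rule": "debug-logging", "severity": "low", "confidence": 0.80,
         "file": "app/src/main/java/com/example/shop/Api.java", "line": 88,
         "message": "Response body logged at DEBUG level",
         "remediation": "Strip response-body logging from release builds."},
    ],
})


def parse_report(raw):
    """Parse the scanner JSON into (app id, build id, list of findings)."""
    report = json.loads(raw)
    return report["app"], report["build"], report["findings"]


def triage(findings, min_confidence=0.7):
    """Drop findings below the confidence floor and collapse duplicates.

    Duplicates are keyed on (rule, file, line) so a defect seen by both the
    static and dynamic engines becomes one ticket, not two.
    """
    seen = set()
    kept = []
    for f in findings:
        if f["confidence"] < min_confidence:
            continue
        key = (f["rule"], f["file"], f["line"])
        if key in seen:
            continue
        seen.add(key)
        kept.append(f)
    return kept


def should_fail_build(findings, fail_on="high"):
    """True if any surviving finding is at or above the chosen severity."""
    threshold = SEVERITY_RANK[fail_on]
    return any(SEVERITY_RANK[f["severity"]] >= threshold for f in findings)


def to_issue_payloads(findings, app, build):
    """Build generic issue-tracker payloads (title, labels, body) per finding."""
    payloads = []
    for f in findings:
        payloads.append({
            "title": f"[{f['severity'].upper()}] {f['rule']} in {f['file']}:{f['line']}",
            "labels": ["security", f"app:{app}", f"severity:{f['severity']}"],
            "body": (f"Build: {build}\n\n{f['message']}\n\n"
                     f"Remediation: {f['remediation']}"),
        })
    return payloads


def run_gate(raw, min_confidence=0.7, fail_on="high"):
    """Full pipeline: parse, triage, draft issues, decide pass/fail."""
    app, build, findings = parse_report(raw)
    kept = triage(findings, min_confidence)
    return {
        "app": app,
        "build": build,
        "findings": kept,
        "issues": to_issue_payloads(kept, app, build),
        "fail": should_fail_build(kept, fail_on),
    }


if __name__ == "__main__":
    result = run_gate(SAMPLE_REPORT)
    for issue in result["issues"]:
        print(issue["title"])
    print("BUILD FAILED" if result["fail"] else "BUILD PASSED")
```

In a real pipeline the `issues` list would be posted to the tracker's API and the `fail` flag would set the job's exit status; the two knobs worth agreeing on with the development team up front are `min_confidence` (how much scanner noise they are willing to see) and `fail_on` (which severities block a release rather than just open a ticket).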
The volume of mobile apps developed and needing testing will only increase for the foreseeable future. Make sure any tools you choose to incorporate into your testing environment can scale with your development output.
As you launch and manage your mobile app security program, remember that the entire enterprise needs to work together to make mobile apps more secure. Reducing friction by integrating the program with existing development and DevOps tools and workflows makes it that much easier for these stakeholders to get on board.
Read part one of this series about mobile app security program management and building a team. In part two, learn how to choose the right mobile app security testing tools for your program to maintain consistency.