This week Gartner released the 2017 Market Guide for Mobile Application Security Testing, which measures the impact of mobile app development and security testing at the enterprise. In addition, the guide provides enterprise and IT leaders with key criteria for comparing mobile app security testing vendors.
Key takeaway: The need to test mobile apps for security vulnerabilities at the enterprise is growing
Gartner states, “By 2020, up to 90% of enterprises will test mobile applications for security vulnerabilities, with more than half of them using the same vendor they use for web application security testing.” Ponemon Institute has reported that in 2016, only 29 percent of mobile apps underwent security assessments. To bridge the gap, security teams will need to add new tools to increase their testing capabilities and efficiency.
As mobile device use continues to grow at the enterprise, so does the volume of mobile app development and adoption — increasing the number of exposure points that could lead to a data breach resulting from a vulnerable mobile app. In fact, statistics from the same Ponemon study on IoT and mobile apps identified similar sentiment among IT security leaders:
- 60 percent of respondents reported a data breach resulting from an insecure mobile app
- 64 percent of respondents are concerned about a vulnerable mobile app in the workplace
To prevent the compromise of mobile apps and the exposure of corporate data, enterprises need to ensure they secure the mobile apps they develop internally and vet third-party mobile apps used throughout their mobile ecosystem.
Key takeaway: Mobile app security testing requires multiple types of analysis
In order to achieve a sufficient level of code coverage when assessing the security of mobile apps, Gartner recommends the following types of analysis:
SAST: Static application security testing (SAST) scans the mobile app binary to identify flaws in an app’s code.
DAST: Dynamic application security testing (DAST) provides more code coverage by examining a mobile app during runtime for security vulnerabilities. Dynamic analysis monitors network communications to determine whether they’re properly secured, checks for proper API implementations, and investigates whether sensitive data, like login credentials, is sent unencrypted.
Behavioral testing: Testing mobile app binaries during runtime allows for deeper code coverage to look for ways an attacker can exploit a mobile app. In comparison to DAST, which typically tests for known mobile app vulnerabilities and security weaknesses, behavioral analysis identifies questionable behaviors within an app that could expose sensitive data. For example, behavioral testing would not only determine whether a mobile app accesses the device’s contact list, but also determine whether data from the contact list is insecurely transmitted to specific destinations. Behavioral analysis is vital for providing a deeper assessment of the mobile app attack surface, especially as mobile developers use third-party code and open source libraries in their mobile apps.
IAST: Interactive application security testing enhances behavioral and dynamic testing by authenticating the mobile app or logging into the app with credentials to improve testing depth and accuracy. At the same time, true IAST observes the app from the inside when executing attacks.
In Gartner’s market guide, the authors specifically reference the integration of the NowSecure-sponsored open source tools Frida and Radare — which are baked into our solutions — as an example of IAST capabilities in practice. These tools combine static and dynamic analysis to accelerate the analysis process when testing mobile apps. Frida and Radare not only provide deeper code analysis, but also provide the context needed to examine potentially risky behaviors in a mobile app.
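As an added illustration of the behavioral correlation described above (example code written for this post, not NowSecure’s, Frida’s or Radare’s own output or API): it parses a constructed runtime event trace in a hypothetical key=value format and reports contact or location data that leaves the device unencrypted or goes to a host outside an assumed first-party list.

```python
import re
from dataclasses import dataclass

# Constructed runtime trace in a hypothetical key=value format (not real NowSecure or Frida output).
# Each line is one event an instrumentation hook reported while the app ran:
#   read = the app read a sensitive data source; 'tag' labels the data it obtained
#   net  = the app sent a request; 'tag' names the data carried in the body ('-' = none)
TRACE = """\
t=1.02 kind=read source=contacts tag=c1
t=1.40 kind=net host=api.example.com scheme=https tag=c1
t=2.10 kind=net host=stats.example.net scheme=http tag=c1
t=3.00 kind=net host=cdn.example.com scheme=https tag=-
t=3.50 kind=read source=location tag=l1
t=3.90 kind=net host=stats.example.net scheme=https tag=l1
"""

SENSITIVE_SOURCES = {"contacts", "location", "sms"}
FIRST_PARTY = {"api.example.com", "cdn.example.com"}  # assumed app-owned hosts

LINE_RE = re.compile(r"(\w+)=(\S+)")

@dataclass(frozen=True)
class Finding:
    time: float
    source: str
    host: str
    issue: str

def parse(trace: str) -> list[dict]:
    """Turn each non-empty trace line into a dict of its key=value fields."""
    return [dict(LINE_RE.findall(line)) for line in trace.splitlines() if line.strip()]

def analyze(trace: str) -> list[Finding]:
    """Correlate sensitive reads with later network sends carrying the same data tag."""
    tagged: dict[str, str] = {}  # tag -> sensitive source it came from
    findings = []
    for ev in parse(trace):
        if ev["kind"] == "read" and ev["source"] in SENSITIVE_SOURCES:
            tagged[ev["tag"]] = ev["source"]
        elif ev["kind"] == "net" and ev["tag"] in tagged:
            if ev["scheme"] != "https":
                issue = "sent unencrypted"
            elif ev["host"] not in FIRST_PARTY:
                issue = "sent to third party"
            else:
                continue  # encrypted and first-party: expected behavior, not a finding
            findings.append(Finding(float(ev["t"]), tagged[ev["tag"]], ev["host"], issue))
    return findings

if __name__ == "__main__":
    for f in analyze(TRACE):
        print(f"t={f.time:.2f} {f.source} data {f.issue} ({f.host})")
```

Accessing the contact list alone produces no finding; only the sends that carry tagged data over plain HTTP or to a non-first-party host are reported.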
Key takeaway: Mobile DevOps drives the need for automation and speed for mobile app security vendors
Gartner states that 53 percent of enterprises already have deployed mobile apps in their enterprise with another 40 percent stating they have plans to deploy apps in the future. This means that the number of new apps developed and needing testing will only continue to grow. And with today’s rates of deployment frequency — measured in minutes, hours, or days — mobile app security assessments will need to keep up, or be ignored. According to RightScale, 81 percent of enterprises have adopted DevOps, requiring testing tools that can offer automation of key functions alongside speed of analysis to produce quick, in-depth results.
NowSecure Solution Engineer Jon Porter makes a clear case for mobile app security testing automation:
Automation, when done right, gives you the opportunity to parallelize security testing along with your other testing procedures. Cloud services empower you to run all of your testing simultaneously and at scale.
– How to make mobile app security testing a DevOps reality
At NowSecure, we believe integrating security assessment technology with build tools like CircleCI and Buddybuild, as well as issue-tracking tools like JIRA and GitHub, is imperative to accommodate this DevOps reality. NowSecure offers the ability to test code every time a build is pushed, as well as to publish results in issue trackers so findings can be assigned to your team more easily.