Those of you who’ve been around the penetration testing or DevOps worlds for a long time might think this headline is crazy. But when it comes to modern mobile appsec testing, this notion is no longer an oxymoron — the capability is very real and in production today.
In speaking with security analysts and researchers at the recent OWASP AppSec USA conference, several people who saw NowSecure technology in action remarked that we’ve “actually automated a mobile pen test.” With that in mind and because we have many customers using our products and services to continuously security test and certify their apps, let’s examine how they accomplish this.
Inside Penetration Testing
Penetration testing traditionally has been a mix of art and science. Whether insourced or outsourced, security analysts and experts take a human-driven approach with a homegrown toolkit to pen test a mobile app. Testing the security posture of mobile apps is particularly hard — typically taking two weeks to complete — and presents difficult challenges specifically around dynamic testing for functionality, data at rest and data in motion. What’s more, pen testing requires hard-to-find highly trained security staff or costly outsourcing. Ultimately, pen testing is tremendously valuable to mobile app teams and has been all about coverage, not speed.
DevOps is all about speed, frequency and repeatability where an automated, integrated dev toolchain lets the systems do the work for the team. DevOps seeks to achieve a fast cycle of commit to build to test to release in hours. Whether an organization runs agile on two-week release sprints or DevOps for daily builds and releases, the two-week manual pen testing cycle just doesn’t fit.
Shifting developers and security teams to DevSecOps mode requires a fully automated and integrated CI/CD toolchain in which functional, UX and security testing can be completed in minutes rather than weeks.
From Collision Course to Nirvana
While you’d expect penetration testing and DevOps to collide, they don’t have to. At NowSecure, we’ve been doing forensic analysis and pen testing for nearly a decade — completing thousands of pen tests and certifications — and have figured out how to bring them together.
Five years ago, we set out to build an automated test engine that could deliver the speed, consistency and repeatability needed for agile and now DevOps teams. We knew there was a shortage of skilled pen testers and reliable toolkits to support their work, so we created NowSecure Workstation to empower security analysts by collapsing security pen testing times from two weeks to just one to two hours.
With customers moving to agile then DevOps, new demands led us to create a centralized cloud or on-premises software platform. NowSecure AUTO runs a fully automated, dynamic test in less than 15 minutes — ideal for the SDLC toolchain. NowSecure software delivers complete dynamic and behavioral testing on real iOS and Android devices with full testing coverage of functionality, data at rest (DAR) and data in motion (DIM). This is not shortcut testing, either. NowSecure even tests cert pinning automatically in four different ways and scans for sensitive data leakage in hundreds of ways.
NowSecure AUTO integrates with leading CI/CD tools like Jenkins and Jira to enable organizations to fully automate inline testing by securely testing every build, every day, then feeding issues into ticketing systems and vulnerability dashboards. Organizations seeking to embed security testing into every phase of the dev lifecycle may choose to use static analysis security testing (SAST) tools in the IDE or commit phase pre-build, then leverage NowSecure for automated dynamic testing in the post-build phase. Now dev and security teams can let software perform the grunt work while they tackle more complex and interesting problems.
You might say “wait, you can’t automate everything,” and that is true. Scenarios such as two-factor authentication, complex Internet of Things (IoT) deployments and so forth can only be partially automated and still require human intervention, which is why we offer analyst tools and expert services to help. But when automation from NowSecure AUTO can cover 90% of all app testing scenarios, that is a huge gain for all.
And the economics of software automation are tremendous. For less than half the cost of an outsourced manual pen test, you can have continuous automated security testing via software with NowSecure AUTO 356 days a year. Read more about the economics of appsec testing here.
The Parallel Path Approach
Organizations seeking the highest security protection and certifications can run a parallel path model leveraging both automated pen testing software and outsourced expert pen testing services. This approach decouples the human-driven certification aspects from the high-speed throughput processes.
Path 1: DevSecOps path
Use NowSecure AUTO to test every build, every day to set the security baseline and attain the testing speed and volume needed for mobile apps.
Path 2: Certification path
Use NowSecure PEN Testing Services annually or semi-annually to augment daily testing and provide an extra layer of certification for mobile apps.
This parallel path with NowSecure provides the best of both worlds: speed, volume and consistency plus depth of human certification coverage for maximum confidence in your mobile app security program.