A decade after the inception of the DevOps movement, the practice has transformed many organizations and is beginning to take hold in others. Here at NowSecure, we too have embarked on a DevOps journey with our mobile appsec testing solutions.
Successful initiatives to secure DevOps start with a better understanding of the roles and responsibilities of the teams outside your own. Once those bridges are built, communication and transformation happen much more quickly.
We recently sat down with our own Senior Vice President of Development and Engineering, Jeff Fairman, to get a mobile DevOps engineer's perspective on a broad range of topics, from a typical work week to DevOps toolchains and metrics. Follow the discussion here.
Your highlights for the week are as follows:
- Marriott discloses massive database breach dating back to 2014
- Eight Android apps with more than 2 billion downloads implicated in multi-million-dollar ad fraud scheme
- NowSecure releases CircleCI Orb to plug into the dev pipeline
- More than half of smartphone users have suffered from data loss
- Hackers access Dunkin’ Donuts rewards program passwords
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
“Marriott says up to 500 million hotel guest records were stolen through a database breach. Guest records from its Starwood hotel chain are affected, and the company says it’s investigating alongside law enforcement.”
“Eight apps with a total of more than 2 billion downloads in the Google Play store have been exploiting user permissions as part of an ad fraud scheme that could have stolen millions of dollars, according to research from Kochava, an app analytics and attribution company that detected the scheme and shared its findings with BuzzFeed News.”
Described as "wildly over-permissioned," the apps in question, all from Chinese developers, include Battery Doctor, Cheetah Keyboard, Clean Master, CM File Manager, CM Launcher 3D, Kika Keyboard and Security Master. The click-injection scheme depends on permissions that let the app see when a new app has been installed and launch it: the fraudulent app watches for new installs and fires a click moments before the new app is first opened, so the attribution network credits it with an install it had nothing to do with. Users should closely examine the level of permissions a mobile app requests and consider the country of origin. For example, apps from China and other high-threat nations are a key concern for the U.S. Marshals Service, which deployed a NowSecure mobile app vetting solution to evaluate apps for security, compliance and privacy risks.
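The two capabilities the scheme relies on, seeing new installs and acting on other apps, leave a footprint in an app's manifest: a broadcast receiver for the package-install actions, paired with permissions that expose or reach into other apps' activity. The script below is an added example written for this newsletter, not NowSecure's product code or Kochava's research. It parses a decoded AndroidManifest.xml and flags that combination. The indicator lists are the author's choice of well-known Android actions and permissions, and the two sample manifests are constructed for illustration.

```python
"""Static triage of a decoded AndroidManifest.xml for click-injection indicators.

Flags apps that (1) register a receiver for package-install broadcasts and
(2) request permissions that let them observe or overlay other apps. Both
indicator lists below are this example's own choices, not an official list.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANAME = "{%s}name" % ANDROID_NS  # the android:name attribute

# Broadcast actions that tell an app another package was installed or updated.
INSTALL_ACTIONS = {
    "android.intent.action.PACKAGE_ADDED",
    "android.intent.action.PACKAGE_REPLACED",
}

# Permissions that let an app watch which app is in use or draw over it.
SUSPECT_PERMISSIONS = {
    "android.permission.PACKAGE_USAGE_STATS",  # foreground app / usage events
    "android.permission.GET_TASKS",            # deprecated, still requested by old apps
    "android.permission.SYSTEM_ALERT_WINDOW",  # overlay windows on top of other apps
}


def _qualify(package, name):
    """Expand the manifest shorthand '.Foo' to 'com.pkg.Foo'."""
    if name and name.startswith("."):
        return package + name
    return name


def triage_manifest(manifest_xml):
    """Return a dict describing the install-watching footprint of one manifest."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")

    permissions = {p.get(ANAME) for p in root.iter("uses-permission")}

    install_receivers = []
    for receiver in root.iter("receiver"):
        actions = {a.get(ANAME) for a in receiver.iter("action")}
        hits = sorted(actions & INSTALL_ACTIONS)
        if hits:
            install_receivers.append((_qualify(package, receiver.get(ANAME)), hits))

    suspect = sorted(permissions & SUSPECT_PERMISSIONS)

    # Flag only the combination: seeing installs AND being able to act on other apps.
    return {
        "package": package,
        "install_receivers": install_receivers,
        "suspect_permissions": suspect,
        "flagged": bool(install_receivers) and bool(suspect),
    }


# Constructed sample manifests (not real apps).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".InstallWatcher" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <action android:name="android.intent.action.PACKAGE_REPLACED"/>
        <data android:scheme="package"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


if __name__ == "__main__":
    for manifest in (BENIGN_MANIFEST, SUSPICIOUS_MANIFEST):
        result = triage_manifest(manifest)
        status = "FLAG" if result["flagged"] else "ok  "
        print(status, result["package"], result["install_receivers"], result["suspect_permissions"])
```

Two caveats a vetting pipeline should carry. First, an app can register the same receiver at runtime with registerReceiver(), which leaves no trace in the manifest, so a clean static result is not a clean app; dynamic analysis of broadcast registrations closes that gap. Second, the permissions on the suspect list have legitimate uses (launchers, accessibility tools, floating widgets), so the output is a triage signal for a reviewer, not a verdict.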
“Let’s examine how the new NowSecure AUTO Orb for CircleCI integrates directly into CircleCI software and ticketing systems such as Jira to deliver fast, closed-loop dev cycles for building and deploying secure mobile apps.”
“The MEF’s Global Consumer Trust Study found that only a minority, 27 percent, of smart phone users feel in control of their data. A third feel that they have to accept app vendors’ terms and conditions, even if the app asks for personal data they would rather not share.”
Dunkin’ says some DD Perks accounts may have been hacked
“Dunkin’ is warning customers that its mobile order and pay app DD Perks may have been hacked. The coffee and doughnut chain’s parent company, Dunkin’ Brands, revealed Thursday that some usernames and passwords were obtained by third parties, gaining them access to some customers’ first and last names, their email addresses and their Perks account number.”