DevSecOps Best Practices: Integrating Mobile AppSec Testing Into the Dev Pipeline

As organizations aim to shift left by building security into the mobile app dev pipeline, DevOps teams may have some trepidation. They worry about break-the-build interruptions, delayed releases, eleventh hour scrambles to fix defects and an abundance of false positives to address.

Like their security counterparts, developers want to ensure the security of their mobile apps and customer data. But they need the process to be fast and easy, which is how automated mobile application security testing supports DevSecOps processes.

Finding and fixing flaws earlier in the development process provides many benefits to DevSecOps pros. These include speeding releases, boosting productivity and reducing friction between departments, among others. In addition, detailed feedback about security defects found in each build can help developers hone their coding skills while baking in security.

But if not chosen carefully and deployed correctly, mobile appsec testing tools can hinder the progress of DevSecOps teams. Some common obstacles include generating too many false positives, difficulty understanding vulnerability findings and tests taking too long to complete. Although many tools may present a tradeoff between coverage vs. speed and depth vs. ease of use, the NowSecure solution doesn’t require this compromise.

Boost your success by following these strategies for evaluating a mobile appsec testing tool and integrating it into the continuous integration/continuous delivery (CI/CD) pipeline.

• As with all DevSecOps initiatives, seek to automate everything in the testing process.
• Collaborate across security, dev and operations teams to identify options and choose the right solution.
• Factor in static and dynamic analysis capabilities in your selection criteria for completeness of coverage.
• Integrate testing into the existing technology stack and build cycle — look for plug-ins for popular build systems such as Jenkins, CircleCI and others.
• Choose a testing tool that automatically logs findings in an issue-tracking system such as Jira.
• Ensure the appsec testing tool can break the build and feed data into other dashboards/workflows.
• Seek an automated testing solution that plugs into the toolchain on the back-end and doesn’t require deployment, installation or training that interrupts the dev workflow.
• Choose a solution that provides a high degree of accuracy to minimize the rate of false positive findings.
• Ensure you select a tool that can scale to accommodate greater frequency of releases.
• Conduct testing on real devices instead of emulators for real-world coverage.
• Focus on achieving consistency in coverage, results and reporting.
• Look for a testing tool that offers detailed remediation instructions to speed resolution.
• Seek a seamless automated mobile app security testing solution that allows an administrator to set it and forget it.
• Tune the solution to uncover important vulnerabilities and fix those first.

By following these tips for selecting a testing tool and integrating it into the CI/CD pipeline, devs teams can reduce mobile app risk while saving time. Finding and fixing flaws earlier in the process will help teams issue ever-faster and frequent mobile app releases while maintaining security, compliance and privacy.

Request a demo to see how NowSecure can help advance DevSecOps in your organization.