How to Deliver on DevSecOps with Automated Mobile AppSec Testing Tools
Posted by Michael Krueger
Before I joined NowSecure, I was a cybersecurity engineer at MITRE, and confident I could do my job well with the collection of open source software (OSS) tools I used every day. After testing the NowSecure automated mobile app security testing tool, it was clear the solution could help my two colleagues and me get out from under the backlog of several thousand mobile apps we needed to assess.
And it did. I was impressed enough that I eventually went to work for NowSecure. Now, here I sit, trying to convince other security professionals of the virtues of DevSecOps and automated security testing for mobile application development.
As a security engineer, my goal is to help security professionals identify the key attributes to look for in an automated security testing tool for mobile apps.
The Role of OSS Tools
First, a word to those like my former self who are sure they can get along just fine with open source tools. Maybe you can, especially if you’re in a smaller company dealing with a limited number of applications, because open source tools such as Drozer, Frida, Mitmproxy and Radare all can perform certain functions in an assessment. As a side note, our own NowSecure security researchers created the popular Frida and Radare tools.
But a commercial penetration testing platform augments open source tools by combining them into an efficient and effective workflow, streamlining how they are used together. A commercial product makes it easier for security analysts to do their work – even those who don’t necessarily have the technical acumen required to work with OSS tools.
Commercial tools take on the burden of care, maintenance and upkeep for the OSS tools, ensuring that each tool works as expected in its larger ecosystem and produces accurate results. The end result, as I learned at MITRE, is you can spend more of your valuable time focusing on the quality of your work and completeness of testing.
Table Stakes for AppSec Testing Teams
Larger, fast-moving organizations with more mature mobile application development need a more advanced approach to security testing that includes at least three attributes.
1. Automation: Chances are, larger, fast-moving organizations are using a DevOps approach to mobile application development, in which case an automated testing tool is a must. Without security automation, it’s nearly impossible to implement any kind of repeatable process that will stand the test of time through changes in staff, technology and toolsets. What’s more, building automated security testing into the DevOps process, and addressing vulnerabilities during that process, will save lots of time as compared to conducting security testing only after an application has been released. You’ll likely find that using this approach, known as DevSecOps, will be a welcome change for both the DevOps and security teams.
2. Flexible reporting: You also need a tool that can deliver reports with different audiences in mind. Developers want technical information on any security vulnerabilities while security teams need information on the overall application risk profile. Executives need all of that same information, but in a high-level, succinct format that enables them to make decisions on resources, budget and overall risk.
3. Manual penetration testing: Automated testing doesn’t take the security engineers out of the equation altogether. Certain types of deep testing – including forensic analysis and data recovery, API analysis, reverse engineering and code analysis – require a deep dive from a security engineer.
Key Purchasing Considerations
When assessing automated mobile security testing tools, the most important attributes to look for are coverage, accuracy, remediation advice and timely updates.
Coverage means the number and types of tests the tool conducts. Many OSS and commercial tools do one thing really well. But for mobile app security testing, you need a tool that can conduct numerous tests that cover the full mobile attack surface. Otherwise, you’re back in the open source conundrum, trying to piece together a slew of tools to get the coverage you need and wasting time and effort.
Accuracy, of course, is paramount. If a tool delivers lots of false positives, you revert to manually checking results, which defeats one of the primary purposes of automation — saving time. When researching any new security tool, security analysts should check the results the tool delivers against their existing way of doing things. It’s good practice to continue to pen test your mobile apps occasionally even after you’ve adopted a new automated tool. Some companies I’ve worked with cross-check results by pen testing with two or three vendors to ensure findings are valid.
A good security automation tool should also provide remediation advice about fixing any issues it uncovers. It should cite a reason for the vulnerability findings, context for where the flaw is located, and options for how to mitigate it — which will be welcomed by the development team.
Finally, the last attribute is the vendor’s ability to issue timely updates to its automation tool to keep up with technological changes, mobile OS updates and new threats as they emerge. Ask prospective vendors about their track record in responding to emerging threats.
NowSecure Keeps It Real
A big differentiator for the NowSecure approach to automated mobile app security testing is that all of our testing is done on real mobile devices, never emulators. While emulators have been around for quite some time, and many in the security community are comfortable with them, the reality is no emulator can accurately mimic any given mobile device with complete confidence. There are just too many variables.
Not coincidentally, we also take pride in the accuracy of our test results. When our dynamic analysis discovers a vulnerability, our test engine attacks it to verify its authenticity. We vet our own results carefully, regularly having our security researchers and subject-matter experts double check our findings to be sure we’re not presenting false positives.
And we do it all quickly, in a matter of minutes – at least 10 times faster than any testing you can do manually. In fact, our automated test engine can be plugged directly into your dev pipeline to enable you to run at DevSecOps speed.
Dive Into DevSecOps
As a security professional, you know the opportunities and challenges working with developers and DevOps teams. While your mission is to protect the organization from security risks, it’s no fun telling a developer that a mobile app can’t be released because of security issues. An automated security testing tool that’s integrated within the DevOps workflow enables you to partner with development and deliver the real value of DevSecOps. By building security into the development process, you can deliver secure mobile applications at DevOps speed.
To learn more about how mobile appsec testing fits into the dev toolchain, download our free guide, “Phased Approach to Securing DevOps for Mobile Apps.”