
How to Deliver on DevSecOps with Automated Mobile AppSec Testing Tools

Posted by Michael Krueger, Director of Application Security
As a mobile security analyst, Michael helps NowSecure customers design and implement mobile app security solutions and assess the security of their apps. Previously, Michael was Senior Cyber Security Engineer at MITRE specializing in digital forensics, vulnerability assessment, and reverse-engineering. At MITRE, Michael helped multiple organizations build and maintain mobile app security programs through the evaluation and selection of tools, performing deep technical testing, and coordinating across multiple teams of engineers. As a result, he's an invaluable resource to NowSecure customers as they confront and overcome mobile app security challenges.

Before I joined NowSecure, I was a cybersecurity engineer at MITRE, and confident I could do my job well with the collection of open source software (OSS) tools I used every day. After testing the NowSecure automated mobile app security testing tool, it was clear the solution could help my two colleagues and me get out from under the backlog of several thousand mobile apps we needed to assess.

And it did. I was impressed enough that I eventually went to work for NowSecure. Now, here I sit, trying to convince other security professionals of the virtues of DevSecOps and automated security testing for mobile application development.

As a security engineer, my goal is to help security professionals identify the key attributes to look for in an automated security testing tool for mobile apps.

The Role of OSS Tools

First, a word to those like my former self who are sure they can get along just fine with open source tools. Maybe you can, especially if you’re in a smaller company dealing with a limited number of applications, because open source tools such as Drozer, Frida, Mitmproxy and Radare all can perform certain functions in an assessment. As a side note, our own NowSecure security researchers created the popular Frida and Radare tools.

But a commercial penetration testing platform augments open source tools by combining them into an efficient and effective workflow, streamlining how they are used together. A commercial product makes it easier for security analysts to do their work – even those who don’t necessarily have the technical acumen required to work with OSS tools.

Commercial tools take on the burden of care, maintenance and upkeep for the OSS tools, ensuring that each tool works as expected in its larger ecosystem and produces accurate results. The end result, as I learned at MITRE, is you can spend more of your valuable time focusing on the quality of your work and completeness of testing.

Table Stakes for AppSec Testing Teams

Larger, fast-moving organizations with more mature mobile application development need a more advanced approach to security testing that includes at least three attributes.

1. Automation: Chances are, larger, fast-moving organizations are using a DevOps approach to mobile application development, in which case an automated testing tool is a must. Without security automation, it’s nearly impossible to implement any kind of repeatable process that will stand the test of time through changes in staff, technology and toolsets. What’s more, building automated security testing into the DevOps process, and addressing vulnerabilities during that process, will save lots of time compared to conducting security testing only after an application has been released. You’ll likely find that using this approach, known as DevSecOps, will be a welcome change for both the DevOps and security teams.

2. Flexible reporting: You also need a tool that can deliver reports with different audiences in mind. Developers want technical information on any security vulnerabilities while security teams need information on the overall application risk profile. Executives need all of that same information, but in a high-level, succinct format that enables them to make decisions on resources, budget and overall risk.

3. Manual penetration testing: Automated testing doesn’t take the security engineers out of the equation altogether. Certain types of deep testing – including forensic analysis and data recovery, API analysis, reverse engineering and code analysis – require a deep dive from a security engineer.

Key Purchasing Considerations

When assessing automated mobile security testing tools, the most important attributes to look for are coverage, accuracy, remediation advice and timely updates.

Coverage means the number and types of tests the tool conducts. Many OSS and commercial tools do one thing really well. But for mobile app security testing, you need a tool that can conduct numerous tests that cover the full mobile attack surface. Otherwise, you’re back in the open source conundrum, trying to piece together a slew of tools to get the coverage you need and wasting time and effort.

Accuracy, of course, is paramount. If a tool delivers lots of false positives, you revert to manually checking results, which defeats one of the primary purposes of automation — saving time. When researching any new security tool, security analysts should check the results the tool delivers against their existing way of doing things. It’s good practice to continue to pen test your mobile apps occasionally even after you’ve adopted a new automated tool. Some companies I’ve worked with cross-check results by pen testing with two or three vendors to ensure findings are valid.

A good security automation tool should also provide remediation advice about fixing any issues it uncovers. It should cite a reason for the vulnerability findings, context for where the flaw is located, and options for how to mitigate it — which will be welcomed by the development team.

Finally, consider the vendor’s ability to issue timely updates to its automation tool to keep up with technological changes, mobile OS updates and new threats as they emerge. Ask prospective vendors about their track record in responding to emerging threats.

NowSecure Keeps It Real

A big differentiator for the NowSecure approach to automated mobile app security testing is that all of our testing is done on real mobile devices, never emulators. While emulators have been around for quite some time, and many in the security community are comfortable with them, the reality is no emulator can accurately mimic any given mobile device with complete confidence. There are just too many variables.

Not coincidentally, we also take pride in the accuracy of our test results. When our dynamic analysis discovers a vulnerability, our test engine attacks it to verify its authenticity. We vet our own results carefully, regularly having our security researchers and subject-matter experts double check our findings to be sure we’re not presenting false positives.

And we do it all quickly, in a matter of minutes – at least 10 times faster than any testing you can do manually. In fact, our automated test engine can be plugged directly into your dev pipeline to enable you to run at DevSecOps speed.

Dive Into DevSecOps

As a security professional, you know the opportunities and challenges working with developers and DevOps teams. While your mission is to protect the organization from security risks, it’s no fun telling a developer that a mobile app can’t be released because of security issues. An automated security testing tool that’s integrated within the DevOps workflow enables you to partner with development and deliver the real value of DevSecOps. By building security into the development process, you can deliver secure mobile applications at DevOps speed.

To learn more about how mobile appsec testing fits into the dev toolchain, download our free guide, “Phased Approach to Securing DevOps for Mobile Apps.”