Mobile app developers work at a fervent pace to push out release after release and stay ahead of the competition, so it’s only natural that coding mistakes are often made. The work of the mobile appsec team in finding and fixing vulnerabilities without slowing down developers has never been more important.
However, some organizations are just beginning to build their mobile application security programs or may be seeking to insource a job previously handled by consultants. Based on my experience with hundreds of successful NowSecure customers, I’d like to share some lessons learned in staffing a strong mobile appsec team. It all starts with identifying the right blend of skills from mobile application security professionals and extends to the right tools, training and processes.
Most application security teams include a manager, security engineers or security analysts and one or more software developers to write scripts or review code. Regardless of role, something unusual about mobile app security talent is the rarity of finding a single person that embodies all the skills needed to cover the entire mobile attack surface. The hard-fought competition for skilled cybersecurity personnel presents another challenge.
Required Mobile AppSec Skills
An effective mobile application security testing staff needs a combination of information security and application development skills. Seek professionals with expertise covering these aspects of the mobile app attack surface in order to effectively reduce risk:
- Mobile forensics and data recovery: Knowledge to forensically examine data at rest to ensure apps do not store sensitive data insecurely on the device.
- Network security and web services/API testing: Evaluate whether apps properly encrypt the data sent to various endpoints. Vulnerabilities classified as high and critical severity according to the Common Vulnerability Scoring System (CVSS) stem from failures to protect data in transit.
- Server-side penetration testing: Diagnose the insecure access and storage of sensitive data on the backend.
- Reverse engineering and code analysis: Identify weaknesses in code that are vulnerable to exploit.
- Cryptography: Understand the use of cryptographic keys in mobile apps and how to secure them.
- Threat modeling: Identify threats and gauge risk; strategize to balance risk with resources.
It’s also important to hire or cultivate soft skills in your team. For example, mobile security engineers and analysts will need to communicate with developers and other stakeholders. Look for written and oral communication, a history of teamwork, collaboration skills, comfort with decision making and an analytical mindset or capabilities.
Mobile AppSec Staff Size
The size of your team will vary depending on the number of apps that need testing and the type and complexity of the security tools you use. The ideal team will boast a mixture of skill sets as described above and include people of varying experience. Count on entry-level security analysts to handle some aspects of initial testing and pass their findings on to a more experienced analyst or engineer. More experienced analysts can then focus their time and energy on the areas that require their expert knowledge.
A small team might consist of one or two mobile app security analysts responsible for testing one to 10 applications each year, along with bug fixes, feature additions, minor releases, or major updates for those apps. Analysts on smaller teams don’t typically test mobile apps full time. It’s usually only a subset of their overall job responsibilities.
This arrangement can help a new analyst gain experience and grow into his or her role.
Medium teams tend to have three to four mobile app security analysts. This group handles organization-critical apps that require testing at each and every build, which could occur daily.
And a larger team typically includes at least five mobile app security analysts that continually test numerous mobile apps and updates on a regular basis. Typically, this team’s sole responsibility is app testing because the organization develops a large volume of apps that they release or update frequently.
To make the case for more staff, demonstrate the gap between current abilities and the number of apps the team needs to secure. In-house staff tend to cost less than external consultants and can work closely with developers to find and remediate vulnerabilities. But no matter how large your mobile appsec team is, one universal truth is it will be outnumbered by developers with a 100 to 1 ratio of devs to application security personnel.
As you build out your mobile application security program, start small. Begin by testing mission-critical apps and address the most severe vulnerabilities. As the program and staffing grows, expand the scope to cover the entire app environment.
Mobile AppSec Tools of the Trade
A combination of open-source application security testing tools may suffice for small teams if the group has expertise in the areas described above and it only has a few mobile apps to test periodically. However, OSS tools can be problematic if the team already faces a backlog of apps to evaluate. Manually setting up different testing environments, troubleshooting, and compiling results from multiple tools into one handwritten report consume precious hours of a small security team’s already limited time.
One way to scale to handle larger workloads without adding additional staff members is to automate mobile application security testing. Larger teams that struggle to cope with a hefty testing backlog and pressure from the organization to go faster should deploy automated mobile appsec testing tools in the SDLC toolchain to gain speed and coverage. This frees security analysts up to focus the bulk of their time on areas that require more in-depth manual analysis and to train and advise developers.
Synchronize with DevOps
When you launch a mobile app security testing program, it’s imperative to establish buy-in and cross-team collaboration with DevOps. Begin by reminding developers, the DevOps team and yourself that you’re all on the same team in pursuit of the same organization goals. The apps the team develops generate revenue, increase the organization’s productivity, and contribute to organization objectives in any number of ways. The security team contributes by protecting these valuable assets and eliminating mobile app security risks that can cost the organization millions.
Smart tactics include training developers about app security and assigning devs to perform code audits to help hone their craft. Look for security testing tools that provide remediation details and test early and often.
Once you introduce testing into the software development lifecycle, work to achieve DevSecOps through full automated testing integrated into your CD/CD build system. Leverage the build process and hook testing into commits. The sooner developers get feedback, the better.
As you establish and staff your mobile appsec testing program, consult our ebook for helpful advice. And if you find your organization stuck, feel free to reach out to our professional services team for expert insight about staffing your team from the ground up.