When you look at the numbers behind the business case for automated mobile app security testing as compared to manual testing, I honestly don’t understand why anyone would stick with the inefficient method. The only explanation I can fathom is that not everyone is privy to the business case, so I’m going to address that right now.
Two key figures spell out the story:
- Automated testing can deliver a tenfold productivity gain for your security personnel.
- An automated testing platform that you can use to test a mobile app multiple times per day, every day, can be had for about 30% less than the cost of a single outsourced penetration test.
In a moment, we’ll look at how we arrive at those numbers. But first, it’s important to understand the difference between web and mobile applications, and thus the limitations of applying web application security and privacy testing methods to mobile apps.
These differences have to do with the fact that mobile apps run on a full operating system on a device the user controls, so the app binary and its runtime data can be extracted and inspected on a compromised (for example rooted or jailbroken) device. Mobile app code also interacts with device memory, files and network connections in a way that web apps don’t. And because commonly used static application security testing (SAST) tools for source code cover less than 25% of the mobile attack surface, mobile apps also require dynamic application security testing (DAST) tools that exercise the running app. Similarly, a penetration test conducted once or twice per year can’t keep up with the pace of mobile app updates, which can occur as frequently as several times per day. (See “Debunking the Top 3 Myths About Mobile Application Security Testing” for more on this topic.)
The Business Case for Automated Testing
Now, on to the business case. As the name implies, with automated mobile application security testing tools, security personnel can perform tests much faster than they can manually. In my experience, a manual pen test takes about two weeks from start to finish to conduct the tests and write a report. Figure a security analyst making about $120,000 per year can conduct about 24 tests per year, about one every two weeks. That puts the cost per test at $5,000 ($120,000/24). And that assumes the analyst does nothing but pen tests all day long, which of course is not likely; it also counts salary only, not benefits and overhead, so the real cost per test is higher.
An automated security testing tool can conduct that same pen test in less than a day. (Actually, it’s not the same test at all; it’s far better, because it covers more ground, but I’m being conservative.) That means the same security analyst can now conduct one test every workday, or about 240 tests per year. At the same $120,000 salary, your cost per test is now $500 ($120,000/240). That is a 10x productivity gain, and probably more in reality, because the analyst now has time to work on things other than pen tests.
Lots of companies don’t conduct pen tests in-house and outsource them instead. Here, the cost difference is even more dramatic. The outsourcing route takes two to four weeks per test and costs $15,000 to $25,000 each. Those costs add up quickly. Back to our 24 tests per year example: at the low-end $15,000 figure, that’s $360,000 per year for a single app, which few organizations can justify.
Getting to DevSecOps
But the math gets really interesting if you plug automated mobile app security testing into the Continuous Integration/Continuous Delivery (CI/CD) toolchain, so that every build is tested before it ships.
Let’s say an automated mobile app security testing tool costs $10,000 per app per year and can be used for unlimited testing of each and every build. For at least 30% less than the cost of a single outsourced pen test at the low-end $15,000 figure, you can now test the app every single business day of the year. In fact, this is exactly how many companies fund automated testing technology purchases: reallocating manual pen testing expenses to realize dramatic savings.
Integrating mobile app security testing into the CI/CD process is a natural fit for organizations adopting DevOps practices to forge a DevSecOps culture. It’s a highly effective way to roll out mobile applications at scale while ensuring security and privacy. To learn more, check out our new white paper, “Building the Business Case for Automated Mobile App Security & Privacy Testing.”