Manual penetration tests occupy a valuable role in the appsec world. Human pen testers put mobile apps through their paces in real-world operating conditions to uncover security, privacy and compliance flaws. But while we recommend periodic in-depth pen tests for high-risk apps that run organization-critical processes or access sensitive information, this practice doesn’t scale well for DevOps teams.
Mobile app penetration testing requires intensive amounts of human labor that simply can’t keep pace with the volume, velocity and frequency of DevOps releases. That’s why most mature appsec programs use penetration tests as part of a balanced breakfast. For web app development teams, this means pairing periodic pen tests of critical apps with a wide range of automated testing for security bugs.
This balanced approach often breaks down in the mobile development world, however. Because mobile apps run on devices in the wild, they need more complete testing in live environments to uncover the majority of the risks posed by mobile apps. Static scanning performs poorly on mobile apps because it generates a plethora of false positives. Meanwhile, automated dynamic application security testing (DAST) has been a missing link in the mobile app dev toolchain. With no automated alternative to static testing, many organizations relied almost solely on manual penetration testing to secure their mobile apps.
Here’s a back-of-the-envelope calculation that shows why this approach cannot sustain an enterprise mobile appsec program. NowSecure works with a range of large financial institutions to help them bolster their mobile DevSecOps practices and strengthen their mobile appsec maturity. An appsec leader at a large financial services provider explained that his company employs nearly 10,000 developers who work in tandem on some 3,000 web apps and 200 mobile apps. Meanwhile, the security team comprises only 20 people. No amount of wizardry can enable these staffers to uncover all of the risks in the mobile app portfolio through manual penetration tests.
The executive came to the realization that if his team performed a manual pen test on every app, as it had been attempting to do, it would always lag behind because each test takes several days or weeks. Instead, the organization automates as much as possible and embeds analysts within development teams. For mobile apps, that meant bolstering the company’s mobile DevSecOps practices by looking beyond traditional tools and seeking out a solution that could deftly automate mobile app security testing within the DevOps pipeline.
The team didn’t give up on pen testing for mobile apps but instead found a place for it within its mobile DevSecOps model that made sense for its risk appetite. Now it targets manual penetration testing at ‘green dollar’ apps — the critical ones that generate revenue for the organization — and leaves automated tools to catch problems in less critical apps.
This kind of discipline and planning doesn’t have to be the sole domain of large financial companies. Many organizations today can benefit from developing a strong mobile DevSecOps toolchain to support a mobile software development lifecycle that delivers mobile apps quickly and securely. To learn more best practices for getting started, check out our “The Ultimate Guide to Establishing an Effective Mobile DevSecOps Toolchain” ebook.