This week was an interesting and noteworthy one for the app security world because Gartner simultaneously released two key industry reports on July 27, 2020, that reflect the intersection of mobile application security risk and mobile DevSecOps trends.
For more than a decade, we have worked with mobile app security and dev teams to grow their mobile app security programs and have witnessed these trends firsthand. The Gartner key takeaways:
- “Through 2022, mobile application security failures will be the biggest mobile threat for enterprises.” [1]
- “As IT development and operations processes become more agile (including shifts to DevOps operating models), security must not be an afterthought and should be seamlessly integrated into agile development processes — DevSecOps.” [2]
Mobile AppSec Risk Growing, But Easy to Address
Mobile app usage has exploded this year with the pandemic, with downloads up 40% year over year in Q2 alone. However, a glimpse at our Mobile App Security in the News page shows that mobile app security and privacy breaches are also growing significantly. Twice as many breaches have been publicly announced so far this year compared to last year, and we’re only halfway through 2020.
When 85% of mobile apps have security issues and 70% have privacy issues, the mobile security priorities, strategies and processes of mobile app owners, DevOps teams and security teams have to change.
Mobile app security risk has grown so much that Gartner addressed the issue in its new report, “Avoid Mobile Application Security Pitfalls”:
“Mobile application security has become a tangible problem for enterprises. While mobile device security has not been a major source of preoccupation and breaches, mobile application security failures are increasingly responsible for fraud and enterprise breaches. Often, these are public-facing apps that may be the primary or only way an organization is able to interact with its customers or partners. Because they can run on any mobile device, these apps are built to run in a hostile environment, under the control of an attacker. Security and risk management (SRM) leaders must protect mobile applications to enable the organization to advance toward its digital transformation.”
While 70% of all digital time and traffic is spent in mobile apps rather than on the web, most organizations allocate the bulk of their security spend to the web, web apps and even MDM/EMM/MTD. Not dedicating enough resources to safeguarding mobile apps is a mistake, as shown in this infographic that outlines 12 reasons for strengthening mobile appsec.
Adversaries are successfully exploiting this lack of investment in mobile app security. The Gartner report points to mobile app security testing solutions that deliver fast and easy results, and names NowSecure among its list of vendors.
Dedicated to a mission of saving the world from unsafe mobile apps, NowSecure has grown a rigorous mobile forensics and pen testing organization with NowSecure Services, built the world’s first mobile app pen testing toolkit with NowSecure Workstation and brought automated continuous security testing for DevOps pipelines and mobile app supply chains to the cloud with NowSecure Platform. By leveraging a decade of experience in mobile security and pen testing thousands of mobile apps, NowSecure uniquely takes the attacker’s point of view. Our software thoroughly tests mobile apps on real devices (not emulators) by executing a battery of more than 200 mobile app and API security tests for the most comprehensive coverage of the mobile attack surface.
Mobile DevSecOps In the Mainstream
Core organizational initiatives such as digital transformation, performance optimization and cost efficiency compel many organizations to adopt DevOps and DevSecOps. As noted in the Gartner “Hype Cycle for Application Security,” DevSecOps has reached early mainstream maturity, joining technologies such as application security testing suites, software composition analysis, web application firewalls, cloud access security brokers, and full life cycle API management. Within DevSecOps, Gartner has named NowSecure to the list of transformational leaders along with many of our partners, including Contrast Security, Sonatype and Synopsys.
At NowSecure, our most successful customers assemble a toolchain of multiple best-of-breed tools to ensure full coverage of the wide breadth of web and mobile app security risks. Each tool addresses a different set of security risk exposure points and provides efficient, layered protection. This gives mobile development and security teams faster feedback loops and efficient remediation instructions, so they can deliver secure, high-quality mobile apps faster.
NowSecure Platform plugs into the SDLC toolchain and runs autonomously in the background to provide full test coverage of mobile app and API security, privacy and compliance risks with high accuracy. NowSecure integrates directly with leading CI/CD, ticketing and vulnerability management systems. The CI/CD system completes a build and passes the binary to NowSecure for automated testing; NowSecure then generates tickets with priority, context and fix instructions that flow into the ticketing and vulnerability management systems. This continuous security testing approach enables faster feedback loops, faster mean time to repair, and reduced security bug escape rates.
We’ve arrived at the inflection point where mobile app security testing and DevSecOps are coming together in the mainstream, recognized by enterprises and analyst firms like Gartner. Progressive, leading organizations like Allstate, Carfax, Caribou Coffee, Cisco, Uber, the U.S. Air Force and others are already well down this path. Other organizations should take this opportunity to examine their appsec programs (web and mobile), evaluate their mobile app risk exposure, examine their mobile DevSecOps programs and commit to investing in mobile app security to improve organizational performance while reducing risk.
[1] Gartner, “Avoid Mobile Application Security Pitfalls, 2020,” Zumerle, 27 July 2020, ID: G00730988
[2] Gartner, “Hype Cycle for Application Security, 2020,” MacDonald, 27 July 2020, ID: G004482