A Mobile App Dev’s Guide to ‘Secure by Design’ & ‘Trust but Verify’
Posted by Brian Reed
As mobile app development teams seek to speed the pipeline to deliver high-quality apps faster, providing everyone with a clear roadmap can make the journey more efficient. To simplify work prioritization and better partner with security teams, consider adopting a practical, effective set of principles to achieve your goals: “Secure by Design” and “Trust but Verify.” This pair of best practices enhances collaboration and eases remediation to speed delivery.
Secure by Design Principles
A Secure by Design development approach ensures security is built in by specifying architecture, requirements and knowledge well before a single line of code is written. Forming communities of practice with security enables knowledge sharing and consensus about what security standards to adopt, secure coding skills and how to address issues.
- Adopt best practices for secure coding. The easiest way to create a secure mobile app is to write it securely from the start so you don’t have to come back and fix or rewrite parts later. Seek out opportunities for secure development training to learn how to write bug-free code. Training should include mobile appsec concepts and how to avoid the five most common security issues. (Register for NowSecure Developer Days for free training on the issues above.)
- Strike agreement with appsec about security standards. Agreeing on security standards with the mobile appsec team and other stakeholders up front gets everyone on the same page. This common understanding fosters predictability and reduces friction between dev and sec teams. Most importantly, standards enable devs to code faster and avoid security scope creep by knowing exactly what will be tested and which security bugs need to be fixed. Apply the OWASP MASVS and relevant industry-specific standards such as NIAP, ioXt and more. (Download our guide to OWASP MASVS.)
- Keep threat modeling in mind when designing a mobile app. Familiarize yourself with basic mobile app threat modeling concepts. Understanding what’s risky and what’s not enables you to code at speed based on risk. For example, nobody wants to waste time carefully crafting highly secure code for a public bus schedule app or deeply testing and chasing bug fixes for such low-risk apps. Instead, use threat modeling to identify sensitive data and IP that needs to be protected and focus your efforts there. In addition, strive to minimize the collection, use and transmission of sensitive data in the apps you develop. (Watch this recorded webinar to learn more about mobile threat modeling best practices.)
- Consult security user stories or non-functional requirements up front. Requirements drive the development machine, so be sure that your product managers and product owners generate user stories or non-functional requirements specifically for security, privacy and compliance in parallel with feature requirements. Sample stories for devs might include “As a user, I want to be protected from unintentionally or accidentally sharing personal information” and “As an attacker, I should not be able to access a user’s account number.” These stories might lead to a concrete implementation decision, such as never transmitting bank account numbers from the backend to the mobile app. (Find OWASP resources for writing security stories.)
- Use mobile OS native security APIs and pre-verified libraries. Using preapproved components removes some of the guesswork of mobile app dev. Take advantage of native security APIs like Android Network Security Configuration and iOS App Transport Security. In addition, be sure to properly use TLS and certificate pinning for highly sensitive data. (Consult Google Android security resources and Apple iOS security resources.)
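As an added example that is not part of the original post, here is what the Android Network Security Configuration mentioned above looks like when it is used to disable cleartext traffic, trust only the system CA store in release builds, and pin the backend's public key. The hostname, expiration date and pin values are placeholders, not real values; the file name and manifest attribute are the ones Android documents.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from AndroidManifest.xml via
     <application android:networkSecurityConfig="@xml/network_security_config" ...>
     A weak configuration would set cleartextTrafficPermitted="true" or add
     <certificates src="user" /> to the release trust anchors; both are avoided here. -->
<network-security-config>

    <!-- Default for every host the app talks to: HTTPS only, system CAs only. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Stricter rules for the API that carries sensitive data (placeholder host). -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example.invalid</domain>

        <!-- Each pin is the base64 SHA-256 of a certificate's SubjectPublicKeyInfo.
             Ship a primary pin plus a backup pin for a key held offline, so a key
             rotation does not lock users out. Pinning stops being enforced after
             the expiration date, which is the documented fail-open safety net. -->
        <pin-set expiration="2030-01-01">
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_HASH_PRIMARY=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_HASH_BACKUP=</pin>
        </pin-set>
    </domain-config>

    <!-- Only applies when android:debuggable="true": lets a developer's own CA be
         trusted during local testing without loosening the release configuration. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

To compute a pin for a real certificate, extract its public key and hash it: `openssl x509 -in server.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`. The iOS counterpart, App Transport Security, is configured in Info.plist and enforces TLS by default, so the corresponding check there is that no `NSAllowsArbitraryLoads` exception has crept into the release build.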
Trust but Verify Principles
The maxim ‘Trust but Verify’ refers to the way mobile app security teams operate in partnership with devs and QA. While they have confidence that developers will do the right thing and write secure code, security teams need to perform mobile appsec testing to validate that apps meet the agreed security bar and are free of security and privacy issues. Developers benefit from this security testing because it ensures the quality of releases and reduces the defect escape rate. Identifying security bugs early in the software development lifecycle with fast feedback loops also helps you shrink dwell time and mean time to remediation.
- Embed automated security testing into the pipeline.
Security testing at the end of development leads to surprises that slow or even block releases. Avoid those problems by plugging automated continuous security testing into the dev pipeline and integrating it with your CI/CD and ticketing systems. Automated mobile binary security tests can run in parallel with your UX/functional/integration testing and feed security bug and resolution data into existing tools. With no new tools to learn, you can work in your native environment and maintain velocity. (See these examples of CircleCI, Jenkins and Microsoft Azure integration workflows.)
- Continuously test every build every day against security standards.
When you write new code and tap new third-party libraries daily, you may inadvertently be introducing security bugs. Incrementally testing security every day helps you catch and fix security bugs early in the cycle, increasing overall app quality.
If you write 500 lines of code a day and wait three months to test, that leaves 30,000 lines of code to test. But testing 500 lines of code each day finds bugs earlier so you can fix them faster. Modern automated testing uncovers security, privacy, compliance and app store blockers across the mobile app and APIs, returning highly accurate results in 30 minutes or less. (Learn more about continuous testing in this recorded webinar.)
- Automatically feed security bugs into ticketing systems.
Fast feedback loops enable devs to address issues faster, but manually reviewing security bugs slows the process down. Ensure automated testing software is highly accurate and look for a tool that feeds security bugs directly into ticketing systems so you don’t waste time. Prioritized findings help you focus on fixing the most severe bugs that have the greatest impact, ultimately reducing the defect escape rate and mean time to remediation.
- Ensure tickets embed dev remediation assistance.
Finding security bugs is important, but what matters more is fixing them quickly and in the right priority order. To speed developer resolution, be sure tests offer embedded dev remediation assistance that includes priority, evidence, fix instructions, code samples and links to native iOS docs and Android docs. A well-formed ticket with embedded dev assistance can turn a two-day hunt to find and fix an issue into a few minutes of work, easing the burden for everyone.
- Periodically pen test high-risk apps as needed.
While continuous security testing automation covers many use cases and risk scenarios to speed delivery of secure mobile apps, threat modeling identifies some mobile apps as high risk due to the types of sensitive information they contain. Many mobile appsec programs rely on automated continuous security testing to cover the majority of issues, then add periodic full-scope mobile app pen tests to focus on aspects that require a human. Such pen tests can help validate the quality of your work. (Consult our checklist for choosing an external pen test provider.)
Adopting the ‘Secure by Design’ and ‘Trust but Verify’ principles outlined above benefits development and security teams alike. Wouldn’t you like to achieve the following goals?
- More secure mobile apps
- Fewer release blockers
- Faster innovation and release cycles
- Faster feedback loops
- Faster mean time to remediation
- Reduced defect escape rate
- Reduced friction between development and security teams
- Happier, more productive development and security teams
NowSecure offers a comprehensive suite of automated mobile app security and privacy testing solutions, penetration testing and training services to speed the delivery of secure mobile apps. Get a free mobile app security test today to uncover security, privacy and compliance issues along with dev remediation and code examples to help you fix them.