Updated on July 6, 2022
Facing tight delivery deadlines and high expectations from the organization, mobile app development teams rely on DevOps tools and GitHub repos to ship mobile apps faster. Today’s teams want developer-first, integrated security in the software development pipeline to deliver high-quality releases on time and avoid vulnerable software dependencies to safeguard the software supply chain.
To that end, NowSecure and GitHub, the world’s leading code development platform, teamed up to integrate two key security capabilities directly inside GitHub workflows for developer-first security. NowSecure delivered the NowSecure GitHub Action for Mobile App Analysis, the first automated dynamic mobile app security testing solution integrated into GitHub Advanced Security’s code scanning interface. In addition, the NowSecure and GitHub duo recently debuted the NowSecure GitHub Action for Mobile SBOM to support Software Bill of Materials (SBOM) generation into GitHub Dependabot. Available in the GitHub marketplace, these two actions drive DevSecOps and reduce the risk of outdated or insecure software dependencies.
GitHub is the leading software development platform for more than 83 million developers. The NowSecure partnership with GitHub brings developer-first mobile app security analysis through GitHub Actions to enable millions of Android and iOS developers to quickly raise the bar on mobile app security.
NowSecure GitHub Action for Mobile App Analysis
NowSecure delivers fast, automated, and accurate security analysis that can now be configured to run on every code commit with the NowSecure GitHub Action for mobile application security testing. This NowSecure GitHub Action for Mobile App Analysis tests iOS or Android mobile apps written in any language or with any framework, and feeds security issues back directly to the GitHub Security tab. You and your dev team will be able to configure this action to run in your existing workflows and view results as code scanning alert tickets which will include details such as severity, priority, evidence, remediation instructions, code examples and links to Apple iOS and Google Android developer documentation.
Using the NowSecure GitHub Action for Mobile App Analysis, you can test security and privacy on each and every commit, or you can configure it to run continuously during every build. After you receive GitHub code scanning alerts directly in your workflow, you can remediate the finding using the detail provided, identify the commit that introduced the issue and resolve it, or dismiss a finding as “Won’t Fix” to mark the finding as closed in this and future reports. If a pull request includes a new error, the NowSecure Action that runs build and scan on the commit will ultimately fail the build. As a reviewer, you can inspect the files changed to identify where the security issue was introduced and find more detail about the issue itself to resolve it quickly.
Including frequent security checks in your daily development workflows enables development teams to find and fix security issues faster to deliver on time and avoid late-stage release blockers. As a result, teams can speed mobile app delivery to meet the needs of the organization while driving continuous improvement. This integration into GitHub also enables teams to effectively scale secure development programs to reduce both release and security risk. Using NowSecure and GitHub Advanced Security empowers organizations to automate more, deliver faster, and continuously improve.
The NowSecure GitHub Action for Mobile SBOM dynamically generates mobile SBOMs and feeds them into GitHub Dependabot to help developers ensure they are using the latest, safe versions of software component libraries, third-party libraries and frameworks as they build mobile apps.
The NowSecure GitHub Action for Mobile SBOM generates component detail for visibility into the libraries/frameworks included in all mobile apps, identifying direct and transitive dependencies, pinpointing libraries/frameworks that are using older versions, identifying components that remain but may have previously been specified for removal, and uncovering component license details.
“The NowSecure GitHub Action for Mobile SBOM populates the GitHub Dependency Graph with mobile data so that in the future GitHub Dependabot alerts can update dependencies to the latest and more secure versions of libraries in mobile apps,” said NowSecure CTO David Weinstein. “Furthermore, comparing SBOMs and dependencies from different versions of a mobile app provides insight into changes made by the developer over time that may require further analysis or help identify technical debt. Overall, we’ve been very impressed with GitHub’s implementation, enabling third-parties to extend the Dependency Graph and Dependabot to support new ecosystems like mobile.”
The NowSecure GitHub Action for Mobile SBOM is now available in an early access program, and GitHub developers and security teams can register for their free NowSecure GitHub Action for Mobile SBOM today. This can be used in conjunction with the NowSecure GitHub Action for Mobile Analysis, which provides automated static and dynamic security testing for mobile applications. Both actions require a NowSecure Platform license for production use. Together NowSecure and GitHub are delivering a full suite of mobile app security solutions inside GitHub workflows to speed developer productivity and high-quality mobile app releases.
In order to utilize the NowSecure Action you must be a NowSecure customer. The action requires both a NowSecure Platform token and a NowSecure Platform Group ID. If you’d like to learn more or see the new Action in action, read our announcement or reach out to the NowSecure team.