Held over two days in mid-November, the NowSecure Connect 2021 virtual conference assembled hundreds of mobile application security and mobile DevSecOps directors and practitioners for industry insights, discussions, in-depth training and peer-to-peer interaction. Event registrants can watch NowSecure Connect 2021 sessions on demand for free.
Attendees included C-level executives, directors, managers, architects, engineers, analysts, developers and consultants in a wide range of industries including finance, healthcare, retail, government, technology, energy/utilities, manufacturing, entertainment and education. NowSecure customers and guests gained insights from mobile AppSec and DevSecOps speakers representing organizations such as AWS, BugCrowd, the Department of Defense, Department of Justice, GitHub, Google, IBM, iRobot, OWASP, Sonatype and the Walt Disney Co., among others. In addition, NowSecure executives, researchers and analysts offered advice, observations and expert training.
What follows are a few highlights from the more than 30 NowSecure Connect 2021 sessions covering all things mobile AppSec and DevSecOps.
- NowSecure CEO Alan Snyder welcomed virtual conference attendees to the company’s flagship virtual community event. Citing improvements to NowSecure Platform cloud-based automated mobile appsec testing, Snyder said the company added value by making the findings better and more usable so developers can remediate issues significantly faster. “We understand that it’s not enough to find things,” said Snyder. “We also have to fix them very quickly.” In addition, Snyder noted NowSecure focuses on integrating with the tools developers and security analysts already use to avoid interrupting workflows. For example, a new NowSecure Action for GitHub enables developers to test directly inside GitHub for developer-first security.
- Emily Freeman, principal of DevOps Solutions at AWS, author of DevOps for Dummies and curator of “97 Things Every Cloud Engineer Should Know,” delivered an inspiring keynote about revolutionizing the software development lifecycle. “I believe the SDLC is an artifact of a previous era and I think we should throw it away,” she said. After all, the SDLC predates color television and the touch-tone telephone.
Freeman proposed a new model of modern software development that scraps a linear process for one that captures the multi-threaded, non-sequential nature of our work.
The model elevates cybersecurity to a first-class citizen and balances the desire for speed with the need to mitigate risk by democratizing accountability for security. “It’s really critical that engineers who take on the role of developer and the people who are knowledgeable in security work together to overcome [OWASP MASVS] challenges and areas of security vulnerabilities,” Freeman said. “Neither group can possibly do this alone.” She recommended educating each other in secure coding techniques through resources such as NowSecure Academy and investing in automated security testing and interoperability across services and systems.
- NowSecure Research Director Dawn Isabel moderated a ‘Hack to the Future’ discussion featuring hacker extraordinaires Jasmine Jackson of the Walt Disney Co., Lisa Jiggetts of the Women’s Society of Cyberjutsu and Dr. Katie Paxton-Fear of BugCrowd. All panelists shared interest in exploring automotive IoT from an offensive security mindset. “Definitely automotive,” Jiggetts responded. “That’s just exciting for a lot of security folks like ‘I can hack a car and make it drive from my computer?!’ ” Paxton-Fear added that she can’t drive but likes the idea of hacking autos and even airplanes because they are big things.
- Chris Lockard, a senior application security engineer for iRobot, revealed in a DevSecOps fireside chat that millions of customers interact with the consumer tech company’s Internet of Things devices solely through the mobile app. An ever-growing team of developers focuses on all aspects of mobile but the product security team doesn’t come close to matching them in numbers, Lockard said.
As a result, Lockard said automated mobile AppSec testing directly in the CI/CD pipeline ranks as critically important in identifying and remediating mobile application security issues prior to release. “NowSecure has been very helpful to allow us to not only automate the process of scanning on a recurring basis, but also rapidly turning around results in a short amount of time,” he said. “It saves me time I don’t have.”
- Carlos Holguera of NowSecure and Sven Schleier of F-Secure, co-leaders of the OWASP Mobile Application Security Project, offered a sneak peek into the group’s ongoing work to more closely align its two complementary resources, the Mobile Application Security Verification Standard (MASVS) and the Mobile Security Testing Guide (MSTG, being renamed the Mobile Application Security Testing Guide, MASTG). MASVS defines the security requirements a mobile app should meet, and the testing guide is a comprehensive manual for verifying those requirements through mobile AppSec testing and reverse engineering. Over the coming months, the project plans to combine MASVS and MASTG into an automated checklist for use in mobile app development and pen testing, and to embark on the significant work of refactoring the MASVS requirements. The duo shared a preview of a new cover design for the resources that reflects their complementary nature.
- Jose Palafox, director of organization development at GitHub, joined NowSecure Connect 2021 to debut the new NowSecure Mobile Security Action. This GitHub Action empowers developers to kick off assessments and consume results directly from their GitHub Workflows. “There’s just a gap in mobile coverage in the industry and mobile needs to be addressed more directly,” Palafox said. “So we are super excited about this partnership with NowSecure and its heavy emphasis on mobile SAST and DAST.” GitHub Advanced Security and NowSecure customers can use this new action to plug the mobile security gaps in their enterprises. Reach out to us for more details.
- Mike McHugh, a software engineer for the U.S. Department of Justice, shared his agency’s experience in reducing third-party supply chain risk in a panel about federal government mobile app vetting. “The biggest turning point or evolution, if you will, in our program was integrating our application assessment solution with our mobile device management,” said McHugh. “We get near real-time application security assessments on every app we have running in our environment and we can identify the different deltas from when that app was approved, has it gotten worse, has it gotten better or does it need further investigation.”
McHugh’s key takeaways for risk management come down to best practices and training. “Get out in front of issues proactively so you don’t have to pull the plug on projects down the line,” he recommends. “Train the end user whether it be the development team with NowSecure Academy or just the user of your endpoints.”
- John Mutter, chief architect of the worldwide mobile practice for IBM, explained that the applications his company builds on behalf of clients must reach the highest echelon of maturity and security. “It has to be the absolute best,” he said. To achieve that, IBM uses continuous integration/continuous delivery (CI/CD) and relies on NowSecure Platform to ensure the security of those mobile apps. “I’ve come to look at NowSecure as my spellcheck for mobile security,” said Mutter.
Registrants can catch up on all the thought leadership and training that they missed at NowSecure Connect 2021 by viewing the recordings. Contact us for more information about NowSecure solutions for mobile application security, DevSecOps, mobile app penetration tests, supply-chain risk monitoring and security and developer upskilling.