When it comes to developing a finance app, the mobile product organization is often pulled in two competing directions. While users expect a quick and seamless UX, the team behind the app knows that the finance industry is heavily regulated; keeping user data secure is crucial, but so is managing the customer experience.
Data shows that industry regulations and red tape can significantly slow down the release of new features. And as mobile revenue grows across the finance industry, releasing new features quickly while working through those regulatory bottlenecks becomes increasingly important.
In this article, we’ll go over how to balance UX and security, the concept of DevSecOps, and how to use Bitrise to introduce security checks throughout the development process.
Addressing customer demands: secure, real-time access to banking services
The mobile finance industry is growing rapidly and handling personal finances is becoming more and more mobile. In order to remain competitive in financial services, a highly usable and highly secure app is required.
Customers are demanding new features, faster. According to the initial results of Bitrise’s MODAS survey taken by over 1,500 mobile product teams, most financial app teams take between 31 and 80 days to roll out a new feature to the app store. However, the top-performing teams take less than 14 days to deploy a scoped feature. In order to remain competitive, finance apps need to roll out new features – faster, but equally as secure.
Shifting left: involving security checks earlier and more often
When developing a finance app, involving security checks as early in the development process and as often as possible is of key importance. Finance app developers can’t afford to fix security and compliance issues later. In DevSecOps this is called shifting left: moving security testing toward the left (earlier) end of the delivery pipeline, so that checks run before the stages where security review has historically sat in the development lifecycle.
Adding DevSecOps into your workflows means injecting security into the Mobile CI/CD pipelines at the early stages of the development process. It’s an approach to culture, automation, and platform design that integrates security as a shared responsibility throughout the entire Mobile DevOps lifecycle.
So how can mobile app developers add security checks into the early stages of the Mobile CI/CD pipeline? Thankfully, Bitrise can help with that.
Injecting security into the Mobile CI/CD pipeline
When injecting security checks into DevSecOps practices, the ultimate goal is to automate security testing while maintaining a continuous delivery workflow. As the development team implements security testing, they should explore the following security testing methods:
- Static Application Security Testing (SAST): examines an application's components without executing them, by analyzing the source code either manually or automatically.
- Dynamic Application Security Testing (DAST): examines the application while it is running, exercising the built app to look for vulnerabilities that only appear at runtime.
- Interactive Application Security Testing (IAST): combines SAST and DAST, using software instrumentation (active or passive) to monitor the application as it runs.
Within Bitrise, SAST, DAST, and IAST can all be run automatically as part of the pipeline.
Security automation with Bitrise
Because finance apps must comply with regulations such as GDPR and CCPA, Bitrise offers Steps and Workflows aligned with various application security best practices and guidelines. One such guideline is the OWASP (Open Web Application Security Project) Mobile Top 10, which identifies the ten most common mobile application security vulnerabilities.
Use the following Verified Steps to automate security testing in accordance with OWASP.
AppSweep
The AppSweep Verified Step automates security and compliance checks that are based on OWASP’s resources and best practices for mobile application security. AppSweep is a free Android app security testing tool designed to address mobile security issues and eliminate risks in your code and dependencies as quickly as possible.
When the pipeline is triggered with Bitrise’s AppSweep Verified Step, it will automatically upload your APK files to AppSweep for security scanning. This way, your developers can see the security and vulnerability issues immediately, and they can also easily fix them with the provided recommendations.
Oversecured
The Oversecured Verified Step also follows OWASP best practices. This Verified Step automatically scans each new version of your app so that security vulnerabilities can be fixed at the earliest stages of development. After you upload the APK file, it automatically scans for all known mobile vulnerabilities listed by OWASP, such as arbitrary code execution, theft of arbitrary files, and cross-site scripting.
DexProtector
The DexProtector Verified Step helps protect mobile product organizations against real-time security attacks. This Step builds layers of protection around your app, creating a solid shield for your valuable code and assets. With a secure layer between your app and the operating system, you can protect your app against both static and dynamic attacks.
App-Ray
App-Ray is a fully automated mobile security analysis tool that helps protect your apps and user data from cyber risks. Using the App-Ray Verified Step helps you automatically prevent malicious apps from being installed. It also helps you learn more about the vulnerabilities within your own and within 3rd party applications.
Data Theorem
The Data Theorem Verified Step helps mobile product organizations identify security flaws and gaps in data privacy. Using this Step to analyze the open-source and/or third-party SDKs that your application uses, you can identify security and privacy issues to secure the code within your CI/CD pipeline.
By combining various Steps and Workflows using the Workflow Editor, you can customize your CI/CD workflow to test for the security vulnerabilities that matter to your organization. For example, assume that your development team needs to implement the following CI/CD pipeline to inject the automated security tests:
You would use the Workflow Editor to create the following Bitrise Workflow:
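As an added illustration (not Bitrise’s own configuration or the Workflow shown on the original page), the following bitrise.yml expresses the idea above in code: build the APK, hand it to a security-scanning Verified Step on every pull request, and only reach the deploy step if the scan passed. The `git-clone`, `android-build` and `deploy-to-bitrise-io` steps and the `BITRISE_APK_PATH` variable are standard Bitrise library items; the scanner step ID `appsweep`, its `api_key` and `apk_path` inputs, and the `APPSWEEP_API_KEY` secret name are assumptions to be checked against the Step Library before use.

```yaml
format_version: "11"
default_step_lib_source: https://github.com/bitrise-io/bitrise-steplib.git
project_type: android

# Run the security workflow on every pull request and on pushes to main,
# so findings surface before code is merged (shift left).
trigger_map:
- pull_request_target_branch: "*"
  workflow: security-scan
- push_branch: main
  workflow: security-scan

workflows:
  security-scan:
    steps:
    - git-clone@8: {}
    - android-build@1:
        inputs:
        - variant: debug
        - module: app
    # Upload the freshly built APK for scanning. "appsweep" and its inputs are
    # placeholders (assumption); confirm the real step ID in the Step Library.
    - appsweep:
        title: AppSweep security scan
        is_skippable: false            # a scanner failure must fail the build
        inputs:
        - api_key: $APPSWEEP_API_KEY   # store as a Bitrise Secret, never inline
        - apk_path: $BITRISE_APK_PATH  # exported by android-build above
    # Reached only if every step above succeeded, so nothing ships
    # when the scan reports failures.
    - deploy-to-bitrise-io@2: {}
```

The ordering is the point: the scan sits between build and deploy, and because a failing step stops the Workflow by default, the deploy step never runs on a build the scanner rejected. Marking the scanner step `is_always_run: true` or placing it after deployment would turn the check into a report rather than a gate.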
Conclusion: address security vulnerabilities early and often
As mobile finance continues to grow, customers are looking for new features and innovations and for reliability, and they expect the highest level of security. Adding security checks earlier in the mobile CI/CD pipeline is imperative to the success of your mobile finance application.
Learn more about DevSecOps and how to implement Bitrise security Workflows into your mobile app development process.