Developers want fast pipelines and easy security. Security teams want to protect the business. Together both teams want to deliver high-quality mobile apps on time that support the business and excite mobile users. Teams can achieve these goals together by applying a Mobile DevSecOps Blueprint that leverages Bitrise and NowSecure in your toolchain.
Facing pressure to add more features and hit aggressive release targets, teams may gloss over mobile app security.
But prioritizing speed over quality throughout the pipeline often leads to serious consequences. Left undetected, security and privacy weaknesses can enable attackers to steal confidential data, put users at risk, violate compliance regulations, or damage the business.
The mobile app security and privacy failures of 2022 highlight what can go wrong when issues escape into the wild:
- In December 2022, security issues in the MyHyundai and MyGenesis mobile apps allowed security researchers to remotely lock, unlock, start, and stop post-2012 vehicles.
- In June 2022, Canadian government officials concluded that the Tim Hortons mobile app collected vast amounts of personal data without users’ consent.
- In January 2022, My2022, the mandatory Olympic Games mobile app for attendees, failed to validate SSL certificates and included an encryption flaw that exposed sensitive health and travel data.
Mobile devs might not realize how easily they can build mobile apps fast with a “secure-by-design” development model. By following the core ideas of the Mobile DevSecOps Framework, organizations can quickly release high-quality mobile apps and updates that simultaneously build in the necessary security and privacy.
Implementing the Mobile DevSecOps Blueprint
As explained in the recent joint Bitrise and NowSecure webinar, mobile app dev and security teams should implement the following Mobile DevSecOps Blueprint to easily build security and quality into their pipelines:
Establish Mobile Policy via Standards for Optimization: When building a mobile app, devs must begin with the end in mind. Development and security teams should establish a standard policy before the project starts to ensure everyone stays on the same page. This includes creating an SLA for architects, coding guidelines for developers, and requirements like the Open Web Application Security Project (OWASP) Mobile Application Security Verification Standard (MASVS) for security teams. Teams can automatically enable and enforce pre-defined rules using a policy engine. An ideal security policy assigns prioritization levels to issues, such as P0 (dev must fix), P1 (dev and sec to review), and P2 (routed to the backlog for review and consideration), which lets devs map out their work. By creating a plan early in the life cycle, teams can significantly reduce issues and miscommunication further down the road.
Mobile AppSec Training for Continuous Improvement: Proactive and reactive training can be one of the most effective techniques for quickly and cost-effectively improving dev quality throughout the pipeline. With online courseware like NowSecure Academy, devs can learn the ins and outs of building and testing mobile apps with security in mind. Available courses include secure coding techniques, common mobile app vulnerabilities, proper use of crypto, and proper data storage.
Craft Mobile Security-Specific Requirements: High-quality, effective mobile apps start with comprehensive requirements from key stakeholders. Similar to establishing a standards policy, security requirements help teams clearly understand how the mobile app handles key security and privacy items like authentication and authorization or how it uses, stores and transmits sensitive data. Examples include implementing multi-factor authentication, enforcing data encryption over the network, and proper data storage techniques.
Facilitate Secure Mobile Code Development: Third-party code helps dev teams save significant amounts of time and energy on basic functions and features for their mobile apps. This allows devs to dedicate their time to crafting innovative and unique features that make their app stand out from competitors. However, third-party code often includes major security issues. To reduce the risks of third-party code, dev teams should establish a secure code development strategy. This includes approving third-party libraries for use, scanning library repositories for critical updates, and using software bills of materials (SBOMs) to analyze dependencies and provide greater transparency into the makeup of the mobile app.
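As an added example (not code from the article, Bitrise or NowSecure), the following script checks a constructed CycloneDX-style SBOM against an assumed approved-library list and routes each violation into the P0/P1 triage levels described under the policy step above; the library names, versions and the P0/P1 assignments are sample data chosen for illustration.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM fragment for an Android build (sample data, not a real app).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "okhttp", "version": "4.9.0",
     "purl": "pkg:maven/com.squareup.okhttp3/okhttp@4.9.0"},
    {"type": "library", "name": "gson", "version": "2.10.1",
     "purl": "pkg:maven/com.google.code.gson/gson@2.10.1?type=jar"},
    {"type": "library", "name": "some-analytics-sdk", "version": "1.2.0",
     "purl": "pkg:maven/com.example.analytics/some-analytics-sdk@1.2.0"}
  ]
}
"""

# Assumed approved-library policy: purl without version -> minimum approved version.
APPROVED = {
    "pkg:maven/com.squareup.okhttp3/okhttp": "4.10.0",
    "pkg:maven/com.google.code.gson/gson": "2.8.9",
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Compare on the numeric components only; suffixes like '-rc1' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def triage_sbom(sbom_json: str, approved: Dict[str, str]) -> List[dict]:
    """Return one finding per component that violates the policy, tagged P0 or P1."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        base, _, rest = comp.get("purl", "").partition("@")
        version = rest.split("?", 1)[0]  # drop purl qualifiers such as ?type=jar
        if base not in approved:
            findings.append({"component": comp["name"], "priority": "P1",
                             "reason": "not on approved list; dev and sec to review"})
        elif parse_version(version) < parse_version(approved[base]):
            findings.append({"component": comp["name"], "priority": "P0",
                             "reason": f"{version} is below approved minimum {approved[base]}"})
    return findings

def gate(findings: List[dict]) -> bool:
    """Build gate: any P0 finding blocks the build; P1 findings only open a review."""
    return not any(f["priority"] == "P0" for f in findings)

if __name__ == "__main__":
    results = triage_sbom(SBOM_JSON, APPROVED)
    for f in results:
        print(f["priority"], f["component"], f["reason"])
    print("build allowed:", gate(results))
```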
Automate AppSec Testing for Continuous Security: Testing code for security and privacy issues reduces the chance of issues escaping into the wild. Traditionally, mobile application security testing gets pushed to the end of the pipeline, just before the mobile app launches. This inevitably leads to release delays: first to complete the manual security testing, and then because devs have to spend time and resources correcting any issues the security tests uncover. Instead of manually testing at a fixed point late in the dev lifecycle, teams can deploy automation directly into their CI/CD platform to security test mobile binaries every build, every day, ensuring security and privacy throughout the lifecycle. Note that while automated security testing in the pipeline can find security and privacy issues, it can also identify release blockers that might cause the Apple App Store or Google Play Store to reject an app submission.
Embed Dev Remediation for Faster Repair: All the automated mobile app testing in the world means nothing if devs don’t know how to fix the issues they uncover. When devs learn about critical issues they need to fix, they often waste valuable time searching through Google and Stack Overflow to find the answers to their questions. Instead, teams can use testing tools that embed remediation information into the ticketing system alongside the security issue itself so they have all the details they need to fix the issue. This includes remediation instructions, code samples, training resources, and links to iOS and Android developer documentation. With this information, devs can quickly understand and fix the issues at hand and write better code in the future.
Run Periodic Guided Testing and Pen Testing: Automation can cover 100% of a low-risk mobile app and anywhere from 80% to 90% of the security testing required for a high-risk mobile app, but some areas may still require human intervention. Automation has limits and cannot test specific security measures like CAPTCHA and multi-factor authentication. However, NowSecure Guided Testing can offer devs the best of both worlds: the power of automation with a human touch. Like a quick pen test, guided testing allows teams to take advantage of continuous automated security testing of every build, every day, with the added support of a professional security analyst who periodically tests the parts of the mobile app that automation can't cover.
Perform Final Battery of Pre-Release Pen Testing: Security teams must make sure that security testing runs throughout the entire pipeline, but that doesn't mean eliminating pre-release pen testing for high-risk apps that contain sensitive IP or sensitive data requiring maximum protection. In some cases your industry might require independent third-party pen testing validation or certification. Developers of Android apps might also want to add an independent security verification for their Google Play Data Safety section declarations.
Monitor Production App Store for Continuous Security: Even if a mobile app gets built securely through the entire development lifecycle, issues can always arise later. Undetected issues can show up days, weeks or months after a release. Devs and security analysts must continuously monitor their mobile apps in production, and each update pushed to the app stores, to verify their functionality and watch for any known issues.
Integrating the NowSecure platform with your Bitrise workflows
To ensure success, dev and security teams should integrate their Bitrise CI/CD with the NowSecure Platform for a fully automated mobile app pipeline that runs at the speed and quality modern mobile teams demand. Devs get to use their familiar tools and workflows as they crank out code with the security and privacy they need built in. Security teams get the confidence that the most important security issues are identified and remediated before release.
This Mobile DevSecOps Blueprint outlines a full set of capabilities to drive optimal performance. Each organization can pick and choose what works for them, adopting those that matter most in whatever order works best for their organization. Whether devs decide to use one or all of these strategies, they will immediately improve the speed of their release cycles and reduce security issues. Using the DevSecOps blueprint helps ensure security stays in focus throughout the mobile AppSec pipeline, so organizations can deliver quality mobile apps to their users.
Learn more about how to drive quality in mobile app development by watching the NowSecure/Bitrise joint webinar “How to build secure mobile apps effectively with DevSecOps”. Devs can also book a demo to test and explore the benefits of NowSecure Platform for their DevSecOps strategy.