Brian Reed, chief mobility officer for NowSecure and longtime All Day DevOps speaker, showed us how we can apply DevSecOps to mobile application development—not only for small mobile apps, but for apps that could have zillions (OK, maybe millions) of users.
Mobile now dominates all time spent on digital platforms. I can start my car with an app. I can measure my temperature and health with a watch. There is an amazing amount of things we can do with mobile today. COVID-19 accelerated this even further. And one trend we see emerging is the multiscreen experience. We may use our desktop to tackle some of our tasks and then quickly switch to our phones to finish it.
Of course, as more software has gone mobile, so have the bad guys.
85% of mobile apps have security risks. The exposure to malicious intent is potentially larger than ever before. This brings some issues:
- Depth of security testing
- Lack of automation and integration
How well teams tackle this risk depends on their testing strategy. In many cases, teams are achieving only 20% risk coverage because they focus on static testing.
The Journey of Mobile Security
There is a trend for companies to go through a sort of journey.
They often start by making manual security programs, and then they eventually scale these out, finding opportunities to automate parts of it. At the peak, development teams can self-serve the tooling and automation they need to provide mobile security to their application.
One example of a company that went through this journey is Uber. They went hardcore on microservices and rely heavily on automating everything in their pipeline. Another example is McDonald’s: They went through a $6 billion digital transformation. Many of their stores are franchised. And stores can choose what they want to sell. Not all stores offer the same menu. The McDonald’s mobile experience lets franchisees manage their menus and tackle other tasks easily.
Tip 1: We’re All in this Together!
A commonality across the success stories of many companies is that they built a common culture of security. Key principles were secure by design and trust by design.
The ultimate shift left is in the mind of the developer. This requires focused training programs and inspiring your teams. You want to place strong security advocates on your teams. One program could be teaching standards like OWASP mobile top 10 list.
Tip 2: Web and Mobile are Fundamentally Different
The next tip calls out that the architectures of web and mobile applications are very different. Nobody goes to school to be a mobile developer. Teachings typically focus on how web applications work. Most people envision applications as living behind a “glass wall”—i.e., being on a server gives layers of protection: firewalls, cloud services, etc.
With mobile apps, most of your logic often lives on the mobile device, which makes it easy for an attacker to survey and attack it. For example, you need to manage your own certificates, write your own security code, and so on. This mobile attack surface needs to be better understood by developers.
Tip 3: Leverage the OWASP Mobile Security Project
In order to facilitate training our development teams, we want to take advantage of existing resources. One of these is the OWASP Mobile Security Project. This project demonstrates what a secure mobile architecture can look like.The OWASP security top 10 list is a great starter guide to understanding mobile security. It contains the most important mobile vulnerabilities that tend to occur across the industry.
It’s good to train developers on the OWASP top 10 by looking at the most frequent issues that cause apps to fail, such as insecure data storage.
Tip 4: Automate Mobile Binary AppSec Testing
Once developers understand the greatest risks to mobile security, they should create tests that help root out such risks. Don’t just use simulated devices for these tests; use real devices as well. Attackers are using real devices, so you should, too.
Automate what you can. We have a great suite of tooling that can support this. One example is that you can automatically create JIRA tickets in the development team’s backlog when a security vulnerability is found.
Tip 5: Inject Security Throughout the Toolchain
Beyond just testing, we want to put security into as much of our toolchain as possible. You can use repository scanning tools and practice threat modeling before you implement your code.
Shift Left Your Developers’ Mindsets
Your developers are the key to achieving secure mobile development. Their minds are the ultimate shift left. We need to train them to understand security, starting with the difference between mobile and web architectures. Then, we end by bringing that knowledge to bear in injecting secure practices and tooling into your toolchain to create a safe mobile experience.
This session was summarized by Mark Henke. Mark has spent over 10 years architecting systems that talk to other systems, doing DevOps before it was cool, and matching software to its business function. Every developer is a leader of something on their team, and he wants to help them see that.