In the mobile-first era, the quality of mobile applications directly impacts business success. Users expect mobile apps to deliver a great user experience with valuable functionality, as anything less may decrease engagement, lower revenue and even harm brand reputation. Yet many Dev, DevOps and QA teams fail to recognize that security directly correlates to the quality of a mobile app.
Mobile dev teams face great pressure to create the best mobile apps they can while managing strict deadlines, ticket backlogs and other routine tasks. This pushes them to focus their time and energy on the functionality of the mobile app to keep user activity high and maintain positive experiences. As a result, security testing often gets pushed to the end of the dev lifecycle, which increases pressure on testing, raises the risk of quality failures and makes it more likely that security bugs escape into the wild.
To build a first-class mobile app, devs must treat security as a function of quality. Instead of waiting until the end of the dev cycle to assess security, they should adopt a continuous security testing approach. Devs should consider the following five points to secure their mobile apps and drive quality at scale.
Stakeholders must define the security requirements of the mobile app early in the lifecycle to ensure secure development from start to finish, from architecture through delivery. When establishing security standards and policies for mobile app development, testing and delivery, stakeholders should leverage trusted industry standards such as the Open Web Application Security Project (OWASP) Mobile Application Security Verification Standard (MASVS). Once stakeholders agree on security requirements for the mobile app, PMs can submit proper security requirements, architects can design a secure architecture, devs can follow secure coding best practices, and QA and security teams can test throughout the dev process.
To ensure secure dev and testing throughout the app lifecycle, DevSecOps teams can leverage an automated policy engine that enforces the organization's agreed policy at every stage of the pipeline. Instead of manually checking that new code follows standards and policies, automated controls confirm that each build meets the defined requirements without manual intervention, and fail the build when it does not.
Although many devs can write effective code, not all know how to write secure code. Because of this, devs should learn basic secure coding techniques by leveraging online training and third-party resources on a regular basis. While a single training session can improve code quality, continuous education drives quality in the long term. Not only does this produce a safer mobile app, devs also spend less time fixing bugs and more time on other elements of the mobile app.
In addition to regular training, devs should treat new issues as another opportunity to advance their skills. When devs have trouble using code or APIs, they often turn to Stack Overflow and Google for a quick solution. But searching for solutions online can waste time, and can often provide devs with the wrong answers. Embedding remediation instructions, training resources and links to iOS and Android documentation into security bug tickets helps developers fix issues quickly at the moment of need while also teaching them to prevent coding failures in the future.
Performing manual security tests only in the latest stages of the development cycle can stall progress and increase the risk of security bugs escaping into the wild. So why not use automated tools to perform accurate mobile application security testing in the background as the mobile apps are developed? With the tooling integrated into CI/CD systems and code repos, devs can run continuous security testing on every mobile app build through an automated battery of 600+ standards-based tests covering sensitive data exposure, Google Play and Apple App Store blockers, regulatory compliance and dynamically generated SBOMs. These tests can run continuously, including after work hours, and feed tickets with embedded remediation and training information back to the devs, giving them a fast feedback loop to resolve issues. This lowers the workload for dev, QA, security and release teams and dramatically increases velocity.
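To make the policy-engine and ticket-feedback idea above concrete, here is a small policy-as-code gate of the kind a team might place in its CI pipeline. This is an added illustrative example, not NowSecure's code or any real tool's output format: the scan report shape, the finding fields, the severity names and the MASVS-to-remediation mapping are all hypothetical, and the sample report is constructed. The documentation URLs are real entry points used only as illustrative links. The gate fails the build when a finding meets the severity threshold, when an app store blocker is present, or when the SBOM is missing, and it turns each failing finding into a ticket body with remediation guidance and a reference link.

```python
"""Policy-as-code gate for mobile security scan results (illustrative example)."""
import json
import sys
from dataclasses import dataclass, field

# Ordering used to compare a finding's severity against the policy threshold.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scan report. The shape is hypothetical, not a real tool's output.
SAMPLE_REPORT = json.dumps({
    "app": "com.example.shop", "build": "1.4.2+118",
    "sbom_generated": True,
    "findings": [
        {"id": "F-1", "severity": "high", "masvs": "MASVS-STORAGE-1",
         "title": "Session token written to shared preferences in cleartext",
         "store_blocker": False},
        {"id": "F-2", "severity": "medium", "masvs": "MASVS-NETWORK-1",
         "title": "Cleartext HTTP permitted by network security config",
         "store_blocker": False},
        {"id": "F-3", "severity": "low", "masvs": "MASVS-PLATFORM-1",
         "title": "Exported activity reachable without a permission",
         "store_blocker": False},
        {"id": "F-4", "severity": "medium", "masvs": "MASVS-PRIVACY-1",
         "title": "Privacy manifest missing a required-reason API declaration",
         "store_blocker": True},
    ],
})

# Remediation text keyed by MASVS control group (hypothetical mapping). The URLs are
# real platform documentation entry points, chosen here only as illustrative links.
REMEDIATION = {
    "MASVS-STORAGE": ("Store secrets in the platform keystore or Keychain, never in plain files or preferences.",
                      "https://developer.android.com/privacy-and-security/keystore"),
    "MASVS-NETWORK": ("Disable cleartext traffic in the network security config and trust only expected CAs.",
                      "https://developer.android.com/privacy-and-security/security-config"),
    "MASVS-PLATFORM": ("Mark components exported=false or guard them with a permission.",
                       "https://developer.android.com/privacy-and-security/security-tips"),
    "MASVS-PRIVACY": ("Declare every required-reason API the app uses in its privacy manifest.",
                      "https://developer.apple.com/documentation/bundleresources/privacy-manifest-files"),
}
DEFAULT_REMEDIATION = ("See the MASVS control text for guidance.", "https://mas.owasp.org/MASVS/")


@dataclass
class Policy:
    fail_at_or_above: str = "high"      # any finding at this severity or worse fails the build
    allow_store_blockers: bool = False  # store blockers fail the build regardless of severity
    require_sbom: bool = True           # a build without an SBOM is not releasable


@dataclass
class GateResult:
    passed: bool
    violations: list = field(default_factory=list)
    tickets: list = field(default_factory=list)


def make_ticket(finding: dict) -> dict:
    """Turn one failing finding into a ticket with remediation advice and a doc link."""
    control = finding.get("masvs", "")
    group = control.rsplit("-", 1)[0]  # "MASVS-STORAGE-1" -> "MASVS-STORAGE"
    advice, link = REMEDIATION.get(group, DEFAULT_REMEDIATION)
    return {
        "title": f"[{finding.get('severity', 'unknown').upper()}] {finding.get('title', control)}",
        "body": f"{advice}\nControl: {control}\nReference: {link}",
        "labels": ["security", control],
    }


def evaluate(report_json: str, policy: Policy) -> GateResult:
    """Apply the policy to a scan report; returns pass/fail plus violations and tickets."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[policy.fail_at_or_above]
    violations, tickets = [], []
    if policy.require_sbom and not report.get("sbom_generated"):
        violations.append("SBOM missing from build artefacts")
    for f in report.get("findings", []):
        sev = str(f.get("severity", "")).lower()
        rank = SEVERITY_RANK.get(sev)
        blocker = bool(f.get("store_blocker")) and not policy.allow_store_blockers
        # Fail closed on an unrecognised severity rather than silently accepting it.
        if rank is None or rank >= threshold or blocker:
            violations.append(f"{f.get('id')}: {f.get('title')} ({sev or 'unknown'}, {f.get('masvs')})")
            tickets.append(make_ticket(f))
    return GateResult(passed=not violations, violations=violations, tickets=tickets)


if __name__ == "__main__":
    result = evaluate(SAMPLE_REPORT, Policy())
    for v in result.violations:
        print("FAIL:", v)
    for t in result.tickets:
        print(json.dumps(t, indent=2))
    sys.exit(0 if result.passed else 1)  # non-zero exit breaks the pipeline stage
```

The gate exits non-zero on any violation, so the CI stage fails and the generated ticket bodies can be pushed to the issue tracker by whatever integration the team already uses. With the default policy the constructed report fails on F-1 (high severity) and F-4 (store blocker); the medium and low findings are reported but do not block the build.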
Automation can cover the majority of security testing cases, but it does have limitations. Multi-factor authentication, CAPTCHA, IoT device connections and other complex features require human assistance for security testing. But that doesn't mean teams must give up automation or disrupt their workflow for manual security testing. A recent NowSecure Platform innovation called Guided Testing enables dev and security teams to combine the benefits of automation with human expertise. Automated continuous security testing runs in the pipelines, with NowSecure expert analysts periodically stepping in to orchestrate the complex tasks for maximum coverage at high speed. NowSecure Platform with Guided Testing brings the best of both worlds.
Mobile app devs that want to build a quality product from top to bottom should embrace security throughout the entire production lifecycle. With proper planning, education, automation and expert support, devs can secure their mobile apps and achieve the quality users expect, driving high adoption rates, revenue generation and more.
About the author: As NowSecure Chief Mobility Officer, Brian Reed brings decades of experience in mobile, apps, security, dev and operations management including NowSecure, Good Technology, BlackBerry, ZeroFOX, BoxTone, MicroFocus and INTERSOLV, working with Fortune 2000 global customers, mobile trailblazers and government agencies. At NowSecure, Brian drives the overall go-to-market strategy, solutions portfolio, marketing programs and industry ecosystem. With more than 25 years building innovative products and transforming businesses, Brian has a proven track record in early and mid-stage companies across multiple technology markets and regions. A noted speaker and thought leader, Brian is a compelling storyteller who brings unique insights and global experience. Brian is a graduate of Duke University.