Rethinking the Status Quo of Mobile App Security

Most executives view mobile applications as a crucial component of their organization’s business strategy. Mobile apps help companies generate revenue, engage with customers and create new business opportunities. With mobile apps accounting for over 70% of all digital time, they will help generate nearly $1 trillion in revenue by the end of 2023.

However, many CISOs fail to prioritize mobile app security or under-invest, assuming legacy security approaches are sufficient, leaving them vulnerable to breaches. These incidents can jeopardize revenue streams, damage customer trust and can incur regulatory penalties.

Benchmarks of millions of mobile apps in public app stores show that 85% have exploitable vulnerabilities. So what’s causing these mobile app security failures? Organizations today exhibit three fundamental failure patterns.

First, too many organizations point web-oriented static source code scanning tools at mobile app code, leaving substantial test coverage gaps: those tools carry no rules for platform-specific issues such as insecure local storage, exported components, disabled certificate validation or missing binary protections. They may add one annual mobile app penetration test, but when the dev team releases monthly or twice a month, that means 11 or 23 releases a year go without sufficient security testing.

Second, when organizations apply mobile-specific security testing, it often gets pushed to the end of the development life cycle, with security teams testing for vulnerabilities right before a release date. As a result, releases may be delayed or vulnerable apps may be shipped with “accepted risk.”

Third, while CISOs often leverage standard frameworks like the NIST Cybersecurity Framework, their implementation often lacks automated controls specifically for mobile app security that could be deployed in development pipelines and security testing programs.
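As an added illustration of the kind of mobile-specific automated control that can sit in a build pipeline (this is example code written for this page, not NowSecure's or OWASP's), the following check parses an AndroidManifest.xml and flags settings a web-oriented scanner never looks at. Both manifests are constructed for the example; the attribute names are real Android manifest attributes, while the MASVS group labels attached to each finding are an assumed mapping.

```python
"""Added example, not NowSecure's or OWASP's code: a pipeline check for
AndroidManifest.xml settings that a web-oriented SAST tool has no rules for.
Both manifests below are constructed; the attribute names are real Android
manifest attributes, the MASVS group labels are the mapping assumed here."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest with the weak settings a release build should never carry.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <application android:debuggable="true"
               android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
  </application>
</manifest>"""

# The same manifest with each weak setting corrected.
HARDENED_MANIFEST = (WEAK_MANIFEST
    .replace('android:debuggable="true"', 'android:debuggable="false"')
    .replace('android:allowBackup="true"', 'android:allowBackup="false"')
    .replace('android:usesCleartextTraffic="true"', 'android:usesCleartextTraffic="false"')
    .replace('".TransferActivity" android:exported="true"', '".TransferActivity" android:exported="false"'))


def android_attr(elem, name):
    """Read an attribute from the android: namespace (e.g. android:exported)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def check_manifest(xml_text):
    """Return (masvs_group, severity, message) tuples for each weak setting found."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    if app is None:
        return findings
    if android_attr(app, "debuggable") == "true":
        findings.append(("MASVS-RESILIENCE", "high",
                         "android:debuggable=true: any ADB client can attach a debugger to the release build"))
    # allowBackup defaults to true, so the absence of the attribute is also a finding.
    if android_attr(app, "allowBackup") != "false":
        findings.append(("MASVS-STORAGE", "medium",
                         "android:allowBackup is not false: app data can be pulled with adb backup on older API levels"))
    if android_attr(app, "usesCleartextTraffic") == "true":
        findings.append(("MASVS-NETWORK", "high",
                         "android:usesCleartextTraffic=true: plaintext HTTP is permitted"))
    # An exported component is reachable by every other app on the device unless it
    # is the launcher entry point or guarded by an android:permission.
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        if android_attr(comp, "exported") != "true" or android_attr(comp, "permission"):
            continue
        is_launcher = any(android_attr(c, "name") == "android.intent.category.LAUNCHER"
                          for c in comp.iter("category"))
        if not is_launcher:
            findings.append(("MASVS-PLATFORM", "medium",
                             "%s %s is exported without a launcher intent-filter or permission"
                             % (comp.tag, android_attr(comp, "name"))))
    return findings


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, check_manifest(manifest))
```

Run against the merged manifest produced by the build (not just the source manifest, since Gradle merges library manifests into it) and fail the job when the list is non-empty; a check like this takes seconds, so it can run on every commit rather than once a year.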

CISOs should abandon the status quo and reevaluate their approach. Use the following guide to learn best practices for improving mobile app resiliency cost-effectively.

Embrace OWASP MAS

CISOs who want to strengthen mobile app security should ensure their teams become familiar with the Open Worldwide Application Security Project (OWASP) Mobile Application Security (MAS) flagship project. OWASP MAS was developed to establish a common foundation for mobile app security requirements while also providing educational resources for devs, architects, analysts and engineers to build with security in mind. The project has three parts: the Mobile Application Security Verification Standard (MASVS), which defines the requirements; the Mobile Application Security Testing Guide (MASTG), which describes how to test each of them on Android and iOS; and the MAS Checklist, which maps the two together for tracking and audit.

Used by thousands of mobile development and security teams, OWASP MAS provides a well-recognized standard for mobile app security that your team can use both to drive day-to-day testing and as evidence of controls for auditors and customers. CISOs should encourage their dev and security teams to build MASVS requirements and MASTG test cases into their pipelines to protect mobile apps from the most common vulnerabilities.

Encourage Secure Development Training

Secure coding training helps devs enhance mobile app security and reduce development and security testing costs. Although it may be challenging to convince devs to commit to comprehensive training programs, targeted and proactive training focused on critical mobile app development skills can lead to major improvements.

For mobile apps, the most common coding issues fall in the areas of storage and cryptography, networking, insecure coding and resilience, which correspond to the MASVS control groups MASVS-STORAGE, MASVS-CRYPTO, MASVS-NETWORK, MASVS-CODE and MASVS-RESILIENCE. Free mobile AppSec courses available online can drastically improve mobile app security in these specific areas and more. In fact, NowSecure finds that trained professionals can release up to 30% faster at lower cost and reduce risk by up to 40% with just a few hours of training.

Increase Efficiency and Reduce Risk With Automated Security Testing

Dev teams move quickly and may inadvertently introduce security issues, and they can’t always stop working to fix every one. Additionally, pressuring teams to deliver quickly can lead to critical vulnerabilities being overlooked, which increases risk further down the road. CISOs should invest in continuous automated mobile application security testing to improve efficiency for devs and security teams while reducing costs.

When devs write new code, automated security testing can run nightly on the latest build and generate tickets that carry remediation guidance the next morning. Devs can fix issues as they appear instead of waiting weeks for results. An automated policy engine can be tuned to a tiered risk model, feeding only the most critical issues to devs, automatically prioritizing the work and establishing a minimum bar for release approval. Keyed on a stable finding identifier, the same engine can avoid re-filing tickets for issues it has already reported and close those that no longer appear in a scan.

This policy-driven approach can serve as the first step in a shift-left strategy and, over time, as teams and processes mature, can expand the type, breadth and volume of security issues routed directly to devs for remediation. Continuous security automation also helps security analysts by automating tedious, time-consuming tasks while reducing their workload at the end of the pipeline, minimizing the need for expensive and release-delaying full-scope manual penetration tests. Manual testing still has a place for business-logic and authorization flaws that scanners do not find; the goal is to reserve it for those rather than spend it on issues automation already catches.
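The policy engine described above, written out as an added example for this page (it is not NowSecure's product code): a nightly scan's findings are diffed against the tracker's open tickets, only issues at or above the tier's ticketing threshold are filed, tickets whose findings have disappeared are closed, and the build fails when anything at or above the tier's blocking threshold is present. The findings, the three tiers and their thresholds, and the ticket store are all constructed assumptions, not a standard.

```python
"""Added example, not NowSecure's code: a policy gate for a nightly automated
mobile scan.  It diffs tonight's findings against the tickets already open,
files tickets only for new issues at or above the tier's ticketing threshold,
closes tickets whose findings no longer appear, and fails the build when a
finding at or above the tier's blocking threshold is present.  The findings,
tier thresholds and ticket store are all constructed for the example."""
import sys
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    fingerprint: str   # stable id the scanner assigns to a finding across runs
    category: str      # MASVS control group the finding maps to
    severity: str
    title: str


@dataclass(frozen=True)
class Policy:
    ticket_at: str     # route findings at or above this severity to devs
    block_at: str      # findings at or above this severity fail the build


# Tier 1 is the first step of a shift-left programme; later tiers lower the bar
# as the team clears its backlog.  Thresholds are assumed values, not a standard.
TIERS = {
    1: Policy(ticket_at="high", block_at="critical"),
    2: Policy(ticket_at="medium", block_at="high"),
    3: Policy(ticket_at="low", block_at="medium"),
}

# Constructed output of tonight's scan.
TONIGHT = [
    Finding("crypto-hardcoded-key:libpay.so", "MASVS-CRYPTO", "critical",
            "AES key embedded in native library"),
    Finding("network-trust-all:ApiClient.kt:42", "MASVS-NETWORK", "high",
            "TrustManager accepts any server certificate"),
    Finding("storage-plain-prefs:Session.kt:17", "MASVS-STORAGE", "medium",
            "Session token stored unencrypted in SharedPreferences"),
    Finding("code-verbose-log:Logger.kt:9", "MASVS-CODE", "low",
            "Debug logging enabled in release build"),
]

# Constructed state of the tracker: tickets opened by earlier runs that are
# still open, keyed by finding fingerprint.
OPEN_TICKETS = {
    "network-trust-all:ApiClient.kt:42": "MOB-101",     # still present tonight
    "storage-old-world-readable:Cache.kt:3": "MOB-97",  # fixed since last run
}


def meets(severity, threshold):
    return SEVERITY_RANK[severity] >= SEVERITY_RANK[threshold]


def evaluate(findings, open_tickets, tier):
    """Return what the pipeline should do with tonight's findings."""
    policy = TIERS[tier]
    seen = {f.fingerprint for f in findings}
    # Only findings above the tier's ticketing bar reach developers, most severe first.
    routable = sorted((f for f in findings if meets(f.severity, policy.ticket_at)),
                      key=lambda f: SEVERITY_RANK[f.severity], reverse=True)
    new_tickets = [f for f in routable if f.fingerprint not in open_tickets]
    # A ticket whose finding no longer appears in the scan can be auto-closed.
    resolved = [t for fp, t in open_tickets.items() if fp not in seen]
    blocking = [f for f in findings if meets(f.severity, policy.block_at)]
    return {
        "new_tickets": [f"[{f.severity.upper()}] {f.category}: {f.title}" for f in new_tickets],
        "resolved_tickets": resolved,
        "blocking": [f.fingerprint for f in blocking],
        "release_allowed": not blocking,
    }


if __name__ == "__main__":
    # Typical CI usage: the tier is a pipeline parameter; a non-zero exit blocks the release.
    tier = int(sys.argv[1]) if len(sys.argv) > 1 else 1
    result = evaluate(TONIGHT, OPEN_TICKETS, tier)
    for line in result["new_tickets"]:
        print("open ticket:", line)
    for ticket in result["resolved_tickets"]:
        print("close ticket:", ticket)
    print("release allowed:", result["release_allowed"])
    sys.exit(0 if result["release_allowed"] else 1)
```

At tier 1 the run above files one new ticket (the hardcoded key), leaves the already-ticketed certificate-validation finding alone, closes MOB-97, and blocks the release; raising the tier to 3 routes all four findings and blocks on the medium as well. The fingerprint is what makes the diff work, so the scanner's finding id must be stable across builds rather than derived from line numbers alone.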

A single mobile app security breach can instantly damage customer trust, brand loyalty and financial stability, even for the most reputable brands. CISOs should prioritize mobile app security by embracing MASVS principles, encouraging mobile-specific dev training and adopting continuous mobile application security test automation to reduce risk.


Brian Reed

As NowSecure Chief Mobility Officer, Brian Reed brings decades of experience in mobile, apps, security, dev and operations management including NowSecure, Good Technology, BlackBerry, ZeroFOX, BoxTone, MicroFocus and INTERSOLV, working with Fortune 2000 global customers, mobile trailblazers and government agencies. At NowSecure, Brian drives the overall go-to-market strategy, solutions portfolio, marketing programs and industry ecosystem. With more than 25 years building innovative products and transforming businesses, Brian has a proven track record in early and mid-stage companies across multiple technology markets and regions. A noted speaker and thought leader, Brian is a compelling storyteller who brings unique insights and global experience. Brian is a graduate of Duke University.
