Ending the dispute between developers and security teams

An abstract image of digital security.
(Image credit: Shutterstock) (Image credit: Shutterstock)

Consumers crave seamless digital experiences in mobile applications. An application lacking in trending market features, feeling clunky, running sluggishly and not securing their data will swiftly drive consumers to switch to a rival app.

The business case for a strong mobile app offering is therefore a no-brainer. According to eMarketer, mobile app users spend approximately four hours online daily, with a staggering 88% of that time devoted to app usage rather than websites. Nevertheless, catering to consumer demands, staying competitive in the market, and keeping pace with rivals necessitates a constant and rapid app development process. But for developers, this race is a hurdle. And implementing security frequently present significant challenges.

Incompatible priorities

Security is a necessary part of acquiring and keeping customers. However, there’s often incompatibility between developers and cybersecurity teams.

Developers want to ship as soon and as often as possible but see the security requirements and cyber teams, as blockers. For cyber teams, their priority is keeping consumers and the business secure. Simultaneously, customers are becoming increasingly conscious about cyber security. Appdome’s own UK Consumer Expectations of Mobile Security Survey revealed that nearly six in ten (59%) of British consumers ranked mobile app security as equal to new features in Android and iOS apps, with a quarter of respondents saying mobile app security is more important than features. Consumers no longer just want seamless experiences using a modern mobile app, they also want a secure one.

This underscores the compelling need for businesses to iron out the conflicting priorities and processes between dev and cyber teams.

Alan Bavosa

VP Security Products at Appdome.

DevSecOps 2.0 - Automating mobile app protection and threat detection

Development, security and operations (DevSecOps), a process that integrates security initiatives at every stage of software development, is the answer. The current mobile app release process is rife with conflicts between mobile dev teams and cyber teams. The dev teams have invested time and resources in automating the release process as much as possible. In fact, they are focused on increasing the agility and velocity of their releases as much as possible. Cyber security teams on the other hand are seen as blockers to this agile process. Especially when security findings are reported in the release meeting. This leads to dev teams escalating to management and requesting sign offs on risk exceptions. It’s essential to recognize that such risk exceptions increase the likelihood of potential attacks or breaches because the app is unprotected in production. Even with a commitment made to resolve the security issue in a subsequent release, this opens a window for hackers. But far too often organizations are forced to release apps with known security weaknesses because delays can result in significant loss of revenue opportunity or simply make the app uncompetitive. The impacts of an attack can be extremely costly and devastating to the business or brand. As discerning consumers seek both speed and security, it’s evident that a resolution is imperative for the continued success of the mobile app industry.

The traditional DevSecOps process aims to include automated security tests in the development and deployment pipeline with the intention to streamline the security review process using the pipeline. The problem with this approach is that development teams often do not have the resources, skills, or knowledge to resolve pipeline findings and may assign a low priority to security, since functionality, look and feel, ease of use are the top drivers for them. In addition to the above, automated security and vulnerability scans are certainly a welcome addition to the DevSecOps model, however it’s important to remember that security scans only address part of the problem – because they cannot be used to “fix” or “remediate” the problem. This is where no-code cyber defense automation is required. Cyber defense automation can be used to build protections into android and iOS apps to prevent exploits/attacks or remediate security threats or weaknesses in the app which are identified by security scanning or pen testing.

Using a DevSecOps 2.0 approach, app makers can use mobile application defense automation in the CI/CD pipeline to shift the burden and responsibility for delivering the needed protections from the development team to the cyber team. This way the cybersecurity team can use the same developer best practices to build, test, release and monitor the protection model in the mobile apps on its own, as an equal and independent part of the DevSecOps process.

This allows app makers to maintain a rapid and agile release process for their mobile apps, while ensuring that their apps are fully protected and can easily be upgraded to protect against new threats and attacks. All without the dev team doing any extra work.

Traditional DevSecOps is not the answer

When it comes to mobile apps, the current approach to DevSecOps is not working. The requirement for the traditional DevSecOps process includes automated security tests in the development and deployment pipeline. The idea is that this simplifies the security review process. Although this does speed up the discovery of exploitable vulnerabilities it does not help with implementing the necessary protections in the mobile app leading to cyber and dev teams clashing about protections and risk exceptions.

Traditional DevSecOps model limits the cyber team's ability to enforce protections. Essentially, all the team can do is review, report and recommend to the dev team on the security features that need to be added. Therefore, the cyber team is fully reliant on the developers to make any updates, changes or upgrades.

To make matters more complex, developers may not be entirely familiar with company’s security policies or specific cyber threats. Developers may overestimate the security protections provided by app stores or device manufacturers.

Thankfully, innovative technology can resolve this dilemma. Using a cyber defense automation tool enables dev teams to implement any and all protections required by the security team. In addition, it allows them to address weaknesses identified via security scans or penetration testing – without any manual effort or impact on release schedules or workflows.

Defense automation to the rescue

Mobile app defense automation enables cyber security teams to have more control over the security model for mobile applications, without requiring significant work to be completed by resources they do not control (i.e.: mobile developers). Mobile application defense automation allows the dev and cyber security teams to work collaboratively leveraging the continuous integration and continuous delivery (CI/CD) pipeline, using automation to completely remove the implementation burden off the dev team’s plate. Using cyber defense automation, cyber security teams can build, test, release and monitor the mobile app security model on their own or enable the dev team to implement the security model that they prescribe – all from within the automated workflows that developers already use to build and deliver mobile apps today. This approach ensures that the security assessment of the app operates as an integral component outside the conventional software development lifecycle.

By implementing cyber defense automation in this manner, the cyber team takes direct control within the CI/CD pipeline, relieving the development team of any additional workload or the need to navigate the intricacies of cybersecurity requirements. Consequently, the pipeline runs smoothly, automating the mobile app development process, with built-in security, anti-fraud, and other protective measures. This approach allows both the development and cybersecurity teams to effectively meet consumer demands and fulfil their respective responsibilities. Nobody needs to make the painful compromises that plague traditional mobile app security solutions.

For a dev or cyber team, this is a great position to be in. It clears a backlog of security findings and speeds the release of new protections that come from any new tests or reviews, thus eliminating new and old tension between the organizations.

Game changer

One of life’s natural disputes is between people who build things and people who protect things, but cyber defense automation for mobile apps is a revolutionary game-changer. For too long companies have been using a traditional DevSecOps approach, contributing to significant friction.

To remain aligned with consumer expectations and the dynamic market, modern organisations with mobile app offerings must eliminate this major source of tension. However, before achieving this, seamless internal operations are essential. With the adoption of an innovative automated approach for implementing security features, collaboration supplants disputes, enabling the dev team to focus on its core strengths without the need to overcome obstacles.

We've featured the best encryption software.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Alan Bavosa is VP Security Products at Appdome.