Mobile app security doesn’t start when you deploy your shiny new mobile app to users. Rather, mobile app security needs to become part of user stories and be part of mobile app development from the date of project kick-off. “We need to teach developers to think about mobile app security up front, and not as an afterthought,” advises Zubin Irani, founder and CEO of cPrime, an agile transformation consultancy.
A fractured mobile marketplace combined with rising threats such as malware can make it harder on mobile app developers to develop secure apps, according to John Britton, director of security for VMware.
Compliance programs including the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and Sarbanes-Oxley also bring new challenges for mobile app testing.
Here are seven ways to make mobile app security part of your agile process.
1. Make app security considerations nonfunctional requirements
Aziz Gilani, a partner at Mercury Fund, likes to see his portfolio companies treat mobile app security considerations as nonfunctional requirements during the earliest stages of app development, work them as part of sprints from day one, and not wait for a final pass for compliance purposes at the end of the development cycle.
At a high level, Gilani advises using threat modeling analysis combined with a risk-based approach to come up with the highest degree of application vulnerabilities you could run into from day one. Based on the threat modeling and other up-front work, you can prioritize your nonfunctional security requirements and then embed them across your sprints.
2. Flesh out user stories with platform and enterprise specifics
Understanding mobile OS- and platform-specific issues along with the business and enterprise requirements for managing the particular mobile app are necessary up-front steps, advises VMware’s Britton.
“Use an SDK to handle the management components that you will need to use,” he advises. “Understand not only what the business requirements are but also the enterprise requirements for managing that particular application.” For example, he says, enterprise requirements might include:
- Social media integration/support
- Mobile app use cases
- Mobile app management
- App deployment methodologies
- Single sign-on (SSO), Kerberos, or other user authentication service
- Data loss prevention (DLP) controls, including copy/paste prevention and opening management
3. Add your security team to your agile process up front
Open your agile boards to your security team, Irani advises. If you are using Atlassian Jira or similar platform, then flag development stories as high-risk or priority. While security resources are often stretched in many enterprises, flagging out stories for your security team is bound to get their attention before the app hits general availability (GA).
4. Treat secure communications as the forgotten user story
Ilya Pupko, vice president of product management for Jitterbit, told me that secure user communications are a forgotten user story and a leading cause of insecure apps. He cites APIs and internal apps as examples—even if you block all other means of access and they are only on the internal network, that is still not an excuse. They need to be totally secure.
5. Write the authentication/authorization story early in the agile development cycle
Pupko also advises resolving authentication and/or authorization early in the agile development cycle, because people confuse authentication and authorization.
"Often people look at either authentication or authorization when developing a mobile app, but they don't look at the other, especially in internal builds," according to Pupko. He also sees issues around companies just opening their APIs without concern for who is getting access to their mobile app. "Let me open up the API. Well, who got access to your mobile app? In theory, anybody could get their access through this app.”
He adds, “Are you checking the login and password or do you have other means of confirming who the user is? Did you keep their sign-in persistent, so the session is indefinite? Which means if they stole from you once, and you never check what the username and password is, they can steal from you again? That's another pet peeve of mine. Again, people just assume that since it's a mobile app, that it's secure.”
6. Test security early and often during sprints
Automation is your best friend when it comes to mobile app testing, according to Gilani. He recommends using automated scripts and regression testing to test against common vulnerabilities such as SQL injections. He then goes back to threat modeling and a risk-based approach that feeds your nonfunctional security requirements; you can then automate your testing against those requirements. The testing takes place across your sprints, testing against security considerations that you thought were eliminated at the beginning of your process.
You can augment testing at the end of each sprint with mobile application management (MAM), pushing out software builds to internal testers before the mobile app goes GA, according to Chris Hazelton, director of product marketing and strategy for Apperian. His company has customers that follow this approach to test how mobile apps interact with their infrastructure and internal business processes. With this iterative testing, its customers can fix website scripting, simple VPN, and other settings before the app’s GA.
Hazelton also relates that Apperian’s development team sprints include a demo-heavy sprint review, where an engineer takes the user story and runs through a demo of what the issue was and its resolution. Security issues are part of the sprint review discussions.
7. Make app security part of your definition of done
Mobile app security needs to become part of your definition of done, advises Irani. The nonfunctional security requirements you generate—if you follow Gilani’s previous tip—will help you add the mobile app security factors that should be part of your definition of done.
Use proper agile technique to improve mobile app security
“If you're using agile correctly and you're adding additional security requirements in as nonfunctional requirements with every sprint, then your application is only going to get better with each and every release, but only if you have the discipline to follow the process correctly,” says Gilani.
How do you factor mobile app security into your agile development process? Please let us hear from you by posting your comments below.
Keep learning
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed fast on the state of app sec testing with TechBeacon's Guide. Plus: Get Gartner's 2021 Magic Quadrant for AST.
Get a handle on the app sec tools landscape with TechBeacon's Guide to Application Security Tools 2021.
Download the free The Forrester Wave for Static Application Security Testing. Plus: Learn how a SAST-DAST combo can boost your security in this Webinar.
Understand the five reasons why API security needs access management.
Learn how to build an app sec strategy for the next decade, and spend a day in the life of an application security developer.
Build a modern app sec foundation with TechBeacon's Guide.
