7 ways to build security into your mobile app dev lifecycle

Will Kelly, Freelance Technology Writer, Will Kelly Writes

Mobile app security doesn’t start when you deploy your shiny new mobile app to users. Rather, mobile app security needs to become part of user stories and be part of mobile app development from the date of project kick-off. “We need to teach developers to think about mobile app security up front, and not as an afterthought,” advises Zubin Irani, founder and CEO of cPrime, an agile transformation consultancy.

A fractured mobile marketplace combined with rising threats such as malware can make it harder on mobile app developers to develop secure apps, according to John Britton, director of security for VMware.

Compliance programs including the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and Sarbanes-Oxley also bring new challenges for mobile app testing. 

Here are seven ways to make mobile app security part of your agile process.

1. Make app security considerations nonfunctional requirements

Aziz Gilani, a partner at Mercury Fund, likes to see his portfolio companies treat mobile app security considerations as nonfunctional requirements during the earliest stages of app development, work them as part of sprints from day one, and not wait for a final pass for compliance purposes at the end of the development cycle.

At a high level, Gilani advises combining threat modeling analysis with a risk-based approach to identify, from day one, the most serious application vulnerabilities you could run into. Based on the threat modeling and other up-front work, you can prioritize your nonfunctional security requirements and then embed them across your sprints.

2. Flesh out user stories with platform and enterprise specifics

Understanding mobile OS- and platform-specific issues along with the business and enterprise requirements for managing the particular mobile app are necessary up-front steps, advises VMware’s Britton.

“Use an SDK to handle the management components that you will need to use,” he advises. “Understand not only what the business requirements are but also the enterprise requirements for managing that particular application.” For example, he says, enterprise requirements might include:

  • Social media integration/support
  • Mobile app use cases
  • Mobile app management
  • App deployment methodologies
  • Single sign-on (SSO), Kerberos, or other user authentication service
  • Data loss prevention (DLP) controls, including copy/paste prevention and opening management

3. Add your security team to your agile process up front

Open your agile boards to your security team, Irani advises. If you are using Atlassian Jira or a similar platform, flag development stories as high-risk or priority. Security resources are stretched in many enterprises, but flagging stories for your security team is bound to get their attention before the app hits general availability (GA).

4. Treat secure communications as the forgotten user story

Ilya Pupko, vice president of product management for Jitterbit, told me that secure user communications are a forgotten user story and a leading cause of insecure apps. He cites APIs and internal apps as examples—even if you block all other means of access and they are only on the internal network, that is still not an excuse. They need to be totally secure.

5. Write the authentication/authorization story early in the agile development cycle

Pupko also advises resolving authentication and/or authorization early in the agile development cycle, because people confuse authentication and authorization.

“Often people look at either authentication or authorization when developing a mobile app, but they don't look at the other, especially in internal builds,” according to Pupko. He also sees issues around companies just opening their APIs without concern for who is getting access to their mobile app. “Let me open up the API. Well, who got access to your mobile app? In theory, anybody could get their access through this app.”

He adds, “Are you checking the login and password or do you have other means of confirming who the user is? Did you keep their sign-in persistent, so the session is indefinite? Which means if they stole from you once, and you never check what the username and password is, they can steal from you again? That's another pet peeve of mine. Again, people just assume that since it's a mobile app, that it's secure.”
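The two checks Pupko describes, kept separate and run on every API call, with a session that expires instead of persisting indefinitely. This is an added example, not code from the article or from anyone quoted in it; the signing key, the 15-minute lifetime, the role table, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: demo-only signing key
MAX_SESSION_AGE = 15 * 60          # assumption: 15-minute session lifetime
# Constructed sample data: roles held by each user, role needed per action.
USER_ROLES = {"alice": {"clerk"}, "bob": {"clerk", "manager"}}
REQUIRED_ROLE = {"read_invoice": "clerk", "approve_refund": "manager"}


def issue_token(user, now):
    """Issue a signed session token after the login check has succeeded."""
    payload = f"{user}|{int(now)}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def authenticate(token, now):
    """Authentication: who is calling? Returns the user name or None."""
    try:
        user, issued, sig = token.split("|")
        issued = int(issued)
    except ValueError:
        return None                      # malformed token
    expected = hmac.new(SECRET, f"{user}|{issued}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None                      # forged or tampered token
    if not 0 <= now - issued <= MAX_SESSION_AGE:
        return None                      # expired: the session is not indefinite
    return user


def authorize(user, action):
    """Authorization: may this already-identified user perform the action?"""
    needed = REQUIRED_ROLE.get(action)
    return needed is not None and needed in USER_ROLES.get(user, set())


def handle_request(token, action, now=None):
    """API entry point: both checks run on every call, in this order."""
    now = time.time() if now is None else now
    user = authenticate(token, now)
    if user is None:
        return 401, "login required"
    if not authorize(user, action):
        return 403, "not permitted"
    return 200, f"{action} ok for {user}"
```

A valid login alone yields 403 for an action the user's role does not cover, and a token older than the lifetime yields 401 even though its signature is still valid.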

6. Test security early and often during sprints

Automation is your best friend when it comes to mobile app testing, according to Gilani. He recommends using automated scripts and regression testing to test against common vulnerabilities such as SQL injection. He then goes back to threat modeling and a risk-based approach that feeds your nonfunctional security requirements; you can then automate your testing against those requirements. The testing takes place across your sprints, testing against security considerations that you thought were eliminated at the beginning of your process.
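One shape such an automated regression check can take, shown against an in-memory SQLite database so it can run in every sprint's build. This is an added example, not code from the article; the table, the sample rows, the input list, and the function names are all constructed for illustration.

```python
import sqlite3

# Constructed inputs of the kind an injection regression suite replays each sprint.
HOSTILE_INPUTS = ["' OR '1'='1", "x' OR 1=1 --", "alice' --"]


def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", 120), ("bob", 75)])
    return db


def lookup_concatenated(db, username):
    """The defect under test: user input is pasted into the SQL text."""
    sql = "SELECT username, balance FROM accounts WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, username):
    """The fix: input is bound as a value and never parsed as SQL."""
    return db.execute(
        "SELECT username, balance FROM accounts WHERE username = ?", (username,)
    ).fetchall()


def injection_regressions(lookup):
    """Return the hostile inputs for which `lookup` wrongly returns rows.

    No account is literally named like any hostile input, so every returned
    row means the input changed the query instead of being matched as data.
    """
    db = make_db()
    failures = []
    for value in HOSTILE_INPUTS:
        try:
            rows = lookup(db, value)
        except sqlite3.Error:
            rows = []          # a syntax error leaks no rows; not counted here
        if rows:
            failures.append(value)
    return failures
```

Wired into the build, a non-empty result from `injection_regressions` fails the sprint's pipeline, so a later change that reintroduces string concatenation is caught before release.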

You can augment testing at the end of each sprint with mobile application management (MAM), pushing out software builds to internal testers before the mobile app goes GA, according to Chris Hazelton, director of product marketing and strategy for Apperian. His company has customers that follow this approach to test how mobile apps interact with their infrastructure and internal business processes. With this iterative testing, its customers can fix website scripting, simple VPN, and other settings before the app’s GA.

Hazelton also relates that Apperian’s development team sprints include a demo-heavy sprint review, where an engineer takes the user story and runs through a demo of what the issue was and its resolution. Security issues are part of the sprint review discussions.

7. Make app security part of your definition of done

Mobile app security needs to become part of your definition of done, advises Irani. The nonfunctional security requirements you generate—if you follow Gilani’s previous tip—will help you add the mobile app security factors that should be part of your definition of done.

Use proper agile technique to improve mobile app security

“If you're using agile correctly and you're adding additional security requirements in as nonfunctional requirements with every sprint, then your application is only going to get better with each and every release, but only if you have the discipline to follow the process correctly,” says Gilani.

How do you factor mobile app security into your agile development process? Please let us hear from you by posting your comments below.