As companies make the cultural shift towards DevOps, native mobile applications present a number of unique challenges. Results of a recent survey suggest that 81 percent of enterprises and 70 percent of small-to-medium businesses have adopted some form of DevOps. Yet another survey, though, reports that only 29 percent of mobile applications are undergoing security assessments. Why does this gap exist? I will examine the unique DevOps problems put forth by mobile app development, and discuss how implementing mobile DevSecOps practices can mitigate their effects.
The talk will focus on identifying and demonstrating the impact of mobile-specific DevSecOps challenges:
Broader mobile framework specialties: Examining a mobile app extends beyond the application code itself. A fully functional mobile security team must be able to forensically analyze data stored on the phone, examine APIs and communications protocols, perform server-side penetration testing, and reverse engineer an application to perform thorough assessments at scale.
Technology fragmentation: Not only are mobile apps deployed across a multitude of hardware devices, steps taken by Apple and Google to secure the iOS and Android platforms eliminate avenues security pros use to detect and respond to mobile security threats.
Mobile apps expose enterprise architecture: A mobile app is often an endpoint for a much deeper enterprise architecture, so a compromised app can have far reaching effects.
Faster time frames: Even in the fast paced DevOps world, mobile applications have even more accelerated timelines for release. In order to build - and maintain - a user base, mobile apps need to be deployed and updated more frequently. This shorter development cycle stresses systems that may already be in place.
Push vs. pull updating - the unique nature of app stores mean that users have to “pull” updates, rather than the developer “pushing” them to existing installations.
The talk will then focus on how to leverage the strengths of DevSecOps processes to mitigate each these challenges in mobile. I will discuss strategies connected to each of the problems above with a focus on leveraging automation, process, and culture. A particular focus will be making the case for early and automatic security testing and providing examples of practical solutions.
