Download as PDF, PPTX
Uploaded byNowSecure
5 Tips for Agile Mobile App Security Testing
The document outlines a comprehensive approach to software development and security testing, emphasizing the integration of automated security testing in the CI/CD pipeline to reduce time and costs. It highlights the need for testing across multiple vectors, including dynamic and static binary testing, as well as leveraging new technology to improve compliance and reduce defects. Recommendations for best practices include continuous monitoring, risk management reporting, and automating issue ticket generation to enhance coverage and efficiency in development workflows.
![[DevSecOps Live] DevSecOps: Challenges and Opportunities](https://cdn.slidesharecdn.com/ss_thumbnails/20200316dsochallengesopportunities-200416111818-thumbnail.jpg?width=600ounds&width=560&fit=bounds)
5 Tips for Agile Mobile App Security Testing
- 1. © Copyright 2018NowSecure, Inc. All Rights Reserved. Proprietary information.
- 3.
- 4.
- 6.
- 8.
- 9. Commit Code Build Binary Test Binary Certify Audit Stage Deploy 2WEEKS 1 DAY AGILE DEVOPS
- 10. Increasing Frequency ofreleases Increasing Volume of apps Reducing Time to test Reducing Cost to test
- 11. 2 hrs 10mins 2 hrs 10mins 2hrs 10mins 2 hrs 10mins 20-30 hrs ...CONFIG T CONFIG T CONFIG T CONFIG T DEBUG FALSE POSITIVES CREATE REPORT... 8-10 hrs 1-2 weeks TTTT <1 Hour HOW CAN WE COMPRESS THIS TIME?
- 13.
- 14. Data over theair between device and backend systems APIs on backend systems exposed to the internet & mobile apps Mobile app code written by internal developers, open source & 3rd parties Data on the device accessed in memory and stored on device
- 15. LEGACY WEB & SAST ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ 15 ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪Cross originresource sharing ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪
- 17. STATIC BINARY TESTING DYNAMIC BINARY TESTING observesthe binary at runtime to discover vulnerabilities within the app analyzes the binary post-compilation to discover vulnerabilities including those in third-party libraries 17 BEHAVIORAL BINARY TESTING attacks the binary & network environment to discover vulnerabilities within the app with near zero false positives Need to test across all 3 vectors on real iOS & Android devices Use Attacker POV to identify more real issues and verify vulnerabilities for near zero false positives
- 18. iOS APPS Dynamic code and assets MITMattacks Take the the attacker POV to test across app, compiler, data at rest, data in transit, OS, HW & SW during and after running the mobile app iOS FRAMEWORKS iOS NATIVE LIBRARIES iOS Mach/XNU KERNEL iOS HAL HARDWARE Buffer overflows Race conditions Forensic artifacts Vulnerabilities Contact hijacking TARGET APP
- 20. Commit Code Build Binary Test Binary Certify Audit Stage Deploy 2+WEEKS 1-2 WEEKS DEV TEST 1 mo 2 mo 3 mo 4 mo Final Pre-release Certification Reports
- 21. Commit Code Build Binary Test Binary Certify Audit Stage Deploy FinalPre-release Certification Reports Risk & Compliance Reports Management Reporting 2+ WEEKS 1-2 WEEKS DEV TEST 1 WEEK 1 mo 2 mo 3 mo 4 mo
- 22. DAILY Commit Code Build Binary Test Binary Certify Audit Stage Deploy OnDemandTest Security Daily, Weekly or other Pass Issue Tickets into flow DAILY 2 WEEKS DEV TEST 2+ WEEKS WEEKLY 1 mo 2 mo 3 mo 4 mo WEEKLY
- 23. DAILY Commit Code Build Binary Test Binary Certify Audit Stage Deploy OnDemandTest Security Daily, Weekly or other Pass Issue Tickets into flow DAILY 2 WEEKS DEV TEST 2+ WEEKS 1 WEEKLY 1 mo 2 mo 3 mo 4 mo Final Pre-release Certification Reports Risk & Compliance Reports Management Reporting
- 24. Commit Code Build Binary Test Binary Certify Audit Stage Deploy AUTOTest Security with every build AUTO Generate Issue Tickets into flow DAILY DAILY DEV TEST 2+ WEEKS 1 mo 2 mo 3 mo 4 mo
- 25. Commit Code Build Binary Test Binary Certify Audit Stage Deploy AUTOTest Security with every build AUTO Generate Issue Tickets into flow DAILY DAILY DEV TEST 1 mo 2 mo 3 mo 4 mo
- 26. Commit Code Build Binary Test Binary Certify Audit Stage Deploy AUTOTest Security with every build AUTO Generate Issue Tickets into flow DAILY DAILY DEV TEST 1 mo 2 mo 3 mo 4 mo Final Pre-release Certification Reports Risk & Compliance Reports Management Reporting
- 27. Commit Code Build Binary Test Binary Certify Audit Stage Deploy AUTOTest Security with every build AUTO Generate Issue Tickets into flow Security Test / Advise in IDE Security Source Scan pre-build DAILY DAILY DEV TEST 1 mo 2 mo 3 mo 4 mo 2+ WEEKS
- 29. Commit Code Build Binary Test Binary Certify Audit Stage Deploy AUTOGenerate Issue Tickets into flow AUTO Test Security with every build CS CI/CD DEV TEST 1 mo 2 mo 3 mo 4 mo
- 30. Commit Code Build Binary Test Binary Certify Audit Stage Deploy AUTOGenerate Issue Tickets into flow AUTO Test Security with every build CS CI/CD DEV TEST Final Pre-release Certification Reports Risk & Compliance Reports Management Reporting 1 mo 2 mo 3 mo 4 mo
- 32.
- 33.
- 34.
- 35. Commit Code Build Binary Test Binary Certify Audit Stage Deploy TestSecurity with every build Integrate tickets into workflow, for every build Risk & Compliance Reports Management Reporting Final Pre-release Certification Reports
- 36.
- 37.
- 38.
- 39.
- 41. AppSecQADev CERTIFYTESTCODE - Protect thebusiness - Define & share best practices - Monitor for Compliance - Automate the manual work - More coverage with fewer people - Lower escape defect ratios - Leverage new technology, new features - Lower costs by fixing early PHASE YOUR SHIFT LEFT
- 42. Test Every BuildEvery Day Findings created automatically in local JIRA instance Reports routed to risk & compliance stakeholders Results auto-routed to management dashboard Deep Dive Investigations in NowSecure when needed Test 3rd party apps used by employees via NowSecure 1 mo 6 mo 12 mo 16 mo Increasing Volume of apps Increasing Frequency of releases
- 43. © Copyright 2018NowSecure, Inc. All Rights Reserved. Proprietary information. Recommendations & Next Steps
- 44.
- 46.
- 47.
- 48.
- 49.