Nearly every organization dreads the “S-word,” but security should be something we embrace early instead of avoiding until the last minute.
It’s strange that we would delay something that could derail our entire application release to the very end when we know we will have no time to address it. Fear of the unknown and fear of failure are powerful drivers, but you shouldn’t keep following that development anti-pattern.
Most mobile application development teams lack a security testing practice, or if they do have one, it lacks the maturity to be effective. I think there’s a misconception that in order to have a satisfactory security testing process, it requires a lot of money or an entire dedicated team.
In reality, the effective mobile app security practices are not necessarily those that spend the most money or have the most engineers (although both can certainly help). It’s the ones that have adopted these three fundamental concepts.
Have you ever been told to just “test the application,” but you don’t even have a plan? We can often make “penny wise, pound foolish” decisions to cut planning in testing that will lead to overlooking key functionality, delaying a schedule, or certifying a product that’s not ready to ship.
A good security tester always has a plan, and threat modeling is key to knowing what’s most important to test for, what kind of threats are you most likely to deal with, and what the risks are for your organization, users, and application.
Core security testing concepts
Understanding your mobile application’s architecture and the risks associated with it is essential. Attempting a one-size-fits-all approach to security testing doesn’t scale and often leaves an organization unprepared when something breaks the mold.
Your team must have a common understanding of your application’s risks, as well as knowledge of sound security concepts, such as client-side injection, server-side controls, and code tampering. While testers don’t need to be experts, they must have a strong foundation and an organization that encourages continuous learning and improvement. Testing methods will change as rapidly as new attacks on vulnerabilities are created, so being able to learn new techniques and change with the times is critical for long-term success.
A risk-based testing strategy
As a proponent of DevOps and automation, I believe any test strategy (security or otherwise) should know where to leverage automated tests and tools in order to limit expensive analysis and where to keep manual testing. But how you test is only half of your strategy; what you test is just as important.
It isn’t feasible that your testing strategy will cover every scenario or that your mobile app will ever be 100 percent secure. So instead of trying to check off every box, focus your testing on high-risk areas outlined in your threat model before testing for low-risk threats.
Establishing a strong foundation for your security testing practice, based on these three essential concepts, will set your team up for success.
Alan Crouch is presenting the session Building and Testing Secure Mobile Apps and the keynote Rooting Your Devices to Test Outside the Box at the Mobile Dev + Test 2017 conference, April 24–28 in San Diego, CA.