DevSecOps: injecting security into the mobile CI/CD pipeline

A guide to understanding the concept behind DevSecOps and how you can inject security into your mobile CI/CD pipeline to deliver more secure mobile applications.

Over the past few years, the mobile application development lifecycle has changed a lot. Teams need to apply shift-left testing and Mobile DevOps, meaning that tests are run early and often to minimize the cost of bugs.

As the speed and frequency of releases increase, traditional application security teams cannot keep up with the pace of releases to ensure each release is secure.

What is shift-left testing?

Shift-left testing is the approach of taking the testing of the software and moving it to the left in the delivery pipeline, that is, testing the software earlier in the development lifecycle than has historically been typical.


Image Source - https://www.xenonstack.com/insights/shift-left-testing

What is Mobile DevOps?

Mobile DevOps is a set of processes for implementing Continuous Integration and Continuous Delivery practices in build and release processes to achieve a quick and frequent release schedule. It includes several key components, such as continuous communication, planning, integration, testing, delivery, deployment, and monitoring.

However, if you want to make the most out of the agility and responsiveness of the Mobile DevOps approach, you should also integrate security into the entire lifecycle of the mobile app releases. With today's collaborative Mobile DevOps approach, security becomes a shared responsibility that is integrated into the process from the start. This principle is called “DevSecOps” to underline that all DevOps initiatives must be based on a strong security foundation.

Why is security so important?

Security plays an important role in many areas of our lives, especially in the wave of digital transformation. Every day we hand sensitive data such as emails, addresses, credit card numbers, and mobile numbers to mobile applications across many industries (automotive, healthcare, financial, retail, e-commerce) and to embedded and IoT devices. Security is becoming more important than ever.

What’s DevSecOps?

DevSecOps means injecting security into the Mobile CI/CD pipelines at the early stages in the development process. It’s an approach to culture, automation, and platform design that integrates security as a shared responsibility throughout the entire Mobile DevOps lifecycle.

The importance of DevSecOps

In DevSecOps, security is the shared responsibility of everyone in the DevOps value chain. Companies involved in the development and distribution of applications must consider security on an equal footing with development and operation. When you integrate DevSecOps and DevOps, security is always a priority for every developer when developing and deploying applications.

The Benefits of DevSecOps

A key benefit of DevSecOps is that it coordinates the efforts of DevOps and security teams, which traditionally work in separate silos. There are other benefits as well, such as the following:

  • The more automation the better: By embedding automated security controls and tests early in the development cycle, you can ensure that your applications are deployed quickly without skipping security checks.
  • DevSecOps increases efficiency: Security is added into the workflows you already have rather than bolted on as a separate phase. By using tools that check code as it is written, security gaps can be identified at an early stage (test early and often).
  • Threat modelling: This helps you identify the weaknesses in your resources and address any gaps in your security controls.

DevOps vs. DevSecOps

DevOps focuses on the speed of app delivery, while DevSecOps augments speed with security by delivering apps that are as secure as possible, as quickly as possible. In other words, the goal of DevSecOps is to promote the fast development of a secure codebase.

From DevOps to DevSecOps

Moving from DevOps to DevSecOps means building security in from the start, extending the culture of shared understanding and responsibility to security concerns, and building security checks into the CI/CD pipeline. You can do this by implementing the following steps:

  • Apply shift-left testing (test early and often).
  • Choose the right security testing methods.
  • Establish coding standards for your team.

Choosing the right security testing methods

When the team starts thinking about implementing security testing, they should explore the different methods available:

  • Static Application Security Testing (SAST): Examines an application's components without executing them, by analyzing the source code (or the built artifact) either manually or automatically.
  • Dynamic Application Security Testing (DAST): Examines the running application to look for vulnerabilities that only show up at runtime, such as insecure network traffic or data written to insecure storage.
  • Interactive Application Security Testing (IAST): Combines elements of SAST and DAST, using software instrumentation (active or passive) to monitor the application while it runs.

Automated security tests

The ultimate goal of DevSecOps is to automate security practices and vulnerability detection into a continuous delivery workflow. As developers gain more responsibility to push applications all the way to production, they are under pressure to release code quickly.

“Automated Security Testing is the future for mobile security. Integrating automated security testing with the build and deploy cycles pushes security testing for mobile apps out to the development teams which results in more secure apps while allowing the security teams to focus on complex penetration testing.” - Justin Somaini, Chief Security Officer at Unity Technologies

Automated Security Tests with Bitrise

Bitrise is a Continuous Integration and Delivery (CI/CD) Platform as a Service (PaaS) with the main focus on mobile app development (iOS, Android, React Native, Flutter, and so on). It is a collection of tools and services to help you with the development and automation of your software projects.

Test automation is increasingly becoming the norm in mobile development, as it leads to more robust apps and a faster development lifecycle with earlier bug detection. When writing automated unit, integration, and end-to-end tests, security features should be treated like any other functionality.

If your team has been incorporating security requirements into user stories and discussing threat models as part of the design process, adding tests that cover security functions is a natural extension of that work. Let's assume that a team needs to implement the following CI/CD pipeline to inject the automated security tests.

With Bitrise, you can use the Workflow Editor to build and customize your CI/CD workflows by adding the Steps required by the design above. After adding all the steps, the final Workflow looks like this:

Bitrise offers several security-focused Verified Steps that you can add to your CI/CD workflow, including static and dynamic testing tools such as the following:

NowSecure

NowSecure is a powerful mobile app security testing platform that helps teams identify and fix security vulnerabilities, protecting user data and ensuring compliance with security standards. Its comprehensive security testing, integration with development pipelines, and expert remediation guidance make it an excellent choice for teams looking to strengthen their mobile app's security.

Here are some features of NowSecure:

  • NowSecure automates the process of identifying security vulnerabilities in your mobile apps, making it easy to find and fix issues quickly.
  • Integrate NowSecure into your development pipeline for continuous security testing throughout the app development lifecycle.
  • Leverage NowSecure's expert security analysts for in-depth manual penetration testing to uncover hard-to-find vulnerabilities.
  • Ensure your app complies with security standards such as GDPR, HIPAA, and PCI-DSS using NowSecure's compliance testing features.
  • Access detailed reports on identified vulnerabilities, along with remediation guidance to help your team address security issues effectively.

Find the NowSecure Verified Step here: NowSecure

DexProtector

DexProtector is an app-hardening service created by Licel that helps developers to control key processes and secure the most sensitive parts of their apps and libraries. Supporting both Android and iOS apps, it builds layers of protection on top of one another, creating a solid shield around your app, preventing real-time attacks. To use the DexProtector Verified Step, you need a valid DexProtector Enterprise license.

Find the DexProtector Verified Step here: DexProtector

Oversecured

By adding Oversecured to your Workflow, you can scan each new version of your app automatically, and fix vulnerabilities at the earliest stages of development. Once the APK file is uploaded to the service, it automatically scans for all known mobile vulnerabilities, including arbitrary code execution, theft of arbitrary files, and cross-site scripting. As a result, it generates a report that can be exported as a PDF file for a detailed overview. Oversecured currently supports Android apps written in Java and Kotlin — find out more about the Step here.

Find the Oversecured Verified Step here: Oversecured

App-Ray

App-Ray is a fully automated mobile security analysis tool that helps you protect your apps and user data from the risks posed by cyberattacks. Set up security rules for your device, prevent malicious apps from being installed, and learn about vulnerabilities in your own or 3rd-party applications with this integration. Currently available for native iOS and Android apps, App-Ray only takes around 10 minutes to complete a scan. Read more here.

Find the App-Ray Verified Step here: App-Ray Mobile Security

Data Theorem

Data Theorem is a leading provider in modern application security with a core mission to analyze and secure any modern application anytime, anywhere. The Step sends the artifacts to Data Theorem: this way the build keeps running, regardless of the result of the analysis. You can analyze open-source and/or third-party SDKs your application uses, secure your code within the CI/CD pipeline, identify security and privacy issues, and so on. Check out this article for more details.

Find the Data Theorem Verified Step here: Data Theorem Mobile Secure
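The Steps above send the build artifact to a scanning service and, as the Data Theorem description notes, the build keeps running regardless of the analysis result. Teams that want the pipeline to block a release on serious findings usually add a small gate that reads the scanner's report and fails the build above a chosen severity. The following is an added example of such a gate (not Bitrise's, nor any vendor's, code); it is meant to run as a late script step (for example Bitrise's Script step) after the scan has finished. The JSON report layout, finding ids and severities are constructed for this example and do not match any particular vendor's export format.

```python
"""Severity gate for a mobile security scan report (added example).

Reads a JSON report, counts findings per severity, and fails (exit 1)
when any finding at or above the threshold has no recorded risk
acceptance.  The report format below is constructed and is not the
output format of any scanner named on the page.
"""
import json
import sys

# Ordered from least to most severe so thresholds compare by index.
SEVERITIES = ["info", "low", "medium", "high", "critical"]

# Constructed sample report standing in for a scanner's JSON export.
SAMPLE_REPORT = json.dumps({
    "app": "com.example.demo",
    "findings": [
        {"id": "F-001", "severity": "high", "title": "Cleartext traffic allowed"},
        {"id": "F-002", "severity": "medium", "title": "Backup of app data enabled"},
        {"id": "F-003", "severity": "low", "title": "Verbose logging in release build"},
        {"id": "F-004", "severity": "critical", "title": "Hard-coded API key"},
    ],
})


def severity_rank(label):
    """Position of a severity label; unknown labels are treated as critical
    so a scanner introducing a new label cannot silently pass the gate."""
    try:
        return SEVERITIES.index(str(label).lower())
    except ValueError:
        return len(SEVERITIES) - 1


def evaluate(report_json, fail_on="high", accepted=()):
    """Return (passed, blocking_findings, counts_by_severity).

    fail_on  - lowest severity that blocks the build
    accepted - finding ids with a recorded risk acceptance; they are
               still counted but do not block
    """
    report = json.loads(report_json)
    threshold = severity_rank(fail_on)
    counts = {s: 0 for s in SEVERITIES}
    blocking = []
    for finding in report.get("findings", []):
        rank = severity_rank(finding.get("severity", "critical"))
        counts[SEVERITIES[rank]] += 1
        if rank >= threshold and finding.get("id") not in accepted:
            blocking.append(finding)
    return len(blocking) == 0, blocking, counts


def main(argv):
    """Usage: gate.py [report.json]; with no path the constructed sample is used."""
    data = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    # F-001 is shown as an accepted risk to illustrate the allowlist.
    passed, blocking, counts = evaluate(data, fail_on="high", accepted=("F-001",))
    print("findings by severity:", counts)
    for f in blocking:
        print(f"BLOCKING {f['id']} [{f['severity']}] {f['title']}")
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keeping the accepted-finding list in version control next to the pipeline definition gives reviewers a visible record of which risks were knowingly accepted and when; the unknown-label rule errs toward failing the build rather than letting an unfamiliar severity slip through.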

If you want to learn more about our Verified Steps, you can watch our playlist here.

And if you need to learn more about DevSecOps you can watch my previous talk at Mobile Day about DevSecOps: Injecting Security into Mobile CI/CD Pipelines.

Conclusion

Since security is becoming more important than ever, we should make sure to always add security testing to our CI/CD pipelines. Like DevOps, DevSecOps is a combination of culture, mindset, processes, and tools. Security should not be the security team's responsibility alone but a whole-team approach, with test automation being a vital part of DevSecOps practices.
