Hi everyone, welcome to 2022!
One of the biggest themes this year, for mobile developers and mobile security teams alike, is known as the “Shift-Left” security model. Crunchbase covers the shift left security model as one of the next big trends in 2022. According to Crunchbase, mobile app development will “move towards a world that would allow developers and IT departments to formally verify that software is in compliance with a [security] specification before the software goes into production.”
Sounds great, right? I agree.
How Do You Apply Shift-Left Security in Mobile Development?
The Shift-Left security model says that mobile app developers must build mobile app security, fraud prevention and anti-malware features into mobile apps as early as possible in the mobile app’s development cycle. In other words, mobile developers must build the needed security features into Android and iOS apps at the same time as they are building the mobile app, not after they have finished building the app.
In a standard development process, including DevOps or DevSecOps, there is tension between the objectives of the developers and the objectives of the security teams. Developers are constantly working to improve the top KPIs for all mobile apps. The number of downloads, active users, screens per visit, ARPU, COCA, crash rates, and more are critical to the success of a mobile app. Security teams are constantly working to improve the security of the mobile app. For security teams, the type and class of exploits, the protections needed to satisfy regulatory compliance, and the protections expected by the mobile app’s end users, matter most. While code scanning improved visibility, the work of securing the app, users, and data remained. The hard work of building protections was still left to the mobile development team.
But what if mobile developers and security teams could each get what they want and need? What if, instead of relying on code scans to identify vulnerabilities, code scans validated the security already built into the mobile app? What if, instead of “red light” alarm bells going off in the release process, “green lights” showed up and releases were cleared easily?
That’s the point of shift-left security for mobile app development.
How Are Shift-Left and DevSecOps Different?
This “Shift-Left” in security is very different from DevSecOps models used by mobile app developers today. In the DevSecOps model, mobile developers first build the mobile app. Then, they send a ‘release candidate’ to a third-party pen tester or automated scanning tool to find vulnerabilities. When vulnerabilities are found, the development and security teams scramble to remedy the security deficiencies before the app is released. If anything in this process is manual – including SDKs and coding – the release is stalled or security is compromised to achieve the release deadline.
The classic DevSecOps model brought visibility through code scanning and pen testing inside the mobile development process. But, as the developer, if you didn’t have the tools, skills, people or time to fix the issues uncovered by the pen tester or app scan, you were stuck. In Shift-Left security models, developers actually build specified security features into mobile apps using the existing systems, workflows, automation suites and platforms they use to release apps today. Security teams specify the needed protections, much like product managers delivering feature requirements to the mobile engineering team. Engineering teams take these requirements and include them in the same DevOps development processes used to create the app.
The benefit of a shift left security strategy inside a mobile DevOps model is simple – better protection, faster. Done right, a shift-left security model combined with DevOps leads to greater release certainty, rapid threat response, and reduced costs as well. Don’t get me wrong, DevSecOps remains vitally important. But, combining Shift Left Security Models with DevSecOps, I believe, is the new way.
How Does Appdome Deliver Shift-Left Security for Mobile Apps?
Appdome is the only security build system for Android and iOS apps. With Appdome, the security and development teams define the security, fraud prevention, and anti-malware features needed in each release, and use a machine to build the required protections into a mobile app. At the heart of Appdome’s security build system is a set of patented technologies:
- An easy-to-use, comprehensive security, fraud prevention & anti-malware feature selection interface.
- Security build templates, called Fusion Sets, that can be created, upgraded, version controlled, ported, shared and used across one or many mobile applications at the same time.
- AI-Security Coding Engine that is capable of building any combination of security features into any Android or iOS app.
- Security Release Management™ toolbox, including Dev-APIs, project teams, CI/CD integration, and more.
- Certified Secure™ provides the audit reporting that your compliance teams or external auditors require.
Combined, this allows developers or security teams to specify and build the security features required for the app or respond quickly to security issues as they arise, all with zero dependencies on the development team. It also allows developers and security teams to standardize and agree on a common security model, iterate, expand, and improve that security model release by release.
If you’re ready to apply Shift-Left Security to your mobile app security objectives like app shielding, data encryption, native and non-native code obfuscation, jailbreak/rooting prevention, MitM prevention, Frida/dynamic binary instrumentation prevention, Magisk root-hiding, screen overlay attacks, ad fraud, game cheating, and more – use the button below to request a live Appdome demo.