Businesses invest capital to create valuable products and services and bring with them an expectation of a high return on that investment. Costs in a business are based on the efficiency of production, expenditure of effort and consumption of resources required to deliver, support and maintain that product or service.
Over the years, software development teams have evolved from waterfall to agile to DevOps to gain time to market advantages and continuously improve the apps they create. Automation and CI/CD platforms radically changed software delivery, making software development lifecycles even more efficient, iterative and adaptable. Then, AI-factories entered the picture, and empowered development teams with tools like Microsoft Copilot, and others, eliminating the grunt work and learning curve often associated with building great software at scale.
Against this backdrop, I’ve been unpacking a new model I call cyber “Policy as Code” that’s ushered in by the power and promise of Appdome’s advanced technology and mobile app defense platform for mobile brands and enterprises.
The Not-So-Hidden Expense of Secure Coding
Let’s start by looking at the traditional cost and time models for building secure software. To manage and reduce risk, multiple teams invest time, effort and resources in ensuring security is a key element throughout the software development lifecycle. Dev, security, architects, DevOps, and platform engineers along with a plethora of manual security pen testing and automated security testing tools are put to use. From my time at NowSecure, the top Mobile Application Security Testing platform, I learned that there are typically ten (10) points of “security” cost and time in the DevOps pipeline:
- Security training – cost of developer and security training materials, cost of time to train, opportunity cost (i.e., time away from coding actual software to learn), knowledge retention challenges and retraining.
- Secure by Design – cost and time to design and architect security features to meet requirements, including threat modeling.
- Writing secure code – cost of feature development including time for developer to write secure code for application workflows, auth, keys, network connections, data entry, checkout, payment, and other functions.
- Testing code security – cost of purchase and management for appsec testing (AST) tools, plus time and cost of security analysts to configure, run and maintain testing tools.
- Pen testing – cost and time of insourced or outsourced red team or analyst labor.
- Security Bug Backlog debates – cost and time for sec and dev to review, discuss, debate what issues to fix and how to fix them.
- Security Code remediation – cost and time for dev to fix security bugs.
- Security Retesting – cost and time to retest and verify proper remediation before release.
- Security Incident Response – cost and time to identify production issues, remediate those issues, retest and re-release.
- Resource Drain – loss of the security-trained dev resource (which starts the cycle over).
Essentially, organizations have been stuck for decades in this costly hamster wheel of train – design – code – test – fix – test – ship – incident – find – fix – test – ship, which slows releases, frustrates every stakeholder, drives up costs and gets worse by the year. Consider the DevSecOps challenge: automated AST tools in the CI/CD pipeline can generate hundreds or thousands of security bug tickets for every build every day, creating a long, costly backlog that distracts dev, consumes resources and may never get fixed.
Secure Coding vs. Coding Security
The big “aha” moment came a while ago when I realized that secure coding wasn’t the same as coding security. Properly coding security “features” requires cybersecurity engineers or researchers, a specialized skill that most organizations don’t have. These cybersecurity engineers are the resources that organizations need to build sophisticated defenses like anti-tampering, obfuscation, anti-fraud, anti-bot, anti-social engineering, biometrics and more. This is why dev teams look to open source or commercial SDKs to shorten the process. Whether devs use open source or commercial SDKs, these approaches aren’t free. They too add cost to the software development process and draw in valuable dev resources whose best use is building the amazing mobile apps the business was established to create. (And sometimes those open source SDKs bring in their own supply chain vulnerabilities, further increasing overall risk and costs.)
Leaky Bucket in Incident Response Drains Resources
Good incident response requires two things: (1) a system to detect the attack as soon as possible, and (2) a means to deliver the required remediation as fast as possible. At an industry level, we’ve done a great job on the cloud and web in becoming aware of attacks, and have had an almost equal level of success in remediating attacks in cloud and web infrastructures. On the mobile side, however, no such systems exist. Most organizations don’t know when or how large attacks on their mobile apps and devices happen, leaving them continuously exposed to risk on the perimeter. Some organizations try to monitor mobile attacks but rely on costly manual processes to identify and remediate, creating a leaky bucket in their incident response and draining valuable resources.
The New World: Cyber “Policy as Code”
What if you could apply the power of machine learning to eliminate the engineering burden of manually coding, building and releasing security, anti-fraud, anti-bot, anti-cheat and other defenses into mobile applications? What if the same system could give you the power of visibility, agility, and response to any mobile incident that occurs in your business by addressing it automatically in the CI/CD pipeline? What if the system could do all this in minutes?
Imagine cyber and fraud teams (and cyber fraud fusion centers) had the power of “Policy as Code” – the ability to set policy in a system and have that system automatically code and build the security and other defenses based on policy into the mobile app in the CI/CD pipeline. The machine would be responsible for coding the security and defenses the right way every time, every build, no matter what the mobile OS, language or framework. And for proof, the machine would automatically generate Certified Secure attestation.
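As an added illustration (not Appdome’s code or file format), here is what a minimal “Policy as Code” gate could look like in a CI pipeline: a declarative policy of required defenses, the build’s manifest of the defenses it actually applied, a fail-closed comparison, and an attestation record that binds the verdict to the policy and artifact digests. Every name, field and value below is constructed for the example.

```python
"""Illustrative "Policy as Code" CI gate (constructed example, not Appdome code).
Assumed inputs: a policy listing required defenses and a build manifest listing
applied defenses. The gate fails closed and emits an attestation record."""
import hashlib
import json

# Constructed policy: what the cyber/fraud team requires for every build.
POLICY = {
    "version": 1,
    "required_defenses": ["anti-tampering", "obfuscation", "root-detection"],
    "platforms": ["android", "ios"],
}

# Constructed build manifest: what the automated build reported it applied.
BUILD_MANIFEST = {
    "app": "example-mobile-app",
    "platform": "android",
    "artifact_sha256": "d4f1" * 16,  # placeholder digest, not a real artifact
    "applied_defenses": ["anti-tampering", "obfuscation"],
}

def canonical_digest(obj) -> str:
    """Stable SHA-256 over canonical JSON so any policy/manifest edit is detectable."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def evaluate(policy, manifest):
    """Return (passed, missing_defenses). Unknown platforms fail closed."""
    if manifest.get("platform") not in policy["platforms"]:
        return False, list(policy["required_defenses"])
    applied = set(manifest.get("applied_defenses", []))
    missing = [d for d in policy["required_defenses"] if d not in applied]
    return not missing, missing

def attest(policy, manifest):
    """Build an attestation record to store beside the artifact for audit."""
    passed, missing = evaluate(policy, manifest)
    return {
        "policy_sha256": canonical_digest(policy),
        "artifact_sha256": manifest["artifact_sha256"],
        "verdict": "pass" if passed else "fail",
        "missing_defenses": missing,
    }

if __name__ == "__main__":
    record = attest(POLICY, BUILD_MANIFEST)
    print(json.dumps(record, indent=2))
    raise SystemExit(0 if record["verdict"] == "pass" else 1)  # gate the pipeline
```

Run as a pipeline step, a non-zero exit blocks the release while the printed record gives auditors the policy digest, artifact digest and exact gap.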
Mobile developers no longer need to transform themselves into cybersecurity engineers overnight, suffer trial and error, face the steep learning curves or go up against the onslaught of AI-powered attack tools available to internal red teams (let’s face it, these tools do outgun the engineering teams right now) and external attackers. The security bug backlog could be flushed immediately. Gone are the time and costs of manual learning, coding, troubleshooting, and fixing security. At last, secure software is released faster at lower cost and risk.
The economic transformation of using the “Policy as Code” approach is staggering. In the old world, it could take a mobile brand months of dev and security time, resulting in high costs, to get to the first release, and that same mobile brand may never reach full remediation of all known security gaps and production-level attacks. With “Policy as Code,” building defense into mobile apps and incident response is less than 5 minutes away, collapsing months of time and cost into minutes.
These economic gains of “Policy as Code” compound over time. The more frequent the releases and the higher the number of apps, the more machine learning and automation eliminate time and deliver cost savings to the business.
“Policy as Code” also transforms every enterprise risk program, bringing full visibility and auditability with predictable, reliable automated controls for resiliency. This approach drives enterprise value with proactive measures to assess, quantify, manage and mitigate, consistently driving down risk while reducing program costs – a true win-win. Relegate mobile to the bottom of your risk register.
The Future: Platforms, Automation and Machine Learning for Efficiency
Simply put, the toughest challenges in delivering secure code and coding security are smashed by the “Policy as Code” benefit of the Appdome platform’s automation and machine learning advantages. The promise of technology has always been to either complete work that isn’t getting done or make work that we’re doing more efficient. Appdome does both, delivering dramatic operational cost savings and faster software releases to drive real business ROI.
My prediction is that developers, cyber, and fraud teams, and business leaders will embrace “Policy as Code” for its simplicity, transparency, agility and efficiency — making those businesses using legacy manual methods fade away. In kind, it will also reduce mobile business risk and improve resiliency across the board.
Sign up for a demo to see Appdome in action. Bring your whole team — leadership, dev, devops, security and cyber-fraud teams — to see how you can deliver your mobile apps faster at lower cost with the confidence of always-on mobile app defense.