Historically, releasing mobile apps to production has not been smooth sailing. In fact, it is rocky. In a survey of Appdome customers, we found that about one third of releases are held back because of security issues in the app. Study after study has also shown that most mobile apps reach the public app stores with vulnerabilities. A recent academic study found that 67% of malicious app installs came from the Google Play Store.
Tension between DevOps and Security
- Fact: most apps in production have vulnerabilities.
- Fact: one out of three apps does not make it through the release meeting because of vulnerabilities.
- This raises the question: why did the other two thirds of apps get (reluctant) approval from the release team?
The reason is tension: tension between DevOps teams and security teams. It is caused by engineering schedules, pressure from sales to get products to customers, and pressure from marketing to meet product release dates. On top of that, competitive and regulatory forces demand that new versions of the mobile app get released to production.
The demands on DevOps to get new releases out of the door quickly are high, and security is in many cases seen as a negative force holding back innovation. We hear this from customers on a regular basis. A security review can be a real pain. “Did you add the company-approved security features to the app?”, “Can you prove that the approved security features are in the app?”, “Can you guarantee that the app is secure?” are just some of the questions that in many cases cannot really be answered.
Why Are DevOps and Sec so often at odds when it comes to releasing mobile apps?
DevOps.com said that “security should be baked into the DevOps process, from tools to skills to collaboration. DevOps and security are not mutually exclusive.” So why is this so hard when it comes to Mobile DevSecOps? Why are DevOps and Sec so often at odds when it comes to releasing mobile apps?
The answer lies in how work is done in mobile app DevOps versus mobile app security. All the work in DevOps is automated, from GitHub to Jenkins to Fastlane, while everything in mobile app security is manual. Developers have to hand-code security features like anti-tampering, obfuscation, data-at-rest encryption, jailbreak/root detection, data-in-transit encryption, and more. A plethora of security SDK vendors position themselves as an alternative, but buyer beware: implementing a security SDK is NEVER just a couple of lines of code. It is hard to do, still a manual process, brittle, and does not offer a guaranteed outcome.
Mobile app security solutions available today DO NOT FIT into the automated delivery model that is DevOps. The only way to automate security and make it fit within the DevOps workflow is to stop trying to squeeze it in at the end of the dev cycle. As things stand, security does not have a seat at the mobile app development table. And as long as security is manual and cannot be seamlessly plugged into existing DevOps workflows, it will remain an afterthought, at best.
No surprise, then, that DevOps teams consider the security review during release meetings a pain, and no surprise that there is tension between DevOps and Security.
Appdome Offers a Mobile DevSecOps Workflow
Appdome is the only mobile app security solution available today that fully automates building security into mobile apps (i.e. in-app security) without coding, and without making developers change the way they build apps. The Appdome APIs integrate with CI/CD tools including Jenkins, GitLab CI, TeamCity, Travis CI, Bamboo, CircleCI, Codeship, Codefresh, Azure DevOps, Azure Pipelines and others. As a result, the Appdome security workflow can be fully integrated into the existing DevOps workflow, without any changes to that workflow. This gives security a prominent seat at the app development table. Dev and Sec can work together to apply the approved security features at any point of the build phase.
And during the release team meeting, the Dev team can easily answer all the pesky questions above with Appdome Certified Secure, a service that certifies that the approved security features were added to the specific version of the app that is targeted for release. Appdome also integrates with Ops tools like Fastlane to automatically push the release-approved version of the app to the public app stores.
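The release-gate idea in the two paragraphs above (certify that the approved features are in the specific build that ships, then let automation push it) can be made mechanical in the pipeline itself. The following is an added example, not Appdome's code or its Certified Secure API, and the record format, feature names and sample binary are all assumptions constructed for illustration. It binds a certification record to the exact artifact by SHA-256 and refuses the release if the hash does not match or any approved feature is unattested, so a rebuilt or patched binary cannot ride on an older certificate.

```python
import hashlib
import json

# Constructed sample "app binary" for illustration only; a real gate would read
# the .apk/.aab/.ipa produced by the build job.
SAMPLE_ARTIFACT = b"PK\x03\x04 constructed sample app binary, not a real APK"

# Security features the release meeting expects to be present. These names are
# assumed for the example, not a vendor's feature identifiers.
APPROVED_FEATURES = {
    "anti-tampering",
    "obfuscation",
    "data-at-rest-encryption",
    "jailbreak-root-detection",
}


def artifact_sha256(artifact: bytes) -> str:
    """Hash of the exact build under review; the certificate must bind to this."""
    return hashlib.sha256(artifact).hexdigest()


def make_sample_record(artifact: bytes) -> str:
    """Construct a certification record as a JSON string.

    In a real pipeline this record would be produced by the certification step
    that ran over the built binary; the schema here is an assumption.
    """
    return json.dumps({
        "app_id": "com.example.app",
        "version": "3.2.1",
        "artifact_sha256": artifact_sha256(artifact),
        "features": sorted(APPROVED_FEATURES),
    })


def release_gate(artifact: bytes, record_json: str, required: set) -> tuple:
    """Return (approved, reasons).

    Approved only if the record is bound to this exact artifact by hash AND
    every required feature is listed in it.
    """
    reasons = []
    try:
        record = json.loads(record_json)
    except json.JSONDecodeError:
        return False, ["certification record is not valid JSON"]

    # Check 1: bind the certificate to the bytes, never to a version string,
    # so a rebuilt or patched binary cannot reuse an old certificate.
    if record.get("artifact_sha256") != artifact_sha256(artifact):
        reasons.append("certificate hash does not match the artifact under review")

    # Check 2: every approved feature must be attested, not just some of them.
    missing = required - set(record.get("features", []))
    if missing:
        reasons.append("missing approved features: " + ", ".join(sorted(missing)))

    return (not reasons), reasons


if __name__ == "__main__":
    record = make_sample_record(SAMPLE_ARTIFACT)
    ok, why = release_gate(SAMPLE_ARTIFACT, record, APPROVED_FEATURES)
    print("release approved" if ok else "release blocked: " + "; ".join(why))
```

The point of the hash binding is that the answer to “Can you prove the approved features are in the app?” refers to the bytes being uploaded, not to a version label that a later rebuild could share. Run this as the last step before the Fastlane upload lane and fail the job when the gate returns false.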
Highlighting the Positive Contributions of the Security Team
With Appdome’s Mobile DevSecOps workflow, mobile app security can be fully integrated into the DevOps workflow without creating any disruptions. This removes the tension between DevOps and Sec. Appdome elevates security to become a full member of the DevSecOps process. With Appdome, the security team can focus on the positive contributions they add to the DevSecOps process rather than being perceived as a pain you know where.
Step up to Mobile DevSecOps today! Create your free Appdome account and get started today.