The Blueprint for Cost-Efficient Mobile AppSec

By Special Guest Brian Reed, Chief Mobility Officer, NowSecure | June 13, 2023

Mobile apps power revenue generation, customer engagement and analytical insights. They account for 70% of all internet traffic, and data shows they will generate $935 billion in 2023. However, economic uncertainty has many organizations looking for ways to develop and secure their mobile apps while containing costs.

With mobile apps being vital to business success, there has never been a more important time to prioritize mobile app security. To strike a balance between coverage and cost-efficiency, organizations can use the following blueprint to optimize mobile AppSec productivity, minimize costs and deliver high-quality mobile apps faster.

Mobile App Vulnerabilities Impact Business Success

Many well-known organizations have felt the impact of launching mobile apps with security and privacy weaknesses:

  • Chick-fil-A faced criticism after a mobile app breach compromised 71,000 user accounts.
  • Hyundai and Genesis received backlash after security researchers discovered post-2012 car models shared a vulnerability that allowed threat actors to access MyHyundai and MyGenesis mobile apps.
  • Under Armour dropped 3.8% in market value after a vulnerability in the MyFitnessPal mobile app allowed threat actors to steal personal information from more than 150 million customers.
  • British Airways also experienced a major market share drop after a mobile app security breach leaked 380,000 credit card payments and personal information.

The costs of neglecting mobile app security outweigh any investment in mobile AppSec. But organizations can maintain strong mobile app security and improve efficiency without overspending.

Mobile AppSec Cost Savings Strategies

Organizations looking to balance coverage and cost-savings in their mobile AppSec programs can consider several strategies.

Replace Internal/External Penetration Testing with Automation

Small and mid-sized organizations often outsource their mobile app pen testing at a cost of $15,000 – $25,000 per test. For organizations testing twice a year, these costs can grow to $30,000 – $50,000 annually, or even more. Conversely, large-scale organizations that conduct internal pen testing must pay employee salaries and provide the technical resources their testers need to do the job effectively.

Instead of relying on manual pen testing, mobile AppSec teams can use mobile application security testing for unlimited testing of builds every day for as low as $40 per day, substantially reducing costs while dramatically increasing test frequency. As a bonus, continuous automated security testing eliminates often lengthy wait times for manual pen tests.

Establish Standards Policy in Pre-Production

Establishing mobile application security standards makes it easier for development and security teams to agree in advance about what does and does not need to be addressed before the mobile app launches. Devs will know how to write code and security analysts will know what to test, driving alignment and efficiency.

Designing a standards policy based on the Open Web Application Security Project (OWASP) Mobile Application Security Verification Standard (MASVS) ensures mobile apps meet a baseline level of security against a globally trusted security standard. OWASP MASVS also provides the foundation for the App Defense Alliance (ADA) Mobile Application Security Assessment (MASA), which is used to meet Google Play Data safety requirements.

Integrate Automated Testing Into the DevSecOps Pipeline

The status-quo approach to mobile AppSec testing usually involves testing at the end of the dev pipeline. Internal or external security analysts run manual tests and then notify devs about critical issues and Google Play/Apple App Store blockers. This approach often leads to release delays: devs must wait on security analysts to provide results, and then spend time and resources to fix issues before the mobile app launches.

Alternatively, teams can shift left and deploy automation into their CI/CD platform to avoid testing at a fixed point in the DevSecOps lifecycle. After devs write new code, automated security testing completes an assessment and generates issue tickets noting security bugs or policy mistakes. Using automated testing solutions with built-in remediation information further improves efficiency by helping devs save time searching for solutions on Google and Stack Overflow.
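The two preceding sections describe a standards policy agreed before production and a CI/CD gate that turns automated scan results into tickets or build blockers. The following is an added example of such a gate, not NowSecure's code or any real scanner's output format: the scanner report layout, the sample findings for a fictional app and the policy thresholds are all constructed for illustration, while the control ids follow the OWASP MASVS v2 naming (for example MASVS-STORAGE-1). Findings in the agreed MASVS areas at or above the blocking severity fail the build; everything else at or above the ticket threshold is turned into an issue-tracker payload so devs get it without waiting on a manual report.

```python
"""Build gate that applies a pre-production mobile AppSec standards policy to
automated scan results.  Added example, not NowSecure's or OWASP's code.

Assumptions (constructed for this example): the scanner report format below,
the sample findings, and the policy thresholds.  Control ids use the OWASP
MASVS v2 naming scheme (e.g. MASVS-STORAGE-1)."""
import json
import sys
from dataclasses import dataclass

# Severity order used for threshold comparisons.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed policy: MASVS areas that must be clean at 'high' or worse before a
# build may ship; anything at 'low' or worse still gets a ticket for devs.
POLICY = {
    "block_categories": {"MASVS-STORAGE", "MASVS-CRYPTO", "MASVS-AUTH", "MASVS-NETWORK"},
    "block_min_severity": "high",
    "ticket_min_severity": "low",
}


@dataclass(frozen=True)
class Finding:
    control: str    # MASVS control id, e.g. "MASVS-STORAGE-1"
    severity: str
    title: str
    location: str


def parse_findings(raw_json: str) -> list[Finding]:
    """Parse the (constructed) scanner report; reject records missing fields."""
    report = json.loads(raw_json)
    findings = []
    for rec in report.get("findings", []):
        try:
            findings.append(Finding(rec["control"], rec["severity"].lower(),
                                    rec["title"], rec["location"]))
        except KeyError as e:
            raise ValueError(f"finding is missing required field {e}") from e
    return findings


def category_of(control: str) -> str:
    """'MASVS-STORAGE-1' -> 'MASVS-STORAGE'."""
    return control.rsplit("-", 1)[0]


def severity_rank(severity: str) -> int:
    # Fail closed: a severity the policy does not know is treated as 'high'.
    return SEVERITY_RANK.get(severity, SEVERITY_RANK["high"])


def ticket_payload(f: Finding) -> dict:
    """Shape of the issue-tracker ticket the pipeline would file (constructed)."""
    return {"title": f"[{f.control}] {f.title}", "severity": f.severity,
            "location": f.location, "labels": ["security", category_of(f.control)]}


def evaluate(findings: list[Finding], policy: dict = POLICY) -> dict:
    """Split findings into build blockers and ticket-only items per the policy."""
    block_at = SEVERITY_RANK[policy["block_min_severity"]]
    ticket_at = SEVERITY_RANK[policy["ticket_min_severity"]]
    blockers, tickets = [], []
    for f in findings:
        rank = severity_rank(f.severity)
        if category_of(f.control) in policy["block_categories"] and rank >= block_at:
            blockers.append(f)
        elif rank >= ticket_at:
            tickets.append(f)
    return {
        "passed": not blockers,
        "blockers": blockers,
        # Blockers get tickets too, so devs see them in the tracker as well.
        "tickets": [ticket_payload(f) for f in blockers + tickets],
    }


# Constructed scanner output for a fictional app; not real scan results.
SAMPLE_REPORT = json.dumps({
    "app": "com.example.shop", "build": "1234",
    "findings": [
        {"control": "MASVS-STORAGE-1", "severity": "high",
         "title": "Session token written to shared preferences in cleartext",
         "location": "com/example/shop/auth/TokenStore.java:42"},
        {"control": "MASVS-NETWORK-1", "severity": "medium",
         "title": "Cleartext HTTP permitted by network security config",
         "location": "res/xml/network_security_config.xml"},
        {"control": "MASVS-CODE-2", "severity": "low",
         "title": "Debug logging left enabled in release build",
         "location": "com/example/shop/util/Log.java:10"},
        {"control": "MASVS-RESILIENCE-1", "severity": "info",
         "title": "No root detection present", "location": "app"},
    ],
})


def main(raw_json: str = SAMPLE_REPORT) -> int:
    """Print the tickets and return the exit code a CI step would use."""
    result = evaluate(parse_findings(raw_json))
    for t in result["tickets"]:
        print(f"ticket: {t['severity']:<8} {t['title']}  ({t['location']})")
    if not result["passed"]:
        print(f"BUILD BLOCKED: {len(result['blockers'])} policy violation(s)")
        return 1
    print("policy gate passed")
    return 0


if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(main(raw))
```

Run against the embedded sample the gate blocks the build on the cleartext-token finding, files three tickets (the blocker plus the medium and low findings) and drops the info-level item, which is the pre-agreed split between "must fix before launch" and "fix in the normal backlog". In a real pipeline the script would read the scanner's report file and the non-zero exit code would fail the CI job; the only project-specific parts to swap in are the report parser and the policy dictionary.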

Upskill Devs on Secure Coding Practices

Developing mobile apps securely from the start remains one of the most effective ways to reduce costs in mobile AppSec. But not all devs and security analysts know the differences between web vs. mobile architecture. Many devs apply their web-based skills when working on mobile apps without realizing those skills don’t always translate. Mobile apps require unique methods to reduce security and privacy risks.

Devs can improve their mobile app development knowledge at no extra cost. Free online courseware helps devs improve code quality and reduce the frequency of security issues throughout production. Highly skilled devs write secure code faster, speeding up the production lifecycle and lowering development costs. This reduces testing requirements for security teams, ultimately decreasing their labor and resource costs.

Don’t let budget constraints get in the way of securing mobile apps. Use these cost-effective mobile AppSec strategies to help dev and security teams improve efficiency, reduce costs and ship secure mobile apps faster.

About the author: As NowSecure Chief Mobility Officer, Brian Reed brings decades of experience in mobile, apps, security, dev and operations management, including at NowSecure, Good Technology, BlackBerry, ZeroFOX, BoxTone, MicroFocus and INTERSOLV, working with Fortune 2000 global customers, mobile trailblazers and government agencies. At NowSecure, Brian drives the overall go-to-market strategy, solutions portfolio, marketing programs and industry ecosystem. With more than 25 years building innovative products and transforming businesses, Brian has a proven track record in early and mid-stage companies across multiple technology markets and regions. A noted thought leader, Brian is a dynamic speaker and compelling storyteller who brings unique insights and global experience. Brian is a graduate of Duke University.

Edited by Erik Linask