Integrating Security Throughout the Mobile App Development Lifecycle
Today, Guardsquare is announcing new technology to enable teams to “shift left” with their iOS and Android security by integrating mobile app security throughout their development lifecycle. First, we’re excited to announce that we’ve acquired the assets of Breakpoint, whose Mobile Application Security Testing (MAST) engine, App-Ray, will provide a framework for automated security scanning of Android and iOS applications. App-Ray will be integrated into our open source and commercial products throughout the course of 2021.
In addition, we’re shipping new releases for iXGuard for iOS and DexGuard for Android, our advanced solutions for protecting mobile applications. The highlight of these releases is our new Protection Report, which helps teams validate security protection immediately after implementing it.
Let’s take a look at how this technology helps integrate security early and often within the mobile app dev lifecycle.
Shifting Left with Protection Report and App-Ray
While 85% of companies say that DevSecOps (or the continuous delivery of secure apps) is an important goal, only 35% have implemented it as an established practice. The reality? Many organizations prioritize time to market and user experience over security, and address security when it’s too late. The results can be costly.
According to NIST research, the cost of bug fixes increases steadily toward the later phases of the development lifecycle. For example, bugs fixed during post-production cost 30x more than during the early requirements/architecture phase. The same goes for security gaps: the longer organizations postpone identifying and addressing them, the greater the risk that applications/SDKs could ship with potential vulnerabilities.
That’s why we developed the Protection Report feature for iXGuard and DexGuard. It helps development teams shift left by validating their application of both code hardening and Runtime Application Self-Protection (RASP) mechanisms immediately after implementing these protections. The Protection Report grades the security implementation against five categories of common and impactful threats. If any concerns are identified, the Protection Report outlines the steps needed to enhance protection, enabling development teams to take immediate action. With Protection Report, app development and security teams get robust protection of their apps in production, eliminating the risk of releasing insufficiently hardened mobile applications and SDKs.
To build security even further into the development lifecycle, App-Ray MAST technology offers additional automated security testing for iOS and Android. App-Ray allows developers to automatically test their apps for security vulnerabilities, and make improvements without having to rely on external pentesting. This process helps teams address issues more efficiently and cost-effectively. App-Ray will be integrated into Guardsquare’s existing products in 2021.
After developers complete security testing and publish their mobile apps, our real-time threat monitoring tool ThreatCast helps them continuously improve app protection based on live threat data. All three tools combined will allow teams to seamlessly integrate security throughout the mobile app dev lifecycle – by hardening their applications, automating security testing, and constantly monitoring both the app and its environment.
DexGuard and iXGuard Usability Updates
In addition to this news, we’re announcing new usability updates for both DexGuard and iXGuard.
Contrary to popular belief, security doesn’t have to slow development teams down. A new setup change allows users to run DexGuard as a command line tool to process applications and SDKs. The result: increased flexibility and efficiency.
The command line setup shortens time to market by allowing development teams to focus on developing and testing their application or SDK, and applying protection once it is ready and working. Separating the build process and the implementation of protection layers makes the debugging process much more efficient for developers. Teams can also benefit from reduced maintenance of the development environment, freeing up more time to develop apps and SDKs.
Finally, we’re announcing an enhanced In-App Assistant for iXGuard users, which automatically generates configuration for applications. This feature now provides assistance with the implementation of call hiding and the configuration and debugging of RASP functionality. By using the In-App Assistant, developers can more efficiently implement robust security protections for iOS.