3 Ways to Get Started with Secure Mobile Application Development | Guardsquare

With mobile app development, security isn’t always incorporated throughout the development lifecycle. In many cases, security gaps are addressed at the end, or worse, after a security breach has occurred. The reason? Many development teams are racing to market with their apps. Being “first” can often make or break an app publisher. 

Unfortunately, there’s a perception that security can slow mobile development teams down. The reality is that with secure coding expertise and the right tools, this process could happen much faster. As mobile teams iterate, they can quickly progress through all the phases of the secure software development lifecycle (SSDLC). 

Here are three ways to get started with secure mobile app development.

Offer compliance-centric security training

Every company’s mobile app security needs are different. These may be driven by local or industry-specific compliance regulations such as: 

• Data privacy regulations (GDPR in Europe, CCPA and other state-specific regulations in the U.S., PIPEDA in Canada, etc.)
• PSD2, PCI, or GLBA for financial apps
• HIPAA for healthcare 
• SOC 2 for the organization’s internal information security
• SOX for internal financial reporting
• And many more.

As your application is being conceptualized and planned, offer compliance-based security awareness training sessions for developers based on the specific regulations they need to follow. This will save time later in the development and testing phases of the software development lifecycle.

Ask the right questions during requirements analysis

During the requirements phase, the team lists out all of the business and solution-specific needs for the mobile application. Specific to security requirements, teams start working on threat modeling and risk modeling. In other words, they look at the application and its third-party dependencies to evaluate risk.

In the risk analysis and threat modeling process, your team should consider these key security questions, among others, before moving forward:

• How will the app connect to company servers?
• Will the app store sensitive information from customers or the company?
• How much valuable intellectual property (which gives a competitive edge) will be involved in developing the app?
• What third party libraries or other services does the app rely on? What are the security risks associated with these third-parties?

Knowing the answers to these questions can help define how to proceed with architecture and design of the application, and eventually development.

Know the secure coding basics

Every developer on the team should follow secure coding best-practices. Incorporating security directly into the development process makes security more proactive, rather than reactive to potential incidents. Some secure coding basics, according to Carnegie Mellon’s CERT, include:

• Validate input. Validate input from all untrusted data sources. Proper input validation can eliminate the vast majority of software vulnerabilities. 
• Heed compiler warnings. Compile code using the highest warning level available for your compiler and eliminate warnings by modifying the code. Use static and dynamic analysis tools to detect and eliminate additional security flaws.
• Architect and design for security policies. Design software to implement and enforce security policies. 
• Keep it simple. Keep the design as simple and small as possible, as complex designs increase the likelihood that errors that could lead to security issues will be made in their implementation, configuration, and use. 
• Use effective quality assurance techniques. Good quality assurance (QA) techniques, such as fuzzing, penetration testing, and source code audits, can help identify and eliminate vulnerabilities. These can then be addressed using a layered mobile app security platform like Guardsquare.

Following these best practices will help the organization get closer to achieving its mobile security goals.

Want to know more about the SSDLC?

This blog post covers just a few phases in the SSDLC. Teams should continuously incorporate security throughout the lifecycle – for both new mobile applications and updates alike. Our latest eBook walks through each phase of the SSDLC, offering practical tips and tools for teams to bake security into their mobile app development process.