I’m excited to announce a new part of the Appdome service, called Certified Secure™. Appdome has quickly become the standard in securing Android and iOS apps. Because of this, it’s the right time to bring to market an exciting new offering: certified secure mobile apps.
What Are Certified Secure Mobile Apps?
Appdome Certified Secure is the mobile industry’s first security certification service designed to guarantee visibility and security readiness, release by release, for all Android and iOS mobile apps. Unlike vulnerability scans and pen testing, which occur after the build and can delay the SDLC and release process, Appdome’s Certified Secure certifies, during the release process, that the security features needed in the app are in place. It also documents that the required security measures are present and protecting the app prior to release.
With each build secured on Appdome, customers receive an Appdome Certified Secure certificate. It details the app, bundleID, buildID, creator, the security template (security feature list) added to the app, and more.
Why is Appdome Releasing Certified Secure for Mobile Apps?
Developers and security teams know that mobile consumers and the mobile workforce expect Android and iOS apps to be secure. Great developers and security teams worldwide work hard to achieve the goal of safe and secure mobile apps for all users. However, the tools typically used to ensure that the specific security requirements of an app or industry are met often pose immense challenges in the SDLC, agile or otherwise.
Certified Secure for Mobile Apps focuses on operationalizing Android and iOS security as part of the SDLC, eliminating security-related release blockers. It also provides internal security and compliance teams with certified proof that security requirements are met, release by release.
Challenges of Code Scanning and Pen Testing
Traditionally, developers and security teams have used code scanning and pen testing to gain insight into vulnerabilities, outdated libraries or frameworks, and other risks inherent in each mobile app. These tools are often used at the end of the SDLC, after the app is built, and are applied to each release candidate just before publication to the relevant app stores. Sometimes, code scanning and pen testing are embedded in the SDLC itself. No matter where code scanning and pen testing are used, they are designed to “find vulnerabilities.” They do not certify that the needed security requirements have been met.
When using these tools, developers are forced into a series of trial-and-error attempts to clear and remediate the vulnerabilities listed in each report, which often complicates the release process and delays mobile app releases. And, when push comes to shove, all too often the security objective gives way to allow the release, leaving the business and users at risk.
How is Certified Secure for Mobile Apps Different?
Certified Secure is fundamentally different from code scanning and pen testing. Its premise is that app makers know the security model needed in their Android and iOS apps. As a result, it gives organizations the ability to document and guarantee that the security features needed in each app are present and protecting the app prior to release. Using Appdome and Certified Secure, organizations (developers, security teams, DevOps, DevSecOps, and SecOps) are in full control: they define the security model needed in each mobile application. When Appdome completes the security implementation on each Android and iOS app, Certified Secure certifies the release, documenting the app, bundleID, version, buildID, feature set and more, release by release.
Certified Secure Certificate
The certificate can be used by DevOps, release teams and others to clear mobile apps for release with confidence in the security readiness of each app. Certified Secure certificates can be maintained, release by release, to satisfy audit and compliance requirements, such as requirements under contracts, regulations, SOC standards and internal policies. For example, Certified Secure certificates can be used in SOC 2 Type II compliance. They can also be used to satisfy obligations to customers and end users to keep apps and app data safe and secure.
I’ve added an example of the certificate to the bottom of my blog.
Will Developers Still Need Code Scanning and Pen Testing?
Yes. Certified Secure is not intended to replace code scanning and pen testing entirely. There are still plenty of good uses for periodic (e.g., quarterly) code scanning and pen testing when using Certified Secure. Certified Secure was built to aid and simplify the release process, streamline security readiness for Android and iOS apps, and provide documented certification for meeting compliance objectives. Code scanning and pen testing are great complements to Certified Secure. They each fill a critical role in meeting mobile app compliance and security objectives.
How Can I Use Certified Secure In My Release Process?
Use Certified Secure as part of your release and internal compliance processes. Certified Secure is the best way to demonstrate that your mobile development processes comply with all internal and industry security requirements, including compliance with SOC, PCI, data privacy, HIPAA and other regulations. In each release meeting, Certified Secure allows the release team to trust that all your internal security requirements are met, without a pen test and without any code scanning.
Thanks to all our Beta users of Certified Secure! Your support has been amazing and so helpful. Keep your feedback coming and, as always, keep yourself, your apps and users safe.