Anyone that knows me knows I love golf.
Golf is a challenging sport because it involves so many variables. A big part of golf is knowing, or playing with someone who knows, the course. I call this “knowledge of the terrain,” or level 1 data. Another big part of golf is choosing the right club for each swing, based on the conditions of the course on that day (i.e., the wind, ball position, etc.). I think of this as “situational awareness,” or level 2 data. And the final big part of golf is knowing how you play, over time and relative to all other players in the game. I think of this as “comparative data,” or level 3 data. Every good system, whether it’s golf, sales leadership, or a cybersecurity and DevSecOps program, needs all three levels of data to be successful.
Right now, most Mobile DevSecOps™ programs don’t use data. More precisely, most Mobile DevSecOps programs don’t use the right data. Instead of using real-time, “production” level data from or about the course itself, traditional Mobile DevSecOps models rely on out-of-band, controlled experiments, performed in a lab by a single skilled pen tester. No doubt the skilled mobile app pen tester has an idea of what to test. But that pen tester can’t test everything, and only knows as much as she or he knows. Most importantly, the mobile pen tester most likely isn’t testing continuously and certainly isn’t collaborating with a community to hack, steal or break into the mobile app.
Here’s an example of the kind of practical problem mobile brands face every day without a Data-Driven DevSecOps platform in the mobile DevOps pipeline. The cyber security team performs a mobile pen test of the Android or iOS app. Based on that test, it creates a list of protections to add to the mobile app in the next release. The cyber team asks the dev team whether the required protections were added to the most recent release of the mobile app. The dev team responds, “yes, it’s in there.” In many organizations, the cyber security team is typically not the engineers or coders who add the protections to the mobile app. The cyber security team gets the answer it gets; in other words, it gets no data and no proof of protection at all. In larger organizations, to prove compliance, the security team purchases a costly pen test or code scanning bundle and performs tests. Positive or negative, the cyber security team does not have the budget to validate every build or every release. Eventually, having only one way to check that the specified protections are present in the app, the cyber security team runs out of budget.
In the traditional Mobile DevSecOps model, nobody checks what is actually attacking the mobile app or its users in production. The recommendation from the mobile app penetration tester doesn’t include level 1 or level 2 data. Off the tee, there’s a mismatch: the club and the shot don’t fit. What if what’s tested in the original pen test isn’t representative of the attacks impacting mobile end users or the business? What if what is actually attacking mobile end users and the business is completely different? If most of the cyber security team’s budget is spent on checking for protections recommended by the mobile app penetration tester, the real and evolving attacks and threats impacting real users and the mobile business go undefended. Likewise, in the traditional Mobile DevSecOps model, nobody verifies that the deployed protections are actually working against real-world attacks. The mismatch continues, amplifying the problem further.
I believe a more agile DevSecOps model can emerge that includes knowledge of the terrain, situational awareness and comparative data at every level of the Mobile DevSecOps process. That model is called Data-Driven DevSecOps. The Data-Driven DevSecOps model gives mobile DevOps organizations a way to leverage all three levels of data to improve their mobile cybersecurity game. Use real-time attack and threat intelligence from their mobile apps to gather knowledge of the terrain of exploits happening in their production mobile environment. Use the same data to gain situational awareness and make data-based decisions about which protections to deploy. And, finally, leverage the same data to build comparative data over time and prove the protections are working against real-world attacks and threats.
Cyber security and mobile dev teams need a better way to deliver mobile app protections and achieve Mobile DevSecOps compliance. All stakeholders in the DevSecOps cycle need a dedicated system of record for mobile app protection that leverages real-time production data to deliver the actual protections mobile end users and the business need. Done right, the same system can provide visibility, management, and control over what protections go into mobile applications and can prove that these protections were actually embedded into mobile applications. Why be at the mercy of a third party to prove the protections added in your own DevOps CI/CD pipeline? Instead, save some money and redeploy budget by shifting left using Data-Driven DevSecOps. Now there is a build system that allows security teams to use real-time, real-world data to make intelligent choices about what protections are needed and implemented. With a true system of record on all protections being embedded into mobile applications, everyone can exercise control over the real protections needed in the mobile business right inside the CI/CD pipeline.
With the right data, you can choose the right club and improve your mobile cyber security game dramatically.