Data-Driven DevSecOps uses system-level visibility and real-time attack data to make the cybersecurity function in a mobile DevOps CI/CD pipeline more agile and efficient. Traditionally, there was only one way to achieve DevSecOps in a mobile CI/CD pipeline. Now, with the release of ThreatScope
™ mobile threat intelligence center, that’s changed. Join us on the journey towards a better mobile DevSecOps future.
The Challenge of mobile DevSecOps Today
The challenge of traditional DevSecOps inside the rapid and agile DevOps CI/CD pipeline looks a lot like that of an old-world “bucket brigade.”
In a bucket brigade, firefighters line up and pass buckets of water to each other to try and contain or extinguish a fire. In this noble battle, the brigade works extremely hard. The intention of every brigade member is heroic. Every bucket starts off full. But, at the end of the line, that same bucket is only half full or empty. Most of the effect of the effort is leaked, dropped, spilled, and splashed on the ground.
Similarly, think of cyberattacks and cyberthreats happening against real mobile customers and the mobile business as a fire. This fire is constant, growing, shifting, and adapting hour-by-hour. It’s not contained, as in a fireplace or stove. Cyberthreats leap, attack, and spark new fires everywhere. To combat this threat, cybersecurity teams use a “bucket,” i.e., the traditional DevSecOps tools like penetration testing and code scanning. Into the bucket, Mobile-Dev and Cybersecurity teams pour the water, the artifacts of the build process, or the builds and binaries of Android & iOS apps. These Android & iOS builds are protected by whatever could be added in time for the submission to the pen tester. As these buckets traverse the brigade, from Mobile Dev to cybersecurity, to Pen Tester, back to cybersecurity, and finally back to Mobile Dev, what returns is a value (+/-) for an artifact that no longer matters. Neither the DevOps CI/CD process nor the fire waited. The app was most likely released. The cyberattacks moved. All while the bucket brigade stayed in place. A bucket brigade can only do so much.
What is Data-Driven DevSecOps
delivers a more agile and efficient operating model for the cybersecurity function in a mobile DevOps CI/CD pipeline. Data-Driven DevSecOps combines two key elements: (1) a system of record to automatically build and deliver mobile app security, anti-fraud, anti-malware, and anti-cheat protections into Android & iOS apps, and (2) inside that system of record, real-time cyberattack and cyber threat data from Android & iOS apps in the production mobile environment. In the Data-Driven
model of mobile DevSecOps, the cybersecurity team stays lock step with cyberattacks and cyber threats, uses a system to manage and control the delivery of protections into Android and iOS apps, and gets instant feedback on the value of each protection in the production environment.
How Data-Driven DevSecOps Works
With Data-Driven DevSecOps, mobile brands, mobile developers, and cybersecurity teams have a better way to protect Android & iOS apps. Each can:
- Know what hackers and attackers are doing against real users and mobile apps in the production environment;
- Use real-time cyberattack data to deploy the right protections in each release of an Android & iOS app in the DevOps Ci/CD pipeline; and
- Prove the value of each protection deployed against real attacks and threats.
Here’s a diagram that shows a basic model of a Data-Driven DevSecOps platform for Android & iOS apps at work:
In this model, real-time data drives the protections released into Android & iOS apps. With real-time data and a system to build protections into Android & iOS apps inside the CI/CD, the old problem of the mobile dev team releasing the app before the pen test is complete or removing protections submitted to the pen tester to release the app is gone. On top of that, all penetration testers operate under a pre-defined scope, or SOW, and may not even test what’s actually occurring in the production environment. With real-time data driving the protection decisions, mobile brands, developers and cyber teams guarantee the relevance of every protection to the mobile business. Finally, in Data-Driven DevSecOps, teams get instant feedback by build and by release on the protections added and the impact of protections against real-world, live attacks and threats in the production environment.
Data and Visibility in Data-Driven DevSecOps
Data-Driven DevSecOps offers mobile brands, developers, and cybersecurity teams four levels of data and visibility in the DevSecOps process.
- Data from mobile cyberattacks themselves, including from hackers, fraudsters, and other mobile threat actors. This cyber attack and threat data are taken into the DevSecOps platform. Using this data, the Data-Driven DevSecOps platform automatically generates the needed protections as part of the CI/CD build process. The protected Android & iOS app is then released with the protections needed to resolve the threats, automatically.
- System-level data and visibility of the DevSecOps platform itself. Inside the DevOps pipeline, mobile developers and cyber teams use system event, user, build logging, versioning, and control as well as Certified Secure™ mobile app security certification to guarantee the protections in each build.
- Data from the mobile app protections deployed in Android & iOS apps. This information shows the defenses working against mobile cyber-attacks and threats. This information shows the impact of protections against live attacks and threats in the production environment.
- Data about the in-app enforcement integrity when each mobile cyber attack or threat occurs. This data shows if the enforcement model is working as expected and provides instant feedback if the attackers are infiltrating, tampering, or attempting to interfere with the in-app enforcement model.
The goal of Data-Driven DevSecOps is to provide visibility, transparency, and data to all stakeholders in the mobile DevOps CI/CD pipeline.
We hope you enjoy and get tremendous value out of Data-Driven DevSecOps in your DevOps CI/CD pipeline.
I’m so passionate about this topic and would love to speak with you anytime.