Is It Time for Customer-Centric DevSecOps?
May 16, 2023

Tom Tovar

The conventional wisdom in security, and mobile app protection in particular, was that consumers care about features, not security. At mobile brands across the globe, a healthy internal debate exists over this dichotomy. Mobile developers say features are more important. Cyber security teams say security is more important. Operations teams serve as the tiebreaker, often choosing whatever will get the app out the door the fastest.

Enlightened mobile brands might concede that consumers do care about security but care about features first. In our second year of conducting a global survey of 25,000 consumers, the data tells a different story. Far from caring about features "only" or "first," 62% of global consumers said that protecting them against security, fraud and malware threats is as important as new features. Approximately 24% said protecting consumers is more important.

Why Is the Consumer Voice Important to DevSecOps?

The current DevSecOps ecosystem was built to serve internal or regulatory compliance objectives, not the customer voice. These days, most consumers reach for a mobile app before, and more often than, any other digital channel. Likewise, most consumers have become increasingly aware of cyber, fraud and malware threats. This combination makes the customer's voice fully capable of driving DevSecOps objectives.

Imagine a world in which DevSecOps objectives were agile and informed by the same class of real-time feedback and KYC systems used by other parts of the mobile DevOps pipeline. Imagine building consumer voice and feedback into DevSecOps lifecycles to improve business metrics like customer acquisition costs, retention, and NPS. Internal and regulatory requirements could still be met. And, the value of DevSecOps to the organization, brand, consumer-customer and economy would rise as well.

What Is Customer-Centric DevSecOps?

Customer-centric DevSecOps is a culture and set of technologies designed to leverage and address the consumer voice in cyber, anti-fraud and other defense priorities as an equal part of the DevOps CI/CD pipeline. With customer-centric DevSecOps, brands have a big opportunity to match cyber defense spend to business need, differentiate themselves, increase customer loyalty and even harness that loyalty to grow.

For example, 23.8% of global consumers openly express fear of mobile developers that don't protect their app's users and use. Not surprisingly, consumers were clear about what happens when brands fail to keep their mobile apps secure. When this happens, more than 66% of consumers said they'd abandon a mobile app, and more than 4 in 10 (44%) would tell their friends to do likewise.

Simply knowing that mobile consumers value protection against synthetic fraud (55.7%), hacking (50.1%) and on-device malware (28.5%) is enough to guide cyber, anti-fraud and other defense priorities. It is thrilling to see that 93.8% of global consumers said that they would promote a brand if the brand's mobile app protected their use and their data from hackers, fraud, malware and other threats.

What's the Biggest Difference Between Customer-Centric DevSecOps and Traditional DevSecOps?

There are three big differences between customer-centric DevSecOps and traditional DevSecOps. Traditional DevSecOps focuses on code scans, DAST/SAST and pen testing to measure protection against a target list of cyber objectives. Customer-centric DevSecOps leverages data and technology to incorporate and use (1) the voice of the customer, (2) automation, and (3) live, real-time data and threat intelligence from in-production mobile apps.

Where traditional DevSecOps zeroes in on discovering vulnerabilities, customer-centric DevSecOps emphasizes delivery of the mobile app security, anti-fraud, anti-malware and other relevant protections that matter most (and have the most impact) to the mobile app, the consumer and the business. We've covered the voice of the customer above. Now let's turn to using automation and live, real-time data and intelligence to deliver the required protections directly inside mobile apps, based upon the actual threats and attacks that those apps, and the mobile consumers using them, are facing in the real world.

There's a thriving, fast-growing "exploit economy" that enables entrepreneurial hackers to monetize vulnerabilities, malware and other tools, and to make these creations available to a broader ecosystem of cybercriminals. Moreover, these exploit creators leverage automation to create attacks at increasing scale and sophistication. These exploits are often extremely capable of masking or hiding their malicious purpose. On top of this, a large number of tools and methods inside frameworks like Magisk, Frida, Flex, Objection and others enable attackers to go deep into apps and execute exploits fast.

Against this backdrop, mobile app defenders need automation systems to deliver protections into mobile apps as fast as attackers can release exploits. Done right, cyber defense automation empowers the mobile development and/or cyber security team to deliver on any cyber objective on demand, with the full agility and speed needed in DevOps CI/CD pipelines.

At the core of customer-centric DevSecOps is using live, real-time attack and threat intelligence to provide hard evidence that the mobile app security, anti-fraud, anti-malware and other protections released in the mobile app are successfully defending against attacks. The data, in this context, serves two purposes: (1) it makes it easy to prove the value of the mobile app security, anti-fraud and other protections deployed in the app, and (2) it allows the mobile app to be threat-aware, opening the door to new user experiences (UX) that inform and delight users. In other words, real-time attack and threat data serves both an organizational purpose and an end-user purpose, allowing the mobile consumer to see protections working in the app and on their behalf, and showcasing the protections throughout the mobile app lifecycle for all stakeholders.

So, there it is. No doubt, mobile threats and the consumer expectations around mobile app security, anti-fraud, anti-malware and other protections are rising. Customer-centric DevSecOps promises to help organizations match their cyber spending to the protections that matter most (and have the most impact) to mobile consumers. More than that, customer-centric DevSecOps offers the promise that Dev, Sec and Ops teams have the data to collaborate more effectively, and a cyber defense automation platform to rapidly deliver the protections needed in their mobile apps efficiently and effectively. In the end, customer-centric DevSecOps elevates DevSecOps from compliance tooling to systems that create trust, add business value, and set the stage for long-term customer-consumer loyalty.

Tom Tovar is CEO of Appdome