Is It Time for Customer-Centric DevSecOps?
May 16, 2023

Tom Tovar
Appdome

The conventional wisdom in security, and mobile app protection in particular, was that consumers care about features, not security. At mobile brands across the globe, a healthy internal debate exists over this dichotomy. Mobile developers say features are more important. Cyber security teams say security is more important. Operations teams serve as the tie breaker, often choosing whatever will get the app out the door the fastest.

Enlightened mobile brands might concede that consumers do care about security but care about features first. In our second year of conducting a global survey of 25,000 consumers the data tells a different story. Far from caring about features "only" or "first," 62% of global consumers said that protecting them against security, fraud and malware threats is as important as new features. Approximately 24% said protecting consumers is more important.

Why Is the Consumer Voice Important to DevSecOps?

The current DevSecOps ecosystem was built to serve internal or regulatory compliance objectives, not the customer voice. These days, most consumers use mobile apps before and more than any other digital channel. Likewise, most consumers have become increasingly cyber, fraud and malware aware. This combination makes the customers' voice fully capable of driving DevSecOps objectives.

Imagine a world in which DevSecOps objectives were agile and informed by the same class of real-time feedback and KYC systems used by other parts of the mobile DevOps pipeline. Imagine building consumer voice and feedback into DevSecOps lifecycles to improve business metrics like customer acquisition costs, retention, and NPS. Internal and regulatory requirements could still be met. And, the value of DevSecOps to the organization, brand, consumer-customer and economy would rise as well.

What Is Customer-Centric DevSecOps?

Customer-centric DevSecOps is a culture and set of technologies designed to leverage and address the consumer voice in cyber, anti-fraud and other defense priorities as an equal part of the DevOps CI/CD pipeline. With customer-centric DevSecOps, brands have a big opportunity to match cyber defense spend to business need, differentiate themselves, increase customer loyalty and even harness that loyalty to grow.

For example, 23.8% of global consumers openly express fear of mobile developers that don't protect their app's users and use. Not surprising, consumers were clear what happens when brands fail to keep their mobile apps secure. When this happens, more than 66% of consumers said they'd abandon a mobile app, and more than 4 in 10 (44%) would tell their friends to do likewise.

Simply knowing that mobile consumers value protection against synthetic fraud (55.7%), hacking (50.1%) and on-device malware (28.5%) is enough to guide cyber, anti-fraud and other defense priorities. It is thrilling to see that 93.8% of global consumers said that they would promote a brand if the brand's mobile app protected their use and their data from hackers, fraud, malware and other threats.

What's the Biggest Difference Between Customer-Centric DevSecOps and Traditional DevSecOps?

There are three big differences between customer centric DevSecOps and traditional DevSecOps. Traditional DevSecOps focuses on code scans, DAST/SAST and pen testing to measure protection against a target list of cyber objectives. Customer-centric DevSecOps leverages data and technology to incorporate and use (1) voice of the customer, (2) automation, and (3) live, real-time data and threat intelligence from in-production mobile apps.

Where traditional DevSecOps zeroes in on discovering vulnerabilities, customer centric DevSecOps emphasizes delivery of mobile app security, anti-fraud, anti-malware and other relevant protections as most important (and most impactful) to the mobile app, consumer and business. We've covered the voice of the customer above. Now let's turn to using automation and live, real-time data and intelligence to deliver the required protections directly inside mobile apps based upon the actual threats and attacks that those apps and the mobile consumers using those apps are facing in the real world.

There's a thriving, fast-growing "exploit economy" that enables entrepreneurial hackers to monetize vulnerabilities, malware, and other tools and make these creations available to a broader ecosystem of cybercriminals. Moreover, these exploit creators leverage automation to create attacks at increasing scale and sophistication. These exploits are often extremely capable of masking or hiding their malicious purpose. On top of this, tons of tools and methods inside frameworks like Magisk, Frida, Flex, Objection and others enable attackers to go deep into apps and execute exploits fast.

Against this backdrop, mobile app defenders need automation systems to deliver protections into mobile apps as fast as attackers can release exploits. Done right, cyber defense automation empowers the mobile development and/or cyber security team to deliver on any cyber objective on-demand, with full agility and speed needed in DevOps CI/CD pipelines.

At the core of customer-centric DevSecOps is using live, real-time attack and threat intelligence to provide the hard evidence that the mobile app security, anti-fraud, anti-malware and other protections released in the mobile app are successfully defending against attacks. The data, in this context, serves two purposes: (1) makes it easy to prove the value of the mobile app security, anti-fraud and other protections deployed in the app, and (2) allows the mobile app to be threat-aware, opening the door to new user experiences (UX) that inform and delight users. In other words, real-time attack and threat data serves both an organizational purpose and an end-user purpose, allowing the mobile consumer to see protections working in the app and on their behalf, and showcasing the protections throughout the mobile app lifecycle for all stakeholders.

So, there it is. No doubt, mobile threats and the consumer expectations around mobile app security, anti-fraud, anti-malware and other protections are rising. Customer-centric DevSecOps promises to help organizations match their cyber spending to the protections that matter most (and are the most impactful) to mobile consumer. More than that, customer centric DevSecOps offers the promise that Dev, Sec and Ops teams have the data to collaborate more effectively and a cyber defense automation platform to rapidly deliver the protections needed in their mobile apps efficiently and effectively. In the end, customer centric DevSecOps elevates DevSecOps from compliance tooling to systems that create trust, add business value, and set the stage for long-term customer-consumer loyalty.

Tom Tovar is CEO of Appdome
Share this

Industry News

June 20, 2024

Oracle announced new application development capabilities to enable developers to rapidly build and deploy applications on Oracle Cloud Infrastructure (OCI).

June 20, 2024

SUSE® announced new capabilities across its Linux, cloud native, and edge portfolio of enterprise infrastructure solutions to help unlock the infinite potential of open source in enterprises.

June 20, 2024

Redgate Software announced the acquisition of DB-Engines, an independent source of objective data in the database management systems market.

June 18, 2024

Parasoft has achieved "Awardable" status through the Chief Digital and Artificial Intelligence Office's (CDAO) Tradewinds Solutions Marketplace.

June 18, 2024

SmartBear launched two innovations that fundamentally change how both API and functional tests are performed, integrating SmartBear HaloAI, trusted AI-driven technology, and marking a significant step forward in the company's AI strategy.

June 18, 2024

Datadog announced the general availability of Datadog App Builder, a low-code development tool that helps teams rapidly create self-service applications and integrate them securely into their monitoring stacks.

June 17, 2024

Netlify announced a new Adobe Experience Manager integration to ease the transition from legacy web architecture to composable architecture.

June 17, 2024

Gearset announced a suite of new features to expand the capabilities of its comprehensive Salesforce DevOps platform.

June 17, 2024

Cequence announced a new partnership with Singularity Tech, an Australia-based professional services company with expertise in APIs and DevOps.

June 13, 2024

Elastic announced a partner integration package with LangChain that will simplify the import of vector database and retrieval capabilities of Elasticsearch into LangChain applications.

June 13, 2024

Fastly announced the launch of Fastly AI Accelerator, the company’s first AI solution designed to create a better experience for developers by helping improve performance and reduce costs across the use of similar prompts for large language models (LLM) apps.

June 13, 2024

Shreds.AI, ant AI capable of generating complex, business-grade software from simple descriptions in record time, announced its formal beta launch.

June 12, 2024

GitLab announced the public beta of expanded integrations with Google Cloud that will help developers work more effectively, quickly, and productively.

June 12, 2024

Pulumi announced Pulumi Copilot, AI for general cloud infrastructure management.

June 12, 2024

Harness completed the acquisition of Split Software, a feature management and experimentation provider, effective June 11, 2024.