Progress announced the latest release of Progress® Semaphore™, its metadata management and semantic AI platform.
Redefining Continuous Security Within a Mobile DevSec Environment
July 19, 2022
In the mobile app development world, security often takes a backseat to developing features and delivering the app. In fact, the 2021 Verizon Mobile Security Index found that 45% of organizations sacrificed mobile security in order to “get the job done.”
It really shouldn't come as a surprise. Certainly, it seems counterintuitive that mobile app development organizations would spend so much time and money to create an exceptional Android or iOS app and then fail to protect it against rooting, jailbreaking, reversing, hacking and other kinds of malicious manipulation. But the average mobile developer releases 12 apps each year, a frenetic pace that requires development to take place in parallel, without ceasing. Schedules and budgets are tight, and competition is fierce. Coding security into an app is both expensive and time consuming, increasing the risk of a delayed release or budget overages.
In many organizations, if security is implemented into a mobile app at all, the process takes place during penetration testing. That's too late, and it's extremely inefficient. Waiting to implement security after development and delivery are essentially finished will anger developers, because now, they have to dive back into their code to make complex changes to work they had thought was finished. The code is no longer fresh, so it's going to take more time than it would have if security implementation had taken place during the development process itself.
But integrating security into the development process is no simple task either. Imagine two friends are spinning a couple of jump ropes. Jumping in the middle without stepping or tripping on either of the ropes while they are moving is difficult. Each time a security feature is introduced into a mobile app software development lifecycle (SDLC), the person building the security could step on the rope. Building security features takes time, and they are hard to build and maintain.
Our Oversimplified Model of DevSecOps
To solve this problem, DevSecOps was introduced to resolve this conflict and overcome the challenge of integrating security into the mobile SDLC. The idea is that organizations can develop features and incorporate security simultaneously. So far, much of the emphasis in DevSecOps has been focused on the processes development, security and operations that teams use to build, protect and release apps. People have done heroic work creating cultures of security and secure coding practices, which has moved the industry forward towards more secure mobile apps for everyone.
Let's take the jump rope analogy a bit further. One friend holding the ropes is the development and engineering team, while the other is the ops-release team. The ropes each represent an iOS and an Android app. In most organizations, the ropes are moving at blazing speeds, as apps are churned out one after the other. Meanwhile on the sidelines, there's the security team, whose job it is make sure the ropes meet security objectives, jumping in where needed, all without stopping the ropes from spinning.
The trouble is that each group has different skills and objectives. Developers aren't typically security engineers, and security teams don't typically have developers. Neither group has the resources or skills to meet the needs of the other, and whenever they try, one of them trips on the rope.
Mobile DevSecOps, Meet Continuous Security
The only way to keep the current breakneck pace of app releases going while simultaneously providing security is to introduce as much automation as possible. AI systems can fuse security to an app more cost-effectively and consistently, complete with validation that the features required have been implemented. It's different from code scanning, which occurs after the app is built and leaves remediation to the dev team. I'm proposing that implementation of security itself be automated.
The growing threats to mobile apps are too significant for development teams to ignore, but so are the market pressures that force such short delivery timescales. The only way out of this dilemma is extensive automation. Otherwise, the dev and sec teams will keep continuously stepping on each other's ropes.
Industry News
August 29, 2024
Elastic, the Search AI Company, announced the Elasticsearch Open Inference API now integrates with Anthropic, providing developers with seamless access to Anthropic’s Claude, including Claude 3.5 Sonnet, Claude 3 Haiku and Claude 3 Opus, directly from their Anthropic account.
August 28, 2024
Broadcom unveiled VMware Cloud Foundation (VCF) 9, the future of VCF that will accelerate customers’ transition from siloed IT architectures to a unified and integrated private cloud platform that lowers cost and risk.
August 27, 2024
Broadcom announced VMware Tanzu Platform 10, a cloud native application platform that accelerates software delivery, providing platform engineering teams enhanced governance and operational efficiency while reducing toil and complexity for development teams.
August 26, 2024
Red Hat announced the general availability of Red Hat OpenStack Services on OpenShift, the next major release of Red Hat OpenStack Platform.
August 26, 2024
Salesforce announced new innovations in Slack that make it easier for users to build automations, no matter their technical expertise.
August 26, 2024
GitLab announced the general availability of the GitLab Duo Enterprise add-on.
August 26, 2024
Tigera now delivers universal microsegmentation capabilities with Calico.
August 22, 2024
Tabnine announced a new platform partnership with Broadcom Inc., an integration with IBM, as well as continuing extensions of existing partnerships with Amazon Web Services (AWS), DigitalOcean, Google Cloud, and Oracle Cloud Infrastructure (OCI).
August 22, 2024
Wallarm released API Attack Surface Management (AASM), an agentless technology to help organizations identify, analyze, and secure their entire API attack surface.
August 21, 2024
LambdaTest launched KaneAI, an end-to-end software AI Test Agent.
August 20, 2024
Kubiya has closed its $12 million seed round with a $6 million extension of equity and debt financing and launched a paradigm-breaking new platform, AI Teammates, that enables true delegation of complex tasks to digital colleagues through organic, human-like conversations.
August 19, 2024
The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, announced the schedule for KubeCon + CloudNativeCon North America 2024, happening in Salt Lake City, Utah from November 12 – 15.
August 19, 2024
Diagrid announced the latest version of Dapr, a Cloud Native Computing Foundation incubating project maintained by Diagrid, Microsoft, Intel, Alibaba, and others, as well as an update to Conductor, a Software as a Service (SaaS) that helps manage, upgrade, and monitor Dapr on Kubernetes clusters.
August 15, 2024
Spectro Cloud announced two new formal recognitions of its strengthening position in the government technology space: the Government Software competency from AWS, and ‘Awardable’ status on the CDAO Tradewinds Solutions Marketplace for AI/ML solutions at the tactical edge.
