In our second blog post, Sophisticated Simulation Still Isn’t Real - Just Ask Mobile App Developers, we continued to discuss the reasons why mobile application security testing should be done on a virtual hardware platform. Our last blog post explored the limitations of simulators, and this one explores the challenges of Mobile Application Security Testing (MAST) tools.
Enterprises need to incorporate mobile application security testing for compliance and include mobile applications in their compliance audits as part of their cybersecurity resilience best practices. Building compliance into mobile application security testing is critical; however, compliance remains elusive for many organizations.
A recent report from the CISO Society found that more than half of CISOs stated that compliance is not embedded into their CI/CD pipeline. Yet building in a compliant way is more critical than ever because of the increasing number of compliance regulations enacted globally. In addition to countries enacting regulations, twenty states in the United States have enacted their own data privacy laws. Unaddressed data security issues within mobile applications can put organizations at risk of failing to comply with security and data privacy regulations (GDPR, HIPAA, PCI-DSS). This could result in loss of reputation, legal action, fines and class action lawsuits, costing millions of dollars in lost revenue.
Industry frameworks for managing these risks and testing for mobile app security are helpful, but they are also challenging to apply. Many industry standards, including OWASP MASVS and MASTG as well as CWE and CVE guidance, are useful for identifying risks, but they are time-consuming to work through. Manual testing for these risks takes time away from deeper exploitation and vulnerability testing. If the testing time allocated is a week to 10 days, and half of that is spent manually testing for compliance checks, that leaves less time for the deeper analysis that is really needed. Tight application development timelines and time-consuming manual effort can lead to a risk of overlooked vulnerabilities or exploits, especially those relevant to compliance.
MAST scanning tools can be helpful, but they are not sufficient on their own. They may be used in conjunction with a physical device that may or may not be jailbroken, or with a device emulator that has limited scope. Other automated MAST scanning tools try to simulate real device usage but operate as a black box, with the OS version and device model remaining unknown. These tools do not allow a tester to mix and match OS and device combinations when testing an application, and they may miss findings because they are not run on a jailbroken device.
Additionally, many of these scanning tools only produce a static report of findings, such as a PDF file, instead of delivering results on a dynamic platform that shows impact status, evidence for each finding and remediation guidance that can be easily actioned and brought into development pipelines.
Want to see the rest of the reasons to switch to a virtual hardware platform? Click here to download.
Ready to see how a virtual hardware platform can transform your mobile app development for yourself? Click here to get a free trial.