Mobile app development used to be a carefree place, where software development best practices and application security standards were lax across most of the industry. After countless high profile cyberattacks against mobile platforms and apps over the past several years, however, customers have grown to understand that mobile apps are serious software, and they are more savvy about mobile security. The industry has recognized the threats represented by unsecured mobile apps.
What makes mobile apps different from many desktop apps is that many of them aren’t just vulnerable to security issues, but to privacy issues as well. Consider the wealth of information even the most benign application needs access to: GPS data, SMS logs, call history, and audio and video recording—let alone mobile banking and payment systems. Most of them now require active internet connections to function properly (or at all), too. Countless entities and organizations would pay very, very well for this kind of information, which makes mobile apps high-value targets for cyberattacks.
Then consider that over the past few years mobile device use has grown staggeringly quickly, and mobile application use has overtaken all desktop use. It’s become hard to conceive of any meaningful enterprise application or software product that doesn’t have a mobile component. And it’s important to remember that in most cases the mobile app is just a small part of a much larger application, reaching up into the cloud.
The sheer volume of users downloading and accessing apps remains a huge market opportunity for entrepreneurs, and pressure from investors to release new mobile apps quickly means corners have been cut in the past. This doesn’t even account for the huge numbers of independent developers working on their own, without the resources most larger businesses have, like dedicated quality assurance or security teams.
In short, mobile apps need to be secured faster and more completely. With the release of Code Dx Enterprise 2.6, this has become easier than ever.
Mobile Application Security Tool Integration with Code Dx
Code Dx Enterprise already works with popular open-source vulnerability scanners for the mobile space—Android Lint for Java and OCLint for Objective-C. These are excellent static code analysis tools that help identify vulnerabilities and code quality issues. When combined with Code Dx’s third-party library scanners, OCLint and Android Lint provide strong source code analysis for any mobile developer—but when it comes to security, it’s always better to have more options.
New features in Code Dx 2.6 increase its mobile application security testing and compliance offerings.
OWASP Mobile Top 10
The Open Web Application Security Project (OWASP) is a highly respected non-profit organization that supports cybersecurity and secure coding practices. They provide what many consider to be the industry standard Top 10 Vulnerabilities list, colloquially known as the OWASP Top 10. Code Dx has mapped vulnerabilities against the OWASP Top 10 as part of its normalization feature since its original release.
But mobile platforms are vulnerable in different ways than desktops and cloud services, and compliance with the standard Top 10 isn’t enough. Now, Code Dx 2.6 maps the findings from your mobile application onto the OWASP Mobile Top 10, so you can easily see how your source code measures up against the most critical mobile vulnerabilities.
With the release of version 2.6, Code Dx Enterprise integrates with NowSecure, a popular commercial mobile application vulnerability scanner. NowSecure is a powerful application security testing tool for the mobile space, providing excellent code coverage across a wide range of vulnerability types. Because NowSecure offers both static and dynamic testing for mobile applications, its results are stronger and more complete than static analysis alone.
With Code Dx Enterprise integration, the results of those tests can be brought together with the security analysis results of all of your system’s components—from cloud to desktop to device—so you can manage them and run a successful and efficient application security program all in one place.
In addition to all the capabilities of NowSecure, supplemented by scans from the built-in Android Lint and OCLint, Code Dx Enterprise lets you check your mobile code against compliance standards like HIPAA and PCI-DSS, government requirements such as DISA-STIG and NIST 800-53—and, of course, OWASP. Our integration with software composition analysis tools will make sure that your third-party libraries are secure and up to date. To communicate your findings to the development team, Code Dx integrates with the popular issue tracker Jira, so remediation can be quickly assigned and monitored, right from Code Dx.