Left Shifting Mobile Security with DevSecOps

Steven Smiley
  Corellium

In today’s fast-paced digital world, organizations can no longer afford to overlook the importance of strong security measures when developing software. With cyberattacks targeting businesses of every size and industry more frequently, a robust security posture has become a necessity. To achieve it, companies must treat product-specific security as a priority, integrate it into their engineering team’s culture, and adopt the DevSecOps approach.

The first requirement for building secure software is a culture that prioritizes security from the outset. All stakeholders must understand why security matters and how it affects business value. Second, security must be integrated into every phase of the software development life cycle. This means adopting a “shift left” mindset, in which security is addressed as early as possible in mobile application development rather than bolted on before release.

Finally, round-the-clock monitoring of DevOps systems and services is crucial. Dedicated teams must keep a constant watch over security, and they are most effective when they partner with the product team(s) they support, who supply the context and telemetry needed to maintain oversight of the mobile applications in production. By implementing these strategies, organizations can build a strong and reliable security posture that safeguards their products against potential threats.

3 Strategies for Mobile DevSecOps

1.  Culture Is Key

Establishing a strong culture of security within an engineering team requires a shared sense of mission and purpose. One effective strategy to achieve this is by creating a product security team that offers continuous support and educational resources to address potential security risks.

But simply establishing a security team is not enough. Organizations must also prioritize security education programs that engage and inform all employees. This can involve initiatives such as required training/certification, newsletters, interactive workshops, and other security incentive programs. By implementing these measures, organizations can create a culture of security that emphasizes proactive risk management and continuous improvement. This, in turn, can help to minimize the risk of security breaches and protect the organization’s reputation and pocketbook.

2.  Putting the Sec into DevSecOps

When it comes to software development life cycles, each phase – planning, development, testing, and release – requires its own set of security best practices. To prioritize security effectively, the product manager should identify the most important security concerns using inputs such as risk assessments, executive priorities, customer requests, prior security findings, and regulatory requirements.

During the development phase, it’s essential to implement security testing, threat modeling, security baselines, and automated scanning to ensure that potential threats are identified and mitigated early in the process.

Teams should also build hardened images for both operating systems and containers that meet security policy and ship with the mandatory security agents pre-installed. This gives every project a secure starting point without a separate security review for each one, and baseline updates should flow automatically into CI/CD systems so that no pipeline keeps building on a stale image. Automated scanning should also be part of the process. Helpful tools for continuous testing include static application security testing (SAST, which covers static code analysis), dynamic application security testing (DAST), and interactive application security testing (IAST).

Integrating these tools into the development pipeline is a critical part of securing mobile applications in a CI/CD process. Immediate feedback to developers is invaluable: a finding reported on the pull request can be fixed while the code change is still fresh in the developer’s mind, rather than weeks later in a security review. Overall, automation is what makes security checks repeatable across the SDLC and gives consistent risk management and mitigation.
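To make the automated-scanning step concrete, here is an added example (not Corellium’s code, and not any tool the article names) of a Python script a mobile CI pipeline could run on every commit. It checks an AndroidManifest.xml against a small security baseline (debuggable builds, cleartext traffic, backup exposure, and services, receivers or providers exported without a permission), treats a team-reviewed list of accepted findings as the baseline so that only regressions fail the build, and prints each new finding to the CI log where the developer sees it. The two manifests, the package name and the finding wording are constructed for illustration.

```python
"""Android manifest baseline gate for CI.

Added example (not Corellium code): a minimal static check of AndroidManifest.xml
that a pipeline runs on every commit. Findings already reviewed by the product
security team live in an accepted-findings baseline; only new findings fail the build.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None when it is absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def check_manifest(manifest_xml: str) -> list[str]:
    """Return every baseline violation found in the manifest; an empty list means clean."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return ["manifest: no <application> element"]

    findings = []
    if _attr(app, "debuggable") == "true":
        findings.append('application: android:debuggable="true" (a release build must never be debuggable)')
    if _attr(app, "usesCleartextTraffic") == "true":
        findings.append('application: android:usesCleartextTraffic="true" (plain HTTP is allowed)')
    if _attr(app, "allowBackup") != "false":
        findings.append('application: android:allowBackup is not "false" (app data extractable with adb backup before Android 12)')

    # Services, receivers and providers reachable from other apps must require a permission.
    # A component with an <intent-filter> is exported by default when android:exported is unset;
    # Android 12+ requires the attribute to be explicit, but apps targeting older API levels
    # still rely on that default, so the implicit case is flagged too.
    for tag in ("service", "receiver", "provider"):
        for comp in app.findall(tag):
            name = _attr(comp, "name") or "<unnamed>"
            exported = _attr(comp, "exported")
            implicit = exported is None and comp.find("intent-filter") is not None
            if (exported == "true" or implicit) and _attr(comp, "permission") is None:
                how = "implicitly via intent-filter" if implicit else 'android:exported="true"'
                findings.append(f"{tag} {name}: exported ({how}) without android:permission")
    return findings


def gate(manifest_xml: str, accepted: frozenset[str] = frozenset()) -> tuple[int, list[str]]:
    """CI entry point: return (exit_code, new_findings).

    `accepted` is the team's reviewed baseline; findings in it do not fail the build,
    so the gate blocks only on regressions. Updating the baseline is a reviewed change.
    """
    new = [f for f in check_manifest(manifest_xml) if f not in accepted]
    for f in new:
        print(f"FAIL {f}")  # lands in the CI log the developer reads on the pull request
    return (1 if new else 0), new


# Constructed sample manifests (hypothetical package com.example.app).
INSECURE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <provider android:name=".DataProvider" android:authorities="com.example.app.data">
      <intent-filter><action android:name="com.example.app.QUERY"/></intent-filter>
    </provider>
  </application>
</manifest>"""

HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application android:allowBackup="false">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="false"/>
    <provider android:name=".DataProvider" android:authorities="com.example.app.data"
              android:exported="true" android:permission="com.example.app.READ_DATA"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    # In a real pipeline the manifest path and baseline file would come from the repository.
    sys.exit(gate(INSECURE_MANIFEST)[0])
```

Run against the insecure manifest the gate reports five findings and exits 1; against the hardened manifest it exits 0. Passing the current findings as `accepted` lets a team adopt the check on an existing app without blocking every build, while still failing the moment a new exported component or debug flag appears.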

In the release phase of the SDLC, penetration testing is a critical component that can be performed internally or by a third party. An internal team usually understands the technology better and can therefore cover a broader scope, while an external team brings an independent perspective and fresh assumptions; many organizations use both. A well-executed penetration testing strategy helps identify vulnerabilities and confirm that products are secure before they are released, reducing the risk of a breach.

3.  Monitor, Monitor, Monitor

Although a Security Operations Center (SOC) is usually owned by a CIO/CISO, a real-time feedback loop to Engineering/Software Groups is critical for upstream learning and modifying SDLC processes and checkpoints for future releases.

A dedicated SOC should be established to scrutinize threats against the company, its employees, and its customers. The SOC’s responsibilities go beyond those of a product security team, since its scope covers the entire attack surface of the organization. But when vulnerabilities are identified that concern internally developed software, whether that software is the source of the vulnerability or the target of external threats, the information is fed back to the development teams to investigate, address, and release updates as quickly as possible.

Conclusion

Mobile technology will continue to advance, and so should an organization’s DevSecOps policies and practices. While there is no perfect one-size-fits-all mobile security blueprint, new technology innovations are continually being released that can substantially reduce the engineering time, time-to-market, and overall cost of securing mobile applications.

Find out how Corellium can streamline your Software Development Life Cycle for mobile app development and put the Sec into DevSecOps.

Visit us at Corellium.com to learn more about our mobile device virtualization technologies and how organizations around the world are reinventing their DevSecOps.
