As the mobile device revolution continues to grow, application security has become an emerging concern for all of the favorite apps we download from the store every day.
Mobile app architecture, device hardware, and operating system versions continue to unintentionally plague users who are unable to act in their own best interest. Users ignore update messages and reuse the same combination of login credentials across many of their most sensitive apps (like social media and banking). Additionally, fragmentation, especially with Android, can prevent security updates from reaching devices. Mobile app developers are under constant pressure to produce high-quality products within strict timelines. There is a perpetual tug of war between first-to-market and security-risk exposure. Naturally, some security concerns are going to slip through the cracks.
To combat these pitfalls, developers need to concentrate on building security into their application development process. One popular approach is Threat Modeling. The goals of Threat Modeling are to break the system down into components, understand how data flows, understand where data is stored (whether on a database server or on the physical device), identify trust boundaries (public vs. internal networks), and decide where to store an organization’s most valuable algorithms (app packages can be decompiled, revealing source code!). Threat modeling is a team effort to brainstorm what an attacker might do and what countermeasures can be implemented to mitigate those threats. The Microsoft SDL Threat Modeling Tool is an excellent framework that helps development teams diagram, analyze, and report on common architecture threats (by the way, it’s free!). It’s based on the STRIDE methodology, which is a classification scheme for characterizing known threats according to the kinds of exploits that are used by attackers (source: OWASP).
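To make the method concrete, here is an added example (not code from the original article, and not the Microsoft tool itself) that applies the widely published STRIDE-per-element mapping to a small constructed data-flow model of a mobile app talking to a web service and a database. The element names, trust zones, and flows are assumptions chosen for illustration; the code enumerates which STRIDE categories apply to each element and flags every data flow that crosses a trust boundary, which is the usual starting point for the brainstorming session described above.

```python
"""STRIDE-per-element enumeration over a small data-flow model.

Added example: a constructed model of app code <> web service <> database,
with trust zones assumed for illustration. It is not the article's or the
Microsoft SDL Threat Modeling Tool's own code.
"""
from dataclasses import dataclass

# STRIDE-per-element: which threat categories apply to each kind of
# data-flow-diagram element. Repudiation on a data store applies when
# the store holds audit logs; it is kept here so it is never overlooked.
STRIDE_BY_ELEMENT = {
    "external_entity": ["Spoofing", "Repudiation"],
    "process": ["Spoofing", "Tampering", "Repudiation",
                "Information disclosure", "Denial of service",
                "Elevation of privilege"],
    "data_store": ["Tampering", "Repudiation", "Information disclosure",
                   "Denial of service"],
    "data_flow": ["Tampering", "Information disclosure", "Denial of service"],
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # external_entity | process | data_store
    zone: str   # trust zone (assumed labels: "device", "internal")


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element

    def crosses_boundary(self) -> bool:
        """A flow crosses a trust boundary when its endpoints sit in different zones."""
        return self.src.zone != self.dst.zone


def enumerate_threats(elements, flows):
    """Return (subject, STRIDE category, note) for every element and flow."""
    threats = []
    for e in elements:
        for cat in STRIDE_BY_ELEMENT[e.kind]:
            threats.append((e.name, cat, f"{e.kind} in zone '{e.zone}'"))
    for f in flows:
        if f.crosses_boundary():
            note = f"crosses trust boundary {f.src.zone} -> {f.dst.zone}"
        else:
            note = f"stays within zone '{f.src.zone}'"
        for cat in STRIDE_BY_ELEMENT["data_flow"]:
            threats.append((f.name, cat, note))
    return threats


def boundary_crossing_flows(flows):
    """Names of the flows that deserve first attention in the review."""
    return [f.name for f in flows if f.crosses_boundary()]


# Constructed model (assumption): the user and the app live on the device;
# the web service and database sit on an internal network.
USER = Element("user", "external_entity", "device")
APP = Element("mobile_app", "process", "device")
API = Element("web_service", "process", "internal")
DB = Element("database", "data_store", "internal")
ELEMENTS = [USER, APP, API, DB]
FLOWS = [
    Flow("user_input", USER, APP),
    Flow("login_request", APP, API),
    Flow("credential_lookup", API, DB),
]


def report(elements=ELEMENTS, flows=FLOWS):
    return enumerate_threats(elements, flows)


if __name__ == "__main__":
    for subject, cat, note in report():
        print(f"{subject:18} {cat:24} {note}")
    print("boundary-crossing flows:", boundary_crossing_flows(FLOWS))
```

The output is the raw candidate list a team then prunes and turns into countermeasures; the boundary-crossing flow (here the login request leaving the device) is where questions about transport protection and server-side authentication of the app naturally start.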
Other benefits of Threat Modeling are the report artifacts it produces, which can then be used by QA teams to conduct security tests. A good testing practice will include:
Dynamic Analysis: observes application communication between system components (app code <> web service <> database)
Static Analysis: examines application code at rest (source code review)
Forensic Analysis: examines files and timestamps created after an application executes
There are a number of free and open source tools to create a lab and exercise these approaches.
As a test manager with tight budget constraints, it’s become extremely important to take a closer look at how new technologies can be used in the testing field to become better, cheaper, and faster. A good solution will provide a healthy balance of tools, process, and governance. Together these three disciplines form a QA system that can react to the testing demands of mobile, web, and desktop applications. In the spirit of ‘you think your automation framework is better than mine’, here at FogChain we provide a patented, tool-agnostic framework that simplifies your favorite scripting tools. We provide a user-friendly interface to create automated test cases but, unlike script-less vendors, we encourage the use of scripting and programming. In our opinion, QA groups that are provided an organized framework (interface and code modules), clear architecture goals, and knowledge from a qualified automation firm will excel at their task. Having the ability to mix and match commercial and open source tools under one solution truly answers the question, “how do we automate mobile, web, or the next big thing?”
About The Author
Chief Strategy Officer, FogChain Inc.