DevOps process development for mobile app developers

Development teams—perhaps especially mobile development teams—have invested heavily in systems to automate their processes and accelerate the delivery of mobile apps. From build, test, and release to tracking and monitoring, your mobile DevOps team relies on systems like Fastlane, Bitrise, Jenkins, Azure Pipelines, and GitLab—and the list really only scratches the surface.
The mobile app market is evolving so quickly that automation is the only way mobile DevOps teams can keep up with their competitors and with rapidly changing customer expectations. Iterating and releasing quickly pays off: the more often a publisher ships new features, the higher customers rate its app. In GitLab's 2022 Global DevSecOps Survey, 70% of respondents said their teams release code every day or every few days.
Unfortunately, one major component of mobile app development is left out of these automated processes in most mobile DevOps teams: security. Developers still implement security largely by hand, and assuring application security still relies mostly on code review and penetration testing. According to GitLab's survey, 53% of developers run static application security testing (SAST), but the findings from those scans are often not fed back into developer workflows: fewer than three in ten teams (29%) report test results to developers.
There is also still a communication gap between security and development teams. Nearly half (47%) of security professionals said that more than three-quarters of developers leave bugs in their code for the security team to find, and more than half (56%) said it was difficult to get developers to prioritize fixing vulnerabilities in their code. In fact, getting vulnerabilities prioritized has been the biggest challenge for security professionals. It is also notable that when it comes to shifting security left, the focus seems to be on earlier code review rather than on building security into applications earlier in the process.
Data-driven decisions and security automation
First, DevOps teams need to integrate data about their mobile app's security early in the process so they can make informed decisions about which protections to include in the next build. Scan findings and penetration test results clearly need to get back to the development team as quickly as possible; there is no point in running these tests if the results never reach developers and no action is taken.
Beyond that, the mobile devices themselves can collect and report much richer data about the security threats that applications actually face in the field. By gathering that data, DevOps teams can make data-driven decisions about which threats matter most.
As noted earlier, though, collecting data does no good if it is never used. And the slow pace of manual security implementation does not let DevOps teams deploy protections quickly or nimbly enough to keep up with a rapidly changing threat landscape. DevOps teams must automate the building, testing, release, monitoring, and management of security just as they do every other aspect of application development. Specifically, they need the following:
- A system that provides storage, versioning, and an audit trail for the security protections applied across all releases
- An automated system that can build the desired protection into your application within your organization’s existing CI/CD processes
- Automatic verification that the protections planned for implementation are actually included in the release
- A feedback loop from data collected in the field, including data on the effectiveness of protections already implemented. This proves that security measures are working and reinforces the value of the DevSecOps process.
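As an added example (not code from the original article) of the third and first items above, the following hypothetical CI release gate compares a build's protection manifest against the protections planned for that release and emits an audit record; the manifest format, protection names and version numbers are constructed for this illustration.

```python
# Hypothetical CI release gate (constructed example, not the article's code): verify
# that the protections planned for a release are present and enabled in the build.
import json
from dataclasses import dataclass, field
# Constructed policy: protections every release must carry, with a minimum version.
REQUIRED_PROTECTIONS = {
    "root_detection": {"min_version": 3},
    "anti_tampering": {"min_version": 2},
    "certificate_pinning": {"min_version": 1},
}

# Constructed manifest that the build step publishes next to the release artifact.
BUILD_MANIFEST_JSON = json.dumps({
    "app": "com.example.app", "version": "4.2.0", "build_type": "release",
    "protections": [
        {"name": "root_detection", "version": 3, "enabled": True},
        {"name": "anti_tampering", "version": 1, "enabled": True},
        {"name": "certificate_pinning", "version": 1, "enabled": False},
    ],
})

@dataclass
class GateResult:
    passed: bool = False
    missing: list = field(default_factory=list)   # planned but absent from the build
    disabled: list = field(default_factory=list)  # present but switched off
    outdated: list = field(default_factory=list)  # present but below planned version

def verify_release(manifest_json: str, required: dict) -> GateResult:
    manifest = json.loads(manifest_json)
    result = GateResult()
    if manifest.get("build_type") != "release":  # debug builds are not gated
        result.passed = True
        return result
    present = {p["name"]: p for p in manifest.get("protections", [])}
    for name, rule in required.items():
        entry = present.get(name)
        if entry is None:
            result.missing.append(name)
        elif not entry.get("enabled", False):
            result.disabled.append(name)
        elif int(entry.get("version", 0)) < rule["min_version"]:
            result.outdated.append(name)
    result.passed = not (result.missing or result.disabled or result.outdated)
    return result

if __name__ == "__main__":
    r = verify_release(BUILD_MANIFEST_JSON, REQUIRED_PROTECTIONS)
    print(json.dumps(r.__dict__, indent=2))  # audit record for the release log
    raise SystemExit(0 if r.passed else 1)   # non-zero exit fails the pipeline
```

Run as a pipeline step after the build, the non-zero exit blocks a release whose manifest lacks a planned protection, and the printed record is what the versioned protection store keeps per release.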
With this combination of data and automation, mobile app developers can move from DevOps, past shift-left security, to a fully data-driven DevSecOps process. Instead of reacting to the latest threats in the news or going on gut feeling about where the threat environment is heading, DevOps teams can look at trending threat data from their own applications, sliced by growth, geography, device, operating system version, and many other filters. As a result, the organization can pinpoint which threats will emerge as the next big thing and defend against them early.
With automation, your DevOps team can keep up with trending data, building security protections into your application within days or even hours of deciding what to include.
Security needs to shift left to improve the DevOps process, but moving code scanning and penetration testing earlier will do little to tighten security without real-time data from the field and automation of security implementation. DevOps needs to shift to data-driven DevSecOps.