NowSecure enables its customers to choose automated security and privacy testing software in the cloud or workstation on-premises, expert professional penetration testing, and managed services, or a combination of all as needed. Following is the conversation that CIO Applications had with Brian Reed, the Chief Mobility Officer of NowSecure, to understand how his company delivers the simplest, fastest path to continuous mobile app security.
Please elaborate on the vision that spurred the inception of NowSecure.
A decade ago, as Android and iOS mobile devices started gaining traction, the NowSecure founders started by writing the book on mobile forensics, and over the next few years built a successful mobile forensics and mobile app penetration testing business. With time, we realized that there was a critical need for the tools necessary to carry out mobile app penetration testing efficiently. To that end, we developed the required tools and solutions, which we could sell as commercial software—we called it NowSecure Workstation. Today, NowSecure leads the mobile app security software space by serving hundreds of customers with robust automated mobile application security and privacy testing services and solutions.
We deliver maximum customer value through the speed, accuracy, and efficiency of the NowSecure Platform in the cloud, necessary for Agile and DevSecOps environments. We help CIOs and CISOs to manage the risk of the mobile apps they build, buy and use—be it building security and privacy testing into the mobile app development cycle as part of “shifting left” or monitoring production mobile apps downloaded from the app stores or delivered by outsourced mobile app development teams. We equip organizations with advanced solutions to continuously test and monitor their mobile app portfolio. This ensures that they meet the security and privacy requirements of their business and are compliant with industry regulations.
What are the challenges that organizations face today in the software testing space, and how can NowSecure help?
The mission of the CIOs is to enable and power the business through technology. At the same time, CISOs and the Chief Risk Officers (CROs) are focused on securing the enterprise and mitigating risks as the business grows. Now, when we add the other C-suite leaders into the mix, such as the head of sales, the CEO, the COO, or other lines of business executives, they are looking to innovate and often drive digital transformation through mobile. As such, they are bringing in mobile apps to empower employees, both in organizations and out in the field, and building mobile apps for customers, partners, or employees. While mobile forms a major part of their business, data shows that most organizations are falling behind from a mobile security, privacy, and risk perspective. If we look at the benchmark data in the industry, about 95 percent of security expenses, time, and effort are spent on web apps. Yet, about 63 percent of all internet traffic is from mobile applications. Over the last 15 years, we have seen an interesting dichotomy, wherein CIOs and CISOs have built out web and web application security testing infrastructure, and then new innovations in mobile, but have not similarly built out security testing infrastructure to go with their massive investments in mobile apps.
Please elaborate on the approach NowSecure undertakes to assess the needs of a client and deliver a testing solution accordingly.
Typically, we'll start with a baseline analysis. On receiving from our clients the inventory of apps used by employees, be they internally developed or downloaded from app stores, we utilize our automated testing tools to provide them with a quick risk analysis of their mobile app portfolio. We have a database of millions of assessments already run on public App Store apps, and a new analysis for an internal or public app takes just 15 minutes, so we can do this quickly. This enables the clients to proactively identify, triage, and address security and compliance issues.
Next, we work with them to develop a security risk model that segregates the mobile apps into tiers according to the different risk and business continuity parameters and then implement relevant solutions. For the highest risk apps, we implement automated continuous testing and recommend including our expert pen test service twice per year as well.
To further reinforce app security, NowSecure supports clients with additional product training, processing through the backlog, and setting up integrations with third-party tools like CI/CD systems, vulnerability management, compliance tracking, and more. Further, we offer secure mobile app development best practices documentation and training to ensure secure mobile app development coding and processes.
Could you tell us about the different types of clients you cater to?
There are three types of clients that we generally deal with. The first category is what we call “breached businesses,” comprising customers who approach us after they have encountered a breach or identified vulnerabilities in their mobile apps. As they come to us seeking help, we immediately run an expert pen test, determine the issues that led to the breach, and help guide the customer to remediate them—the classic incident response fire-fighting. Next, we provide them with our automated continuous security testing software and offer secure developer training to ensure that their mobile apps have security built in.
The second category centres around the risk inventory on the operational side. Mobility with BYOD and BYOA is everywhere, and as a result, we see a large portfolio of mobile devices on the network and numerous mobile applications used in workplaces. We obtain the application inventory from all mobile devices connected to the business via MDM, MEM, or other mobility management tools and then quickly deliver a comprehensive mobile app risk analysis of the entire mobile app portfolio. This enables our clients to take the steps required in managing risks throughout the mobile app supply chain, from threat analysis of existing deployments to identifying and eliminating security loopholes with the automated testing software.
Finally, on the DevSecOps side, we collaborate with the clients that build mobile apps as part of their core business. Traditionally, as we have seen, the mobile application teams evolve and innovate fast and often outpace the ability of security teams to keep up. With our software integrated into their DevOps toolchain, we automatically test the security and privacy of every build every day so clients can find and fix any bugs introduced in the development cycle immediately, accelerating app releases and reducing their overall security testing costs.
What does the future hold for NowSecure?
On the mobile application portfolio side, we have now expanded from SAST and DAST to add IAST (interactive application security testing). As a long-time innovator in automated mobile AppSec testing software and services, NowSecure continues to embrace emerging technology by delivering the world’s first IAST technology purpose-built for mobile apps. This IAST advancement provides security analysts and app developers with greater visibility into app vulnerabilities and privacy issues by testing mobile apps from the “inside out,” while DAST tests the mobile apps from the “outside in.”
The next area of evolution pivots around privacy. We already certify for GDPR and CCPA and are looking at more ways we can add value around mitigating risk by ensuring privacy and compliance for mobile apps.
The third area we are focusing on is global expansion. We work in close collaboration with global multinational brands, and as we continue to grow our business, we look to establish our footprint in more countries around the world.