6 Areas Your App Security Testing Shouldn’t Miss

Here’s a stat that should scare just about everyone, from developers to marketers to everyday app consumers: market research firm Gartner says more than three-quarters of mobile apps would fail basic security testing.

Notice the word “would” in that sentence. It implies that most apps are not tested for security at all, and those that have been tested fail three times out of four.

With critical application breaches increasing on a global scale, the demand for efficient and accurate security testing is greater than ever.

Application security testing (AST) technology is designed to analyze applications and test them for security holes, yet many AST industry leaders fall short of spotting all vulnerabilities. The following 6-point list covers what a well-rounded, mature mobile app testing service should offer its users.

#1. Provide AST as a service and a tool.

AST can be delivered as a cloud service or as a tool. The Gartner report suggests a reputable mobile app testing service will offer both.

To supplement the AST tool, the testing service should use a single management console and an enterprise-class reporting framework that supports multiple users, groups and roles.

#2. Provide Static AST (SAST)

Static AST tests for vulnerabilities during the programming and/or testing phases of the software life cycle by analyzing the application without running it: for example, its byte code or binary code, its source code, and its design.
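To make the static side concrete, here is an added example (not code from the article or from any Gartner-rated product) of the simplest form a SAST rule engine takes: a set of pattern rules run over source text that is never executed. The Java-like source being scanned, the rule identifiers and the severities are all constructed for this illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of Android/Java source, as a SAST tool would see it on disk.
# Every line below is deliberately written to trip one rule.
SAMPLE_SOURCE = """\
public class NetClient {
    private static final String API_KEY = "AKIA_EXAMPLE_KEY_1234567890";
    void setup(WebView w) {
        w.getSettings().setJavaScriptEnabled(true);
        w.setWebContentsDebuggingEnabled(true);
    }
    HostnameVerifier hv = SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;
    void store(Context c) {
        c.openFileOutput("tokens", Context.MODE_WORLD_READABLE);
    }
}
"""

# Each rule: (rule id, compiled pattern, severity, rationale shown to the developer).
# Rule ids and severities are this example's own convention.
RULES = [
    ("HARDCODED_SECRET",
     re.compile(r'(?i)(api[_-]?key|secret|password)\s*=\s*"[^"]{8,}"'),
     "HIGH", "credential embedded in source ships inside the APK"),
    ("ALLOW_ALL_HOSTNAMES",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"),
     "HIGH", "TLS hostname verification disabled"),
    ("WORLD_READABLE_FILE",
     re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)"),
     "HIGH", "file accessible to every app on the device"),
    ("WEBVIEW_JS_ENABLED",
     re.compile(r"setJavaScriptEnabled\(\s*true\s*\)"),
     "MEDIUM", "JavaScript enabled in WebView; review which origins are loaded"),
    ("WEBVIEW_DEBUG",
     re.compile(r"setWebContentsDebuggingEnabled\(\s*true\s*\)"),
     "LOW", "WebView debugging should be off in release builds"),
]


def scan_source(source: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, rule_id, severity, rationale) for every rule that matches a line.

    Purely lexical: the code is read, never compiled or run, which is what
    distinguishes static testing from the dynamic kind."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule_id, pattern, severity, why in RULES:
            if pattern.search(line):
                findings.append((line_no, rule_id, severity, why))
    return findings


def summarize(findings: List[Tuple[int, str, str, str]]) -> Dict[str, int]:
    """Count findings per severity, the number a reporting console would chart."""
    counts: Dict[str, int] = {}
    for _, _, severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_source(SAMPLE_SOURCE)
    for line_no, rule_id, severity, why in results:
        print("line %d [%s] %s: %s" % (line_no, severity, rule_id, why))
    print(summarize(results))
```

Real SAST engines work on an abstract syntax tree or on byte code rather than on regular expressions, so they can follow a value across method calls and avoid matching text inside comments or string literals; the regex form shown here is the starting point, not the ceiling.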

#3. Provide Dynamic AST (DAST)

Dynamic AST mimics cyber attacks against a running application and analyzes its reaction. It takes place during the operation or testing phases and analyzes the application in real time (or close to it).

#4. Provide Interactive AST (IAST)

Interactive AST is essentially the combination of SAST and DAST. It is implemented as an agent inside the test runtime, which observes the application’s code and data flow while attacks are exercised against it and reports the problems it identifies.
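The following added example (written for this page, not taken from the article or from any IAST vendor) shows the mechanism the paragraph describes in miniature: an in-process agent wraps a sensitive function, and while the test suite drives the application with an untrusted input, the agent records whenever that input reaches the sink unparameterized. The application under test, the `TaintedStr` marker, the `observe_sink` hook and the two lookup functions are all constructed for the illustration.

```python
import inspect
from functools import wraps
from typing import Dict, List


class TaintedStr(str):
    """String subclass marking data that came from an untrusted request (constructed).

    Concatenation keeps the taint, so the mark survives ordinary string building."""

    def __add__(self, other):
        return TaintedStr(str.__add__(self, other))

    def __radd__(self, other):
        return TaintedStr(str.__add__(other, self))


# Findings the agent collects while the tests run.
FINDINGS: List[Dict[str, str]] = []


def observe_sink(sink_name: str, arg_index: int = 0):
    """IAST-style hook: wrap a sensitive function and record when a tainted value
    arrives in the argument that must never carry raw user input."""
    def deco(fn):
        @wraps(fn)
        def wrapper(*args, **kwargs):
            if len(args) > arg_index and isinstance(args[arg_index], TaintedStr):
                # The frame above the wrapper is the application code that called the sink.
                caller = inspect.currentframe().f_back.f_code.co_name
                FINDINGS.append({"sink": sink_name, "caller": caller,
                                 "value": str(args[arg_index])})
            return fn(*args, **kwargs)
        return wrapper
    return deco


@observe_sink("sql.execute", arg_index=0)
def execute_sql(query: str, params=()):
    """Stand-in for a database driver: only the query text is a sink,
    bound parameters are handled safely by the driver."""
    return "executed: %s with %r" % (query, tuple(params))


def lookup_user_unsafe(username: str):
    # Builds the statement by concatenation, so untrusted text becomes SQL.
    return execute_sql("SELECT * FROM users WHERE name = '" + username + "'")


def lookup_user_safe(username: str):
    # Passes the value as a bound parameter; the query text stays constant.
    return execute_sql("SELECT * FROM users WHERE name = ?", (username,))


def run_instrumented_tests() -> List[Dict[str, str]]:
    """Drive both code paths with the same untrusted input, as a DAST-style
    test would, and return what the in-process agent observed."""
    FINDINGS.clear()
    untrusted = TaintedStr("bob' OR '1'='1")   # constructed test input
    lookup_user_safe(untrusted)
    lookup_user_unsafe(untrusted)
    return list(FINDINGS)


if __name__ == "__main__":
    for finding in run_instrumented_tests():
        print(finding)
```

The point of the combination is visible in the result: the dynamic side supplies the input and the static side's knowledge of where the sinks are tells the agent what to watch, so the finding names the exact function that built the unsafe query rather than just an HTTP response that looked wrong.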

#5. Test for conflict of policies

Occasionally, mobile apps contain functions that conflict with an organization’s security policies. For example, an app that can access a corporate calendar or contact list and transmit corporate data to outside sources is a serious security threat that should not be overlooked.
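One way a testing service can check for exactly this conflict is to read the permissions an app declares and compare them with a written policy, flagging the combination of "can read corporate data" with "can send data off the device". The example below is added here and is not from the article: the manifest fragment, the policy table and the verdict labels are all constructed, though the permission names are the real Android ones.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed AndroidManifest.xml fragment for a hypothetical expense app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.expenses">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALENDAR"/>
    <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed corporate policy: which permissions reach corporate data, which
# give the app a channel to move data off the device, and which are banned outright.
POLICY = {
    "corporate_data": {
        "android.permission.READ_CONTACTS": "corporate contact list",
        "android.permission.READ_CALENDAR": "corporate calendar",
        "android.permission.READ_EXTERNAL_STORAGE": "documents on shared storage",
    },
    "exfil_channels": {"android.permission.INTERNET", "android.permission.SEND_SMS"},
    "denied_outright": {"android.permission.READ_SMS"},
}


def declared_permissions(manifest_xml: str) -> List[str]:
    """Return the android:name of every <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission")]


def policy_conflicts(perms: List[str], policy: Dict = POLICY) -> List[Tuple[str, str, str]]:
    """Evaluate declared permissions against the policy.

    Verdicts (this example's own labels):
      DENY     - permission the policy prohibits in any app
      CONFLICT - corporate data is readable AND an off-device channel exists
      REVIEW   - corporate data is readable but no channel is declared"""
    declared = set(perms)
    verdicts = []
    for p in sorted(declared & policy["denied_outright"]):
        verdicts.append(("DENY", p, "permission prohibited by policy"))
    channels = declared & policy["exfil_channels"]
    for p in sorted(declared & set(policy["corporate_data"])):
        what = policy["corporate_data"][p]
        if channels:
            verdicts.append(("CONFLICT", p, "%s readable and app can transmit off-device via %s"
                             % (what, ", ".join(sorted(channels)))))
        else:
            verdicts.append(("REVIEW", p, "%s readable; no network or SMS channel declared" % what))
    return verdicts


if __name__ == "__main__":
    for verdict, perm, reason in policy_conflicts(declared_permissions(SAMPLE_MANIFEST)):
        print("%-8s %-40s %s" % (verdict, perm, reason))
```

A declared permission is only an upper bound on behaviour, so a mature service pairs this manifest check with the dynamic and interactive testing described above to confirm whether the contact and calendar data actually leaves the device.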

#6. Packaging and deployment conditions

It’s important to manage and package applications in a way that’s sure to run smoothly in cloud-based environments and on mobile devices. A good AST will test for ways to help organizations reduce the time and cost of application migration. It will also simplify mobile application management and self-service delivery models for the user’s satisfaction.

********

On top of these 6 core requirements for mobile app testing, behavioral analysis, proactive testing, integration and commercial app reputation ratings should also be incorporated into a comprehensive security analysis. If there’s anything we missed, leave a comment below!
