Mobile Pen Testing’s Secret Weapon: Continuous & Automated Scanning
This is the first of a two part series examining the different audiences benefiting from Zimperium’s zScan. This blog looks at pen testers. The second blog looks at enterprises developing mobile apps themselves or by third-party developers.
Companies providing mobile penetration testing or “pen testing” are keeping busy these days. More than two-thirds of enterprises say mobility is a top IT priority for 2020, with most expecting to deploy as many as five mobile apps. For that matter, 42% of small businesses report they also have their own mobile app.
Among the best security practices in development – including app development – pen testing is fundamental. Globally, the pen testing market is projected to grow from $1.7B in 2020 to $4.5B in 2025 and $5.6B in 2027 – with mobile pen testing as the fastest growing segment. Hence the abundance of work for mobile pen testing companies.
The good news is pen testing companies have access to a secret weapon – established pen testing businesses can use it as a force multiplier and start-ups can use it to accelerate growth.
The secret weapon?
Challenges in mobile app security and compliance
Mobile pen testing is significantly different from traditional pen testing, requiring a different set of skills, tools and expertise. This is – in part – because the final destination for mobile apps is a mobile device, which is typically administered by the user instead of by IT and is mostly used outside the corporate firewall. It is also – in part – because mobile apps have a larger attack surface, since they often reside on untrusted devices connecting to unknown and unsecured networks.
These factors mean mobile apps require even more robust security than other enterprise apps.
But mobile app development is in a relatively early stage of evolution and often does not yet have the extensive set of security and compliance-focused processes and best practices in place, compared to traditional development.
Mobile pen testing companies help mobile app developers mitigate this situation by providing third-party analysis, showing whether mobile apps are hitting the mark for security, privacy and compliance.
Pen testers may use several available open source automated scanning tools. However, these tools can be out of date and focus only on the security aspect of app scanning, without covering the growing set of privacy-centric regulations and compliance frameworks such as the National Information Assurance Partnership (NIAP), General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI-DSS), Health Insurance Portability and Accountability Act (HIPAA), and others.
This is where zScan comes in.
zScan promotes security, privacy and compliance in mobile app development
From a security, privacy and compliance perspective, manual pen testing can be vital – and for businesses subject to regulation, it can even be required – but it is not sufficient to ensure a mobile app is consistently secure and compliant. Pen testing companies have a unique opportunity to add value by using zScan as part of their pen testing process:
- For established pen testers, the perennial challenge is that testing procedures tend to be intermittent. There are specific times – usually at the end of the development cycle – assigned to pen testing. So how does a pen testing company continue to deliver value to their customers during the in-between time? By providing the customer with insights delivered by zScan, a logical extension of the secure development orientation that pen testing companies bring to the table.
- For new pen testing companies, the goal is to build the business while maintaining high quality standards. zScan automates a variety of tasks to make pen testing pros more productive by documenting security, privacy and compliance risks within mobile apps. zScan identifies issues such as hardware-specific usage, insecure API calls, sensitive data handling, and data privacy – which are typically not covered in traditional pen testing – allowing for broader “air coverage” while not overextending the staff. This allows start-ups to do much more with less and accelerates time to market (TTM).
In both instances, zScan provides pen testers with a tangible report to deliver to their customers – proof showing what was tested, what was found and why it matters for your industry.
By introducing zScan, pen testing companies increase the value they deliver to their mobile app development customers, help their customers enhance the security of the apps they develop, and reduce their own workload by ensuring that the mobile apps they test have fewer issues. If you’d like to learn more about the ways zScan can benefit your mobile pen testing company, please don’t hesitate to contact us.