How to automate and secure your mobile dev pipeline with CircleCI and NowSecure
Chief Mobility Officer at NowSecure
Mobile apps are different from web apps and require tooling specifically designed to meet the needs of development, security and DevOps teams. Organizations can speed mobile app development by optimizing flow and baking in security, which can be achieved by using CircleCI and NowSecure. A long-term collaborator with CircleCI, NowSecure is pleased to be a CircleCI Technology Partner with our own orb in the registry.
CircleCI provides many key mobile-specific features for the mobile app DevOps team starting with cross-platform execution environment support to run multiple platforms under the same configuration and commit (for building desktop, Android, and/or iOS apps). For iOS mobile app developers, CircleCI includes code signing via Fastlane Match, iOS certificates and provisioning profiles management, iOS dependency management with Homebrew and iTunes Connect deployment and management along with services integrations with Hockey App, Beta by Crashlytics and TestFairy.
NowSecure AUTO is purpose-built for mobile app security testing, starting with cross-platform security testing of iOS and Android app binaries written in any language or development environment. NowSecure tests the compiled mobile app binary for data at rest, data in motion, and code functionality to ensure complete app coverage with highly accurate results. For fast flow in your pipeline, NowSecure delivers fast automated post-build test runs that complete in 7-15 minutes and automatically feed issues into ticketing systems such as Jira. Comprehensive security test results include CVSS-scored findings, developer remediation instructions, detailed artifacts and more, including break-the-build thresholds. NowSecure now offers direct integration with CircleCI via our NowSecure AUTO CircleCI Orb.
Let’s examine how the new NowSecure AUTO Orb for CircleCI integrates directly into CircleCI software and ticketing systems such as Jira to deliver fast, closed-loop dev cycles for building and deploying secure mobile apps.
Inside the CircleCI and NowSecure integration
Because mobile apps are fundamentally different from web apps, they require targeted tools that can accurately and thoroughly test the behavior of a mobile app under attack. The NowSecure automated mobile appsec testing engine can fully exercise an app during the build process and auto-generate results downstream.
As shown in the graphic above, the NowSecure AUTO CircleCI Orb plugs into the CircleCI platform post-build and runs rapid security tests in parallel or serially with unit testing, functional testing and UX testing solutions.
NowSecure AUTO can automatically test every CircleCI build and feed tickets into the cycle for developers to resolve. Unlike other security testing approaches, this NowSecure + CircleCI integration has zero impact on the dev workflow because there is no new IDE plug-in to learn, no static source code testing false positives to chase down, and no release delays caused by security bugs found too late in the testing cycle.
Connecting the NowSecure AUTO CircleCI Orb to your project is simple, with step-by-step details outlined here in the GitHub repo README.md. Note that you also need a license for the NowSecure AUTO mobile app security test engine software. To summarize the process:
- Generate a NowSecure AUTO token via your NowSecure Admin screen here.
- Create a CircleCI project by visiting https://circleci.com and selecting “ADD PROJECTS” from the left tab.
- Create a context in CircleCI by selecting “SETTINGS” from the left tab, and then selecting “Context” from the left navigation.
- Configure environment variables. The most commonly configured items are:
  - auto_token: mandatory parameter for the API token. We recommend using the environment variable AUTO_TOKEN to define this parameter instead of a job parameter. The value of this token is the output from step 1.
  - auto_url: optional parameter for the NowSecure AUTO API URL, with a default value of https://lab-api.nowsecure.com.
  - auto_group: if you are using NowSecure Group access control, configure this optional parameter with the group-id. You can also use the environment variable AUTO_GROUP to specify this.
- Add the orb to the .circleci/config.yml.
Sample usage:
```yaml
version: 2.1
orbs:
  auto_ci: nowsecure/ci-auto-orb@1.0.5
jobs:
  build:
    docker:
      - image: circleci/openjdk:8-jdk
    steps:
      - attach_workspace:
          at: /tmp/myworkspace
      - checkout
      # Stage the app binary where the orb step can read it
      - run: cp apkpure_app_887.apk /tmp/myworkspace/test.apk
      # AUTO_TOKEN is read from the environment (context), not from this file
      - auto_ci/mobile_security_test:
          auto_file: /tmp/myworkspace/test.apk
          auto_wait: "30"
          auto_score: "50"
          auto_show_status_messages: "true"
```
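To show how the sample above fits into a full pipeline, here is an added example (not from the orb's README or the original post) in which the security test runs in parallel with unit tests, the binary is handed over through a CircleCI workspace, and AUTO_TOKEN is supplied by a context. The Gradle commands, the APK output path and the context name "nowsecure" are assumptions; replace them with your own.

```yaml
version: 2.1
orbs:
  auto_ci: nowsecure/ci-auto-orb@1.0.5
jobs:
  build:
    docker:
      - image: circleci/openjdk:8-jdk
    steps:
      - checkout
      # Assumed build step; substitute your Gradle or fastlane build
      - run: ./gradlew assembleRelease
      - run: mkdir -p /tmp/myworkspace && cp app/build/outputs/apk/release/app-release.apk /tmp/myworkspace/test.apk
      # Hand the compiled binary to downstream jobs
      - persist_to_workspace:
          root: /tmp/myworkspace
          paths:
            - test.apk
  unit_test:
    docker:
      - image: circleci/openjdk:8-jdk
    steps:
      - checkout
      - run: ./gradlew test
  security_test:
    docker:
      - image: circleci/openjdk:8-jdk
    steps:
      - attach_workspace:
          at: /tmp/myworkspace
      # AUTO_TOKEN (and AUTO_GROUP, if used) come from the context, never from the repo
      - auto_ci/mobile_security_test:
          auto_file: /tmp/myworkspace/test.apk
          auto_wait: "30"
          auto_score: "50"
          auto_show_status_messages: "true"
workflows:
  build_and_test:
    jobs:
      - build
      - unit_test:
          requires: [build]
      - security_test:
          requires: [build]
          context: nowsecure   # assumed context name holding AUTO_TOKEN
```

Because unit_test and security_test both depend only on build, CircleCI schedules them concurrently, and a score below auto_score fails security_test without touching the other jobs.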
After checking in changes, the CircleCI build should kick off and you can see the output as it’s running as shown in the screenshot below.
Once the build completes, as shown in the second screenshot below, CircleCI automatically launches the NowSecure AUTO mobile app security test of the app binary. In this example, the full test run was completed in just under 13 minutes.
In this third screenshot below, we can see the JSON test results and artifacts that were generated. Individual tickets for each security finding are auto-fed into issue tracking systems like Jira.
Throughout this process, no human intervention is required. In fact, numerous customers run NowSecure “headless” in a fully automated integration mode at all times and never need to log into the NowSecure platform itself.
NowSecure Delivers Full Security Testing Coverage
Under the hood, NowSecure AUTO delivers automated dynamic appsec testing with an integrated behavioral attack tool. This works to ensure full security testing coverage with a high degree of accuracy for near zero false positives. NowSecure automatically pinpoints the security issues developers and security analysts want to prevent, such as:
- Sensitive data leakage over the air, in log files or system files
- Improper/inconsistent input validation
- Weak/improper encryption
- Vulnerabilities to man-in-the-middle attacks or remote code execution
- Certificate validation issues
NowSecure automatically delivers accurate, validated test results with straightforward issue descriptions, detailed remediation instructions and all relevant artifacts to speed resolution (for devs) and industry-standard CVSS scores, risk and compliance info (for security analysts).
Often, devs don’t even need to look at the security reports because they consume automatically-fed Jira tickets. The screenshot below shows the report interface that provides dev and security teams with deeper understanding.
NowSecure AUTO provides a rich dashboard for a comprehensive view of all metrics, trendlines and critical areas of concern. As shown in the orange/red heatmap in the screenshot below, the highest impact security issues to focus on include unencrypted data over HTTP, key size, a slew of sensitive data issues, “allow data backups” issues, plus one app that runs as root.
Powering Secure DevOps with CircleCI and NowSecure
Like CircleCI, NowSecure AUTO is available in the cloud or on-premises. Based on your team’s use cases, NowSecure AUTO can run on-demand, with devs and security teams uploading binaries, or fully automated, plugged into CircleCI and other tools.
CircleCI delivers a comprehensive CI/CD environment tuned specifically for the mobile app development lifecycle. Integrate NowSecure directly with your dev toolchain to free up time to focus on building and delivering the secure, innovative mobile app experience that your users demand.
Learn more about CircleCI and NowSecure by watching our webinar, CircleCI and NowSecure: Automating and Securing Your Mobile Dev Pipeline.
Read more on continuous integration for mobile application development.
Brian Reed, Chief Mobility Officer at NowSecure, brings over 15 years of experience in mobile apps, security and operations, including at NowSecure, Good Technology, BlackBerry, ZeroFOX, BoxTone and MicroFocus/INTERSOLV, securely mobilizing Fortune 2000 global customers and government agencies.