The conventional wisdom in security, and mobile app protection in particular, was that consumers care about features, not security. At mobile brands across the globe, a healthy internal debate exists over this dichotomy. Mobile developers say features are more important. Cyber security teams say security is more important. Operations teams serve as the tie breaker, often choosing whatever will get the app out the door the fastest.
Enlightened mobile brands might concede that consumers do care about security but care about features first. In our second year of conducting a global survey of 25,000 consumers, the data tells a different story. Far from caring about features "only" or "first," 62% of global consumers said that protecting them against security, fraud and malware threats is as important as new features. Approximately 24% said protecting consumers is more important.
Why Is the Consumer Voice Important to DevSecOps?
The current DevSecOps ecosystem was built to serve internal or regulatory compliance objectives, not the customer voice. These days, most consumers use mobile apps before and more than any other digital channel. Likewise, most consumers have become increasingly cyber, fraud and malware aware. This combination makes the customers' voice fully capable of driving DevSecOps objectives.
Imagine a world in which DevSecOps objectives were agile and informed by the same class of real-time feedback and KYC systems used by other parts of the mobile DevOps pipeline. Imagine building consumer voice and feedback into DevSecOps lifecycles to improve business metrics like customer acquisition costs, retention, and NPS. Internal and regulatory requirements could still be met. And, the value of DevSecOps to the organization, brand, consumer-customer and economy would rise as well.
What Is Customer-Centric DevSecOps?
Customer-centric DevSecOps is a culture and set of technologies designed to leverage and address the consumer voice in cyber, anti-fraud and other defense priorities as an equal part of the DevOps CI/CD pipeline. With customer-centric DevSecOps, brands have a big opportunity to match cyber defense spend to business need, differentiate themselves, increase customer loyalty and even harness that loyalty to grow.
For example, 23.8% of global consumers openly express fear of mobile developers that don't protect their app's users and use. Not surprisingly, consumers were clear about what happens when brands fail to keep their mobile apps secure. When this happens, more than 66% of consumers said they'd abandon a mobile app, and more than 4 in 10 (44%) would tell their friends to do likewise.
Simply knowing that mobile consumers value protection against synthetic fraud (55.7%), hacking (50.1%) and on-device malware (28.5%) is enough to guide cyber, anti-fraud and other defense priorities. It is thrilling to see that 93.8% of global consumers said that they would promote a brand if the brand's mobile app protected their use and their data from hackers, fraud, malware and other threats.
What's the Biggest Difference Between Customer-Centric DevSecOps and Traditional DevSecOps?
There are three big differences between customer-centric DevSecOps and traditional DevSecOps. Traditional DevSecOps focuses on code scans, DAST/SAST and pen testing to measure protection against a target list of cyber objectives. Customer-centric DevSecOps leverages data and technology to incorporate and use (1) voice of the customer, (2) automation, and (3) live, real-time data and threat intelligence from in-production mobile apps.
Where traditional DevSecOps zeroes in on discovering vulnerabilities, customer-centric DevSecOps emphasizes delivery of mobile app security, anti-fraud, anti-malware and other relevant protections as most important (and most impactful) to the mobile app, consumer and business. We've covered the voice of the customer above. Now let's turn to using automation and live, real-time data and intelligence to deliver the required protections directly inside mobile apps based upon the actual threats and attacks that those apps and the mobile consumers using those apps are facing in the real world.
There's a thriving, fast-growing "exploit economy" that enables entrepreneurial hackers to monetize vulnerabilities, malware, and other tools and make these creations available to a broader ecosystem of cybercriminals. Moreover, these exploit creators leverage automation to create attacks at increasing scale and sophistication. These exploits are often extremely capable of masking or hiding their malicious purpose. On top of this, tons of tools and methods inside frameworks like Magisk, Frida, Flex, Objection and others enable attackers to go deep into apps and execute exploits fast.
Against this backdrop, mobile app defenders need automation systems to deliver protections into mobile apps as fast as attackers can release exploits. Done right, cyber defense automation empowers the mobile development and/or cyber security team to deliver on any cyber objective on-demand, with full agility and speed needed in DevOps CI/CD pipelines.
At the core of customer-centric DevSecOps is using live, real-time attack and threat intelligence to provide the hard evidence that the mobile app security, anti-fraud, anti-malware and other protections released in the mobile app are successfully defending against attacks. The data, in this context, serves two purposes: (1) it makes it easy to prove the value of the mobile app security, anti-fraud and other protections deployed in the app, and (2) it allows the mobile app to be threat-aware, opening the door to new user experiences (UX) that inform and delight users. In other words, real-time attack and threat data serves both an organizational purpose and an end-user purpose, allowing the mobile consumer to see protections working in the app and on their behalf, and showcasing the protections throughout the mobile app lifecycle for all stakeholders.
So, there it is. No doubt, mobile threats and the consumer expectations around mobile app security, anti-fraud, anti-malware and other protections are rising. Customer-centric DevSecOps promises to help organizations match their cyber spending to the protections that matter most (and are the most impactful) to mobile consumers. More than that, customer-centric DevSecOps offers the promise that Dev, Sec and Ops teams have the data to collaborate more effectively and a cyber defense automation platform to rapidly deliver the protections needed in their mobile apps efficiently and effectively. In the end, customer-centric DevSecOps elevates DevSecOps from compliance tooling to systems that create trust, add business value, and set the stage for long-term customer-consumer loyalty.