In this podcast episode, we talked to cybersecurity expert Anastasiia Voitova about all things related to mobile app security: from the first and most important steps teams should take to prevent potential attacks to reaching a high level of DevSecOps maturity.
Early on in her career, Anastasiia saw that as a developer, she had way too much access to users’ data: real names and emails in production databases, device logs, and so on. Back then GDPR was not a thing yet, but even with GDPR, many modern systems still store PII in plaintext.
She then realized that these apps were not as secure and didn’t respect users’ privacy as much as they should have — this marked the beginning of her journey from app developer to security engineer.
Besides working at Cossack Labs as Head of Customer Solutions — where she builds data security tools that help companies protect sensitive data — Anastasiia also regularly talks about security & cryptography at conferences and is a community leader of WomenWhoCode Kyiv.
In this episode
In this episode, we talked about all aspects of app security: the benefits of integrating end-to-end security checks, zero-knowledge and zero-trust architectures, and cryptography best practices. We’ve seen in the past few years that DevSecOps is on the rise and sophisticated mobile teams take app security very seriously. However, there’s still a large gap between these teams and those who take it less seriously and often see security as a necessary evil.
We also discussed how mobile teams getting started with app security should approach the implementation of these practices, such as data encryption, authentication, dependency management, secure coding, and so on. There are plenty of low-effort, high-reward steps teams can take to proactively prevent security incidents. We also asked for Anastasiia's opinion on what the future holds when it comes to app security and how she expects these practices to evolve in the coming years.
About this podcast
In Mobile DevOps is a thing! we showcase developers and their processes and learn about the ways in which mobile development processes differ and overlap, through the lens of Mobile DevOps. The aim? Learning how to be more productive and build better apps, whatever technology you might be using. For this, however, we need your help as well — if you have any questions or topics in mind that you would love to hear about in our upcoming podcasts, let us know on Twitter, or through email.
Show notes & resources
- OWASP MASVS https://github.com/OWASP/owasp-masvs
- OWASP ASVS https://github.com/OWASP/ASVS
- OWASP SAMM https://owaspsamm.org/model/
Useful tools for mobile developers:
Maintaining cryptographic libraries:
- Security Engineering: A Guide to Building Dependable Distributed Systems, by Ross Anderson