SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
NowSecure announces new GitHub integration for mobile apps
Tue, 12th Jul 2022

NowSecure has unveiled the GitHub Action for Mobile Software Bill of Materials (SBOM), an offering that feeds its results into the GitHub Dependency Graph.

The offering is the first automated, dynamically generated mobile app SBOM integrated into the platform. It gives iOS and Android developers visibility into the components, third-party libraries and frameworks they use, so they can confirm the version, security and privacy posture of each while the app is being built.

NowSecure notes that doing so will allow developers to provide high-quality, secure mobile apps faster.

GitHub provides a software development platform for over 83 million developers and has released new extensions for submitting dependency information to the GitHub Dependency Graph through new GitHub Actions.

“The software supply chain starts with the developer,” GitHub business partnerships director Jose Palafox says.

“Extending automated visibility into your SBOM means developers can significantly reduce their usage of vulnerable software dependencies as well as be confident in shipping new mobile features and products with security built in by design.”

NowSecure's newest offering is available in early access through the GitHub Marketplace, and the NowSecure Platform can also be purchased through Microsoft Azure Marketplace.

Further, all GitHub mobile developers are able to request a free scan for dynamic SBOM generation into GitHub Dependency Graph as part of the early access program.

The companies note that the rise in major incidents underlies the urgency for developers to be able to manage their software dependencies: software supply-chain attacks grew by 650% in 2021, with significant incidents involving SolarWinds, Microsoft, Kaseya, Log4j and others.

In addition, the White House's 2021 cybersecurity executive order identified critical risks in the global software supply chain and required government agencies to put in place standards and policies to secure it.

“Developers want to deliver innovative, high-quality mobile applications fast,” NowSecure CEO Alan Snyder says.

“This means they need a developer-first, easy-to-use and accurate mobile security solution embedded directly in their dev workflows.

“While mobile developers depend on third-party code for innovative experiences, complex functionality and time to market, they must ensure the code they use is up to date and secure.

“We are excited to extend our partnership with GitHub and the community by adding dynamic SBOM generation into GitHub Dependency Graph to help developers protect their software supply chain.”

NowSecure also has two GitHub Actions for automated mobile app analysis and mobile app SBOMs.

The first NowSecure GitHub Action offers automated static and dynamic security analysis of iOS and Android mobile apps built in any language or framework, including Swift, Objective-C, Java, Kotlin, Dart and React-Native.

Moreover, the NowSecure GitHub Action for Mobile SBOMs creates component detail for visibility into the libraries and frameworks included in all mobile apps.

This identifies transitive dependencies, pinpoints libraries and frameworks that are running older versions, flags components that were previously marked for removal but still ship in the app, and uncovers component license details.

“The NowSecure GitHub Action for Mobile SBOM populates the GitHub Dependency Graph with mobile data so that in the future GitHub Dependabot alerts can update dependencies to the latest and more secure versions of libraries in mobile apps,” NowSecure CTO David Weinstein says.

“Furthermore, comparing SBOMs and dependencies from different versions of a mobile app provides insight into changes made by the developer over time that may require further analysis or help identify technical debt.

“Overall, we've been very impressed with GitHub's implementation, enabling third parties to extend the Dependency Graph and Dependabot to support new ecosystems like mobile.”
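As an added illustration of the SBOM comparison and component checks described above (this is not NowSecure's or GitHub's code; the component names, versions, planned-removal list and licence allowlist are constructed for the example, and the CycloneDX-style component shape is an assumption), here is a small Python diff of two builds' component lists that reports added, removed, changed and downgraded components, components still shipping despite being scheduled for removal, and licences outside an allowlist:

```python
import re
from typing import Dict, Iterable, List

# Constructed sample SBOMs (CycloneDX-style component entries) for two builds
# of the same Android app. Names and versions are illustrative only.
SBOM_V1: List[Dict] = [
    {"name": "okhttp", "version": "4.9.0", "licenses": ["Apache-2.0"]},
    {"name": "log4j-core", "version": "2.14.1", "licenses": ["Apache-2.0"]},
    {"name": "legacy-analytics-sdk", "version": "1.2.0", "licenses": ["Proprietary"]},
]
SBOM_V2: List[Dict] = [
    {"name": "okhttp", "version": "4.10.0", "licenses": ["Apache-2.0"]},
    {"name": "log4j-core", "version": "2.17.1", "licenses": ["Apache-2.0"]},
    {"name": "legacy-analytics-sdk", "version": "1.2.0", "licenses": ["Proprietary"]},
    {"name": "kotlinx-coroutines-core", "version": "1.6.4", "licenses": ["Apache-2.0"]},
]
# Hypothetical: components the team had decided to drop before the v2 release.
PLANNED_REMOVALS = {"legacy-analytics-sdk"}
# Hypothetical licence allowlist used for the licence review.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}

def version_key(version: str) -> tuple:
    """Numeric-aware sort key so that '2.17.1' > '2.9.0'; non-numeric parts count as 0."""
    return tuple(int(re.match(r"\d*", part).group() or 0) for part in version.split("."))

def diff_sboms(old: Iterable[Dict], new: Iterable[Dict],
               planned_removals: Iterable[str] = (),
               allowed_licenses: Iterable[str] = ALLOWED_LICENSES) -> Dict:
    """Compare two SBOMs of the same app and report what a reviewer would want to see."""
    o = {c["name"]: c for c in old}
    n = {c["name"]: c for c in new}
    changed, downgraded = {}, []
    for name in o.keys() & n.keys():
        ov, nv = o[name]["version"], n[name]["version"]
        if ov != nv:
            changed[name] = (ov, nv)
            if version_key(nv) < version_key(ov):  # a version that went backwards
                downgraded.append(name)
    return {
        "added": sorted(n.keys() - o.keys()),
        "removed": sorted(o.keys() - n.keys()),
        "changed": changed,
        "downgraded": sorted(downgraded),
        # Components scheduled for removal that still ship in the new build.
        "lingering": sorted(n.keys() & set(planned_removals)),
        # Components whose licences are outside the allowlist.
        "license_review": sorted(c["name"] for c in n.values()
                                 if not set(c["licenses"]) <= set(allowed_licenses)),
    }
```

Running `diff_sboms(SBOM_V1, SBOM_V2, PLANNED_REMOVALS)` on the constructed data reports the new coroutines library as added, both upgrades as changed, and the analytics SDK as both lingering and needing licence review.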