Black Duck recently introduced static application security testing (SAST) support for the Dart programming language and the Flutter application framework to expand our coverage for mobile development teams that are tasked with delivering secure apps on multiple platforms. This builds on our support of more than 20 programming languages and 200 frameworks, and complements our existing Kotlin, Swift, and React Native support with another option for those focused on secure mobile app development.
Mobile applications have become a requirement for any business that wants to provide a modern user experience for their customers. However, despite frequent reports of high-profile cyberattacks and the availability of frameworks that help businesses produce more secure software, many mobile apps still contain critical vulnerabilities that could be exploited at any minute.
According to NowSecure’s Mobile Risk Tracker, 85% of mobile applications in public app stores include at least one high-risk vulnerability or violate one or more OWASP mobile application security standards.
Despite the clear risk of mobile apps being exploited, many development teams struggle to prioritize secure coding practices due to the number of other demands for their time and attention. The Flutter framework has gained popularity in recent years because of its ability to alleviate at least some of these demands by helping teams build apps that run across both iOS and Android devices as well as web browsers. This cross-platform capability means a single codebase can address 99% of the mobile device market.
Of course, leveraging a cross-platform framework helps reduce the burden on development teams, but ensuring that your code is secure can be difficult whether you’re building mobile apps or any other software. To truly optimize development efforts, developers need tools that let them focus on delivering business value and securely testing mobile apps without slowing them down. Unfortunately, many SAST tools force developers to waste time triaging false positives, or lack the in-depth analysis needed to uncover anything beyond the most basic security issues. This leads to frustration among development teams while still not ensuring that their code is free of critical defects.
To consistently produce secure code on time and without causing frustration, developers need mobile app security testing tools that help them focus on the most important vulnerabilities, within the tools and workflows that they’re already using. Our new Dart language support maps vulnerabilities to the OWASP Mobile Top 10 to help teams test, identify, and prioritize the most critical threats to their mobile apps. Scans can be run early in the development process to help identify these issues, when they’re easiest to resolve and before they impact other teams.
Code Sight™ is an IDE plug-in that scans source code automatically within the IDE, so issues are identified as the code is being written. Actionable remediation guidance helps developers fix these issues before the code is even committed.
Policy-driven scans can be triggered on every commit or pull request to prevent critical issues from being merged into the main branch. Security testing details are provided right within popular SCM and CI/CD tools, so teams can quickly collaborate and prioritize issues without needing to switch tools. More in-depth scans can also be run later in the SDLC to uncover any remaining vulnerabilities that may be hidden anywhere in the application.
Issue details and actionable remediation advice are provided right within preferred developer workflows.
Today’s modern applications present several potential avenues for attack that developers and security teams didn’t need to worry about a decade ago. In addition to mobile app security testing, these teams need to contend with potentially dangerous misconfigurations in infrastructure-as-code (IaC) templates, hard-coded secrets being mistakenly pushed into public repositories, and the potential of AI tools producing large volumes of code with no guarantee that it isn’t introducing new vulnerabilities into your apps.
SAST solutions can ease these concerns by identifying and helping to remediate code defects and vulnerabilities across any application. By automating mobile app security testing and scans throughout the early stages of the SDLC and providing issue details and remediation guidance right within key developer workflows, Black Duck helps eliminate critical vulnerabilities while enabling developers to work at the speed your business requires. And since all our SAST offerings leverage the same scan engine, your applications will receive this best-in-class SAST coverage no matter which solution you choose: Black Duck Polaris™ Platform, Software Risk Manager, Coverity®, or Code Sight.