
Interview with Suphi Cankurt, the AppSec Santa

3 min read
Edit by Rémy Balangué • Jul 7, 2022

I had the privilege of talking with Suphi Cankurt, founder of AppSec Santa.

A few weeks ago, Suphi interviewed Hugues Thiebeauld, eShard's CEO, to present our vision of the MAST market. You can access the esChecker page on AppSec Santa's website or directly on esChecker.

It's now our turn to get Suphi's point of view.

Suphi, who are you, and what is the genesis of AppSec Santa?

Cybersecurity teams are struggling to keep up with the speed of agile development. There is a 100:1 developer/cybersecurity engineer ratio, so you have to work smarter and faster, and it starts with having the right tools.

At AppSec Santa, I help companies test fast and choose "the right" application security tools. You can find the list of DAST tools on my website.

In the AppSec Testing world, we feel that Mobile Apps are late and less mature. What is your opinion on this?

In 2014, Gartner was saying that more than 75% of mobile applications failed basic security tests, and I think the situation is way better now. Mobile security testing started to become popular in 2017, and it usually takes 5-7 years to become mainstream, and now we are here.

With your experience, what problems should the ideal MAST tool solve? How?

Mobile security testing requires a specific domain experience which is not common, and an ideal MAST tool should bring this to the team.

It should be able to execute the app in a real-device state and run attacks as a hacker does, to cover certain situations on jailbroken/rooted devices. It is not possible to find those issues with source code scanning.

Mobile App Sec is a place where Security Experts and Mobile Engineers meet. Do you have an anecdote to be shared about this relationship, which can be harsh sometimes?

I believe the dance between the engineering and security teams is more of a collaboration and strategy issue than a technical one. When the security team positions itself as the guardian of the company and dictates rules/policies to the engineering team without involving them in the reasoning/decision process, what happens is that the development team will see these processes as a bottleneck and look for ways to bypass them. We all know the "looks good to me" comments on management-enforced code reviews.

Pentesters tend to not like MAST tools. Do you see these tools as a threat or an opportunity for them?

I think this frustration comes from having experiences with half-baked technologies. It is like calling your bank and getting stuck in call centre automation, wasting 5 minutes before reaching a real person to get it done.

If your tool delivers what it promises without causing you extra hassle with false positives, I think no pentester will battle with this.

Could you share some resources (blogs, YouTube channels, events, books, etc.), other than AppSecSanta, about Mobile App Security Testing?

There is Wojciech Reguła's blog, and I am a big fan of academic papers, for example, "Comparative analysis of Android and iOS from a security viewpoint".
