Chip & System Security Testing 
Mobile & Backend Security Testing 
Our Company 
Blog
Contact us
Back to all articles
Mobile App Security

Interview with Giovana Assis, AppSec Tech Manager at Nubank

4 min read
Edit by Rémy Balangué • Oct 26, 2022
Share

The third article of our series of App Sec and DevSecOps experts is now live. 👇

After meeting with Michelle Mesquita from EY, now it's time to interview Giovana Assis, AppSec Tech Manager at Nubank.

Here's a summary of our discussions:

 

Interviews_Gio.png

💬 Hi Giovana, could you please introduce yourself?

Hi! I'm Giovana Assis, Brazilian cybersecurity professional with 12 years of experience and nowadays I work as an Application Security Tech Manager at Nubank.

 

💬 Do you feel that the market is getting more and more mature to switch from DevOps to DevSecOps?

Yes, we can notice that companies around the world are more and more aware of the cyber threats that exist and understand the importance of cybersecurity.

Considering that, they began to realize the benefits of having security integrated into the DevOps pipeline and how that can be more agile than the regular approach.

 

💬 With your experience, could you list the advantages of an automated step in the security testing, on top of all the manual tests (code review, pentest, etc.)

I think that the major gains are related to time, reduced labour effort and the coverage of 0-day vulnerabilities.

At the same time that no automated test will be able to achieve some results that manual testing can, such as business-logic-related tests.

 

💬 With all the new tools on the market, what would be the best stack?

It will depend on your company's maturity, but I would recommend the use of IAST/SAST (Interactive / Static Application Security Testing) for coding, security tools for the codebase itself (e.g. GHAS, GitHub Advanced Security), container security tools and, last but not least, use of your cloud-provider tools to improve its security.

 

💬 When running security testing on mobile apps, do you prefer the scalability of an emulator or the accuracy of a real device?

It depends on what stage of it I'm in, for the early test stages I would use an emulator, but I think is very important to test and validate the mobile app at the end stage of development in a real device.

 

💬 What do you think of the OWASP MASVS? Should it be the security standard in all organisations?

I really like OWASP projects, they're often very complete and approach important issues. Personally, I've never used MASVS, just the ASVS itself and really like it, but I think that organisations should use it as a baseline and adjust it to their business and/or reality.

 

💬 Have you followed their recent work on the OWASP MASVS refactoring?

No, I've not, but I'll take a look in it, I'm curious about it.

 

💬 What are your thoughts when it comes to SAST v. DAST? Any good practice?

I don't think that it should be a versus approach, I think that they're complimentary to each other. SAST can identify vulnerabilities and issues during the coding and the DAST can identify them after the app is already in the final stages or even in prod, simulating access that the client or the attacker would have.

The best approach, in my opinion, is to use them both and take advantage of their strengths.

 

💬 Do you think mobile app binaries are enough protected although they are publicly available in app stores and potentially subject to reverse-engineering?

I think that we'll never have enough protection, there will always be new attacks vectors, and new ways to surpass the existent protections, so the best practice, in this case, is to not expose too much info/data in the mobile app and use stronger controls/protection/validation in the backend. Sure you can use mTLS or other approaches to increase security in the communication, but it's no simple task.

 

💬 Could you recommend some security professionals that you'd like us to interview?

In mobile security subject I would definitely recommend:

Regarding AppSec/DevSecOps I would recommend:

And if you are looking for someone to talk about cryptography, I would definitely recommend Talita Rodrigues.

 

💬 Interested in eShard's solution for MAST: esChecker. Feel free to request a free trial

 

Top 120 European Mobile Banking App Benchmark

Share

Categories

All articles
(49)
Chip Security
(16)
Corporate
(5)
Mobile App Security
(21)
Vulnerability Analysis
(8)

you might also be interested in

Corporate
Vulnerability Analysis

Announcing esReven version 2023.01

9 min read
Edit by Mathieu Favréaux • Jan 12, 2023
CopyRights eShard 2023.
All rights reserved
Privacy policy | Legal Notice
SECURITY TESTING SOLUTIONS
Side Channel AnalysisLaser & EM Fault InjectionFirmware Security AnalysisSecurity Failure AnalysisVulnerability ResearchMAST: Mobile Application Security Testing