Embedding Security into the Mobile Development Lifecycle with Ostorlab
RSA Security embeds security testing into every step of mobile development through its Secure Development Lifecycle. Security starts at design, continues through development and release, and stays active after the app goes live. Ostorlab continuously runs SAST, DAST, and API analysis on every iOS and Android release as part of RSA’s formal security sign-off, and Threat Center helps RSA spot new vulnerabilities as soon as they affect its mobile apps.
As RSA’s mobile apps grew, the team needed a clear view of security risks on every release. They also needed a way to know when new vulnerabilities affected their apps without waiting for the next scan. Point-in-time testing could miss issues between releases, and new CVEs could stay unnoticed for too long.
Shifting security testing left with Ostorlab
Instead of testing only at release time, RSA uses Ostorlab to find and fix mobile security issues earlier in the development process. This helps the team catch problems before they reach users and keeps release cycles smoother.
“Shifting security testing left and using Ostorlab throughout development helps us find and fix mobile security issues early. It reduces last-minute surprises and gives us steady visibility into new risks.”
— RSA Security
RSA runs SAST and DAST with Ostorlab on every iOS and Android release before shipping. Security sign-off is required before any release moves forward, so every build gets the same check.
- RSA went from 145 total findings historically to no active findings over the last month.
RSA uses Ostorlab Threat Center to get alerts when new CVEs affect its mobile apps. This gives the team early warning without waiting for the next scheduled scan.
Early CVE visibility
Out of 89 CVEs disclosed in the past 30 days, Ostorlab Threat Center identified all 89 as potentially affecting RSA's mobile assets, allowing them to be resolved promptly.
Reduced exposure window
RSA went from an all-time average of 342 exposure days for high-priority issues to zero days over the last 30 days.
“Proactive alerts from Ostorlab are highly valuable, as they enable us to quickly understand when newly disclosed vulnerabilities impact our mobile assets without waiting for the next testing cycle. This early visibility allows us to prioritize remediation, reduce exposure time, and maintain a strong security posture with minimal disruption to delivery velocity.”
— RSA Security
RSA’s mobile security testing is still manual at release today. The next step is to add automated mobile security testing into CI/CD so coverage happens on every build, not just at release.
For RSA, that means:
- Clear mobile findings that developers can act on easily
- Continuous coverage across every build
- Low noise so teams are not overwhelmed by false positives
- Fast feedback so issues can be fixed early
The goal is for MAST to behave the way SAST and SCA already do at RSA, running automatically on every build, consistently, without manual intervention.
- Security requirements and threat modeling embedded at the feature design stage
- SAST and SCA run on every pull request throughout development
- DAST via Ostorlab executed during release testing
- Security sign-off required as a formal release gate
- Post-release monitoring maintained through RSA's vulnerability disclosure process
- Proactive Ostorlab Threat Center alerts surface newly disclosed vulnerabilities affecting production assets immediately
RSA's approach shows how a mature SDL framework and continuous mobile security testing can work together. With Ostorlab embedded into the release process and CI/CD integration on the roadmap, the team gains a consistent, scalable way to maintain security posture across every release.