How CISOs, AppSec leaders and DevSecOps teams can secure mobile apps, safeguard privacy, reduce risk and prove compliance.
Executive Summary
Most enterprises already have risk management programs for cloud, network and web applications. However, many lack a comparable framework for mobile apps, even though apps are often the primary way customers, partners and employees interact with your brand.
That’s where a Mobile App Risk Management (MARM) program comes in. “A MARM program is fundamentally just a structured way of thinking about how to organize, then continuously assess and mitigate the risk of mobile apps in your environment,” said NowSecure CEO Alan Snyder. Snyder laid out the principles of MARM in the virtual NowSecure Connect 2025 conference session, “Building a Mobile App Risk Management Program.”
The stakes are high. Mobile apps contain sensitive data, rely on third-party SDKs and carry unique risks from permissions, surveillance and AI. Without a MARM program, organizations struggle to answer two critical questions:
- How do you know when a mobile app is ready to go to production?
- How do you prove you’ve taken reasonable care?
MARM programs offer the following benefits:
- Clarity: Define what “production-ready” means for your business.
- Consistency: Apply common standards such as OWASP Mobile Application Security (MAS) across all apps.
- Efficiency: Focus resources where business impact is highest.
- Provability: Demonstrate reasonable care to boards, auditors and regulators.
Guide to Putting a MARM Program Into Practice
Once you understand the business case for why a MARM program is essential, the next step is to understand what it looks like in practice and how to operationalize MARM across the organization.
The following sections explore:
- What makes mobile risk unique compared to web and cloud
- How to define “production-ready” for mobile apps
- The four-step framework for building a MARM program
- Testing strategies tailored to high-, medium- and low-business-impact tiers
With this deeper dive, your AppSec and DevSecOps teams can translate strategy into execution and scale mobile risk management across your enterprise.
Why Mobile Needs Its Own Framework
Many enterprises give mobile app security less attention than it deserves. But mobile apps pose several distinct risks:
- Dangerous permissions: Access to location, microphone and contacts creates surveillance and privacy exposures.
- AI and data governance: New features drive data flows that raise compliance and regulatory concerns.
- Third-party components: Some 60% to 80% of mobile app code comes from external SDKs or libraries.
- User scale: Mobile apps often reach millions of customers, amplifying business impact if compromised.
Without a structured framework, enterprises face:
- Gaps and inconsistencies in testing
- Friction between development and security teams
- Increased risk of regulatory fines, data breaches or brand damage.
“It doesn’t matter who built the app,” said Snyder. “What matters is the impact to the business.”
Defining Production-Ready for Mobile
One of the biggest challenges organizations face is knowing when an app is truly secure enough to release. Snyder asked, “How do you know when a mobile app is ready to go to production? That can be a very awkward question, because realistically, most teams don’t have a clean answer.”
A MARM program sets a clear bar, ensuring both security and development teams understand the standards. This removes ambiguity, accelerates release cycles and reduces friction.

The Four Steps to Build a MARM Program
1. Define Business Impact Tiers
   - High-Impact Apps: Handle PII/PHI, support core business functions, carry brand risk or fall under regulatory oversight
   - Medium-Impact Apps: Important but not mission-critical, limited sensitive data
   - Low-Impact Apps: Minimal data, no dangerous permissions, no brand or compliance exposure

   “If an app has sensitive data or dangerous permissions, we put it in a high business impact tier because if compromised, it creates significant brand and compliance risk,” explained Snyder.

2. Build an App Inventory
   - Include apps your organization develops, manages or authorizes (Teams, Slack, Salesforce, etc.).
   - Some regulated companies also track BYOD apps that coexist with sensitive business apps on devices.

3. Assign Apps to Tiers
   - Use both business context and technical analysis (e.g., whether an app requests dangerous permissions or transmits sensitive data).
   - Remember this is dynamic. As new versions ship, apps may move between tiers.

   “Step three never stops,” Snyder said. “Yesterday, the app didn’t have access to geolocation. Today it does. That means it moves from medium to high.”

4. Establish a Testing Regimen
   - High-Impact Apps: Perform continuous automated mobile application security testing plus quarterly checks of MFA and critical workflows, along with an annual deep-dive pen test.
   - Medium-Impact Apps: Conduct automated testing with periodic deeper checks.
   - Low-Impact Apps: Run lightweight continuous analysis and possibly anonymous (non-authenticated) testing.

This ensures testing frequency and depth match business impact.
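The four steps above can be partly automated. The following script is an added illustration written for this guide, not NowSecure code or the MARM tooling the talk describes. It reads the permissions an Android build requests from its AndroidManifest.xml, combines them with a few business-context flags (the field names in BusinessContext are an assumption), assigns the tier, maps the tier to the testing regimen from step four, and re-tiers a new build so that the geolocation case from step three shows up as a tier change. The permission names are real Android runtime ("dangerous") permissions; the two manifests are constructed sample input.

```python
"""Assign mobile apps to business-impact tiers from manifest permissions plus
business context, and detect when a new version moves an app between tiers.

Added example for this guide; it is not NowSecure code. The permission names
are real Android runtime ("dangerous") permissions; the tier rules follow the
article's three tiers, and the BusinessContext fields are an assumption.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# A subset of Android runtime ("dangerous") permissions that imply
# surveillance or privacy exposure.
DANGEROUS_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
}

# Testing regimen per tier, as laid out in step four.
TESTING_REGIMEN = {
    "high": "continuous automated testing, quarterly MFA/critical-workflow checks, annual pen test",
    "medium": "automated testing with periodic deeper checks",
    "low": "lightweight continuous analysis, optionally unauthenticated testing",
}


@dataclass(frozen=True)
class BusinessContext:
    """Business facts recorded for an app in the inventory (assumed field names)."""
    handles_pii_or_phi: bool
    core_business_function: bool
    regulated_or_brand_risk: bool
    important: bool  # matters to the business but is not mission-critical


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return every <uses-permission android:name=...> in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}
    return names - {""}


def assign_tier(manifest_xml: str, ctx: BusinessContext) -> str:
    """Step three: technical analysis (permissions) plus business context."""
    dangerous = requested_permissions(manifest_xml) & DANGEROUS_PERMISSIONS
    if (dangerous or ctx.handles_pii_or_phi
            or ctx.core_business_function or ctx.regulated_or_brand_risk):
        return "high"
    if ctx.important:
        return "medium"
    return "low"


def tier_change(old_manifest: str, new_manifest: str, ctx: BusinessContext) -> tuple[str, str]:
    """Re-run tiering on a new build; returns (old_tier, new_tier)."""
    return assign_tier(old_manifest, ctx), assign_tier(new_manifest, ctx)


def tier_inventory(inventory: dict[str, tuple[str, BusinessContext]]) -> dict[str, tuple[str, str]]:
    """Steps two to four: map each inventoried app to (tier, required testing regimen)."""
    result = {}
    for app, (manifest, ctx) in inventory.items():
        tier = assign_tier(manifest, ctx)
        result[app] = (tier, TESTING_REGIMEN[tier])
    return result


# Constructed sample manifests: the same store-locator app before and after a
# release that added geolocation (the case Snyder describes in step three).
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.storelocator">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

MANIFEST_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.storelocator">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

# Assumed business context: useful to customers, but no PII and no regulation.
STORE_LOCATOR = BusinessContext(
    handles_pii_or_phi=False, core_business_function=False,
    regulated_or_brand_risk=False, important=True,
)

if __name__ == "__main__":
    old, new = tier_change(MANIFEST_V1, MANIFEST_V2, STORE_LOCATOR)
    print(f"storelocator: {old} -> {new}")  # medium -> high
    for app, (tier, regimen) in tier_inventory({"storelocator": (MANIFEST_V2, STORE_LOCATOR)}).items():
        print(f"{app}: tier={tier}; regimen={regimen}")
```

Running this on every build in CI is the mechanical part of "step three never stops": the business context changes rarely and is maintained by hand, while the manifest diff is what most often moves an app between tiers. For iOS the same check would read usage-description keys (for example NSLocationWhenInUseUsageDescription) from Info.plist instead of uses-permission elements.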
The Benefits of MARM
A structured program pays off across the enterprise:
- Faster Releases: Clear standards reduce debates and bottlenecks.
- Better Security and Privacy: Every app consistently meets minimum thresholds.
- Resource Optimization: Security teams focus on apps that matter most to the business.
- Audit Readiness: Document proof of “reasonable care” across versions, apps and business units.
“With a MARM program, you raise the bar in terms of security, you improve efficiency through automation and you can move to production faster because everyone knows the standard,” advocated Snyder.
Crawl, Walk, Run Adoption
Launching a MARM program doesn’t need to be overwhelming. “It’s crazy easy, and much more efficient than what most organizations are doing today,” said Snyder.
Many organizations begin with high-impact apps, then expand coverage over time. Mobile application security testing automation makes it possible to scale consistently while freeing up human security analysts for deeper investigations and strategic oversight.
Build Your MARM Program Today
Don’t leave mobile apps as your weakest link. Talk to NowSecure for help establishing a MARM program that protects your business, satisfies regulators and gets innovative mobile apps into the hands of users faster.