TechTalk: Best Practices for Keeping Your App Safe with Majid Hajian (Microsoft)

The Talsec Mobile App Security Conference in Prague was a two-day, invite-only event on fraud, malware, and API abuse in modern mobile apps, held at Chateau St. Havel on November 3–4, 2025, and hosted by Talsec, freeRASP, and partners. It brought together leading experts and practitioners to strengthen the mobile AppSec community, connect engineers with attackers and defenders, and share practical techniques for high-stakes sectors like banking, fintech, and e-government.

In the modern technological era, mobile application security is no longer a static goal but a continuous organizational effort. As Majid Hajian, a Solution Engineer at Microsoft, emphasizes, the rapid evolution of threat landscapes—marked by a 29% increase in mobile attacks in the first half of 2025 and a staggering 2,000% surge in AI-driven mobile threats—demands a fundamental shift in how we build and defend applications. This new paradigm moves away from traditional "castle and moat" perimeter defenses toward a model of constant vigilance and automation throughout the entire software development lifecycle (SDLC).

The Core Pillars of Modern App Defense

One of the primary strategies for securing modern mobile applications is the adoption of a Zero Trust architecture. This approach operates on the principle of "always verify," assuming that no device, user, or network is inherently safe. In the mobile context, this translates to runtime protections like Runtime Application Self-Protection (RASP), which can detect real-time threats such as jailbreaking or debugger attachments. It also requires continuous identity verification, ensuring that every server request is validated rather than relying on long-lived sessions. Furthermore, data protection must be absolute; all information should be encrypted and stored in platform-trusted secure storage rather than plain text.

To manage the complexities of the "invisible supply chain," where approximately 80% of an application's code is composed of external dependencies, organizations must implement a Software Bill of Materials (SBOM). An SBOM acts as an automated "ingredient list" for software, detailing every component, version, and vendor used. By analyzing these reports on every build, development teams can instantly identify and reject code containing compromised or outdated dependencies, ensuring both security and regulatory compliance.
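The build-time gate described above, as an added example that is not part of the talk or this write-up: it reads a CycloneDX JSON SBOM, compares each component against a deny list and minimum-version policy, and also flags components whose vendor (supplier) is missing, since the "ingredient list" is only useful if every entry names its source. The SBOM fragment, the package names, and the policy entries are all constructed for illustration; in a real pipeline the deny list and version floors would come from an advisory feed or an internal list maintained by the security team.

```python
import json
from typing import List, Tuple

# Constructed CycloneDX 1.5 SBOM fragment (illustrative; not from the talk).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-http", "version": "2.4.1",
         "purl": "pkg:npm/example-http@2.4.1", "supplier": {"name": "Example Org"}},
        {"type": "library", "name": "example-crypto", "version": "0.9.0",
         "purl": "pkg:npm/example-crypto@0.9.0"},
        {"type": "library", "name": "example-analytics", "version": "1.0.3",
         "purl": "pkg:npm/example-analytics@1.0.3"},
    ],
})

# Constructed policy (assumption). Real values would be fed from advisories.
DENIED_PURLS = {"pkg:npm/example-analytics@1.0.3"}   # a release known to be compromised
MINIMUM_VERSIONS = {"example-crypto": "1.0.0"}        # anything older is unsupported


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically.

    Non-numeric pieces (e.g. 'rc1') are reduced to their digits or 0; good enough
    for a gate, not a full semver implementation.
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def evaluate_sbom(sbom_json: str) -> List[str]:
    """Return every policy violation found; an empty list means the build may proceed."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        return [f"unsupported SBOM format: {bom.get('bomFormat')!r}"]

    findings = []
    for component in bom.get("components", []):
        name = component.get("name")
        version = component.get("version")
        purl = component.get("purl")

        # 1. Exact deny list: a specific release the team has rejected.
        if purl in DENIED_PURLS:
            findings.append(f"{purl}: denied (compromised release)")

        # 2. Version floor: outdated releases of components that need a minimum.
        floor = MINIMUM_VERSIONS.get(name)
        if floor and version and parse_version(version) < parse_version(floor):
            findings.append(f"{name}@{version}: below minimum version {floor}")

        # 3. Provenance: every ingredient must name its vendor.
        if not component.get("supplier"):
            findings.append(f"{name}@{version}: no supplier recorded")
    return findings


def build_allowed(sbom_json: str) -> bool:
    """Convenience wrapper for CI: True only when no violations were found."""
    return not evaluate_sbom(sbom_json)


if __name__ == "__main__":
    for finding in evaluate_sbom(SAMPLE_SBOM):
        print("FAIL:", finding)
    raise SystemExit(0 if build_allowed(SAMPLE_SBOM) else 1)
```

Run it as a CI step after SBOM generation; a non-zero exit code rejects the build, which is the "analyze on every build, reject compromised or outdated dependencies" loop the paragraph describes.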

Shifting Left and Defending with AI

A critical component of modern security is the concept of "shifting left," which means integrating security checks as early as possible in the development process. Implementing DevSecOps ensures that security is a shared responsibility across every phase of the SDLC. For example, using pre-commit hooks can automatically strip out secrets or personal data before code is ever committed to a repository. Finding and remediating vulnerabilities during development is significantly less costly than addressing them after an application has reached production.
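A minimal version of the pre-commit hook mentioned above, added here as an example and not taken from the talk: it scans only the lines a commit would add (the `+` lines of the staged diff) for a private-key block, a hard-coded API key or token assignment, and e-mail addresses as a stand-in for personal data, and blocks the commit when anything matches. The three patterns and the sample diff are illustrative assumptions; a production hook would use a maintained ruleset.

```python
import re
import subprocess
import sys
from typing import List, Tuple

# Illustrative patterns (assumption, not from the talk). Each entry is
# (label, compiled regex); a real hook would carry a much larger, maintained set.
SECRET_PATTERNS = [
    ("private key block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("hard-coded API key or token",
     re.compile(r"(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*['\"][A-Za-z0-9_\-]{16,}['\"]")),
    ("e-mail address (personal data)",
     re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
]


def scan_added_lines(diff_text: str) -> List[Tuple[int, str, str]]:
    """Return (diff line number, label, offending text) for every added line that matches.

    Only '+' lines are inspected, so secrets already in history or in removed
    lines are not re-reported; the '+++' file header is skipped.
    """
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, label, line[1:].strip()))
    return findings


def hook_should_block(diff_text: str) -> bool:
    """The commit is refused if any added line matched a pattern."""
    return bool(scan_added_lines(diff_text))


# Constructed staged diff used for the stand-alone run (not real project code).
SAMPLE_DIFF = """\
diff --git a/lib/config.dart b/lib/config.dart
--- a/lib/config.dart
+++ b/lib/config.dart
@@ -1,3 +1,5 @@
 const appName = 'demo';
+const apiKey = 'EXAMPLE0123456789abcdefXYZ';
+const supportContact = 'jane.doe@example.com';
+const timeoutSeconds = 30;
"""


def staged_diff() -> str:
    """Fetch the diff of what is staged for commit; fall back to the sample outside git."""
    try:
        return subprocess.run(["git", "diff", "--cached", "--unified=0"],
                              check=True, capture_output=True, text=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return SAMPLE_DIFF


if __name__ == "__main__":
    diff = staged_diff() if "--staged" in sys.argv else SAMPLE_DIFF
    for lineno, label, text in scan_added_lines(diff):
        print(f"blocked: line {lineno}: {label}: {text}")
    raise SystemExit(1 if hook_should_block(diff) else 0)
```

Installed as `.git/hooks/pre-commit` and invoked with `--staged`, a non-zero exit refuses the commit, so the secret never reaches the repository; without the flag it runs against the embedded sample so the logic can be checked offline.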

As attackers increasingly use AI for sophisticated maneuvers like deepfakes and voice cloning, defenders must adopt Defensive AI to fight back. This involves using AI-driven tools to analyze traffic patterns for suspicious activity and implementing advanced liveness detection. Traditional biometric checks, such as blinking an eye, can now be deepfaked; therefore, modern apps may need to monitor human behavioral gestures (such as how a user uniquely holds their device) to ensure identity.

Cultivating a Security-First Culture

Ultimately, robust technology must be supported by a strong organizational culture. Security is not the task of a single team but the responsibility of every individual in the company. Organizations should foster a "no-blame" environment where security issues can be reported and addressed proactively without fear of retribution. Furthermore, companies should track meaningful metrics, such as "time to remediation," rather than vanity metrics like lines of code, to ensure that vulnerabilities are addressed with the necessary urgency.

Building this foundation can be managed through a structured 30-60-90 day plan, starting with establishing baseline security foundations and gradually moving toward fully automated security pipelines. Security is an ongoing journey, not a final destination, requiring constant adaptation to stay ahead of an ever-changing threat landscape.

Thank you Majid Hajian for your insightful presentation on best practices for app security. Your discussion on shifting the security mindset towards continuous verification and the importance of a "security above all" culture was especially impactful. We appreciate you sharing your expertise and strategies like Zero Trust and DevSecOps with the community.
