Contenu connexe
Similaire à Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Similaire à Pactera - App Security Assessment - Mobile, Web App, IoT - v2 (20)
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
- 3. Cybersecurity Services Capabilities
©Pactera.SECCOEConfidential.AllRightsReserved.
3
• Improving Threat Prevention, Detection, & Response Capability
• Establishing Governance – People, Process, and Technologies
Cybersecurity Program Consulting
• Reducing Risk by Finding and Remediating Threats – by Top Security Consultants
• SecDevOps (Improving Security in DevOps)
Application Vulnerability / Penetration Testing
• Reducing Vulnerabilities via Secure Coding Practice (CBT & Instructor Lead)
Application Secure Coding Practice Training
• Managing Security Risks Posed by Suppliers
• Use a Proven Assessment and Management Solution Based on ISO 27001
Third-party Supplier Security Risk Management
- 4. Why Perform Application Security Assessment?
©Pactera.SECCOEConfidential.AllRightsReserved.
4
Applications leads a number of vulnerabilities
Most successful malicious attacks came through applications (mobile,
web)
Know how secure third-party hosted (i.e. cloud) applications
Most applications assembled with third-party code components
(i.e. framework, libraries).
• Developers only develop about 10% – 20% of the code
• Third-party code vulnerabilities may exist but not been addressed
• Third-party code vulnerabilities may not yet been patched
- 5. Application Security Testing
©Pactera.SECCOEConfidential.AllRightsReserved.
5
We cover:
Mobile apps
IoT apps
Web Applications
Thick-client Applications
API (REST API, SOAP)
Our capabilities on application security testing:
Blackbox and Whitebox security testing
Front-end (mobile app, IoT, web app client, client apps)
REST API supporting Micro Services
Back-end Web Services (i.e. REST API, Soap)
Reverse Engineering on binaries (.exe, .java, DLL, traditional
applications)
- 6. Application Secure Code Review Services
©Pactera.SECCOEConfidential.AllRightsReserved.
6
Utilize industry
leading automated
code review software
– HP Fortify
Supplement with
manual reviews to
reduce false positives
Provide “make sense”
recommendation for
remediation
- 7. Application Vulnerability / Penetration Testing
©Pactera.SECCOEConfidential.AllRightsReserved.
7
Blackbox or Whitebox testing (Mobile, IoT, Web Applications)
Combines automated tools and manual testing
• Industry leading automated open-source and commercial tools
• World class penetration testers – have performed hundreds of penetration tests
• Industry recognized penetration testing methodology
• Covers OWASP Top 10 Mobile and Web Application vulnerabilities and beyond
Reverse engineer applications (if in-scope) to uncover hidden
security flaws
Identify business logic flaws that cannot be easily identified through
automated testing
- 8. Vulnerability / Penetration Testing Methodology
©Pactera.Confidential.AllRightsReserved.
8
Information Gathering
•Review Application
•Review REST API
•Get Configuration Info
•Gather Architecture Info
Threat Modeling
•Identify attack surface
•Identify methods of attacks
Security Test Planning
•Design an attack plan
•Select tools to utilize for
the assessment
Vulnerability
Assessment
•Automated assessment
•Manual assessment
•Custom test scripts
Exploitation
•Manual exploit the
identified vulnerabilities
Reporting
•Summary
•Findings
•Recommendations
Re-testing
•Validate remediation of
vulnerabilities
•Re-test after new changes
- 9. Mobile / IoT Vulnerability / Penetration Testing Overview
©Pactera.Confidential.AllRightsReserved.
9
Mobile App
(Android, iOS) Back-end Server
REST API
Communication
Data Access
Mobile App:
• Automated Testing
• Manual Testing
• Secure Code Review via Fortify SCA
• Test against OWASP Mobile Top 10:
1. Improper Platform Usage
2. Insecure Data Storage
3. Insecure Communication
4. Insecure Authentication
5. Insufficient Cryptography
6. Insecure Authorization
7. Client Code Quality
8. Code Tampering
9. Reverse Engineering
10. Extraneous Functionality
REST API, Web Application:
• Automated Testing
• Manual Testing
• Test against OWASP Web App Top 10
1. Injection
2. Broken Authentication and Session
Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known
Vulnerabilities
10. Unvalidated Redirects and Forwards
Mobile & Web Tools:
• Commercial and Open
Source Tools
• HP Fortify Secure Code
Analyzer (SCA)
• Acunetix
• Kali Linux
• Rapid 7 - NeXpose &
Metasploit
• Burp Suite Pro
• SoapUI
• ApkAnalyser
• BEEF
• Mobile Emulator
• Geo-Location Emulation
• Custom Developed Tools
and Scripts
- 12. Mobile Application Security – Code Components Analysis
Analyze Mobile Application to ensure any security vulnerabilities
or malicious contents in the code components is detected
through the following security testing:
©Pactera.Confidential.AllRightsReserved.
12
Inspect the APK
installation Process
• Detect suspicious
activities during the
installation process
Inspect the APK
communication
behavior
• Detect suspicious
communication
behaviors between
mobile app and
back-end server
Inspect the code
through Secure Code
Review Process
• Detect any code
components with
known malware
• Remove
vulnerabilities
- 13. Mobile / IoT Secure Code Analysis
We utilize HP Fortify Secure Code Analyzer (SCA) tool to scan for mobile code
vulnerabilities – Including but not limited to the following:
©Pactera.Confidential.AllRightsReserved.
13
Access Control: Android Provider
Access Control: Database
Android Bad Practices: Missing Broadcaster Permission
Android Bad Practices: Missing Receiver Permission
Android Bad Practices: Sticky Broadcast
Cross Site Scripting: Persistent
Cross Site Scripting: Poor Validation
Cross Site Scripting: Reflected
Header Manipulation: Cookies
Insecure Storage: Android External Storage
Log Forging
Path Manipulation
Privacy Violation
Password Management
Password Management: Empty Password
Password Management: Hardcoded Password
Password Management: Null Password
Password Management: Weak Cryptography
Privilege Management: Android Location
Privilege Management: Android Messaging
Privilege Management: Android Telephony
Privilege Management: Missing API Permission
Privilege Management: Missing Intent Permission
Query String Injection: Android Provider
Resource Injection
SQL Injection
System Information Leak
- 14. Web Application Vulnerability / Penetration Testing Overview
©Pactera.Confidential.AllRightsReserved.
14
Internet User
(Web Client) Back-end Server
REST API
Communication
Data Access
Client Side (Web Browser):
• Automated Testing
• Manual Testing
• Review client side scripts / code
• Client Side Script Testing
• DOM based Cross Site Scripting
• Authentication
• Authorization
• Local Storage
• Client Side URL Redirect
• Web Messaging
• Clickjacking
• HTML Injection
REST API, Web Application:
• Automated Testing
• Manual Testing
• Network & Architecture Config Review
• Test against OWASP Web App Top 10
1. Injection
2. Broken Authentication and Session
Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known
Vulnerabilities
10. Unvalidated Redirects and Forwards
Security Testing Tools:
• Commercial and Open
Source Tools
• HP Fortify Secure Code
Analyzer (SCA)
• Acunetix
• Kali Linux
• Rapid 7 – Nexpose
• Rapid 7 – Metasploit
• Burp Suite Pro
• SoapUI
• BEEF
• Geo-Location Emulation
• Custom Developed Tools
and Scripts
- 15. Web Application Secure Code Analysis
We utilize HP Fortify Secure Code Analyzer (SCA) tool to scan for mobile
code vulnerabilities – Including but not limited to the following:
©Pactera.Confidential.AllRightsReserved.
15
Map the Application’s Content
Analyze the Application
Test Client-side Controls
Test Application Logic
Test the Authentication Mechanism
Test the Session Management
Mechanism
Test Access Controls
Test for Input-based Vulnerabilities
Test for Function-specific
Vulnerabilities
Test for Logic Flaws
Test for Shared Hosting
Vulnerabilities
Test for Web Server Vulnerabilities
Miscellaneous Checks
- 16. Our Experience
©Pactera.SECCOEConfidential.AllRightsReserved.
16
• For major financial institutions -
– Performed third-party security assessments, helped suppliers to enhance security and reduce client third-party risk exposure
– Performed application security assessments, provided recommendations for remediation to enhance protection
– Conducted security vulnerability assessments
– Participated in Cybersecurity Incident Response and root cause analysis
• For a Fortune 50 software firm -
– Perform information security consulting
– Application vulnerability assessment and management, regulatory compliance
– Ensuring Security Compliance for over 2000 applications
• For a major international airline -
– Perform application vulnerability assessments
– Conduct mobile application penetration testing
• Ensure security weaknesses are identified and remediated
• Prevent leak of sensitive information
• For a major member loyalty program management firm –
– Perform Data Privacy Governance and ISO 27001 Certification program development
– Conduct security assessment, penetration testing / vulnerability assessment
– Help the client to attain ISO 27001 certification
- 17. Cybersecurity Team Member Profiles
©Pactera.SECCOEConfidential.AllRightsReserved.
17
Kyle has more than 21 years experience in providing a combination of security and privacy services to Fortune 500 and
other large organizations. Prior to joining Pactera, Kyle served as senior cybersecurity consultant for such esteemed
organizations as Microsoft, ExxonMobil, Boeing, Akamai, Fidelity Investments, PriceWaterhouseCoopers and HP. He also
served as security operations manager for the U.S. Defense Information Systems Agency (DISA) and as interim Chief
Information Security Officer (CISO) for Brandeis University’s Heller School. In addition, Kyle is the author of the well-known
network security and privacy tool known as ‘SMAC’ with over 2.5 million users worldwide.
Kyle’s expertise includes vulnerability assessment and program management, data privacy, security tools development,
third-party supplier risk assessment and management, penetration testing, web application, thick client application, API,
SOAP, security architecture design and implementation, eGRC, and security advisory.
Kyle possesses security and privacy certifications including Certified Information Systems Security Professional (CISSP),
Certified Information Privacy Professional for U.S. and Government (CIPP/US, CIPP/G), Certified Secure Software Lifecycle
Professional (CSSLP), Certified Information Systems Auditor (CISA), and is certified as a ISO 27001 Lead Auditor.
Kyle is based in U.S.
Kyle Lai
Head of Security Services
CISSP, CSSLP, CIPP/US, CIPP/G,
CISA, ISO 27001 Lead Auditor
William is one of the world’s top penetration testers and vulnerability assessors with over 20 years of professional
experience. He has conducted numerous penetration tests against large organizations including U.S. Government Agencies,
Department of Defense (DoD), Fortune 500 firms in financial, healthcare, oil and energy, high tech industries. William’s
expertise includes cybersecurity offense and defense strategy and tactics in networking, web application, thick client
application, API, SOAP, threat analysis, exploit development, penetration testing, security tools development, phishing
testing, security architecture design and implementation, security lab building, cybersecurity attack simulation and security
advisory. He also conducts social engineering and physical security assessment which includes identifying physical security
weaknesses.
William is the author of Filibuster Network Exfiltration Security Testing tool – try to test the firewall rule effectiveness. He
debuted this tool at the Blackhat Security Conference in 2014. He has also trained hundreds of security engineers for DoD
and large firms on attacking and protecting network and applications. He possessed security certifications including
Offensive Security Certified Engineer (OSCE), Offensive Security Certified Professional (OSCP), Offensive Security Wireless
Professional (OSWP), SANS GIAC Certified Penetration tester (GPEN), and a licensed private investigator.
William is based in U.S.
William Coppola
Senior Security Consultant
OSCE, OSCP, OSWP, GIAC GPEN
Private Investigator
- 18. Cybersecurity Team Member Profiles
©Pactera.SECCOEConfidential.AllRightsReserved.
18
Tom has more than 20 years of experience technical and cybersecurity experience in providing a combination of security,
regulatory compliance (HIPAA, PCI) and privacy services to Fortune 500 and other large organizations. Prior to Pactera, Tom
held senior management and principal security architect roles within several consulting and corporate institutions, across
financial, government, retail and technology verticals. He has designed and overseen the implementation of many large
scale security initiatives such as incident response, network security, security architecture design and implementation,
regulatory compliance, vulnerability assessment, PII data privacy eDiscovery and assessments (Mass CMR 201 17, FTC
consumer data oversight and PCI e-discovery), Secure SDL and security assessments.
Tom is a published author contributing to a popular security architecture book published by RSA press and the complete
guide to firewalls published by Osborne McGraw-Hill. Tom possessed security certifications including Certified Information
Systems Security Professional (CISSP).
Tom based in U.S.
Tom DeFelice
Principal Security Consultant
CISSP
Henry is an information security and technology executive with over 10 years’ experience, and possesses a robust history of
professional service delivery. Prior to joining Pactera, Henry held the position of Security Team Lead for offensive security
and Senior Managing Consultant roles with Japanese owned consulting firms. He has delivered various projects across
financial, government, telecommunications, retail, logistics and transportation industries, including security risk assessment,
penetration testing, privacy impact assessment, compliance audit, IT governance, managed security services, system
hardening and security solution implementation. Henry is also an experienced trainer in delivering security trainings
(including in-house tailor-made security awareness trainings) for general staff, IT professionals, and for CISA focused
classroom instruction. He holds a Bachelor’s degree in Information Technology and is certified as CISSP, CISA, CEH, CCSK, PCI
QSA (PCI SSC), PCIP (PCI SSC), CPM, ISO 31000 Lead Trainer, ISO 20000 Auditor, ISO 27001 Lead Auditor, ITIL, MCSA and
CCNA.
Henry is based in Hong Kong.
Henry Hon
Principal Security Consultant
CISSP, CISA, CEH, CCSK, PCIP,
ISO 20000 Auditor, ISO 27001
Lead Auditor
- 19. Cybersecurity Team Member Profiles
©Pactera.SECCOEConfidential.AllRightsReserved.
19
Johnson has more than 5 years of experience in information security consultancy. Prior to joining Pactera, Johnson served
as a security consultant within several consulting institutions, delivering professional services for clients across Asia-Pac, in
various industrial sectors including banking, insurance, telecom, retail, e-commerce, hospitality, charity, etc.
Johnson’s expertise includes application, network, and system vulnerability assessment, security and regulatory compliance
audit, penetration testing, IT governance and security advisory. He holds a Master’s degree in Telecommunications, a
Bachelor’s degree in Electronic & Communications Engineering, as well as industry certifications including CISM, CEH, ECSA,
MCP, SCSA and CCNA.
Johnson is based in Hong Kong
Johnson Zhang
Senior Security Consultant
CISM, CEH, ESCA
Josh is one of the world’s recognized cybersecurity expert with over 17+ years hands-on experience, covering all vertical
markets from financial, federal government, state government, aerospace, defense, and public sectors performing red-team
penetration testing, network and application vulnerability assessment, ethical hacking, threat/Intel, and covert entry, RFID,
wireless security assessment, phishing assessment, cloud security review. For a Fortune 10 financial institution, Bank of
America, Josh has create an insider threat program, external penetration testing exercise, lead security incident response
and analysis, and coordination with law enforcement.
Josh has served major BFSI and technology clients in the U.S., ASEAN region, and Australia, including Bank of America,
Commonwealth Bank of Australia, and Bank of Japan. He is also an author of a distributed phishing framework that is
frequently utilized in global enterprises. Josh is also a frequent speaker at the international cybersecurity conferences such
as BlackHat, Defcon, BSides, DerbyCon, RuxCon, NOLACon, and InfraGard. He is certified as CEH, OPST, OPSA, OSSTMM
Trainer.
Josh is based in U.S.
Joshua Perrymon
Senior Security Consultant
CEH, OPST, OPSA, OSSTMM
Trainer
- 20. Thank You
Contact:
Kyle Lai, CISSP, CSSLP, CISA, CIPP/US/G
CISO, Head of Cybersecurity Services
Kyle.Lai@Pactera.com
@KyleOnCyber
www.pactera.com
Pactera Cybersecurity Services