SlideShare une entreprise Scribd logo

Pactera - App Security Assessment - Mobile, Web App, IoT - v2

Kyle Lai
Kyle Lai
1  sur  20
Télécharger pour lire hors ligne
Application Security Services Provided by Pactera Cybersecurity Consulting 2016
©Pactera.SECCOEConfidential.AllRightsReserved. 2 Why Pactera Cybersecurity Consulting Services? Why Pactera Cybersecurity Services? Industry’s Top Security Professionals Security Software Partner Elite U.S & Asia Based Teams BFSI, Govt., & Healthcare Regulatory Experience Extensive Privacy Experience Application Security Training Provider
Cybersecurity Services Capabilities ©Pactera.SECCOEConfidential.AllRightsReserved. 3 • Improving Threat Prevention, Detection, & Response Capability • Establishing Governance – People, Process, and Technologies Cybersecurity Program Consulting • Reducing Risk by Finding and Remediating Threats – by Top Security Consultants • SecDevOps (Improving Security in DevOps) Application Vulnerability / Penetration Testing • Reducing Vulnerabilities via Secure Coding Practice (CBT & Instructor Lead) Application Secure Coding Practice Training • Managing Security Risks Posed by Suppliers • Use a Proven Assessment and Management Solution Based on ISO 27001 Third-party Supplier Security Risk Management
Why Perform Application Security Assessment? ©Pactera.SECCOEConfidential.AllRightsReserved. 4 Applications leads a number of vulnerabilities Most successful malicious attacks came through applications (mobile, web) Know how secure third-party hosted (i.e. cloud) applications Most applications assembled with third-party code components (i.e. framework, libraries). • Developers only develop about 10% – 20% of the code • Third-party code vulnerabilities may exist but not been addressed • Third-party code vulnerabilities may not yet been patched
Application Security Testing ©Pactera.SECCOEConfidential.AllRightsReserved. 5  We cover:  Mobile apps  IoT apps  Web Applications  Thick-client Applications  API (REST API, SOAP)  Our capabilities on application security testing:  Blackbox and Whitebox security testing  Front-end (mobile app, IoT, web app client, client apps)  REST API supporting Micro Services  Back-end Web Services (i.e. REST API, Soap)  Reverse Engineering on binaries (.exe, .java, DLL, traditional applications)
Application Secure Code Review Services ©Pactera.SECCOEConfidential.AllRightsReserved. 6 Utilize industry leading automated code review software – HP Fortify Supplement with manual reviews to reduce false positives Provide “make sense” recommendation for remediation
Application Vulnerability / Penetration Testing ©Pactera.SECCOEConfidential.AllRightsReserved. 7 Blackbox or Whitebox testing (Mobile, IoT, Web Applications) Combines automated tools and manual testing • Industry leading automated open-source and commercial tools • World class penetration testers – have performed hundreds of penetration tests • Industry recognized penetration testing methodology • Covers OWASP Top 10 Mobile and Web Application vulnerabilities and beyond Reverse engineer applications (if in-scope) to uncover hidden security flaws Identify business logic flaws that cannot be easily identified through automated testing
Vulnerability / Penetration Testing Methodology ©Pactera.Confidential.AllRightsReserved. 8 Information Gathering •Review Application •Review REST API •Get Configuration Info •Gather Architecture Info Threat Modeling •Identify attack surface •Identify methods of attacks Security Test Planning •Design an attack plan •Select tools to utilize for the assessment Vulnerability Assessment •Automated assessment •Manual assessment •Custom test scripts Exploitation •Manual exploit the identified vulnerabilities Reporting •Summary •Findings •Recommendations Re-testing •Validate remediation of vulnerabilities •Re-test after new changes
Mobile / IoT Vulnerability / Penetration Testing Overview ©Pactera.Confidential.AllRightsReserved. 9 Mobile App (Android, iOS) Back-end Server REST API Communication Data Access Mobile App: • Automated Testing • Manual Testing • Secure Code Review via Fortify SCA • Test against OWASP Mobile Top 10: 1. Improper Platform Usage 2. Insecure Data Storage 3. Insecure Communication 4. Insecure Authentication 5. Insufficient Cryptography 6. Insecure Authorization 7. Client Code Quality 8. Code Tampering 9. Reverse Engineering 10. Extraneous Functionality REST API, Web Application: • Automated Testing • Manual Testing • Test against OWASP Web App Top 10 1. Injection 2. Broken Authentication and Session Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Function Level Access Control 8. Cross-Site Request Forgery (CSRF) 9. Using Components with Known Vulnerabilities 10. Unvalidated Redirects and Forwards Mobile & Web Tools: • Commercial and Open Source Tools • HP Fortify Secure Code Analyzer (SCA) • Acunetix • Kali Linux • Rapid 7 - NeXpose & Metasploit • Burp Suite Pro • SoapUI • ApkAnalyser • BEEF • Mobile Emulator • Geo-Location Emulation • Custom Developed Tools and Scripts
Mobile Application Security Tools (Android) ©Pactera.Confidential.AllRightsReserved. 10 Source: OWASP
Mobile Application Security Tools (iOS) ©Pactera.Confidential.AllRightsReserved. 11 Source: OWASP
Mobile Application Security – Code Components Analysis Analyze Mobile Application to ensure any security vulnerabilities or malicious contents in the code components is detected through the following security testing: ©Pactera.Confidential.AllRightsReserved. 12 Inspect the APK installation Process • Detect suspicious activities during the installation process Inspect the APK communication behavior • Detect suspicious communication behaviors between mobile app and back-end server Inspect the code through Secure Code Review Process • Detect any code components with known malware • Remove vulnerabilities
Mobile / IoT Secure Code Analysis We utilize HP Fortify Secure Code Analyzer (SCA) tool to scan for mobile code vulnerabilities – Including but not limited to the following: ©Pactera.Confidential.AllRightsReserved. 13 Access Control: Android Provider Access Control: Database Android Bad Practices: Missing Broadcaster Permission Android Bad Practices: Missing Receiver Permission Android Bad Practices: Sticky Broadcast Cross Site Scripting: Persistent Cross Site Scripting: Poor Validation Cross Site Scripting: Reflected Header Manipulation: Cookies Insecure Storage: Android External Storage Log Forging Path Manipulation Privacy Violation Password Management Password Management: Empty Password Password Management: Hardcoded Password Password Management: Null Password Password Management: Weak Cryptography Privilege Management: Android Location Privilege Management: Android Messaging Privilege Management: Android Telephony Privilege Management: Missing API Permission Privilege Management: Missing Intent Permission Query String Injection: Android Provider Resource Injection SQL Injection System Information Leak
Web Application Vulnerability / Penetration Testing Overview ©Pactera.Confidential.AllRightsReserved. 14 Internet User (Web Client) Back-end Server REST API Communication Data Access Client Side (Web Browser): • Automated Testing • Manual Testing • Review client side scripts / code • Client Side Script Testing • DOM based Cross Site Scripting • Authentication • Authorization • Local Storage • Client Side URL Redirect • Web Messaging • Clickjacking • HTML Injection REST API, Web Application: • Automated Testing • Manual Testing • Network & Architecture Config Review • Test against OWASP Web App Top 10 1. Injection 2. Broken Authentication and Session Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Function Level Access Control 8. Cross-Site Request Forgery (CSRF) 9. Using Components with Known Vulnerabilities 10. Unvalidated Redirects and Forwards Security Testing Tools: • Commercial and Open Source Tools • HP Fortify Secure Code Analyzer (SCA) • Acunetix • Kali Linux • Rapid 7 – Nexpose • Rapid 7 – Metasploit • Burp Suite Pro • SoapUI • BEEF • Geo-Location Emulation • Custom Developed Tools and Scripts
Web Application Secure Code Analysis We utilize HP Fortify Secure Code Analyzer (SCA) tool to scan for mobile code vulnerabilities – Including but not limited to the following: ©Pactera.Confidential.AllRightsReserved. 15 Map the Application’s Content Analyze the Application Test Client-side Controls Test Application Logic Test the Authentication Mechanism Test the Session Management Mechanism Test Access Controls Test for Input-based Vulnerabilities Test for Function-specific Vulnerabilities Test for Logic Flaws Test for Shared Hosting Vulnerabilities Test for Web Server Vulnerabilities Miscellaneous Checks
Our Experience ©Pactera.SECCOEConfidential.AllRightsReserved. 16 • For major financial institutions - – Performed third-party security assessments, helped suppliers to enhance security and reduce client third-party risk exposure – Performed application security assessments, provided recommendations for remediation to enhance protection – Conducted security vulnerability assessments – Participated in Cybersecurity Incident Response and root cause analysis • For a Fortune 50 software firm - – Perform information security consulting – Application vulnerability assessment and management, regulatory compliance – Ensuring Security Compliance for over 2000 applications • For a major international airline - – Perform application vulnerability assessments – Conduct mobile application penetration testing • Ensure security weaknesses are identified and remediated • Prevent leak of sensitive information • For a major member loyalty program management firm – – Perform Data Privacy Governance and ISO 27001 Certification program development – Conduct security assessment, penetration testing / vulnerability assessment – Help the client to attain ISO 27001 certification
Cybersecurity Team Member Profiles ©Pactera.SECCOEConfidential.AllRightsReserved. 17 Kyle has more than 21 years experience in providing a combination of security and privacy services to Fortune 500 and other large organizations. Prior to joining Pactera, Kyle served as senior cybersecurity consultant for such esteemed organizations as Microsoft, ExxonMobil, Boeing, Akamai, Fidelity Investments, PriceWaterhouseCoopers and HP. He also served as security operations manager for the U.S. Defense Information Systems Agency (DISA) and as interim Chief Information Security Officer (CISO) for Brandeis University’s Heller School. In addition, Kyle is the author of the well-known network security and privacy tool known as ‘SMAC’ with over 2.5 million users worldwide. Kyle’s expertise includes vulnerability assessment and program management, data privacy, security tools development, third-party supplier risk assessment and management, penetration testing, web application, thick client application, API, SOAP, security architecture design and implementation, eGRC, and security advisory. Kyle possesses security and privacy certifications including Certified Information Systems Security Professional (CISSP), Certified Information Privacy Professional for U.S. and Government (CIPP/US, CIPP/G), Certified Secure Software Lifecycle Professional (CSSLP), Certified Information Systems Auditor (CISA), and is certified as a ISO 27001 Lead Auditor. Kyle is based in U.S. Kyle Lai Head of Security Services CISSP, CSSLP, CIPP/US, CIPP/G, CISA, ISO 27001 Lead Auditor William is one of the world’s top penetration testers and vulnerability assessors with over 20 years of professional experience. He has conducted numerous penetration tests against large organizations including U.S. Government Agencies, Department of Defense (DoD), Fortune 500 firms in financial, healthcare, oil and energy, high tech industries. William’s expertise includes cybersecurity offense and defense strategy and tactics in networking, web application, thick client application, API, SOAP, threat analysis, exploit development, penetration testing, security tools development, phishing testing, security architecture design and implementation, security lab building, cybersecurity attack simulation and security advisory. He also conducts social engineering and physical security assessment which includes identifying physical security weaknesses. William is the author of Filibuster Network Exfiltration Security Testing tool – try to test the firewall rule effectiveness. He debuted this tool at the Blackhat Security Conference in 2014. He has also trained hundreds of security engineers for DoD and large firms on attacking and protecting network and applications. He possessed security certifications including Offensive Security Certified Engineer (OSCE), Offensive Security Certified Professional (OSCP), Offensive Security Wireless Professional (OSWP), SANS GIAC Certified Penetration tester (GPEN), and a licensed private investigator. William is based in U.S. William Coppola Senior Security Consultant OSCE, OSCP, OSWP, GIAC GPEN Private Investigator
Cybersecurity Team Member Profiles ©Pactera.SECCOEConfidential.AllRightsReserved. 18 Tom has more than 20 years of experience technical and cybersecurity experience in providing a combination of security, regulatory compliance (HIPAA, PCI) and privacy services to Fortune 500 and other large organizations. Prior to Pactera, Tom held senior management and principal security architect roles within several consulting and corporate institutions, across financial, government, retail and technology verticals. He has designed and overseen the implementation of many large scale security initiatives such as incident response, network security, security architecture design and implementation, regulatory compliance, vulnerability assessment, PII data privacy eDiscovery and assessments (Mass CMR 201 17, FTC consumer data oversight and PCI e-discovery), Secure SDL and security assessments. Tom is a published author contributing to a popular security architecture book published by RSA press and the complete guide to firewalls published by Osborne McGraw-Hill. Tom possessed security certifications including Certified Information Systems Security Professional (CISSP). Tom based in U.S. Tom DeFelice Principal Security Consultant CISSP Henry is an information security and technology executive with over 10 years’ experience, and possesses a robust history of professional service delivery. Prior to joining Pactera, Henry held the position of Security Team Lead for offensive security and Senior Managing Consultant roles with Japanese owned consulting firms. He has delivered various projects across financial, government, telecommunications, retail, logistics and transportation industries, including security risk assessment, penetration testing, privacy impact assessment, compliance audit, IT governance, managed security services, system hardening and security solution implementation. Henry is also an experienced trainer in delivering security trainings (including in-house tailor-made security awareness trainings) for general staff, IT professionals, and for CISA focused classroom instruction. He holds a Bachelor’s degree in Information Technology and is certified as CISSP, CISA, CEH, CCSK, PCI QSA (PCI SSC), PCIP (PCI SSC), CPM, ISO 31000 Lead Trainer, ISO 20000 Auditor, ISO 27001 Lead Auditor, ITIL, MCSA and CCNA. Henry is based in Hong Kong. Henry Hon Principal Security Consultant CISSP, CISA, CEH, CCSK, PCIP, ISO 20000 Auditor, ISO 27001 Lead Auditor
Cybersecurity Team Member Profiles ©Pactera.SECCOEConfidential.AllRightsReserved. 19 Johnson has more than 5 years of experience in information security consultancy. Prior to joining Pactera, Johnson served as a security consultant within several consulting institutions, delivering professional services for clients across Asia-Pac, in various industrial sectors including banking, insurance, telecom, retail, e-commerce, hospitality, charity, etc. Johnson’s expertise includes application, network, and system vulnerability assessment, security and regulatory compliance audit, penetration testing, IT governance and security advisory. He holds a Master’s degree in Telecommunications, a Bachelor’s degree in Electronic & Communications Engineering, as well as industry certifications including CISM, CEH, ECSA, MCP, SCSA and CCNA. Johnson is based in Hong Kong Johnson Zhang Senior Security Consultant CISM, CEH, ESCA Josh is one of the world’s recognized cybersecurity expert with over 17+ years hands-on experience, covering all vertical markets from financial, federal government, state government, aerospace, defense, and public sectors performing red-team penetration testing, network and application vulnerability assessment, ethical hacking, threat/Intel, and covert entry, RFID, wireless security assessment, phishing assessment, cloud security review. For a Fortune 10 financial institution, Bank of America, Josh has create an insider threat program, external penetration testing exercise, lead security incident response and analysis, and coordination with law enforcement. Josh has served major BFSI and technology clients in the U.S., ASEAN region, and Australia, including Bank of America, Commonwealth Bank of Australia, and Bank of Japan. He is also an author of a distributed phishing framework that is frequently utilized in global enterprises. Josh is also a frequent speaker at the international cybersecurity conferences such as BlackHat, Defcon, BSides, DerbyCon, RuxCon, NOLACon, and InfraGard. He is certified as CEH, OPST, OPSA, OSSTMM Trainer. Josh is based in U.S. Joshua Perrymon Senior Security Consultant CEH, OPST, OPSA, OSSTMM Trainer
Thank You Contact: Kyle Lai, CISSP, CSSLP, CISA, CIPP/US/G CISO, Head of Cybersecurity Services Kyle.Lai@Pactera.com @KyleOnCyber www.pactera.com Pactera Cybersecurity Services

Recommandé

we45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Studywe45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Studywe45
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...Kevin Fealey
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
 
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green MethodSecure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green MethodSalil Kumar Subramony
 
AppsSec In a DevOps World
AppsSec In a DevOps WorldAppsSec In a DevOps World
AppsSec In a DevOps WorldParasoft
 
Web Application Security: Beyond PEN Testing
Web Application Security: Beyond PEN TestingWeb Application Security: Beyond PEN Testing
Web Application Security: Beyond PEN TestingRobert Grupe, CSSLP CISSP PE PMP
 
Agile AppSec DevOps
Agile AppSec DevOpsAgile AppSec DevOps
Agile AppSec DevOpsRobert Grupe, CSSLP CISSP PE PMP
 
Application Security Logging with Splunk using Java
Application Security Logging with Splunk using JavaApplication Security Logging with Splunk using Java
Application Security Logging with Splunk using JavaRobert Grupe, CSSLP CISSP PE PMP
 

Recommandé

we45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Studywe45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Studywe45
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...Kevin Fealey
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
 
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green MethodSecure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green MethodSalil Kumar Subramony
 
AppsSec In a DevOps World
AppsSec In a DevOps WorldAppsSec In a DevOps World
AppsSec In a DevOps WorldParasoft
 
Web Application Security: Beyond PEN Testing
Web Application Security: Beyond PEN TestingWeb Application Security: Beyond PEN Testing
Web Application Security: Beyond PEN TestingRobert Grupe, CSSLP CISSP PE PMP
 
Agile AppSec DevOps
Agile AppSec DevOpsAgile AppSec DevOps
Agile AppSec DevOpsRobert Grupe, CSSLP CISSP PE PMP
 
Application Security Logging with Splunk using Java
Application Security Logging with Splunk using JavaApplication Security Logging with Splunk using Java
Application Security Logging with Splunk using JavaRobert Grupe, CSSLP CISSP PE PMP
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris WysopalThreat Stack
 
Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Kevin Fealey
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeDigital Defense Inc
 
Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleBlack Duck by Synopsys
 
No Devops Without Continuous Testing
No Devops Without Continuous TestingNo Devops Without Continuous Testing
No Devops Without Continuous TestingParasoft
 
Red7 SSDLC Introduction: Building Secure Web and Mobile Applications
Red7 SSDLC Introduction: Building Secure Web and Mobile ApplicationsRed7 SSDLC Introduction: Building Secure Web and Mobile Applications
Red7 SSDLC Introduction: Building Secure Web and Mobile ApplicationsRobert Grupe, CSSLP CISSP PE PMP
 
DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations
DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & LimitationsDAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations
DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & LimitationsiAppSecure Solutions
 
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...Black Duck by Synopsys
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCSuman Sourav
 
Unit testing : what are you missing for security
Unit testing : what are you missing for securityUnit testing : what are you missing for security
Unit testing : what are you missing for securitySuman Sourav
 
[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architecture[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architectureOWASP
 
Veracode - Overview
Veracode - OverviewVeracode - Overview
Veracode - OverviewStephen Durrant
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Jeff Williams
 
Mobile security recipes for xamarin
Mobile security recipes for xamarinMobile security recipes for xamarin
Mobile security recipes for xamarinNicolas Milcoff
 
The Legend of Software Hollow: Defeating the Headless Horseman of Faulty Appl...
The Legend of Software Hollow: Defeating the Headless Horseman of Faulty Appl...The Legend of Software Hollow: Defeating the Headless Horseman of Faulty Appl...
The Legend of Software Hollow: Defeating the Headless Horseman of Faulty Appl...Parasoft
 
Continuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-SecurityContinuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-SecurityStephen de Vries
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Rogue Wave Software
 
Open Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesOpen Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesBlack Duck by Synopsys
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
IBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewIBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewAshish Patel
 
Tixi segundo
Tixi segundoTixi segundo
Tixi segundodragoncito2
 
IS Risk Assessment example
IS Risk Assessment exampleIS Risk Assessment example
IS Risk Assessment exampleRamiro Cid
 

Contenu connexe

Tendances

8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris WysopalThreat Stack
 
Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Kevin Fealey
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeDigital Defense Inc
 
Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleBlack Duck by Synopsys
 
No Devops Without Continuous Testing
No Devops Without Continuous TestingNo Devops Without Continuous Testing
No Devops Without Continuous TestingParasoft
 
Red7 SSDLC Introduction: Building Secure Web and Mobile Applications
Red7 SSDLC Introduction: Building Secure Web and Mobile ApplicationsRed7 SSDLC Introduction: Building Secure Web and Mobile Applications
Red7 SSDLC Introduction: Building Secure Web and Mobile ApplicationsRobert Grupe, CSSLP CISSP PE PMP
 
DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations
DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & LimitationsDAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations
DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & LimitationsiAppSecure Solutions
 
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...Black Duck by Synopsys
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCSuman Sourav
 
Unit testing : what are you missing for security
Unit testing : what are you missing for securityUnit testing : what are you missing for security
Unit testing : what are you missing for securitySuman Sourav
 
[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architecture[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architectureOWASP
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Jeff Williams
 
Mobile security recipes for xamarin
Mobile security recipes for xamarinMobile security recipes for xamarin
Mobile security recipes for xamarinNicolas Milcoff
 
The Legend of Software Hollow: Defeating the Headless Horseman of Faulty Appl...
The Legend of Software Hollow: Defeating the Headless Horseman of Faulty Appl...The Legend of Software Hollow: Defeating the Headless Horseman of Faulty Appl...
The Legend of Software Hollow: Defeating the Headless Horseman of Faulty Appl...Parasoft
 
Continuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-SecurityContinuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-SecurityStephen de Vries
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Rogue Wave Software
 
Open Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesOpen Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesBlack Duck by Synopsys
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
IBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewIBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewAshish Patel
 

Tendances (20)

8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
 
Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
 
Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development Lifecycle
 
No Devops Without Continuous Testing
No Devops Without Continuous TestingNo Devops Without Continuous Testing
No Devops Without Continuous Testing
 
Red7 SSDLC Introduction: Building Secure Web and Mobile Applications
Red7 SSDLC Introduction: Building Secure Web and Mobile ApplicationsRed7 SSDLC Introduction: Building Secure Web and Mobile Applications
Red7 SSDLC Introduction: Building Secure Web and Mobile Applications
 
DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations
DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & LimitationsDAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations
DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations
 
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
 
Unit testing : what are you missing for security
Unit testing : what are you missing for securityUnit testing : what are you missing for security
Unit testing : what are you missing for security
 
[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architecture[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architecture
 
Veracode - Overview
Veracode - OverviewVeracode - Overview
Veracode - Overview
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
 
Mobile security recipes for xamarin
Mobile security recipes for xamarinMobile security recipes for xamarin
Mobile security recipes for xamarin
 
The Legend of Software Hollow: Defeating the Headless Horseman of Faulty Appl...
The Legend of Software Hollow: Defeating the Headless Horseman of Faulty Appl...The Legend of Software Hollow: Defeating the Headless Horseman of Faulty Appl...
The Legend of Software Hollow: Defeating the Headless Horseman of Faulty Appl...
 
Continuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-SecurityContinuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-Security
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization
 
Open Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesOpen Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best Practices
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
 
IBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewIBM Rational AppScan Product Overview
IBM Rational AppScan Product Overview
 

En vedette

IS Risk Assessment example
IS Risk Assessment exampleIS Risk Assessment example
IS Risk Assessment exampleRamiro Cid
 
Risk assessment presentation
Risk assessment presentationRisk assessment presentation
Risk assessment presentationmmagario
 
Cloud Assessment - iPad App
Cloud Assessment - iPad AppCloud Assessment - iPad App
Cloud Assessment - iPad AppCoe Marlabs
 
The curious case of mobile app security.pptx
The curious case of mobile app security.pptxThe curious case of mobile app security.pptx
The curious case of mobile app security.pptxAnkit Giri
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Securitycclark_isec
 
Iso27001 Risk Assessment Approach
Iso27001 Risk Assessment ApproachIso27001 Risk Assessment Approach
Iso27001 Risk Assessment Approachtschraider
 
Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30timmcguinness
 
The importance of information security risk management
The importance of information security risk managementThe importance of information security risk management
The importance of information security risk managementMichael Francis
 
Risk assessment principles and guidelines
Risk assessment principles and guidelinesRisk assessment principles and guidelines
Risk assessment principles and guidelinesHaris Tahir
 
OHSAS Hazard identification & Risk assessment
OHSAS Hazard identification & Risk assessmentOHSAS Hazard identification & Risk assessment
OHSAS Hazard identification & Risk assessmentTechnoSysCon
 
Powerpoint Risk Assessment
Powerpoint Risk AssessmentPowerpoint Risk Assessment
Powerpoint Risk AssessmentSteve Bishop
 

En vedette (15)

Tixi segundo
Tixi segundoTixi segundo
Tixi segundo
 
IS Risk Assessment example
IS Risk Assessment exampleIS Risk Assessment example
IS Risk Assessment example
 
Risk assessment presentation
Risk assessment presentationRisk assessment presentation
Risk assessment presentation
 
Cloud Assessment - iPad App
Cloud Assessment - iPad AppCloud Assessment - iPad App
Cloud Assessment - iPad App
 
The curious case of mobile app security.pptx
The curious case of mobile app security.pptxThe curious case of mobile app security.pptx
The curious case of mobile app security.pptx
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Iso27001 Risk Assessment Approach
Iso27001 Risk Assessment ApproachIso27001 Risk Assessment Approach
Iso27001 Risk Assessment Approach
 
TOGAF 9 - Security Architecture Ver1 0
TOGAF 9 - Security Architecture Ver1 0TOGAF 9 - Security Architecture Ver1 0
TOGAF 9 - Security Architecture Ver1 0
 
risk assessment
risk assessment risk assessment
risk assessment
 
Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30
 
The importance of information security risk management
The importance of information security risk managementThe importance of information security risk management
The importance of information security risk management
 
ISO 27005 Risk Assessment
ISO 27005 Risk AssessmentISO 27005 Risk Assessment
ISO 27005 Risk Assessment
 
Risk assessment principles and guidelines
Risk assessment principles and guidelinesRisk assessment principles and guidelines
Risk assessment principles and guidelines
 
OHSAS Hazard identification & Risk assessment
OHSAS Hazard identification & Risk assessmentOHSAS Hazard identification & Risk assessment
OHSAS Hazard identification & Risk assessment
 
Powerpoint Risk Assessment
Powerpoint Risk AssessmentPowerpoint Risk Assessment
Powerpoint Risk Assessment
 

Similaire à Pactera - App Security Assessment - Mobile, Web App, IoT - v2

IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solutionhearme limited company
 
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...Agile Testing Alliance
 
Datasheet app vulnerability_assess
Datasheet app vulnerability_assessDatasheet app vulnerability_assess
Datasheet app vulnerability_assessBirodh Rijal
 
Appmotives - Software Testing As Service
Appmotives - Software Testing As ServiceAppmotives - Software Testing As Service
Appmotives - Software Testing As ServiceKalyan Paluri
 
Building an API Security Strategy
Building an API Security StrategyBuilding an API Security Strategy
Building an API Security StrategySmartBear
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Mykhailo Antonishyn
 
Deliver Flawless Mobile Apps Faster with CI/CD & CT
Deliver Flawless Mobile Apps Faster with CI/CD & CTDeliver Flawless Mobile Apps Faster with CI/CD & CT
Deliver Flawless Mobile Apps Faster with CI/CD & CTPerfecto by Perforce
 
Enterprise QA and Application Testing Services
Enterprise QA and Application Testing ServicesEnterprise QA and Application Testing Services
Enterprise QA and Application Testing ServicesHemang Rindani
 
Enterprise QA and Application Testing Services
Enterprise QA and Application Testing ServicesEnterprise QA and Application Testing Services
Enterprise QA and Application Testing ServicesCygnet Infotech
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineDevOps.com
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security Rogue Wave Software
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product SecuritySoftServe
 
apidays LIVE Australia 2020 - Evaluating the usability of security APIs by Dr...
apidays LIVE Australia 2020 - Evaluating the usability of security APIs by Dr...apidays LIVE Australia 2020 - Evaluating the usability of security APIs by Dr...
apidays LIVE Australia 2020 - Evaluating the usability of security APIs by Dr...apidays
 
Cyber security series Application Security
Cyber security series Application SecurityCyber security series Application Security
Cyber security series Application SecurityJim Kaplan CIA CFE
 
Geekit_Testing_Services-3
Geekit_Testing_Services-3Geekit_Testing_Services-3
Geekit_Testing_Services-3Sally Mohamed
 
Attacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsAttacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsJerod Brennen
 
클라우드 환경에서의 SIEMLESS 통합 보안 서비스, Alert Logic - 채현주 보안기술본부장, Openbase :: AWS Sum...
클라우드 환경에서의 SIEMLESS 통합 보안 서비스, Alert Logic - 채현주 보안기술본부장, Openbase :: AWS Sum...클라우드 환경에서의 SIEMLESS 통합 보안 서비스, Alert Logic - 채현주 보안기술본부장, Openbase :: AWS Sum...
클라우드 환경에서의 SIEMLESS 통합 보안 서비스, Alert Logic - 채현주 보안기술본부장, Openbase :: AWS Sum...Amazon Web Services Korea
 

Similaire à Pactera - App Security Assessment - Mobile, Web App, IoT - v2 (20)

IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solution
 
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
 
Datasheet app vulnerability_assess
Datasheet app vulnerability_assessDatasheet app vulnerability_assess
Datasheet app vulnerability_assess
 
Appmotives - Software Testing As Service
Appmotives - Software Testing As ServiceAppmotives - Software Testing As Service
Appmotives - Software Testing As Service
 
Owasp masvs spain 17
Owasp masvs spain 17Owasp masvs spain 17
Owasp masvs spain 17
 
Building an API Security Strategy
Building an API Security StrategyBuilding an API Security Strategy
Building an API Security Strategy
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
 
Deliver Flawless Mobile Apps Faster with CI/CD & CT
Deliver Flawless Mobile Apps Faster with CI/CD & CTDeliver Flawless Mobile Apps Faster with CI/CD & CT
Deliver Flawless Mobile Apps Faster with CI/CD & CT
 
Enterprise QA and Application Testing Services
Enterprise QA and Application Testing ServicesEnterprise QA and Application Testing Services
Enterprise QA and Application Testing Services
 
Enterprise QA and Application Testing Services
Enterprise QA and Application Testing ServicesEnterprise QA and Application Testing Services
Enterprise QA and Application Testing Services
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
 
Rayudu_Grandhi
Rayudu_GrandhiRayudu_Grandhi
Rayudu_Grandhi
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
 
How to Achieve Agile API Security
How to Achieve Agile API SecurityHow to Achieve Agile API Security
How to Achieve Agile API Security
 
apidays LIVE Australia 2020 - Evaluating the usability of security APIs by Dr...
apidays LIVE Australia 2020 - Evaluating the usability of security APIs by Dr...apidays LIVE Australia 2020 - Evaluating the usability of security APIs by Dr...
apidays LIVE Australia 2020 - Evaluating the usability of security APIs by Dr...
 
Cyber security series Application Security
Cyber security series Application SecurityCyber security series Application Security
Cyber security series Application Security
 
Geekit_Testing_Services-3
Geekit_Testing_Services-3Geekit_Testing_Services-3
Geekit_Testing_Services-3
 
Attacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsAttacking and Defending Mobile Applications
Attacking and Defending Mobile Applications
 
클라우드 환경에서의 SIEMLESS 통합 보안 서비스, Alert Logic - 채현주 보안기술본부장, Openbase :: AWS Sum...
클라우드 환경에서의 SIEMLESS 통합 보안 서비스, Alert Logic - 채현주 보안기술본부장, Openbase :: AWS Sum...클라우드 환경에서의 SIEMLESS 통합 보안 서비스, Alert Logic - 채현주 보안기술본부장, Openbase :: AWS Sum...
클라우드 환경에서의 SIEMLESS 통합 보안 서비스, Alert Logic - 채현주 보안기술본부장, Openbase :: AWS Sum...
 

Plus de Kyle Lai

Isaca app sec presentation - v3
Isaca app sec presentation - v3Isaca app sec presentation - v3
Isaca app sec presentation - v3Kyle Lai
 
ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2
ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2
ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2Kyle Lai
 
Whitepaper - Cybersecurity Threats for Treasure and Payment Mgmt Systems
Whitepaper - Cybersecurity Threats for Treasure and Payment Mgmt SystemsWhitepaper - Cybersecurity Threats for Treasure and Payment Mgmt Systems
Whitepaper - Cybersecurity Threats for Treasure and Payment Mgmt SystemsKyle Lai
 
Pactera - Cloud, Application, Cyber Security Trend 2016
Pactera - Cloud, Application, Cyber Security Trend 2016Pactera - Cloud, Application, Cyber Security Trend 2016
Pactera - Cloud, Application, Cyber Security Trend 2016Kyle Lai
 
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Kyle Lai
 
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04Cyber Hacking & Security - IEEE - Univ of Houston 2015-04
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04Kyle Lai
 
CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04Kyle Lai
 

Plus de Kyle Lai (7)

Isaca app sec presentation - v3
Isaca app sec presentation - v3Isaca app sec presentation - v3
Isaca app sec presentation - v3
 
ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2
ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2
ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2
 
Whitepaper - Cybersecurity Threats for Treasure and Payment Mgmt Systems
Whitepaper - Cybersecurity Threats for Treasure and Payment Mgmt SystemsWhitepaper - Cybersecurity Threats for Treasure and Payment Mgmt Systems
Whitepaper - Cybersecurity Threats for Treasure and Payment Mgmt Systems
 
Pactera - Cloud, Application, Cyber Security Trend 2016
Pactera - Cloud, Application, Cyber Security Trend 2016Pactera - Cloud, Application, Cyber Security Trend 2016
Pactera - Cloud, Application, Cyber Security Trend 2016
 
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
 
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04Cyber Hacking & Security - IEEE - Univ of Houston 2015-04
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04
 
CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04
 

Pactera - App Security Assessment - Mobile, Web App, IoT - v2

  • 1. Application Security Services Provided by Pactera Cybersecurity Consulting 2016
  • 2. ©Pactera.SECCOEConfidential.AllRightsReserved. 2 Why Pactera Cybersecurity Consulting Services? Why Pactera Cybersecurity Services? Industry’s Top Security Professionals Security Software Partner Elite U.S & Asia Based Teams BFSI, Govt., & Healthcare Regulatory Experience Extensive Privacy Experience Application Security Training Provider
  • 3. Cybersecurity Services Capabilities ©Pactera.SECCOEConfidential.AllRightsReserved. 3 • Improving Threat Prevention, Detection, & Response Capability • Establishing Governance – People, Process, and Technologies Cybersecurity Program Consulting • Reducing Risk by Finding and Remediating Threats – by Top Security Consultants • SecDevOps (Improving Security in DevOps) Application Vulnerability / Penetration Testing • Reducing Vulnerabilities via Secure Coding Practice (CBT & Instructor Lead) Application Secure Coding Practice Training • Managing Security Risks Posed by Suppliers • Use a Proven Assessment and Management Solution Based on ISO 27001 Third-party Supplier Security Risk Management
  • 4. Why Perform Application Security Assessment? ©Pactera.SECCOEConfidential.AllRightsReserved. 4 Applications leads a number of vulnerabilities Most successful malicious attacks came through applications (mobile, web) Know how secure third-party hosted (i.e. cloud) applications Most applications assembled with third-party code components (i.e. framework, libraries). • Developers only develop about 10% – 20% of the code • Third-party code vulnerabilities may exist but not been addressed • Third-party code vulnerabilities may not yet been patched
  • 5. Application Security Testing ©Pactera.SECCOEConfidential.AllRightsReserved. 5  We cover:  Mobile apps  IoT apps  Web Applications  Thick-client Applications  API (REST API, SOAP)  Our capabilities on application security testing:  Blackbox and Whitebox security testing  Front-end (mobile app, IoT, web app client, client apps)  REST API supporting Micro Services  Back-end Web Services (i.e. REST API, Soap)  Reverse Engineering on binaries (.exe, .java, DLL, traditional applications)
  • 6. Application Secure Code Review Services ©Pactera.SECCOEConfidential.AllRightsReserved. 6 Utilize industry leading automated code review software – HP Fortify Supplement with manual reviews to reduce false positives Provide “make sense” recommendation for remediation
  • 7. Application Vulnerability / Penetration Testing ©Pactera.SECCOEConfidential.AllRightsReserved. 7 Blackbox or Whitebox testing (Mobile, IoT, Web Applications) Combines automated tools and manual testing • Industry leading automated open-source and commercial tools • World class penetration testers – have performed hundreds of penetration tests • Industry recognized penetration testing methodology • Covers OWASP Top 10 Mobile and Web Application vulnerabilities and beyond Reverse engineer applications (if in-scope) to uncover hidden security flaws Identify business logic flaws that cannot be easily identified through automated testing
  • 8. Vulnerability / Penetration Testing Methodology ©Pactera.Confidential.AllRightsReserved. 8 Information Gathering •Review Application •Review REST API •Get Configuration Info •Gather Architecture Info Threat Modeling •Identify attack surface •Identify methods of attacks Security Test Planning •Design an attack plan •Select tools to utilize for the assessment Vulnerability Assessment •Automated assessment •Manual assessment •Custom test scripts Exploitation •Manual exploit the identified vulnerabilities Reporting •Summary •Findings •Recommendations Re-testing •Validate remediation of vulnerabilities •Re-test after new changes
  • 9. Mobile / IoT Vulnerability / Penetration Testing Overview ©Pactera.Confidential.AllRightsReserved. 9 Mobile App (Android, iOS) Back-end Server REST API Communication Data Access Mobile App: • Automated Testing • Manual Testing • Secure Code Review via Fortify SCA • Test against OWASP Mobile Top 10: 1. Improper Platform Usage 2. Insecure Data Storage 3. Insecure Communication 4. Insecure Authentication 5. Insufficient Cryptography 6. Insecure Authorization 7. Client Code Quality 8. Code Tampering 9. Reverse Engineering 10. Extraneous Functionality REST API, Web Application: • Automated Testing • Manual Testing • Test against OWASP Web App Top 10 1. Injection 2. Broken Authentication and Session Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Function Level Access Control 8. Cross-Site Request Forgery (CSRF) 9. Using Components with Known Vulnerabilities 10. Unvalidated Redirects and Forwards Mobile & Web Tools: • Commercial and Open Source Tools • HP Fortify Secure Code Analyzer (SCA) • Acunetix • Kali Linux • Rapid 7 - NeXpose & Metasploit • Burp Suite Pro • SoapUI • ApkAnalyser • BEEF • Mobile Emulator • Geo-Location Emulation • Custom Developed Tools and Scripts
  • 10. Mobile Application Security Tools (Android) ©Pactera.Confidential.AllRightsReserved. 10 Source: OWASP
  • 11. Mobile Application Security Tools (iOS) ©Pactera.Confidential.AllRightsReserved. 11 Source: OWASP
  • 12. Mobile Application Security – Code Components Analysis Analyze Mobile Application to ensure any security vulnerabilities or malicious contents in the code components is detected through the following security testing: ©Pactera.Confidential.AllRightsReserved. 12 Inspect the APK installation Process • Detect suspicious activities during the installation process Inspect the APK communication behavior • Detect suspicious communication behaviors between mobile app and back-end server Inspect the code through Secure Code Review Process • Detect any code components with known malware • Remove vulnerabilities
  • 13. Mobile / IoT Secure Code Analysis We utilize HP Fortify Secure Code Analyzer (SCA) tool to scan for mobile code vulnerabilities – Including but not limited to the following: ©Pactera.Confidential.AllRightsReserved. 13 Access Control: Android Provider Access Control: Database Android Bad Practices: Missing Broadcaster Permission Android Bad Practices: Missing Receiver Permission Android Bad Practices: Sticky Broadcast Cross Site Scripting: Persistent Cross Site Scripting: Poor Validation Cross Site Scripting: Reflected Header Manipulation: Cookies Insecure Storage: Android External Storage Log Forging Path Manipulation Privacy Violation Password Management Password Management: Empty Password Password Management: Hardcoded Password Password Management: Null Password Password Management: Weak Cryptography Privilege Management: Android Location Privilege Management: Android Messaging Privilege Management: Android Telephony Privilege Management: Missing API Permission Privilege Management: Missing Intent Permission Query String Injection: Android Provider Resource Injection SQL Injection System Information Leak
  • 14. Web Application Vulnerability / Penetration Testing Overview ©Pactera.Confidential.AllRightsReserved. 14 Internet User (Web Client) Back-end Server REST API Communication Data Access Client Side (Web Browser): • Automated Testing • Manual Testing • Review client side scripts / code • Client Side Script Testing • DOM based Cross Site Scripting • Authentication • Authorization • Local Storage • Client Side URL Redirect • Web Messaging • Clickjacking • HTML Injection REST API, Web Application: • Automated Testing • Manual Testing • Network & Architecture Config Review • Test against OWASP Web App Top 10 1. Injection 2. Broken Authentication and Session Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Function Level Access Control 8. Cross-Site Request Forgery (CSRF) 9. Using Components with Known Vulnerabilities 10. Unvalidated Redirects and Forwards Security Testing Tools: • Commercial and Open Source Tools • HP Fortify Secure Code Analyzer (SCA) • Acunetix • Kali Linux • Rapid 7 – Nexpose • Rapid 7 – Metasploit • Burp Suite Pro • SoapUI • BEEF • Geo-Location Emulation • Custom Developed Tools and Scripts
  • 15. Web Application Secure Code Analysis We utilize HP Fortify Secure Code Analyzer (SCA) tool to scan for mobile code vulnerabilities – Including but not limited to the following: ©Pactera.Confidential.AllRightsReserved. 15 Map the Application’s Content Analyze the Application Test Client-side Controls Test Application Logic Test the Authentication Mechanism Test the Session Management Mechanism Test Access Controls Test for Input-based Vulnerabilities Test for Function-specific Vulnerabilities Test for Logic Flaws Test for Shared Hosting Vulnerabilities Test for Web Server Vulnerabilities Miscellaneous Checks
  • 16. Our Experience ©Pactera.SECCOEConfidential.AllRightsReserved. 16 • For major financial institutions - – Performed third-party security assessments, helped suppliers to enhance security and reduce client third-party risk exposure – Performed application security assessments, provided recommendations for remediation to enhance protection – Conducted security vulnerability assessments – Participated in Cybersecurity Incident Response and root cause analysis • For a Fortune 50 software firm - – Perform information security consulting – Application vulnerability assessment and management, regulatory compliance – Ensuring Security Compliance for over 2000 applications • For a major international airline - – Perform application vulnerability assessments – Conduct mobile application penetration testing • Ensure security weaknesses are identified and remediated • Prevent leak of sensitive information • For a major member loyalty program management firm – – Perform Data Privacy Governance and ISO 27001 Certification program development – Conduct security assessment, penetration testing / vulnerability assessment – Help the client to attain ISO 27001 certification
  • 17. Cybersecurity Team Member Profiles ©Pactera.SECCOEConfidential.AllRightsReserved. 17 Kyle has more than 21 years experience in providing a combination of security and privacy services to Fortune 500 and other large organizations. Prior to joining Pactera, Kyle served as senior cybersecurity consultant for such esteemed organizations as Microsoft, ExxonMobil, Boeing, Akamai, Fidelity Investments, PriceWaterhouseCoopers and HP. He also served as security operations manager for the U.S. Defense Information Systems Agency (DISA) and as interim Chief Information Security Officer (CISO) for Brandeis University’s Heller School. In addition, Kyle is the author of the well-known network security and privacy tool known as ‘SMAC’ with over 2.5 million users worldwide. Kyle’s expertise includes vulnerability assessment and program management, data privacy, security tools development, third-party supplier risk assessment and management, penetration testing, web application, thick client application, API, SOAP, security architecture design and implementation, eGRC, and security advisory. Kyle possesses security and privacy certifications including Certified Information Systems Security Professional (CISSP), Certified Information Privacy Professional for U.S. and Government (CIPP/US, CIPP/G), Certified Secure Software Lifecycle Professional (CSSLP), Certified Information Systems Auditor (CISA), and is certified as a ISO 27001 Lead Auditor. Kyle is based in U.S. Kyle Lai Head of Security Services CISSP, CSSLP, CIPP/US, CIPP/G, CISA, ISO 27001 Lead Auditor William is one of the world’s top penetration testers and vulnerability assessors with over 20 years of professional experience. He has conducted numerous penetration tests against large organizations including U.S. Government Agencies, Department of Defense (DoD), Fortune 500 firms in financial, healthcare, oil and energy, high tech industries. William’s expertise includes cybersecurity offense and defense strategy and tactics in networking, web application, thick client application, API, SOAP, threat analysis, exploit development, penetration testing, security tools development, phishing testing, security architecture design and implementation, security lab building, cybersecurity attack simulation and security advisory. He also conducts social engineering and physical security assessment which includes identifying physical security weaknesses. William is the author of Filibuster Network Exfiltration Security Testing tool – try to test the firewall rule effectiveness. He debuted this tool at the Blackhat Security Conference in 2014. He has also trained hundreds of security engineers for DoD and large firms on attacking and protecting network and applications. He possessed security certifications including Offensive Security Certified Engineer (OSCE), Offensive Security Certified Professional (OSCP), Offensive Security Wireless Professional (OSWP), SANS GIAC Certified Penetration tester (GPEN), and a licensed private investigator. William is based in U.S. William Coppola Senior Security Consultant OSCE, OSCP, OSWP, GIAC GPEN Private Investigator
  • 18. Cybersecurity Team Member Profiles ©Pactera.SECCOEConfidential.AllRightsReserved. 18 Tom has more than 20 years of experience technical and cybersecurity experience in providing a combination of security, regulatory compliance (HIPAA, PCI) and privacy services to Fortune 500 and other large organizations. Prior to Pactera, Tom held senior management and principal security architect roles within several consulting and corporate institutions, across financial, government, retail and technology verticals. He has designed and overseen the implementation of many large scale security initiatives such as incident response, network security, security architecture design and implementation, regulatory compliance, vulnerability assessment, PII data privacy eDiscovery and assessments (Mass CMR 201 17, FTC consumer data oversight and PCI e-discovery), Secure SDL and security assessments. Tom is a published author contributing to a popular security architecture book published by RSA press and the complete guide to firewalls published by Osborne McGraw-Hill. Tom possessed security certifications including Certified Information Systems Security Professional (CISSP). Tom based in U.S. Tom DeFelice Principal Security Consultant CISSP Henry is an information security and technology executive with over 10 years’ experience, and possesses a robust history of professional service delivery. Prior to joining Pactera, Henry held the position of Security Team Lead for offensive security and Senior Managing Consultant roles with Japanese owned consulting firms. He has delivered various projects across financial, government, telecommunications, retail, logistics and transportation industries, including security risk assessment, penetration testing, privacy impact assessment, compliance audit, IT governance, managed security services, system hardening and security solution implementation. Henry is also an experienced trainer in delivering security trainings (including in-house tailor-made security awareness trainings) for general staff, IT professionals, and for CISA focused classroom instruction. He holds a Bachelor’s degree in Information Technology and is certified as CISSP, CISA, CEH, CCSK, PCI QSA (PCI SSC), PCIP (PCI SSC), CPM, ISO 31000 Lead Trainer, ISO 20000 Auditor, ISO 27001 Lead Auditor, ITIL, MCSA and CCNA. Henry is based in Hong Kong. Henry Hon Principal Security Consultant CISSP, CISA, CEH, CCSK, PCIP, ISO 20000 Auditor, ISO 27001 Lead Auditor
  • 19. Cybersecurity Team Member Profiles ©Pactera.SECCOEConfidential.AllRightsReserved. 19 Johnson has more than 5 years of experience in information security consultancy. Prior to joining Pactera, Johnson served as a security consultant within several consulting institutions, delivering professional services for clients across Asia-Pac, in various industrial sectors including banking, insurance, telecom, retail, e-commerce, hospitality, charity, etc. Johnson’s expertise includes application, network, and system vulnerability assessment, security and regulatory compliance audit, penetration testing, IT governance and security advisory. He holds a Master’s degree in Telecommunications, a Bachelor’s degree in Electronic & Communications Engineering, as well as industry certifications including CISM, CEH, ECSA, MCP, SCSA and CCNA. Johnson is based in Hong Kong Johnson Zhang Senior Security Consultant CISM, CEH, ESCA Josh is one of the world’s recognized cybersecurity expert with over 17+ years hands-on experience, covering all vertical markets from financial, federal government, state government, aerospace, defense, and public sectors performing red-team penetration testing, network and application vulnerability assessment, ethical hacking, threat/Intel, and covert entry, RFID, wireless security assessment, phishing assessment, cloud security review. For a Fortune 10 financial institution, Bank of America, Josh has create an insider threat program, external penetration testing exercise, lead security incident response and analysis, and coordination with law enforcement. Josh has served major BFSI and technology clients in the U.S., ASEAN region, and Australia, including Bank of America, Commonwealth Bank of Australia, and Bank of Japan. He is also an author of a distributed phishing framework that is frequently utilized in global enterprises. Josh is also a frequent speaker at the international cybersecurity conferences such as BlackHat, Defcon, BSides, DerbyCon, RuxCon, NOLACon, and InfraGard. He is certified as CEH, OPST, OPSA, OSSTMM Trainer. Josh is based in U.S. Joshua Perrymon Senior Security Consultant CEH, OPST, OPSA, OSSTMM Trainer
  • 20. Thank You Contact: Kyle Lai, CISSP, CSSLP, CISA, CIPP/US/G CISO, Head of Cybersecurity Services Kyle.Lai@Pactera.com @KyleOnCyber www.pactera.com Pactera Cybersecurity Services