W6 Concurrent Session
4/9/2014 12:45 PM

“Security Testing Mobile Applications”

Presented by:
Jeff Payne
Coveros, Inc.

Brought to you by:
340 Corporate Way, Suite 300, Orange Park, FL 32073
888‐268‐8770 ∙ 904‐278‐0524 ∙ sqeinfo@sqe.com ∙ www.sqe.com
Jeff Payne
Coveros, Inc
 
Jeff Payne is CEO and founder of Coveros, Inc., a software company that builds
secure software applications using agile methods. Since its inception in 2008, Coveros
has become a market leader in secure agile principles and has been recognized by Inc.
magazine as one of the fastest growing private US companies. Prior to founding
Coveros, Jeff was chairman of the board, CEO, and cofounder of Cigital, Inc., a
market leader in software security consulting. Jeff has published more than thirty
papers on software development and testing, and testified before Congress on issues
of national importance, including intellectual property rights, cyber terrorism, and
software quality.
2/24/2014
Security Testing Mobile Applications
Jeffery Payne
Chief Executive Officer
Coveros, Inc.
jeff.payne@coveros.com
www.coveros.com
© Copyright 2013 Coveros, Inc. All rights reserved.
Bio
Jeffery Payne
Jeffery Payne is CEO and founder of Coveros, Inc., a software company that
helps organizations accelerate the delivery of secure, reliable software. Coveros
uses agile development methods and a proven software assurance framework to
build security and quality into software from the ground up. Prior to founding
Coveros, Jeffery was Chairman of the Board, CEO, and co-founder of Cigital, Inc.
Under his direction, Cigital became a leader in software security and software
quality solutions, helping clients mitigate the risk of software failure. Jeffery is a
recognized software expert and popular speaker at both business and technology
conferences on a variety of software quality, security, and agile development
topics. He has also testified before Congress on issues of national importance,
including intellectual property rights, cyber-terrorism, software research funding,
and software quality.
About Coveros
Coveros helps organizations accelerate the delivery of secure, reliable software
Areas of Expertise
Our consulting services:
– Agile software development
– Application security
– Software quality assurance
Agile services
– Agility assessments
– Process improvement
– Hands-on agile software development
– Agile project management
– Agile testing and automation
– Agile training by role
What this talk is NOT about
– Penetration testing
– Testing tools
– Test cases
What this talk IS about
– Mobile threats
– Mobile risks
– Test strategy based on these
Agenda
Mobile applications: the perfect security storm
– Typical architecture(s)
– A changing threat model
Mobile risks and test strategies
– Local storage
– Session management
– Untrusted clients
– Native code
– Mobile platforms
– Traditional risks
Getting more help
Mobile Apps: The Perfect Security Storm
[Diagram: mobile apps sit where five concern areas overlap]
– Fat client concerns
– Traditional sw security concerns
– Traditional web security concerns
– Untrusted apps
– Untrusted users
Mobile Apps: The Perfect Security Storm
A Changing Threat Model
New Attack Profiles
– Increased access by malicious users
– Malicious 3rd party applications
– Increased information for attacking application back-ends
Fluid Trust Boundaries
– Level of trust necessary to use 3rd party applications
– Local access to sensitive data
Nuances of Mobile Platforms
– Differing security models
– Different vulnerabilities due to programming languages
Mobile App Security: Mobile Risks
Local storage – Storage of data (implicitly or explicitly) on a device
Session management – Managing the on-going interactions between a mobile app user and the rest of a distributed environment
Untrusted clients – Client requests might not be legitimate
Native Code – Native code is still prevalent in mobile applications
Mobile Platforms – How the device (and OS) configures and controls apps
Traditional Risks – Other risks we already know about
Mobile App Security: Best Practices
Do Not Allow Storage of Sensitive Data on Devices
Why?
– Devices use flash memory for local storage
– External devices have global data permissions
– Data encryption libraries and key management functions are often misused by developers
– UI screens are captured and stored in “temporary” storage
What to test/check for
– Sensitive data is properly stored on back-end servers behind a firewall
– Sensitive data is replaced on the UI with replacement tokens or partial data when it doesn’t need to be fully viewable
– Encryption routines for any local data use a computational key derivation function for keys
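As an added example (not from the slides or from Coveros), the Python below turns the three local-storage checks above into code a reviewer can compare against: a fast hash used directly as an encryption key (the pattern to flag), a PBKDF2 key derivation with a random salt and a high iteration count, a server-side token vault so the device holds only an opaque replacement token, and a masking helper for partial display. The names (`derive_key`, `TokenVault`, `mask_sensitive`), the iteration count and the sample card number are assumptions made for this illustration.

```python
import hashlib
import os
import secrets

# Pattern to flag in review: a key that is a single fast hash of the passphrase
# (or the passphrase bytes themselves). Each guess costs one SHA-256, so anyone who
# copies the flash image can brute-force the key offline at full speed.
def weak_key(passphrase: str) -> bytes:
    return hashlib.sha256(passphrase.encode("utf-8")).digest()

# Recommended: a computational key derivation function. PBKDF2-HMAC-SHA256 from the
# standard library is used here; the salt is random per device/user and the
# iteration count (an assumed figure, tune it to the device) makes each guess expensive.
PBKDF2_ITERATIONS = 200_000
SALT_LEN = 16

def new_salt() -> bytes:
    return os.urandom(SALT_LEN)

def derive_key(passphrase: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    if len(salt) < SALT_LEN:
        raise ValueError("salt must be at least %d random bytes" % SALT_LEN)
    if iterations < 10_000:
        raise ValueError("iteration count too low for a computational KDF")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)

# Replacement tokens: the sensitive value stays on the back end; the client only ever
# receives and stores an opaque random token that means nothing outside this vault.
class TokenVault:
    def __init__(self) -> None:
        self._by_token = {}

    def tokenize(self, value: str) -> str:
        token = secrets.token_urlsafe(24)
        self._by_token[token] = value
        return token

    def detokenize(self, token: str):
        return self._by_token.get(token)

# Partial display: only the trailing `visible` characters reach the screen, so a UI
# snapshot written to "temporary" storage does not carry the full value. Values
# shorter than `visible` come back unchanged.
def mask_sensitive(value: str, visible: int = 4, mask_char: str = "*") -> str:
    hidden = max(len(value) - visible, 0)
    return mask_char * hidden + value[hidden:]

if __name__ == "__main__":
    salt = new_salt()
    key = derive_key("correct horse battery staple", salt)
    vault = TokenVault()
    card = "4111111111111111"            # constructed sample value
    token = vault.tokenize(card)
    print(len(key), token != card, mask_sensitive(card))
```

The test for the third bullet is then mechanical: grep the app for direct `sha256(passphrase)` or hard-coded key constants, and require that every local encryption key comes from `derive_key` with a stored random salt.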
Mobile App Security: Best Practices
Make Sure Sessions are Managed Carefully
Why?
– Mobile application sessions tend to be left open longer on mobile devices to support mobile app use cases
– Untrusted applications that are malicious can compromise your applications if session management isn’t secure
– People often leave their phones lying around …
What to test/check for
– Idle sessions are automatically terminated after no more than 5 minutes
– Device identifier / MEID is not used as a session token
– Token revocation is supported and works remotely
– Session keys are temporary (to thwart ‘replay attacks’)
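As an added example (not from the slides or from Coveros), the following server-side session store implements the four checks above so each can be exercised in a unit test: random tokens that are never derived from a device identifier, a 5-minute idle timeout, an absolute lifetime so tokens are temporary, and revocation that the back end performs without the device. The class name, the `now` parameter (injected so tests can move the clock) and the 8-hour absolute cap are assumptions for this illustration.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT_S = 5 * 60        # the slide's limit: idle sessions end within 5 minutes
MAX_LIFETIME_S = 8 * 60 * 60   # assumed absolute cap so a token cannot live forever

@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    revoked: bool = False

class SessionStore:
    """Server-side session table. Tokens are random, so nothing tied to the handset
    (device identifier, MEID, IMEI) ever doubles as a credential."""

    def __init__(self) -> None:
        self._sessions = {}

    def create(self, user: str, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # 256 bits of randomness, unguessable
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token: str, now=None):
        """Return the owning user if the session is live and refresh its idle timer; else None."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return None
        if now - s.last_seen > IDLE_TIMEOUT_S or now - s.created > MAX_LIFETIME_S:
            del self._sessions[token]   # expired: forget it so an old token cannot be replayed
            return None
        s.last_seen = now
        return s.user

    def revoke(self, token: str) -> bool:
        """Remote revocation: the back end invalidates a token without touching the device."""
        s = self._sessions.get(token)
        if s is None:
            return False
        s.revoked = True
        return True

    def revoke_user(self, user: str) -> int:
        """Revoke every session of a user, e.g. after a lost-phone report. Returns the count."""
        count = 0
        for s in self._sessions.values():
            if s.user == user and not s.revoked:
                s.revoked = True
                count += 1
        return count

if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice", now=0.0)
    print(store.validate(tok, now=240.0), store.validate(tok, now=240.0 + 400.0))
```

A test that fails this store is the one to keep: present a token six minutes after its last use, or after `revoke` was called from another channel, and require `None` back.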
Mobile App Security: Best Practices
Assume No Client (or App) is Trustworthy
Why?
– The increased threat of mobile device compromise means no client / app requesting information can be trusted
– Trusted apps may have been misconfigured to allow easy compromise
What to test/check for
– Lower levels of encryption (export grade) have been disabled on the backend servers
– Test the integrity of all data received from a client or other application
– Test that all data received from a user or client has been sanitized
– Test that only the minimum amount of info is returned to clients when there is an error
– Move all default directories on all servers
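As an added example (not from the slides or from Coveros), the Python below shows a back-end request handler written on the assumption that the client is untrusted: it verifies an HMAC tag over the raw body before parsing, validates every field against an allow-list, returns the same generic error body for every failure while writing the detailed reason to a server-side log, and builds a TLS server context with export-grade and other weak ciphers excluded. The shared key, the transfer-request shape, the allow-lists and the function names are assumptions for this illustration.

```python
import hashlib
import hmac
import json
import ssl
import string

# Constructed per-session secret shared with the client at login (example value only).
SESSION_KEY = b"example-session-key-do-not-use"

# Allow-lists: the server decides what shapes are acceptable, never the client.
ALLOWED_ACCOUNTS = {"checking", "savings"}
MEMO_CHARS = set(string.ascii_letters + string.digits + " .,-")
MAX_AMOUNT = 100_000
GENERIC_ERROR = {"error": "invalid request"}   # the only error text a client ever sees

server_log = []   # detailed reasons go here, not into the response

def sign(body: bytes, key: bytes = SESSION_KEY) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def validate_transfer(payload) -> list:
    """Return the problems found in a client-supplied transfer request (empty list = ok)."""
    problems = []
    if not isinstance(payload, dict):
        return ["body is not an object"]
    amount = payload.get("amount")
    if isinstance(amount, bool) or not isinstance(amount, int) or not 1 <= amount <= MAX_AMOUNT:
        problems.append("amount out of range or not an integer")
    if payload.get("to") not in ALLOWED_ACCOUNTS:
        problems.append("unknown destination account")
    memo = payload.get("memo", "")
    if not isinstance(memo, str) or len(memo) > 64 or not set(memo) <= MEMO_CHARS:
        problems.append("memo too long or contains disallowed characters")
    return problems

def handle_transfer(raw_body: bytes, tag: str, key: bytes = SESSION_KEY):
    """Return (status, response). Integrity is checked on the raw bytes before parsing."""
    if not hmac.compare_digest(sign(raw_body, key), tag):
        server_log.append("integrity check failed")
        return 400, GENERIC_ERROR
    try:
        payload = json.loads(raw_body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError) as exc:
        server_log.append("malformed body: %s" % exc)
        return 400, GENERIC_ERROR
    problems = validate_transfer(payload)
    if problems:
        server_log.append("validation: " + "; ".join(problems))
        return 400, GENERIC_ERROR
    return 200, {"status": "accepted", "to": payload["to"], "amount": payload["amount"]}

def client_request(payload: dict):
    """What a well-behaved client sends: canonical JSON bytes plus the tag over them."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return body, sign(body)

def server_tls_context() -> ssl.SSLContext:
    """Server-side TLS settings: TLS 1.2 or later, no export-grade, NULL, DES, RC4 or MD5
    suites. The caller still loads its certificate chain with load_cert_chain()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5")
    return ctx

if __name__ == "__main__":
    body, tag = client_request({"amount": 250, "to": "savings", "memo": "rent"})
    print(handle_transfer(body, tag))
    print(handle_transfer(body.replace(b"250", b"250000"), tag), server_log[-1])
```

The test strategy the slide asks for maps onto the three functions: replay a body with one byte changed and expect the generic error, submit each field outside its allow-list and expect the same generic error, and diff the error responses to confirm they carry no field names, stack traces or server paths.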
Mobile App Security: Best Practices
Test Native Code for Known Vulnerabilities
Why?
– Mobile platforms often support the development of native code applications that are vulnerable to traditional attacks
– Software written for Apple devices is written in Objective-C; Java can call native code
– VMs often include vulnerabilities!
What to test/check for
– Check that Address Space Layout Randomization (ASLR) is being used to combat overflow attacks
– Perform traditional secure code scanning on all native code
– Recommend avoiding native code if possible
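As an added example (not from the slides or from Coveros), the following standard-library Python checker reads the two ELF properties a reviewer looks at first when verifying the ASLR point above for Android or other ELF-based native code: whether the image is position-independent (`e_type` of `ET_DYN`, which the loader needs in order to randomise its base) and whether the `PT_GNU_STACK` program header leaves the stack non-executable. The function names and the constructed sample-image builder are assumptions for this illustration; a plain shared library also reports `ET_DYN`, and this does not replace a full scanner.

```python
import struct
from dataclasses import dataclass

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

@dataclass
class ElfHardening:
    pie: bool        # e_type == ET_DYN: the loader may place the image at a random base (ASLR)
    nx_stack: bool   # PT_GNU_STACK present and not marked executable

def _formats(data: bytes):
    """Pick struct layouts for the ELF class/endianness; returns (hdr_fmt, phdr_fmt, is64)."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    endian = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little, 2 = big
    if data[4] == 2:                          # EI_CLASS: 2 = ELF64
        return endian + "HHIQQQIHHHHHH", endian + "IIQQQQQQ", True
    return endian + "HHIIIIIHHHHHH", endian + "IIIIIIII", False

def analyze_elf(data: bytes) -> ElfHardening:
    hdr_fmt, ph_fmt, is64 = _formats(data)
    hdr = struct.unpack_from(hdr_fmt, data, 16)   # header fields after the 16-byte e_ident
    e_type, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[4], hdr[8], hdr[9]
    nx_stack = False   # no PT_GNU_STACK at all: report as not hardened (conservative)
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        p_type = ph[0]
        p_flags = ph[1] if is64 else ph[6]   # p_flags sits at a different position in ELF32
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
    return ElfHardening(pie=(e_type == ET_DYN), nx_stack=nx_stack)

def check_file(path: str) -> ElfHardening:
    with open(path, "rb") as fh:
        return analyze_elf(fh.read())

def build_sample_elf64(e_type: int, stack_exec: bool) -> bytes:
    """Constructed minimal little-endian AArch64 ELF64 image (header plus one PT_GNU_STACK
    program header). It is not loadable; it only exercises the checker offline."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9
    header = e_ident + struct.pack("<HHIQQQIHHHHHH",
                                   e_type, 0xB7, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    flags = PF_R | PF_W | (PF_X if stack_exec else 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 0x10)
    return header + phdr

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, check_file(path))
    print("sample hardened:", analyze_elf(build_sample_elf64(ET_DYN, stack_exec=False)))
```

Run it over the native binaries unpacked from an APK (`lib/<abi>/*.so` and any bundled executables) and fail the build on `pie=False` for an executable or `nx_stack=False` for anything.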
Mobile App Security: Best Practices
Understand Your Mobile Platform
Why?
– Each platform uses a different security model
– Each platform manages applications differently
What to understand
– Learn how applications store data, protect it from access, and when data is physically deleted from the device
– Understand the default configurations for applications, browsers, and communication protocols
– Learn how and when information is cached, keyboard keys are logged, and screenshots are saved
– Understand how libraries are loaded and run (and in what order)
Mobile App Security: Best Practices
Don’t Forget About Traditional Risks
Why?
– Mobile applications are often just mobile front-ends for our traditional systems (banking, e-commerce, etc.)
– MySQL often ships with devices and is susceptible to SQL injection
– Web vulnerabilities exist in thin client mobile apps
What to test/check for
– SQL injections
– Web application security issues (XSS, CSRF, etc.)
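As an added example (not from the slides or from Coveros), the Python below puts the two checks above into a form a test suite can run offline: a query built by string concatenation beside its parameterised replacement, an `injection_test` helper that passes only when a tautology probe returns no rows, and an output-encoding helper for the thin-client web view case. The in-memory SQLite table, the account data and the function names are constructed for this illustration.

```python
import html
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory accounts table so the example runs without a server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts (owner, balance) VALUES (?, ?)",
                     [("alice", 100), ("bob", 250), ("carol", 75)])
    conn.commit()
    return conn

# Defective pattern: the client-supplied value becomes part of the SQL text, so the
# database cannot tell data from query.
def lookup_vulnerable(conn: sqlite3.Connection, owner: str):
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()

# Fixed pattern: a bound parameter; the driver never interprets the value as SQL.
def lookup_parameterized(conn: sqlite3.Connection, owner: str):
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()

def injection_test(lookup) -> bool:
    """Test-suite check: a tautology probe for a non-existent owner must return no rows.
    A database error is an acceptable outcome; extra rows are not."""
    conn = make_db()
    probe = "nobody' OR '1'='1"
    try:
        rows = lookup(conn, probe)
    except sqlite3.Error:
        return True
    return len(rows) == 0

# Thin-client web view: user data is encoded on output so it never becomes markup.
def render_greeting(name: str) -> str:
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)

if __name__ == "__main__":
    print("vulnerable passes:", injection_test(lookup_vulnerable))
    print("parameterized passes:", injection_test(lookup_parameterized))
    print(render_greeting("<b>mallory</b>"))
```

The same `injection_test` wrapper can be pointed at each data-access function in the app; any that return rows for the probe are the ones to rewrite with bound parameters.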
Mobile App Security: Getting Smarter
OWASP Mobile Security Project
– https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
Coveros Labs – R&D in:
– Secure mobile development
– Malicious code analysis
– Cloud security
– http://www.coveros.com/content/coveros-labs
Questions?
Thank You
Contact Information:
Jeffery Payne
jeff.payne@coveros.com
703.431.2920