IBM Innovate 2012
Mobile Application Security Foundation &
Directions

Raj Balasubramanian                        Dirk Nicol
Product Architect, IBM Mobile Foundation   Product Manager, IBM Mobile Foundation
raj_balasubramanian@us.ibm.com             nicold@us.ibm.com
IPI2478
The Premier Event for Software and Systems Innovation



    Please note

    IBM’s statements regarding its plans, directions, and intent are subject to change or
    withdrawal without notice at IBM’s sole discretion.
    Information regarding potential future products is intended to outline our general product
    direction and it should not be relied on in making a purchasing decision.
    The information mentioned regarding potential future products is not a commitment, promise,
    or legal obligation to deliver any material, code or functionality. Information about potential
    future products may not be incorporated into any contract. The development, release, and
    timing of any future features or functionality described for our products remains at our sole
    discretion.

    Performance is based on measurements and projections using standard IBM benchmarks
    in a controlled environment. The actual throughput or performance that any user will
    experience will vary depending upon many factors, including considerations such as the
    amount of multiprogramming in the user’s job stream, the I/O configuration, the storage
    configuration, and the workload processed. Therefore, no assurance can be given that an
    individual user will achieve results similar to those stated here.




© 2012 IBM Corporation




Mobile is transformational

• 10 Billion devices by 2020
• 61% of CIOs put mobile as priority
• 45% increased productivity with mobile apps



IBM strategy addresses client mobile initiatives

Extend & Transform
• Extend existing business capabilities to mobile devices
• Transform the business by creating new opportunities

Build & Connect
• Build mobile applications
• Connect to, and run backend systems in support of mobile

Manage & Secure
• Manage mobile devices, services and applications
• Secure my mobile business



A deeper look at Manage & Secure capabilities

(Extend & Transform and Build & Connect as on the previous slide)

Manage & Secure
• Manage mobile devices, services and applications
• Secure my mobile business

Key Capabilities
• Mobile lifecycle management
• Device analytics and control
• Secure network communications & management



Mobile Devices: Unique Management & Security Challenges

Mobile devices are shared more often
• Personal phones and tablets shared with family
• Enterprise tablet shared with co-workers
• Social norms of mobile apps vs. file systems

Mobile devices have multiple personas
• Work tool
• Entertainment device
• Personal organization
• Security profile per persona?

Mobile devices are diverse
• OS immaturity for enterprise mgmt
• BYOD dictates multiple OSs
• Vendor / carrier control dictates multiple OS versions

Mobile devices are used in more locations
• A single location could offer public, private, and cell connections
• Anywhere, anytime
• Increasing reliance on enterprise WiFi

Mobile devices prioritize the user
• Conflicts with user experience not tolerated
• OS architecture puts the user in control
• Difficult to enforce policy, app lists



Mobile Risks

Top 10 Mobile Risks
1. Insecure Data Storage
2. Weak Server Side Controls
3. Insufficient Transport Layer Protection
4. Client Side Injection
5. Poor Authorization and Authentication
6. Improper Session Handling
7. Security Decisions Via Untrusted Inputs
8. Side Channel Data Leakage
9. Broken Cryptography
10. Sensitive Information Disclosure

Source: OWASP Mobile Security Project



Challenges of Enterprise Mobility

Achieving Data Separation & Providing Data Protection
• Data separation: personal vs corporate
• Data leakage into and out of the enterprise
• Partial wipe vs. device wipe vs. legally defensible wipe
• Data policies

Adapting to the BYOD / Consumerization of IT Trend
• Multiple device platforms and variants
• Multiple providers
• Managed devices (B2E)
• Unmanaged devices (B2B, B2E, B2C)
• Endpoint policies
• Threat protection

Providing secure access to enterprise applications & data
• Identity of user and devices
• Authentication, Authorization and Federation
• User policies
• Secure Connectivity

Developing Secure Applications
• Application life-cycle
• Vulnerability & Penetration testing
• Application Management
• Application policies

Designing & Instituting an Adaptive Security Posture
• Policy Management: Location, Geo, Roles, Response, Time policies
• Security Intelligence
• Reporting



So How do I Protect My Mobile Initiatives?

Begin by taking a holistic view of Mobile Security

(Diagram elements: WiFi, Telecom Provider, Internet, Security Gateway, Corporate Intranet & Systems, Mobile apps, Web sites)

• Secure endpoint device and data
• Develop, test and deliver safe applications
• Secure access to enterprise applications and data
• Achieve Visibility and Enable Adaptive Security Posture



Spectrum of Mobile Security Requirements

Mobile devices are not only computing platforms but also communication devices, hence mobile security is multi-faceted, driven by customers’ operational priorities.

Mobile Security Intelligence (spans all areas below)

Mobile Device Management
  Mobile Device Management
  • Acquire/Deploy: Register, Activation, Content Mgmt
  • Manage/Monitor: Self Service, Reporting
  • Retire: De-provision
  Mobile Device Security Management
  • Device wipe & lockdown
  • Password Management
  • Configuration
  • Policy
  • Compliance

Data, Network & Access Security
  Mobile Threat Management
  • Anti-malware
  • Anti-spyware
  • Anti-spam
  • Firewall/IPS
  • Web filtering
  • Web Reputation
  Mobile Information Protection
  • Data encryption (device, file & app)
  • Mobile data loss prevention
  Mobile Network Protection
  • Secure Communications (VPN)
  • Edge Protection
  Mobile Identity & Access Management
  • Identity Management
  • Authorize & Authenticate
  • Certificate Management
  • Multi-factor

App/Test Development
  Secure Mobile Application Development
  • Vulnerability testing
  • Mobile app testing
  • Enforced by tools
  • Enterprise policies

Underlying layers:
• Mobile Applications, i.e. Native, Hybrid, Web Application
• Mobile Application Platforms & Containers
• Device Platforms: 30 device manufacturers, 10 operating platforms, i.e. iOS, Android, Windows Mobile, Symbian, etc.



Mobile App Security: Defending the Software

• Consistently apply and enforce best practices during Development
• Perform vulnerability analysis during Testing
• Provide or employ a secure channel for delivering apps
• Employ a secure runtime environment to safeguard app data
• Perform checks to validate the integrity of apps
• As threats evolve, recognize required updates and establish a process for pushing them to users



Mobile Security Enabled with IBM Solutions

Achieve Visibility & Enable Adaptive Security Posture
  IBM QRadar: System-wide Mobile Security Awareness
  • Risk Assessment
  • Threat Detection

Secure Data & the Device
  IBM WorkLight: Runtime for safe mobile apps
  • Encrypted data cache
  • App validation
  IBM Endpoint Manager for Mobile: Configure, Provision, Monitor
  • Set appropriate security policies
  • Enable endpoint access
  • Ensure compliance

Protect Access to Enterprise Apps & Data
  IBM Security Access Manager for Mobile: Authenticate & Authorize users and devices
  • Standards Support: OAuth, SAML, OpenID
  • Single Sign-On & Identity Mediation
  IBM Mobile Connect: Secure Connectivity
  • App level VPN

Build & Run Safe Mobile Apps
  IBM WorkLight: Develop safe mobile apps
  • Direct Updates
  IBM AppScan for Mobile: Vulnerability testing
  • Dynamic & Static analysis of Hybrid and Mobile web apps
  IBM DataPower: Protect enterprise applications
  • XML security & message protection
  • Protocol Transformation & Mediation


The Difference Between Secure Apps and Device Management

Mobile Device Management
Device-level control:
• Password protection
• File-system encryption
• Managed apps
• Jailbreak detection
Requires consent of user to have enterprise manage entire device

Application-Level Security
App takes care of itself:
• Authentication
• File encryption
• Remote administration
• Adaptive functionality
Applicable in all scenarios, including BYOD and consumer-facing contexts


Worklight Runtime Architecture

Worklight Server
• Server-side Application Code
• Stats Aggregation
• JSON Translation
• Authentication
• Adapter Library

Device Runtime
• Client-side App Resources
• Direct Update
• Mobile Web Apps
• Unified Push Notifications
• Application Code
• Cross Platform Technology
• Security and Authentication
• Back-end Data Integration
• Post-deployment control
• Diagnostics



Mobile Application Security Objectives

Protect data on the device
• Malware, Jailbreaking
• Offline access
• Device theft
• Phishing, repackaging

Enforce security updates
• Be proactive: can’t rely on users getting the latest software update on their own

Streamline Corporate security approval processes
• Complex
• Time-consuming

Provide robust authentication and authorization
• Existing authentication infrastructure
• Passwords are more vulnerable

Protect from the “classic” threats to the application security
• Hacking
• Eavesdropping
• Man-in-the-middle



IBM WorkLight: Security By Design

Protecting data on the device and in transit
• Encrypted offline cache
• Offline authentication
• Secure connectivity
• App authenticity testing
• Jailbreak and malware detection

Enforcing security updates
• Remote disable
• Direct update

Streamlining Corporate security processes
• Mobile platform as a trust factor

Providing robust authentication and authorization
• Authentication integration framework
• Coupling device id with user id
• Data protection realms

Application Security
• Proven platform security
• SSL with server identity verification
• Code obfuscation



IBM WorkLight: Security By Design

Integration points (same capability map as the previous slide):
• Integration point with VPN solutions (i.e. IBM Mobile Connect)
• Integration point with MDM solutions (i.e. IBM Endpoint Manager for Mobile)
• Integration point with User Security solutions (i.e. IBM Security Access Manager for Mobile)
Protecting data on the device

Threats addressed: Malware, Jailbreaking; Device theft; Offline access; Phishing, repackaging

• Encrypted offline cache
• Offline authentication using password
• Extended authentication with server using secure challenge response on startup
• App authenticity testing: server-side verification mechanism to mitigate risk of Phishing through repackaging or app forgery
• Compatibility with various jailbreak and malware detection libraries



Enforcing security updates

Can’t rely on users getting the latest software update on their own

• Remote Disable: shut down specific versions of a downloadable app, providing users with link to update
• Direct Update: automatically send new versions of the locally-cached HTML/JS resources to installed apps



Authentication and Authorization

Providing robust authentication and authorization: authentication integration framework, data protection realms, device provisioning.

Challenges:
• Need to integrate with existing authentication infrastructure
• Authenticate users when offline
• Mobile passwords are more vulnerable (keyboard more difficult to use, typed text is visible)

Capabilities:
• Very flexible framework for simplifying integration of apps with existing authentication infrastructure
• Manages authenticated sessions with configurable expiration
• Open: e.g., custom OTP as anti-keylogger mechanism
• Server-side services grouped into separate protection realms for different authentication levels
• Secure device ID generated as part of extensible provisioning process

Session Authentication Management
Step 1 – Unauthenticated Session

1. The client calls a protected procedure on the Worklight Server.
2. Access is denied because the session is unauthenticated or expired; the server requests authentication.

Session:
• Created on first access from client
• Identified using session cookie
• Associated data is stored on the server

Session Authentication Management
Step 2 – Authentication

1. Obtain credentials from user and device.
2. Forward credentials to the Worklight Server, which processes the authentication data.
3. If necessary:
   • Consult with authentication servers
   • Perform device provisioning
   • Receive authentication token
   • Associate token with session

Session Authentication Management
Step 3 – Authenticated Session

1. Procedure call on an authenticated session (Worklight Server: authenticated token associated with session).
2. Access back-end service using the authentication token.
3. Procedure result returned to the client.

Server-side session table (session ID with authentication tokens/state per realm):

Session ID      Realm 1    Realm 2
2bd4296a3f29    25487      --------
25617ff82a90    --------   a6c9a
89a77921b02     7b8df      6a8a0



Worklight Studio simplifies the reuse of custom containers across the organization

• One team creates a custom container (“Shell Component”) for extensive security certification
• Other teams create HTML-only “inner apps” wrapped in that container



Mobile Security Enabled with IBM Solutions
IBM brings together a broad portfolio of technologies and services to meet the mobile security needs of customers across multiple industries

• Application security
   • Worklight
   • IBM Rational AppScan
• Mobile device management
   • IBM Endpoint Manager for Mobile Devices
   • IBM Hosted Mobile Device Security Management
• Secure enterprise access
   • IBM Security Access Manager
• Security Intelligence
   • IBM QRadar



Deployment for SSO and Security Intelligence

Deployment diagram: hybrid apps based on Worklight run in the Worklight Runtime on the mobile device; traffic goes over SSL to the Mobile Security Gateway (risk-based access), then via SSO to the Worklight Server (WAS with security), which reaches enterprise applications, connectivity and data. The Security Intelligence Platform and IBM Endpoint Manager are also shown alongside the deployment.

Security intelligence with mobile context
• Intelligence around malware and advanced threats in the mobile-enabled enterprise
• User identity and device identity correlation, leading to behavior analysis
• Geo-fencing, anomaly detection based on device, user, location, and application characteristics



IBM AppScan: Bringing Vulnerability Scanning to Mobile

Detection of vulnerabilities before apps are delivered and deployed
• Known vulnerabilities can be addressed in software development and testing
• Code vulnerable to known threat models can be identified in testing
• Security designed in vs. bolted on
• Leverage AppScan for vulnerability testing of mobile web apps and web elements (JavaScript, HTML5) of hybrid mobile apps



IBM Security Access Manager: Authentication & Authorization of Mobile Users and their Devices

Mobile browser or native applications connect over VPN or HTTPS to IBM Access Manager, which handles authentication (i.e. userid/password, Basic Auth, Certificate or Custom) and authorization. It is backed by Access Manager servers (e.g., Policy), user registries (i.e. LDAP), an External Authentication Provider and Federated Identity Manager; behind it sit the application servers (i.e. WebSphere, WorkLight), web services and enterprise web applications.

IBM Security Access Manager for Mobile can be used to satisfy complex authentication requirements. A feature called the External Authentication Interface (EAI) is designed to provide flexibility in authentication.

Federated Identity Manager can be incorporated into the solution to provide federated identity management.



IBM Endpoint Manager for Mobile: Extending Management Reach to Mobile Devices

IBM Endpoint Manager provides a common management agent and console for systems management and security management, with near-instant deployment of new features, across desktop/laptop/server endpoints, mobile endpoints and purpose-specific endpoints.

• Advanced management for iOS, Android, Symbian, and Windows Phone
• Unified management automatically enables VPN access based on security compliance
• Integration with back-end IT management systems such as service desk, CMDB, and SIEM
• Security threat detection and automated remediation
• Extends IBM’s existing 500,000 endpoint deployment



IBM QRadar: Delivering Mobile Security Intelligence
Delivers mobile security intelligence by monitoring data collected from other mobile security solutions: visibility, reporting and threat detection

Unified collection, aggregation and analysis architecture for:
   o Application logs
   o Security events
   o Vulnerability data
   o Identity and Access Management data
   o Configuration files
   o Network flow telemetry
A common platform for:
   o Searching
   o Filtering
   o Rule writing
   o Reporting functions
A single user interface for:
   o Log management
   o Risk modeling
   o Vulnerability prioritization
   o Incident detection
   o Impact analysis tasks

Ingest log data and events from:
   o Endpoint Manager for Mobile Devices
   o Access Manager for Mobile
   o Mobile Connect
   o WorkLight



Copyright and Trademarks

© IBM Corporation 2012. All Rights Reserved.

IBM, the IBM logo, ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.



IBM Global Technology Services offers a broad set of complementary mobile capabilities

Client initiatives and the services that support them:

• Build mobile applications; connect to, and run backend systems in support of mobile
   • Mobile application development
   • Mobile Application Platform Management
   • Network (e.g. wi-fi, VPN)
• Manage mobile devices and applications; secure my mobile business
   • Telecom Expense Management
   • Mobile Security
   • Mobile Device Management
   • End-user and administration support
   • Procurement, staging and kitting
• Extend existing business capabilities to mobile devices; transform the business by creating new opportunities
   • Unified Communications Services
   • Mobile Application Platform Management
   • Strategy & Transformation
   • Mobile Application Management
   • Messaging, collaboration and social




                        www.ibm.com/software/rational







Daily iPod Touch giveaway

• Complete your session surveys online each day at a conference kiosk or on your Innovate 2012 Portal!
• Each day that you complete all of that day’s session surveys, your name will be entered to win the daily iPod touch!
• On Wednesday be sure to complete your full conference evaluation to receive your free conference t-shirt!



     Acknowledgements and disclaimers

     Availability: References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries
     in which IBM operates.


     The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for
     informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant.
     While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without
     warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this
     presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or
     representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of
     IBM software.


     All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have
     achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to,
     nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.


     © Copyright IBM Corporation 2012. All rights reserved.
       – U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

     IBM, the IBM logo, ibm.com, Rational, the Rational logo, Telelogic, the Telelogic logo, Green Hat, the Green Hat logo, and other IBM products and
     services are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these
     and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate
     U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or
     common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at
     www.ibm.com/legal/copytrade.shtml
     Other company, product, or service names may be trademarks or service marks of others.








                                                          www.ibm.com/software/rational

© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have
the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM
software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities
referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature
availability in any way. IBM, the IBM logo, Rational, the Rational logo, Telelogic, the Telelogic logo, and other IBM products and services are trademarks of the International Business Machines
Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.


Engaging Mobile Apps with IBM® Social Business Solutions and IBM Worklight
 
Build and Connect Enterprise Mobile Applications from developerWorks Live!
Build and Connect Enterprise Mobile Applications from developerWorks Live! Build and Connect Enterprise Mobile Applications from developerWorks Live!
Build and Connect Enterprise Mobile Applications from developerWorks Live!
 
IBM Presentation for Mobile Developer Summit India
IBM Presentation for Mobile Developer Summit IndiaIBM Presentation for Mobile Developer Summit India
IBM Presentation for Mobile Developer Summit India
 
UK Innovate 2012 mobile keynote
UK Innovate 2012 mobile keynoteUK Innovate 2012 mobile keynote
UK Innovate 2012 mobile keynote
 
Five things we have learned about mobility from our clients -- IBM, Alistair ...
Five things we have learned about mobility from our clients -- IBM, Alistair ...Five things we have learned about mobility from our clients -- IBM, Alistair ...
Five things we have learned about mobility from our clients -- IBM, Alistair ...
 
Jerry Romanek series mobile development 2012 year end review
Jerry Romanek series   mobile development 2012 year end reviewJerry Romanek series   mobile development 2012 year end review
Jerry Romanek series mobile development 2012 year end review
 
Ibm mobile strategy may2012 mark.cesario v1.0
Ibm mobile strategy may2012 mark.cesario v1.0Ibm mobile strategy may2012 mark.cesario v1.0
Ibm mobile strategy may2012 mark.cesario v1.0
 
IBM Worklight-Overview
IBM Worklight-OverviewIBM Worklight-Overview
IBM Worklight-Overview
 
February 2013 IBM/DeviceAnywhere Webcast on Mobile Testing
February 2013 IBM/DeviceAnywhere Webcast on Mobile TestingFebruary 2013 IBM/DeviceAnywhere Webcast on Mobile Testing
February 2013 IBM/DeviceAnywhere Webcast on Mobile Testing
 
Securing Salesforce Mobile SDK Apps with Good Dynamics
Securing Salesforce Mobile SDK Apps with Good DynamicsSecuring Salesforce Mobile SDK Apps with Good Dynamics
Securing Salesforce Mobile SDK Apps with Good Dynamics
 
Ibm solutions for the mobile enterprise
Ibm solutions for the mobile enterpriseIbm solutions for the mobile enterprise
Ibm solutions for the mobile enterprise
 
Becoming a mobile enterprise: step by step
Becoming a mobile enterprise: step by stepBecoming a mobile enterprise: step by step
Becoming a mobile enterprise: step by step
 
IBM mobile strategy at Innovate 2012
IBM  mobile strategy at Innovate 2012IBM  mobile strategy at Innovate 2012
IBM mobile strategy at Innovate 2012
 
Collaborative lifecycle development for Mobile Software
Collaborative lifecycle development for Mobile Software Collaborative lifecycle development for Mobile Software
Collaborative lifecycle development for Mobile Software
 
Collaborative lifecycle development for Mobile Software
Collaborative lifecycle development for Mobile SoftwareCollaborative lifecycle development for Mobile Software
Collaborative lifecycle development for Mobile Software
 
Securing Mobile Apps: New Approaches for the BYOD World
Securing Mobile Apps: New Approaches for the BYOD WorldSecuring Mobile Apps: New Approaches for the BYOD World
Securing Mobile Apps: New Approaches for the BYOD World
 
Worklight nitin nm
Worklight nitin nmWorklight nitin nm
Worklight nitin nm
 

Dernier

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Dernier (20)

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 

Mobile Application Security

  • 1. IBM Innovate 2012: Mobile Application Security Foundation & Directions. Raj Balasubramanian, Product Architect, IBM Mobile Foundation (raj_balasubramanian@us.ibm.com); Dirk Nicol, Product Manager, IBM Mobile Foundation (nicold@us.ibm.com). IPI2478
  • 2. The Premier Event for Software and Systems Innovation Please note IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here. 2 © 2012 IBM Corporation
  • 3. Mobile is transformational: 10 Billion devices by 2020; 61% of CIOs put mobile as a priority; 45% increased productivity with mobile apps.
  • 4. IBM strategy addresses client mobile initiatives
      - Extend & Transform: extend existing business capabilities to mobile devices; transform the business by creating new opportunities
      - Build & Connect: build mobile applications; connect to, and run backend systems in support of mobile
      - Manage & Secure: manage mobile devices, services and applications; secure my mobile business
  • 5. A deeper look at Manage & Secure capabilities (alongside Extend & Transform and Build & Connect)
      - Manage & Secure: manage mobile devices, services and applications; secure my mobile business
      - Key capabilities: mobile lifecycle management; device analytics and control; secure network communications & management
  • 6. Mobile Devices: Unique Management & Security Challenges
      - Mobile devices are shared more often: personal phones and tablets shared with family; enterprise tablet shared with co-workers; security profile per persona?
      - Mobile devices have multiple personas: work tool; entertainment device; personal organization; social norms of mobile apps vs. file systems
      - Mobile devices are diverse: OS immaturity for enterprise management; BYOD dictates multiple OSs; vendor / carrier control dictates multiple OS versions
      - Mobile devices are used in more locations: a single location could offer public, private, and cell connections; anywhere, anytime; increasing reliance on enterprise WiFi
      - Mobile devices prioritize the user: conflicts with user experience not tolerated; OS architecture puts the user in control; difficult to enforce policy, app lists
  • 7. Mobile Risks. Top 10 Mobile Risks (source: OWASP Mobile Security Project)
      1. Insecure Data Storage
      2. Weak Server Side Controls
      3. Insufficient Transport Layer Protection
      4. Client Side Injection
      5. Poor Authorization and Authentication
      6. Improper Session Handling
      7. Security Decisions Via Untrusted Inputs
      8. Side Channel Data Leakage
      9. Broken Cryptography
      10. Sensitive Information Disclosure
  • 8. Challenges of Enterprise Mobility
      - Achieving data separation & providing data protection: data separation, personal vs corporate; data leakage into and out of the enterprise; partial wipe vs. device wipe vs. legally defensible wipe; data policies
      - Adapting to the BYOD / consumerization of IT trend: multiple device platforms and variants; multiple providers; managed devices (B2E); unmanaged devices (B2B, B2E, B2C); endpoint policies; threat protection
      - Providing secure access to enterprise applications & data: identity of user and devices; authentication, authorization and federation; user policies; secure connectivity
      - Developing secure applications: application life-cycle; vulnerability & penetration testing; application management; application policies
      - Designing & instituting an adaptive security posture: policy management (location, geo, roles, response, time policies); security intelligence; reporting
  • 9. So How do I Protect My Mobile Initiatives? Begin by taking a holistic view of mobile security.
      - Diagram: mobile apps and web sites on the device reach the corporate intranet & systems over WiFi, the Internet and the telecom provider, passing through a security gateway
      - Develop, test and deliver safe applications
      - Secure endpoint device and data
      - Secure access to enterprise applications and data
      - Achieve visibility and enable adaptive security posture
  • 10. Spectrum of Mobile Security Requirements. Mobile devices are not only computing platforms but also communication devices, hence mobile security is multi-faceted, driven by customers' operational priorities. Mobile Security Intelligence spans all of the areas below.
      - Mobile Device Management
          - Mobile Device Management: acquire/deploy; register; activation; manage/monitor; self service; retire; de-provision
          - Mobile Device Security Management: identity management; device wipe & lockdown; password management; content management; configuration; policy; compliance policies
          - Mobile Threat Management: anti-malware; anti-spyware; anti-spam; firewall/IPS; web filtering; web reputation
      - Data, Network & Access Security
          - Mobile Information Protection: data encryption (device, file & app); mobile data loss prevention
          - Mobile Network Protection: secure communications (VPN); edge protection
          - Mobile Identity & Access Management: authorize & authenticate; certificate management; multi-factor
      - App/Test Development
          - Secure Mobile Application Development: vulnerability testing; mobile app testing; enforced by tools; reporting; enterprise mobile applications, i.e. native, hybrid, web
      - Underlying layers: mobile application platforms & containers; device platforms (30 device manufacturers, 10 operating platforms, i.e. iOS, Android, Windows Mobile, Symbian, etc.)
  • 11. Mobile App Security: Defending the Software
      - Consistently apply and enforce best practices during development
      - Perform vulnerability analysis during testing
      - Provide or employ a secure channel for delivering apps
      - Employ a secure runtime environment to safeguard app data
      - Perform checks to validate the integrity of apps
      - As threats evolve, recognize required updates and establish a process for pushing them to users
  • 12. Mobile Security Enabled with IBM Solutions
      - Achieve visibility & enable adaptive security posture: IBM QRadar, system-wide mobile security awareness (risk assessment; threat detection)
      - Build & run safe mobile apps: IBM WorkLight, develop safe mobile apps; IBM AppScan for Mobile, vulnerability testing (dynamic & static analysis of hybrid and mobile web apps)
      - Secure data & the device: IBM WorkLight, runtime for safe mobile apps (direct updates; encrypted data cache; app validation); IBM Endpoint Manager for Mobile, configure, provision, monitor (set appropriate security policies; enable endpoint access; ensure compliance)
      - Protect access to enterprise apps & data: IBM Security Access Manager for Mobile, authenticate & authorize users and devices (standards support: OAuth, SAML, OpenID; single sign-on & identity mediation); IBM DataPower, protect enterprise applications (XML security & message protection; protocol transformation & mediation); IBM Mobile Connect, secure connectivity (app level VPN)
  • 13. The Difference Between Secure Apps and Device Management
      - Mobile Device Management, device-level control: password protection; file-system encryption; managed apps; jailbreak detection. Requires consent of user to have enterprise manage entire device.
      - Application-Level Security, app takes care of itself: authentication; file encryption; remote administration; adaptive functionality. Applicable in all scenarios, including BYOD and consumer-facing contexts.
  • 14. Worklight Runtime Architecture
      - Worklight Server: server-side application code; app resources; stats aggregation; JSON translation; direct update; mobile web apps; authentication; back-end data integration; unified push notifications; adapter library
      - Device Runtime: client-side application code; cross platform technology; security and authentication; post-deployment control; diagnostics
  • 15. Mobile Application Security Objectives
      - Protect data on the device: malware, jailbreaking; offline access; device theft; phishing, repackaging
      - Enforce security updates: be proactive; can't rely on users getting the latest software update on their own
      - Streamline corporate security approval processes: complex; time-consuming
      - Provide robust authentication and authorization: existing authentication infrastructure; passwords are more vulnerable
      - Protect from the "classic" threats to the application security: hacking; eavesdropping; man-in-the-middle
  • 16. IBM WorkLight: Security By Design
      - Protecting data on the device and in transit: app authenticity testing; jailbreak and malware detection; encrypted offline cache; offline authentication; secure connectivity (SSL with server identity verification)
      - Enforcing security updates: remote disable; direct update
      - Providing robust authentication and authorization: mobile platform as a trust factor; authentication integration framework; coupling device id with user id; data protection realms
      - Streamlining corporate security processes: proven platform security
      - Application security: code obfuscation
  • 17. IBM WorkLight: Security By Design (continued). The same capability matrix as slide 16, with three integration points called out:
      - Integration point with VPN solutions (i.e. IBM Mobile Connect)
      - Integration point with user security solutions (i.e. IBM Security Access Manager for Mobile)
      - Integration point with MDM solutions (i.e. IBM Endpoint Manager for Mobile)
  • 18. Protecting data on the device
      - Threats addressed: malware, jailbreaking; device theft; offline access; phishing, repackaging
      - Encrypted offline cache
      - Offline authentication using password
      - Extended authentication with server using secure challenge-response on startup
      - App authenticity testing: server-side verification mechanism to mitigate risk of phishing through repackaging or app forgery
      - Compatibility with various jailbreak and malware detection libraries
  • 19. Enforcing security updates. Can't rely on users getting the latest software update on their own.
      - Remote Disable: shut down specific versions of a downloadable app, providing users with a link to update
      - Direct Update: automatically send new versions of the locally-cached HTML/JS resources to installed apps
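The two mechanisms on this slide are a server-side decision taken when the app starts. The Python below is an added example written for this page, not IBM Worklight's code or policy format: a constructed per-platform policy drives a Remote Disable verdict (a disabled or too-old version gets a message and update link instead of running), a stale cached web bundle triggers a Direct Update, and the client verifies the pushed HTML/JS bundle before replacing its cache and refuses downgrades. The policy values, version numbers, `example.invalid` links and resource contents are constructed; the HMAC with a constructed key stands in for the signature a production client would verify with a public key.

```python
import hmac
import json

# Constructed demo values, not Worklight's policy format. The signing key must stay on the
# server; HMAC stands in here for a real signature the client would verify with a public key.
SIGNING_KEY = b"constructed-demo-signing-key"
POLICY = {
    "ios": {"min_version": "2.1.0", "disabled_versions": {"2.2.0"},
            "update_link": "https://example.invalid/update/ios"},
    "android": {"min_version": "2.0.0", "disabled_versions": set(),
                "update_link": "https://example.invalid/update/android"},
}
# Latest HTML/JS resources the server can push; the bundle version only ever increases.
LATEST_BUNDLE_VERSION = 7
LATEST_RESOURCES = {"index.html": "<html>v7</html>", "app.js": "console.log('v7')"}


def parse_version(text):
    # "2.10.1" must sort after "2.9.0", so compare numeric tuples, not strings.
    return tuple(int(part) for part in text.split("."))


def build_bundle(version, resources, key=SIGNING_KEY):
    # Canonical JSON so the client verifies exactly the bytes the server authenticated.
    payload = json.dumps({"version": version, "resources": resources}, sort_keys=True).encode()
    return {"payload": payload, "mac": hmac.new(key, payload, "sha256").hexdigest()}


def startup_check(platform, app_version, cached_bundle_version):
    """Server decision when an app starts: remote-disable, direct-update, or run normally."""
    policy = POLICY[platform]
    too_old = parse_version(app_version) < parse_version(policy["min_version"])
    if too_old or app_version in policy["disabled_versions"]:
        # Remote disable: the app shows this message and link instead of running.
        return {"action": "disable", "message": "This version is no longer supported.",
                "link": policy["update_link"]}
    if cached_bundle_version < LATEST_BUNDLE_VERSION:
        # Direct update: push the newer cached web resources without an app-store release.
        return {"action": "direct_update",
                "bundle": build_bundle(LATEST_BUNDLE_VERSION, LATEST_RESOURCES)}
    return {"action": "ok"}


def apply_bundle(bundle, key, cache):
    """Client side: replace cached resources only if the bundle verifies and is newer."""
    expected = hmac.new(key, bundle["payload"], "sha256").hexdigest()
    if not hmac.compare_digest(expected, bundle["mac"]):
        return None  # tampered or forged bundle: keep the current cache untouched
    data = json.loads(bundle["payload"])
    if data["version"] <= cache.get("__version__", 0):
        return None  # refuse a downgrade to an older (possibly vulnerable) bundle
    cache.clear()
    cache.update(data["resources"])
    cache["__version__"] = data["version"]
    return data["version"]
```

The version-tuple comparison and the downgrade check are the two places such code usually goes wrong: string comparison would let "2.9.0" outrank "2.10.0", and a client that accepts any verified bundle can be rolled back to a version whose vulnerability the update was meant to remove.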
  • 20. Authentication and Authorization. Building blocks: authentication integration framework; data protection realms; device provisioning.
      - Needs: integrate with existing authentication infrastructure; authenticate users when offline; mobile passwords are more vulnerable (keyboard more difficult to use, typed text is visible)
      - Very flexible framework for simplifying integration of apps with existing authentication infrastructure
      - Manages authenticated sessions with configurable expiration
      - Open: e.g., custom OTP as anti-keylogger mechanism
      - Server-side services grouped into separate protection realms for different authentication levels
      - Secure device ID generated as part of extensible provisioning process
  • 21. Session Authentication Management, Step 1 – Unauthenticated Session
      1. The client calls a protected procedure; the Worklight Server denies access because the session is unauthenticated or expired
      2. The client requests authentication
      - Session: created on first access from the client; identified using a session cookie; associated data is stored on the server
  • 22. Session Authentication Management, Step 2 – Authentication
      1. Obtain credentials from user and device
      2. Forward credentials to the Worklight Server, which processes the authentication data
      3. If necessary: consult with authentication servers; perform device provisioning; receive authentication token; associate token with session
  • 23. Session Authentication Management, Step 3 – Authenticated Session
      1. Procedure call on an authenticated session; the Worklight Server finds the authenticated token associated with the session
      2. Access the back-end service using the authentication token
      3. Procedure result returned to the client
      - Server-side session table (Session ID: auth tokens/state): 2bd4296a3f29: Realm 1: 25487, Realm 2: ------; 25617ff82a90: Realm 1: ------, Realm 2: a6c9a; 89a77921b02: Realm 1: 7b8df, Realm 2: 6a8a0
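Slides 18 and 20 to 23 describe one flow: a server-side session identified by a cookie, a challenge-response login on startup, per-realm tokens that gate protected procedures, device-to-user provisioning, and configurable session expiration. The Python below is an added example written for this page, not IBM Worklight's implementation, that walks through the three steps end to end. The class and realm names (SessionServer, PROCEDURE_REALMS, "Realm 1"/"Realm 2"), the user "alice", the device id "device-42" and the FakeClock are constructed assumptions; the challenge-response is HMAC over a server nonce plus the device id, keyed by a PBKDF2-derived key that both sides compute from the password, so the password itself never crosses the wire.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical names for this example: a "realm" groups back-end procedures that need
# the same authentication level; a session holds at most one token per realm.
PROCEDURE_REALMS = {"getBalance": "Realm 1", "transferFunds": "Realm 2"}


class AccessDenied(Exception):
    """Protected procedure called on a session that is unauthenticated or expired."""


def derive_key(password, salt):
    # Client and server derive the same key; the server stores only salt and key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class FakeClock:  # controllable clock so the demo can show expiry deterministically
    def __init__(self, start=1_000_000.0):
        self.t = start

    def __call__(self):
        return self.t


class SessionServer:
    """Toy server following the slides' three steps; not IBM Worklight's own code."""

    def __init__(self, users, session_ttl=900, clock=time.time):
        self.users = users      # user -> {"salt", "key", "devices"}; constructed sample data
        self.ttl = session_ttl  # configurable expiration: seconds of inactivity allowed
        self.clock = clock
        self.sessions = {}      # cookie -> session state, kept on the server

    def session(self, cookie=None):
        # Step 1: created on first access, identified by a cookie, data stored server-side.
        now = self.clock()
        s = self.sessions.get(cookie)
        if s is None or now - s["last_seen"] > self.ttl:
            cookie = secrets.token_hex(6)  # expired session replaced; old tokens never reused
            s = self.sessions[cookie] = {"realms": {}, "challenge": {}, "user": None, "last_seen": now}
        s["last_seen"] = now
        return cookie, s

    def call_procedure(self, cookie, name):
        cookie, s = self.session(cookie)
        realm = PROCEDURE_REALMS[name]
        if realm not in s["realms"]:
            raise AccessDenied(f"session {cookie}: {realm} unauthenticated or expired")
        # Step 3: the realm token associated with the session authorises the back-end call.
        return cookie, {"procedure": name, "user": s["user"], "token": s["realms"][realm]}

    def request_authentication(self, cookie, realm):
        # Step 2 starts with a single-use nonce for a challenge-response exchange.
        cookie, s = self.session(cookie)
        s["challenge"][realm] = secrets.token_bytes(16)
        return cookie, s["challenge"][realm]

    def authenticate(self, cookie, realm, user, device_id, response):
        cookie, s = self.session(cookie)
        challenge = s["challenge"].pop(realm, None)  # pop: a challenge cannot be replayed
        rec = self.users.get(user)
        if challenge is None or rec is None:
            return cookie, False
        expected = hmac.new(rec["key"], challenge + device_id.encode(), "sha256").digest()
        if not hmac.compare_digest(expected, response):
            return cookie, False
        rec["devices"].add(device_id)              # provisioning: couple device id with user id
        s["user"] = user
        s["realms"][realm] = secrets.token_hex(4)  # token tied to this session and realm only
        return cookie, True


def client_response(password, salt, challenge, device_id):
    # The client proves it knows the password without ever sending the password itself.
    return hmac.new(derive_key(password, salt), challenge + device_id.encode(), "sha256").digest()


def demo():
    """Walk through steps 1-3, a wrong password, a realm the session lacks, and expiry."""
    clock, salt = FakeClock(), secrets.token_bytes(8)
    users = {"alice": {"salt": salt, "key": derive_key("correct horse", salt), "devices": set()}}
    server, out = SessionServer(users, session_ttl=900, clock=clock), {}

    def attempt(cookie, name):
        try:
            server.call_procedure(cookie, name)
            return "allowed"
        except AccessDenied:
            return "denied"

    cookie, _ = server.session(None)  # first access from the client creates the session
    out["step1_fresh_session"] = attempt(cookie, "getBalance")
    cookie, chal = server.request_authentication(cookie, "Realm 1")
    bad = client_response("wrong password", salt, chal, "device-42")
    cookie, out["wrong_password"] = server.authenticate(cookie, "Realm 1", "alice", "device-42", bad)
    cookie, chal = server.request_authentication(cookie, "Realm 1")
    good = client_response("correct horse", salt, chal, "device-42")
    cookie, out["realm1_auth"] = server.authenticate(cookie, "Realm 1", "alice", "device-42", good)
    cookie, result = server.call_procedure(cookie, "getBalance")
    out["getBalance_user"] = result["user"]
    out["transferFunds_without_realm2"] = attempt(cookie, "transferFunds")
    clock.t += 1000  # exceed the 900 s inactivity limit
    out["after_expiry"] = attempt(cookie, "getBalance")
    return out
```

Two details carry the security value of the realm table on slide 23: a token is granted per realm, so a session authenticated for Realm 1 still cannot call a Realm 2 procedure, and an expired session is replaced outright rather than refreshed, so its tokens never outlive the configured inactivity window.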
  • 24. Worklight Studio simplifies the reuse of custom containers across the organization: one team creates a custom container ("Shell Component") for extensive security certification; other teams create HTML-only "inner apps" wrapped in that container.
  • 25. Mobile Security Enabled with IBM Solutions. IBM brings together a broad portfolio of technologies and services to meet the mobile security needs of customers across multiple industries.
      - Application security: Worklight; IBM Rational AppScan
      - Mobile device management: IBM Endpoint Manager for Mobile devices; IBM Hosted Mobile Device Security Management
      - Secure enterprise access: IBM Security Access Manager
      - Security intelligence: IBM QRadar
  • 26. Deployment for SSO and Security Intelligence
      - Diagram: hybrid mobile apps based on WorkLight (hybrid app and Worklight runtime) on the mobile device connect over SSL to a Mobile Security Gateway (risk based access, SSO), then to the WorkLight Server (WAS w/ security) and on to enterprise applications, connectivity & data; IBM Endpoint Manager and the Security Intelligence Platform sit alongside
      - Security intelligence with mobile context
      - Intelligence around malware and advanced threats in mobile enabled enterprise
      - User identity and device identity correlation, leading to behavior analysis
      - Geo-fencing, anomaly detection based on device, user, location, and application characteristics
  • 27. IBM AppScan: Bringing Vulnerability Scanning to Mobile. Detection of vulnerabilities before apps are delivered and deployed.
      - Known vulnerabilities can be addressed in software development and testing
      - Code vulnerable to known threat models can be identified in testing
      - Security designed in vs. bolted on
      - Leverage AppScan for vulnerability testing of mobile web apps and web elements (JavaScript, HTML5) of hybrid mobile apps
  • 28. IBM Security Access Manager: Authentication & Authorization of Mobile Users and their Devices
      - Diagram components: Access Manager Servers (authorization, e.g., IBM Access Policy Manager); user registries (i.e. LDAP); Federated Identity Manager; external authentication provider (i.e. userid/password, Basic Auth, certificate or custom); VPN or HTTPS; application servers (i.e. WebSphere, WorkLight); mobile browser or native applications; enterprise web applications; web services
      - IBM Security Access Manager for Mobile can be used to satisfy complex authentication requirements. A feature called the External Authentication Interface (EAI) is designed to provide flexibility in authentication.
      - Federated Identity Manager can be incorporated into the solution to provide federated identity management.
  • 29. IBM Endpoint Manager for Mobile: Extending Management Reach to Mobile Devices
      - Advanced management for iOS, Android, Symbian, and Windows Phone
      - Common management agent and console for systems management and security management
      - Unified management automatically enables VPN access based on security compliance
      - Near-instant deployment of new features
      - Integration with back-end IT management systems such as service desk, CMDB, and SIEM
      - Security threat detection and automated remediation
      - Extends IBM's existing 500,000 endpoint deployment: desktop / laptop / server endpoint, mobile endpoint, purpose-specific endpoint
  • 30. IBM QRadar: Delivering Mobile Security Intelligence. Delivers mobile security intelligence by monitoring data collected from other mobile security solutions – visibility, reporting and threat detection.
      - Unified collection, aggregation and analysis architecture for: application logs; security events; vulnerability data; identity and access management data; configuration files; network flow telemetry
      - Ingest log data and events from: Endpoint Manager for Mobile Devices; Access Manager for Mobile; Mobile Connect; WorkLight
      - A common platform for: searching; filtering; rule writing; reporting functions
      - A single user interface for: log management; risk modeling; vulnerability prioritization; incident detection; impact analysis tasks
  • 31. Copyright and Trademarks. © IBM Corporation 2012. All Rights Reserved. IBM, the IBM logo, ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
  • 32. IBM Global Technology Services offers a broad set of complementary mobile capabilities
      - Client initiatives: build mobile applications; connect to, and run backend systems in support of mobile; manage mobile devices and applications; secure my mobile business; extend existing business capabilities to mobile devices; transform the business by creating new opportunities
      - Services: mobile application development; Mobile Application Platform Management; Telecom Expense Management; Unified Communications Services; mobile security; mobile application platform; network (e.g. wi-fi, VPN) management; mobile device management; end-user and administration support; strategy & transformation; mobile application management; procurement, staging and kitting; messaging, collaboration and social
  • 33. www.ibm.com/software/rational
  • 34. Daily iPod Touch giveaway
      - Complete your session surveys online each day at a conference kiosk or on your Innovate 2012 Portal!
      - Each day that you complete all of that day's session surveys, your name will be entered to win the daily iPod touch!
      - On Wednesday be sure to complete your full conference evaluation to receive your free conference t-shirt!
• 35. Acknowledgements and disclaimers Availability: References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. © Copyright IBM Corporation 2012. All rights reserved. – U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM, the IBM logo, ibm.com, Rational, the Rational logo, Telelogic, the Telelogic logo, Green Hat, the Green Hat logo, and other IBM products and services are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml. Other company, product, or service names may be trademarks or service marks of others.
• 36. www.ibm.com/software/rational © Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, Rational, the Rational logo, Telelogic, the Telelogic logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.