
Mobile Application Security Can You Trust Your Mobile Applications?






Presentation Transcript


  1. Mobile Application Security: Can You Trust Your Mobile Applications? Paras Shah, Country Manager, Canada, Software Security Assurance, HP Enterprise Security Products

  2. The motivation

  3. Rise of the mobile machines
   [Chart: Global Shipments (MM), 2005 to 2013E, for Desktop PCs, Notebook PCs, Smartphones and Tablets. Annotation: "Q4: Inflection Point – Smartphones + Tablets > PCs". Source: Morgan Stanley Research]

  4. The evolution of the modern enterprise
   • 1990s – Webpage era
   • 2000s – Web 2.0
   • 2010s – Mobile era

  5. The smartphone as pocket PC – smartphone activities within the past week (excluding calls)
   • 81% browsed the internet
   • 77% used a search engine
   • 68% used an app
   • 48% watched videos
   Source: The Mobile Movement Study, Google, April 2011

  6. Mobile represents a huge business opportunity
   Survey question: "Please select the most important benefit that your organization ultimately expects to gain from current or future mobile solutions deployments (whether or not you are currently receiving those benefits)."
   N = 600. Source: IDC's mobile enterprise software survey, 2011

  7. Challenges

  8. The Swiss army knife of computing
   • Rolodex
   • Game console
   • Camera
   • Television
   • Calculator
   • Laptop
   • Email
   • Book
   • Internet
   • GPS

  9. A treasure trove of private information
   Your smartphone knows you better than you know yourself:
   • PINs & passwords
   • Contacts
   • Call history
   • Messages
   • Social networking
   • Visited web sites
   • Mobile banking
   • Personal videos
   • Family photos
   • Documents
   … and cyber attackers are after your personal records.

  10. Risks
   • Difficult to train and retain staff – very difficult to keep skills up-to-date
   • Constantly changing environment
   • New attacks constantly emerge
   • Compliance requirements
   • Too many tools for various results

  11. Threats at all points
   • Client
     • Insecure storage of credentials
     • Improper use of configuration files
     • Use of insecure development libraries
     • Poor certificate management
   • Network
     • Insecure data transfer during installation or execution of the application
     • Insecure transmission of data across the network
   • Server
     • Authentication
     • Session management
     • Cross-site scripting
     • SQL injection
     • Command injection

  12. Top 10 Mobile by Prevalence (Source: HP 2012 Cyber Security Risk Report)

  13. Increasing awareness
   Survey question: "Which of the following technologies have resulted in an increase in IT security management spending at your organization within the past 12 months?"
   More than 60% of mobile apps have at least one critical vulnerability.
   IDC Web Conference, 12 April 2012. Source: IDC Security as a Service Survey, n=47

  14. Oops!

  15. The solution

  16. What is mobile? Devices – Connection – Servers

  17. Same old client-server model: Client (browser) – Network – Server

  18. Mobile application concerns
   • Does it work?
     • Does the application function as the business intends?
     • Are all features there and working?
   • Does it perform?
     • Will the application perform for all users?
     • Does it meet SLAs in production?
   • Is it secure?
     • Is the application securely coded?
     • Has the application been assessed for known threats?

  19. Get over yourself. The testing stick will not work.

  20. Process integration – integrating security into your established SDLC process
   SDLC phases: Plan – Requirements – Architecture & Design – Build – Test – Production
   Security Foundations – Mobile Applications:
   • Mobile Security Development Standards
   • Application-Specific Threat Modeling and Analysis
   • Mobile Secure Coding Training
   • Mobile Application Security Assessment (Static, Dynamic, Server, Network, Client)
   • Mobile Secure Coding Standards Wiki
   • Mobile Firewall
   • Threat Modeling CBT for Developers
   • Mobile Application Security Process Design
   • Mobile Risk Dictionary
   • Static Analysis
   • Mobile Security Policies

  21. How you see your world
   • Get sales data
   • Get the username
   • Get the password
   • Edit my account
   • Remember the user
   • Generate reports

  22. How an attacker sees your world
   • Insufficient data storage
   • SQL injection
   • Data leakage
   • Cross-site scripting
   • Sensitive information disclosure
   • Improper session handling
   • Weak server-side controls
   • Client-side injection

  23. Get over yourself. You are responsible for security.

  24. Test, test some more, and then test again

  25. Testing solution
   • Proactive – test early and often; repeatable and automated
   • Breadth – support for multiple platforms
   • Depth
     • Research
     • Secure the entire stack – client, server and network
     • Quality analysis
   • Compliance – enforce internal and external standards
   • Scalability – 10, 100, 1,000
   • Cost effective

  26. HP Fortify on Demand
   • Simple
     • Launch your application security initiative in <1 day
     • No hardware or software investments
     • No security experts to hire, train and retain
   • Fast
     • Scale to test all applications in your organization
     • 1 day turn-around on application security results
     • Support 1000s of applications for the desktop, mobile or cloud
   • Flexible
     • Test any application from anywhere
     • Secure commercial, open source and 3rd party applications
     • Test applications on-premise or on demand, or both

  27. HP Fortify on Demand at a glance
   • Comprehensive and accurate – HP Fortify SCA, HP WebInspect, Manual
   • Powerful remediation
   • Insightful analysis and reports
   • Collaboration module
   • Broad support – C#, COBOL, JSP, PL/SQL, VB.NET, XML, ASP.NET, Classic ASP, Flex, JavaScript/AJAX, PHP, T-SQL, ABAP, C/C++, Cold Fusion, Java, Objective C, Python
   • Fast and scalable – 1 day static turnaround, virtual scan farm
   • Secure – datacenter encryption, third party reviews
   • Breadth of testing
     • 10,000+ applications
     • 16 different industries represented
     • 5 continents
     • Civilian and defense agencies across US Government
     • Vendor management and internal management
     • Development teams from 1 to 10,000s

  28. Powerful remediation and guidance
   • Insightful dashboard
     • Executive summary
     • Most prevalent vulnerabilities
     • Top 5 applications
     • Heat map
     • Star rating
   • Detailed reports
     • Remediation roadmap
     • Detailed vulnerability data
     • Recommendations
     • Line of code details
   • Collaboration
     • Web-based IDE
     • IDE plug-in
     • Assign issues to developers

  29. Questions
