
Canberra OWASP Chapter meeting


Presentation Transcript


  1. Andrew Muller, Canberra Chapter Leader, andrew.muller@owasp.org, 0400 481 179. Canberra OWASP Chapter meeting, 19th July 2012.

  2. Chapter meetings
     • First Wednesday every three months*
     • Next meetings:
       • 4th August 2012 ???
       • 5th September 2012
       • 5th December 2012
       • 6th March 2013*

  3. Comms
     • Subscribe to OWASP Canberra mailing list
     • Speak

  4. News
     • Formspring – ~?,000,000 accounts
     • Phandroid forums – ~1,000,000 accounts
     • Nvidia forums – ~400,000 accounts
     • Billabong – ~35,000 passwords
     • Yahoo Voice – ~450,000 passwords
     • billabong, 123456, 12345, passwords
     • 123456, password, welcome, ninja
     • Stored in plaintext FFS!

  5. Mobile Security Project
     • Threat Model
     • Top Ten Risks
     • Top Ten Controls
     • Secure Development
     • Security Testing (guide, GoatDroid, iGoat)
     • Cheat Sheets
     • https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

  6. Top Ten Risks
     • Insecure Data Storage
     • Weak Server Side Controls
     • Insufficient Transport Layer Protection
     • Client Side Injection
     • Poor Authorization and Authentication
     • Improper Session Handling
     • Security Decisions Via Untrusted Inputs
     • Side Channel Data Leakage
     • Broken Cryptography
     • Sensitive Information Disclosure

  7. Top Ten Controls
     • Identify and protect sensitive data on the mobile devices
     • Handle password credentials securely on the device
     • Ensure sensitive data is protected in transit
     • Implement user authentication, authorisation and session management correctly
     • Keep the backend APIs and platform secure
     • Secure data integration with third party services and applications
     • Pay attention to collection and storage of consent for collection and use of user’s data
     • Implement controls to prevent unauthorised access to paid-for resources
     • Ensure secure distribution/provisioning of mobile applications
     • Carefully check any runtime interpretation of code for errors

  8. Guest Speaker
     • Jacob West
     • Director, Software Security Research at HP Enterprise Security Products
