Mobile Application Security: Can You Trust Your Mobile Applications?
Paras Shah, Country Manager, Canada, Software Security Assurance, HP Enterprise Security Products

Rise of the mobile machines
Q4: inflection point, smartphones + tablets > PCs
(Chart: global shipments (MM), 2005 to 2013E, series: desktop PCs, notebook PCs, smartphones, tablets. Source: Morgan Stanley Research)
The evolution of the modern enterprise: 1990s, webpage era; 2000s, Web 2.0; 2010s, mobile era

Smartphones as pocket PCs
Smartphone activities within the past week (excluding calls):
• 81% browsed the internet
• 77% used a search engine
• 68% used an app
• 48% watched videos
Source: The Mobile Movement Study, Google, April 2011

Mobile represents a huge business opportunity
(Chart: "Please select the most important benefit that your organization ultimately expects to gain from current or future mobile solutions deployments (whether or not you are currently receiving those benefits)". N = 600. Source: IDC's mobile enterprise software survey, 2011)
The Swiss army knife of computing • Rolodex • Game console • Camera • Television • Calculator • Laptop • Email • Book • Internet • GPS
A treasure trove of private information
Your smartphone knows you better than you know yourself:
• PINs and passwords
• Contacts
• Call history
• Messages
• Social networking
• Visited web sites
• Mobile banking
• Personal videos
• Family photos
• Documents
… and cyber attackers are after your personal records.

Risks
• Difficult to train and retain staff; very difficult to keep skills up to date
• Constantly changing environment
• New attacks constantly emerge
• Compliance requirements
• Too many tools, with inconsistent results

Threats at all points
• Client
  • Insecure storage of credentials
  • Improper use of configuration files
  • Use of insecure development libraries
  • Poor certificate management
• Network
  • Insecure data transfer during installation or execution of the application
  • Insecure transmission of data across the network
• Server
  • Authentication
  • Session management
  • Cross-site scripting
  • SQL injection
  • Command injection
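The client / network / server split above is also how a static scanner organizes its rules. The following is an added example for this page, not code from the deck and not HP Fortify SCA's engine: a small Python pattern-based checker run over constructed Java snippets. The Android and JDBC API names it matches (MODE_WORLD_READABLE, ALLOW_ALL_HOSTNAME_VERIFIER, checkServerTrusted, rawQuery, executeQuery, prepareStatement) are real; the rule IDs, class names and sample code are made up for illustration.

```python
"""Pattern-based static checks for the client, network and server weaknesses the slide lists.
Added example for this page: not HP Fortify SCA; the Java below is constructed sample input."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    id: str
    tier: str      # client / network / server: the slide's three points of attack
    title: str
    pattern: re.Pattern


# Every pattern names a real Android or JDBC API; the rule set itself is deliberately tiny.
RULES = [
    Rule("CLIENT-001", "client", "world-readable/writable file or preferences (insecure storage)",
         re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)")),
    Rule("CLIENT-002", "client", "hard-coded credential in source",
         re.compile(r'(?i)\b(password|passwd|secret|api[_-]?key)\s*=\s*"[^"]{4,}"')),
    Rule("CLIENT-003", "client", "sensitive value written to the device log",
         re.compile(r"Log\.[dvie]\([^;\n]*\b(?i:password|token|pin)\b")),
    Rule("CLIENT-004", "client", "string-built SQLite query (client-side injection)",
         re.compile(r'\b(rawQuery|execSQL)\(\s*"[^"]*"\s*\+')),
    Rule("NET-001", "network", "hostname verification disabled (poor cert management)",
         re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER")),
    Rule("NET-002", "network", "trust-all TrustManager: empty checkServerTrusted",
         re.compile(r"checkServerTrusted\([^)]*\)\s*\{\s*\}")),
    Rule("NET-003", "network", "cleartext http:// endpoint (insecure transmission)",
         re.compile(r'"http://[^"]+"')),
    Rule("SERVER-001", "server", "string-built JDBC query (SQL injection)",
         re.compile(r'\b(executeQuery|executeUpdate|prepareStatement)\(\s*"[^"]*"\s*\+')),
]


@dataclass(frozen=True)
class Finding:
    rule_id: str
    tier: str
    title: str
    file: str
    line: int


def scan(filename: str, source: str) -> list[Finding]:
    # Match against the whole file (NET-002 may span lines); report the line where each match starts.
    found = []
    for rule in RULES:
        for m in rule.pattern.finditer(source):
            line = source.count("\n", 0, m.start()) + 1
            found.append(Finding(rule.id, rule.tier, rule.title, filename, line))
    return sorted(found, key=lambda f: (f.line, f.rule_id))


def count_by_tier(findings: list[Finding]) -> dict[str, int]:
    counts = {"client": 0, "network": 0, "server": 0}
    for f in findings:
        counts[f.tier] += 1
    return counts


# Constructed sample: a deliberately weak Android client class (not real application code).
CLIENT_SAMPLE = '''\
public class Session {
    private static final String API_KEY = "sk_live_0123456789abcdef";
    private static final String BASE_URL = "http://api.example.com/v1/";
    void remember(Context ctx, String pin) {
        SharedPreferences p = ctx.getSharedPreferences("auth", Context.MODE_WORLD_READABLE);
        p.edit().putString("pin", pin).commit();
        Log.d("Session", "remembered pin=" + pin);
    }
    Cursor lookup(SQLiteDatabase db, String user) {
        return db.rawQuery("SELECT * FROM accounts WHERE owner = '" + user + "'", null);
    }
    void trustEverything(HttpsURLConnection c) {
        c.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    }
    X509TrustManager trustAll = new X509TrustManager() {   // abbreviated: other methods omitted
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    };
}
'''

# Constructed sample: the server side, a concatenated query next to its bound-parameter fix.
SERVER_SAMPLE = '''\
public class AccountServlet extends HttpServlet {   // abbreviated: exception handling omitted
    private Connection conn;
    ResultSet lookupUnsafe(String user) throws SQLException {
        Statement st = conn.createStatement();
        return st.executeQuery("SELECT balance FROM accounts WHERE owner = '" + user + "'");
    }
    ResultSet lookupSafe(String user) throws SQLException {
        PreparedStatement ps = conn.prepareStatement("SELECT balance FROM accounts WHERE owner = ?");
        ps.setString(1, user);
        return ps.executeQuery();
    }
}
'''

if __name__ == "__main__":
    for name, src in [("Session.java", CLIENT_SAMPLE), ("AccountServlet.java", SERVER_SAMPLE)]:
        for f in scan(name, src):
            print(f"{f.file}:{f.line} [{f.rule_id}/{f.tier}] {f.title}")
```

Running it reports seven findings in the client class (four client-tier, three network-tier) and exactly one in the servlet: the concatenated `executeQuery` call. The `lookupSafe` method is the negative case worth keeping in any rule set; the discriminator is the `+` after the string literal, so a bound `?` parameter passes. Regex rules like these are only the first layer of a real assessment: they cannot follow a tainted value through method calls, which is what data-flow analysis in a full static analyzer adds, and they generate both false positives (a harmless `Log.d` mentioning "pin") and false negatives (a concatenated query built on the line before the call).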
Top 10 mobile vulnerabilities by prevalence (chart). Source: HP 2012 Cyber Security Risk Report

Increasing awareness
(Chart: Which of the following technologies have resulted in an increase in IT security management spending at your organization within the past 12 months? Source: IDC Security as a Service Survey, n = 47)
More than 60% of mobile apps have at least one critical vulnerability. IDC Web Conference, 12 April 2012

What is mobile? Devices, connection, servers

Same old client-server model: client (browser), network, server

Mobile application concerns
• Does it work? Does the application function as the business intends? Are all features there and working?
• Does it perform? Will the application perform for all users? Does it meet SLAs in production?
• Is it secure? Is the application securely coded? Has the application been assessed for known threats?

Process integration: integrating security into your established SDLC process
SDLC phases: Plan, Requirements, Architecture & Design, Build, Test, Production
Security foundations for mobile applications:
• Mobile security development standards
• Application-specific threat modeling and analysis
• Mobile secure coding training
• Mobile application security assessment (static, dynamic, server, network, client)
• Mobile secure coding standards wiki
• Mobile firewall
• Threat modeling CBT for developers
• Mobile application security process design
• Mobile risk dictionary
• Static analysis
• Mobile security policies
How you see your world: get sales data, get the username, get the password, edit my account, remember the user, generate reports

How an attacker sees your world: insecure data storage, SQL injection, data leakage, cross-site scripting, sensitive information disclosure, improper session handling, weak server-side controls, client-side injection

Testing solution
• Proactive: test early and often; repeatable and automated
• Breadth: support for multiple platforms
• Depth: research; secure the entire stack (client, server and network); quality analysis
• Compliance: enforce internal and external standards
• Scalability: 10, 100, 1,000
• Cost effective

HP Fortify on Demand
• Simple
  • Launch your application security initiative in under 1 day
  • No hardware or software investments
  • No security experts to hire, train and retain
• Fast
  • Scale to test all applications in your organization
  • 1-day turnaround on application security results
  • Support for thousands of applications for the desktop, mobile or cloud
• Flexible
  • Test any application from anywhere
  • Secure commercial, open source and third-party applications
  • Test applications on-premise or on demand, or both

HP Fortify on Demand at a glance
• Comprehensive and accurate: HP Fortify SCA, HP WebInspect, manual testing
• Powerful remediation: insightful analysis and reports, collaboration module
• Broad support: ABAP, ASP.NET, C#, C/C++, Classic ASP, COBOL, ColdFusion, Flex, Java, JavaScript/AJAX, JSP, Objective-C, PHP, PL/SQL, Python, T-SQL, VB.NET, XML
• Fast and scalable: 1-day static turnaround, virtual scan farm
• Secure: datacenter encryption, third-party reviews
• Breadth of testing: 10,000+ applications; 16 different industries represented; 5 continents; civilian and defense agencies across US government; vendor management and internal management; development teams from 1 to 10,000s

Powerful remediation and guidance
• Insightful dashboard: executive summary, most prevalent vulnerabilities, top 5 applications, heat map, star rating
• Detailed reports: remediation roadmap, detailed vulnerability data, recommendations, line-of-code details
• Collaboration: web-based IDE, IDE plug-in, assign issues to developers