© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Mobile Application Security
Can You Trust Your Mobile Applications?
Paras Shah
Country Manager, Canada
Software Security Assurance
HP Enterprise Security Products
The motivation
Rise of the mobile machines
[Chart: Global Shipments (MM) of Smartphones, Tablets, Desktop PCs and Notebook PCs, 2005 to 2013E. Q4 inflection point: Smartphones + Tablets > PCs. Source: Morgan Stanley Research]
The evolution of the modern enterprise
1990s: Webpage era
2000s: Web 2.0
2010s: Mobile era
The smartphones as pocket PCs
Smartphone activities within the past week (excluding calls):
• 81% browsed the internet
• 77% used a search engine
• 68% used an app
• 48% watched videos
Source: The Mobile Movement Study, Google, April 2011
Mobile represents a huge business opportunity
Please select the most important benefit that your organization ultimately expects to gain from current or future mobile solutions deployments (whether or not you are currently receiving those benefits):
N = 600, Source: IDC’s mobile enterprise software survey, 2011
Provide perception of an advanced company to customers
Speed the sales process
Eliminate paperwork
Enhance portability within the office or work environment
Offer employees more flexibility
Decreased costs
Improve customer service
Provide ease of information access
Improve competitive advantage/market share
Improve field service response time
Increased sales/revenue
Improve/enhance worker productivity
Challenges
The Swiss army knife of computing
Laptop
Rolodex
Game console
Calculator
Camera
Book
Television
Internet
GPS
A treasure trove of private information
Your smartphone knows you better than you know yourself:
• Pins & passwords
• Contacts
• Call history
• Messages
• Social networking
• Visited web sites
• Mobile banking
• Personal videos
• Family photos
• Documents
… and cyber attackers are after your personal records
Risks
• Difficult to train and retain staff; very difficult to keep skills up to date
• Constantly changing environment
• New attacks constantly emerge
• Compliance Requirements
• Too many tools for various results
Threats at all points
Client
• Insecure storage of credentials
• Improper use of configuration files
• Use of insecure development libraries
• Poor certificate management
Server
• Authentication
• Session management
• Cross-site scripting
• SQL injection
• Command injection
Network
• Insecure data transfer during installation or execution of the application
• Insecure transmission of data across the network
Top 10 Mobile by Prevalence
Source: HP 2012 Cyber Security Risk Report
Increasing Awareness
IDC Web Conference, 12 April 2012
Which of the following technologies have resulted in an increase in IT security management spending at your organization within the past 12 months?
• Green IT
• Unified Communications
• VoIP
• Social Networking
• Virtualization
• Mobility
Source: IDC Security as a Service Survey, n = 47
More than 60% of mobile apps have at least one critical vulnerability
Oops!
The solution
What is mobile?
Devices, Connection, Servers
Same old client server model
Client (browser), Network, Server
Mobile application concerns
Does it work?
• Does the application function as the business intends?
• Are all features there and working?
Does it perform?
• Will the application perform for all users?
• Does it meet SLAs in production?
Is it secure?
• Is the application securely coded?
• Has the application been assessed for known threats?
Get over yourself. The testing stick will not work.
Integrating security into your established SDLC process
Process integration
Security Foundations – Mobile Applications
SDLC phases: Plan, Requirements, Architecture & Design, Build, Test, Production
Mobile Security Development Standards
Application Specific Threat Modeling and Analysis
Mobile Secure Coding Training
Mobile Application Security Assessment (Static, Dynamic, Server, Network, Client)
Threat Modeling CBT for Developers
Mobile Secure Coding Standards Wiki
Mobile Risk Dictionary
Mobile Application Security Process Design
Mobile Firewall
Mobile Security Policies
Static Analysis
How you see your world
Get the username
Get the password
Remember the User
Get Sales Data
Edit my account
Generate Reports
How an attacker sees your world
SQL Injection
Cross Site Scripting
Improper Session Handling
Data Leakage
Sensitive Information Disclosure
Weak Server Side Controls
Client Side Injection
Insufficient Data Storage
Get over yourself. You are responsible for security.
Test, test some more and then test again
Testing Solution
1. Proactive – test early and often; repeatable and automated
2. Breadth – support for multiple platforms
3. Depth – research; secure the entire stack (client, server and network); quality analysis
4. Compliance – enforce internal and external standards
5. Scalability – 10, 100, 1,000
6. Cost effective
HP Fortify on Demand
Simple: Launch your application security initiative in <1 day
• No hardware or software investments
• No security experts to hire, train and retain
Fast: Scale to test all applications in your organization
• 1 day turn-around on application security results
• Support 1000s of applications for the desktop, mobile or cloud
Flexible: Test any application from anywhere
• Secure commercial, open source and 3rd party applications
• Test applications on-premise or on demand, or both
HP Fortify on Demand at a glance
Secure
Comprehensive and accurate
Broad support
Fast and scalable
Breadth of testing
Powerful remediation
HP Fortify SCA
HP WebInspect
Manual
Insightful Analysis and Reports
Collaboration Module
Supported languages:
• ABAP
• ASP.NET
• C#
• C/C++
• Classic ASP
• COBOL
• Cold Fusion
• Flex
• JSP
• Java
• JavaScript/AJAX
• PL/SQL
• Objective C
• PHP
• VB.NET
• Python
• T-SQL
• XML
1 Day Static Turnaround
Virtual Scan Farm
Datacenter
Encryption
Third Party Reviews
• 10,000+ applications
• 16 different industries represented
• 5 continents
• Civilian and Defense Agencies across US Government
• Vendor Management and Internal Management
• Development teams from 1 to 10,000s
Powerful remediation and guidance
Insightful Dashboard
• Executive Summary
• Most prevalent vulnerabilities
• Top 5 applications
• Heat Map
Collaboration
• Line of code details (web based IDE, IDE plug-in)
• Assign issues to developers
Detailed Reports
• Star Rating
• Remediation roadmap
• Detailed vulnerability data
• Recommendations
Questions