© 2015 IBM Corporation
Surviving the Mobile Phenomenon:
Shielding Mobile Apps from Critical Vulnerabilities
Jason Hardy, IBM Mobile Security Team
Neil Jones, IBM Application Security Team
Patrick Kehoe, CMO, Arxan
IBM Mobile Security
by 2017
Mobile downloads
will increase to
268 billion
Gartner
by 2016
The number of smartphone
users worldwide will surpass
2 billion
eMarketer
Enterprise mobile trends
“Enterprise mobility will continue to be one of the hottest topics in IT,
and high on the list of priorities for all CIOs.”
Ovum
“IT organizations will dedicate at least 25% of their software budget
to mobile application development, deployment, and management by 2017.”
IDC
387 new threats
every minute or more
than six every second
McAfee
As mobile grows, so do security threats
“With the growing penetration of mobile devices in the enterprise, security testing
and protection of mobile applications and data become mandatory.”
Gartner
“Enterprise mobility… new systems of engagement.
These new systems help firms empower their customers, partners,
and employees with context-aware apps and smart products.”
Forrester
Arxan
Top mobile devices and apps hacked:
97% Android
87% iOS
What concerns does this create for the enterprise?
Source: 2014 Information Security Media Group Survey, “The State of Mobile Security Maturity”
32% are concerned about
fraudulent transactions
Only 18% can detect
malware / jailbreaks
52% worry about
application vulnerabilities
Only 23% have
tamper-proofing capabilities
50% say content and data leakage
are their top security concern
60% use secure containers
for data security
57% say a lost or stolen device
is top concern
60% use passcodes
for device security
MobileFirst
Protect (MaaS360)
AppScan, Arxan, Trusteer Mobile SDK
IBM Mobile Security Framework
AirWatch, MobileIron, Good,
Citrix, Microsoft, Mocana
HP Fortify, Veracode, Proguard CA, Oracle, RSA
•  Manage multi-OS BYOD
environment
•  Mitigate risks of lost and
compromised devices
•  Separate enterprise
and personal data
•  Enforce compliance
with security policies
•  Distribute and control
enterprise apps
•  Build and secure apps
and protect them
“in the wild”
•  Provide secure web,
mobile, API access
and identify device risk
•  Meet authentication
ease-of-use expectation
Extend Security Intelligence
•  Extend security information and event management (SIEM) to mobile platform
•  Incorporate mobile log management, anomaly detection, configuration and vulnerability management
Manage Access
and Fraud
Safeguard
Applications and Data
Secure Content
and Collaboration
Protect
Devices
IBM Mobile Security Portfolio
IBM
Security
Access
Manager
IBM
DataPower
Gateway
IBM
BigFix
IBM
MobileFirst
Platform
IBM
MobileFirst
Protect
MaaS360
IBM
Security
AppScan
Arxan
Application
Protection
for IBM
Solutions
IBM QRadar
Security
Intelligence
Platform
IBM
Security
Trusteer
IBM
Mobile
Security
Services
Extend Security Intelligence
Manage
Access and Fraud
Safeguard
Applications and Data
Secure Content
and Collaboration
Protect
Devices
Safeguarding applications and data
2.2 billion malicious attacks on computers and mobile devices were blocked during Q1 2015
Kaspersky Lab “IT Threat Evolution Report for Q1 of 2015”
75% of all mobile security breaches are through apps
Gartner Press Release, May 2014
Overall mobile app usage grew 76% in 2014
“Shopping, Productivity and Messaging Give Mobile Another Stunning Growth Year”, Flurry Insights, January 2015
On average, a company tests less than half of the mobile apps they build and…
33% never test apps to ensure they are secure
Ponemon The State of Mobile Application Insecurity, February 2015
Where are your “security risks” versus your “spend”?
[Chart: security risk versus application security spending, as percentages (axis 5% to 35%), for the Application, Data, Network, Human, Host and Physical layers. Annotation: Spend ≠ Risk]
Many clients do not prioritize application security in their environments
Source: The State of Risk-Based Security Management, Research Study by Ponemon Institute, 2013
•  Cost of a Data Breach $7.2M
•  80 days to detect
•  More than four months (123 days) to resolve
Find during Development
$80 / defect
Find during Build
$240 / defect
Find during QA/Test
$960 / defect
Find in Production
$7,600 / defect
80% of development costs are spent
identifying and correcting defects!
Source: Ponemon Institute
Source: National Institute of Standards and Technology
Cost of Security Defects
Cost of a data breach
Source: 2014 ‘Cost of Data Breach Study: Global Analysis’, Ponemon Institute
$5.85M average organizational
cost of a data breach in the U.S.
$201 average organizational cost
per compromised record in the U.S.
IBM Application Security Framework
Utilize resources effectively to identify and mitigate risk
Application Security Management
Database
Activity
Monitoring
Web
Application
Firewall
SIEM
Mobile
Application
Protection
Monitor and Protect
Deployed Applications
Static
Analysis
Dynamic
Analysis
Mobile
Application
Analysis
Interactive
Analysis
Intrusion
Prevention
Test
Applications in Development
Business Impact
Assessment
Asset
Inventory
Compliance
Determination
Status and Progress
Measurement
Vulnerability
Prioritization
Mobile Application Security
Application
Protection
Protect
Deployed Applications
Static
Analysis
Dynamic
Analysis
Interactive
Analysis
Test
Applications in Development
IBM Application
Security Analyzer
IBM Security AppScan Source/
MF App Scanning
IBM Security AppScan
Standard
Arxan Application Protection
for IBM Solutions
Test Mobile Apps
for vulnerabilities
Test
Mobile Backend
(Web Services)
for vulnerabilities
Reduce runtime
Tampering for
Mobile App
IBM Application Security on Cloud
Does my Mobile App contain security vulnerabilities?
UPLOAD TEST REMEDIATE
Easy as 1,2,3!
IBM Application Security Analyzer
Free Trial Link: IBM Application Security Analyzer
IBM AppScan Source/MobileFirst Platform
Application Scanning
AppScan Source/MobileFirst Platform Application Scanning identifies security
vulnerabilities in your application source code before deployment
•  Analyze data flow within applications
•  Find vulnerabilities such as Insecure Data, Unintended Data Leakage, etc. (covering all of the OWASP 2014 Top 10 Mobile Risks*)
•  Identify vulnerable lines of code and provide remediation assistance
•  Support native Android (Java), native iOS (Objective-C), Web, and MobileFirst Platform Foundation projects (JavaScript, HTML5, Cordova)
*www.owasp.org/
(Risk #10 through Arxan)
IBM Security AppScan Standard
Arxan Application Protection for IBM
Solutions
Disruption in the Security Landscape
Centralized,
trusted environment
Distributed or untrusted environment “Apps in
the Wild”
•  Web Apps
•  Data Center Apps
Attackers do not have easy access to
application binary
+ Application Security Testing
(“Build it Secure”)
+ Application Self-Protection
(“Keep it Secure”)
•  Mobile Apps
•  Internet of Things
•  Packaged Software
Attackers can easily access and compromise
application binary
Mobile Apps “in the Wild” Are Vulnerable to Attacks
•  Applications can be modified and tampered with
•  Run-time behavior of applications can be altered,
causing unsafe or improper operation
•  Malicious code can be injected or hooked into
applications
Integrity Risk
(Code Modification or
Code Injection
Vulnerabilities)
•  Private and sensitive information can be
exposed, including cryptographic keys that are
used to secure information
•  Applications can be reverse-engineered back to
the source code
•  Code and Intellectual Property (IP) can be
lifted, stolen, reused or repackaged
Confidentiality
Risk
(Reverse Engineering
or
Code Analysis
Vulnerabilities)
Protection is a critical, final step in any secure SDLC
Build It Secure Keep It Secure
Application
Development
Vulnerability
Analysis
& Testing
Application
Protection
Release &
Deployment
IBM MobileFirst
Platform & Native
Build and Manage
Mobile Apps
IBM Security
AppScan Source &
Application Security
Analyzer
Identify
Vulnerabilities
Arxan Application Protection for
IBM Solutions
Defends, Detects, and Reacts
to Attacks
Secure and
Protected
Application
•  Extend security from testing to run-time code protection
•  Mitigate risks comprehensively against hacking attacks and exploits
•  Gain the world’s strongest multi-layer protection (defend, detect, react)
Free of critical
flaws and
vulnerabilities
Protects itself
against attacks
http://www-03.ibm.com/software/products/en/arxan-application-protection
Preventing Reverse Engineering
-- Apply Control Flow Obfuscation
Control Flow Obfuscation
Confuse the Hacker
•  Dummy Code Insertion
•  Instruction Merging
•  Block Shuffling
•  Function Inlining
•  … and More!
Before: Unprotected After: Protected
Preventing Reverse Engineering
-- Other Techniques
•  Method Renaming
•  String Encryption
•  … and More!
String not
found
Where did
it go?
Preventing Tampering and Runtime Attacks
Common Techniques
Jailbreak Detection -- Am I on a jailbroken device?
Checksum -- Has the binary changed?
Method Swizzling Detection -- Is someone hijacking my code?
Debug Detection -- Is a debugger running?
If so, let me know so I can do something about it!
Arxan Application Protection – Defends, Detects, and Reacts
Defend
against compromise
•  Advanced Obfuscation
•  Encryption
•  Pre-Damage
•  Metadata Removal
Detect
attacks at
run time
•  Environmental checks
•  Anti-Debug
•  Jailbreak/Root detection
•  Run time
•  Checksum
•  Resource Verification
•  Swizzling / Hooking
Detection
React
to ward off attacks
•  Repair
•  Custom Reactions
•  Shut Down (Exit, Fail)
•  Alert / Phone Home
Protected App
•  Self-defending
•  Tamper-resistant
•  Hardened against hacking attacks & malware exploits
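The checksum and debug-detection questions on the “Common Techniques” slide, and the detect/react split on the slide above, as an added C example; it is not Arxan or IBM code. The FNV-1a checksum, the `guard_t` layout, the reaction policy and the sample bytes are assumptions made for illustration, and the debugger check reads `TracerPid` from `/proc/self/status`, which exists on Linux and Android only.

```c
/* Added example: a run-time guard in the detect/react style of the slides.
 * Not vendor code; checksum choice, struct layout and policy are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reactions taken from the "React" column: repair, alert, shut down. */
typedef enum { REACT_NONE, REACT_REPAIR, REACT_ALERT, REACT_SHUTDOWN } reaction_t;

/* One guard covers one byte range and remembers its build-time checksum. */
typedef struct {
    uint8_t       *region;    /* protected bytes (stand-in for a code range) */
    size_t         len;
    uint32_t       expected;  /* checksum recorded when the app was built   */
    const uint8_t *pristine;  /* known-good copy used for repair, or NULL   */
} guard_t;

/* "Checksum -- has the binary changed?"  FNV-1a, 32-bit, non-cryptographic. */
uint32_t region_checksum(const uint8_t *p, size_t len) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* Extract TracerPid from the text of /proc/<pid>/status.
 * Returns the tracer's pid, 0 when nothing is attached, -1 if the field is absent. */
long parse_tracer_pid(const char *status) {
    static const char key[] = "TracerPid:";
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, key, sizeof key - 1) == 0)
            return strtol(p + sizeof key - 1, NULL, 10);
        p = strchr(p, '\n');          /* advance to the start of the next line */
        if (p) p++;
    }
    return -1;
}

/* "Debug detection -- is a debugger running?"  Linux/Android only. */
long tracer_pid(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}

/* Detect, then choose a reaction (assumed policy):
 *   tracer attached            -> shut down
 *   checksum matches           -> nothing to do
 *   mismatch, good copy exists -> repair in place
 *   mismatch, no usable copy   -> alert */
reaction_t guard_check(guard_t *g, long tracer) {
    if (tracer > 0) return REACT_SHUTDOWN;
    if (region_checksum(g->region, g->len) == g->expected) return REACT_NONE;
    /* Only restore from a copy that itself still matches the recorded checksum. */
    if (g->pristine && region_checksum(g->pristine, g->len) == g->expected) {
        memcpy(g->region, g->pristine, g->len);
        return REACT_REPAIR;
    }
    return REACT_ALERT;
}

int main(void) {
    /* Constructed sample bytes standing in for a protected code range. */
    uint8_t code[] = { 0x55, 0x48, 0x89, 0xe5, 0x5d, 0xc3 };
    uint8_t good[sizeof code];
    memcpy(good, code, sizeof code);
    guard_t g = { code, sizeof code, region_checksum(code, sizeof code), good };

    printf("clean:    %d\n", (int)guard_check(&g, tracer_pid()));
    code[4] = 0x90;                   /* simulate a one-byte modification */
    printf("patched:  %d\n", (int)guard_check(&g, tracer_pid()));
    g.pristine = NULL;                /* no repair copy available */
    code[0] = 0xcc;
    printf("no copy:  %d\n", (int)guard_check(&g, tracer_pid()));
    return 0;
}
```

A single guard like this is itself a byte range that can be modified, which is why the slides pair detection with obfuscation and describe the protection as multi-layer.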
Arxan Security is Applied at the Compile Stage --
Security is “Built-In” the App so It is Protected Everywhere
Additional Resources
•  Blog: 10 Convenient Ways to Increase Your Mobile Application Security Knowledge
•  Blog: Another 10 Convenient Ways to Increase Your Mobile Application Security Knowledge
•  IBM/Arxan White Paper: Securing Mobile Applications in the Wild with Application Hardening and Run-Time Protection
•  IBM White Paper: Securing the Mobile Enterprise with IBM Security Solutions
Q&A Session
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any
kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor
shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use
of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or
capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product
or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or
both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on
others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM
systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other
systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE
IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU
www.ibm.com/security
Information concerning non-IBM products was obtained from the suppliers of those
products, their published announcements or other publicly available sources. IBM has not
tested those products in connection with this publication and cannot confirm the accuracy
of performance, compatibility or any other claims related to non-IBM products. Questions
on the capabilities of non-IBM products should be addressed to the suppliers of those
products. IBM does not warrant the quality of any third-party products, or the ability of
any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY
DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant
any right or license under any IBM patents, copyrights, trademarks or other intellectual
property right.
Other company, product, or service names may be trademarks or service marks of others.
A current list of IBM trademarks is available at “Copyright and trademark information”
www.ibm.com/legal/copytrade.shtml
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this
document may be reproduced or transmitted in any form without written permission from
IBM.
U.S. Government Users Restricted Rights – Use, duplication or disclosure restricted by
GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not
yet been announced by IBM) has been reviewed for accuracy as of the date of initial
publication and could include unintentional technical or typographical errors. IBM shall
have no responsibility to update this information. THIS document is distributed "AS IS"
without any warranty, either express or implied. In no event shall IBM be liable for any
damage arising from the use of this information, including but not limited to, loss of data,
business interruption, loss of profit or loss of opportunity.
IBM products and services are warranted according to the terms and conditions of the
agreements under which they are provided.
Any statements regarding IBM’s future direction, intent or product plans are subject to
change or withdrawal without notice. Performance data contained herein was generally
obtained in a controlled, isolated environments. Customer examples are presented as
illustrations of how those customers have used IBM products and the results they may
have achieved. Actual performance, cost, savings or other results in other operating
environments may vary. References in this document to IBM products, programs, or
services does not imply that IBM intends to make such products, programs or services
available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent
session speakers, and do not necessarily reflect the views of IBM. All materials and
discussions are provided for informational purposes only, and are neither intended to, nor
shall constitute legal or other guidance or advice to any individual participant or their
specific situation.
It is the customer’s responsibility to insure its own compliance with legal requirements and
to obtain advice of competent legal counsel as to the identification and interpretation of
any relevant laws and regulatory requirements that may affect the customer’s business
and any actions the customer may need to take to comply with such laws. IBM does not
provide legal advice or represent or warrant that its services or products will ensure that
the customer is in compliance with any law.
Legal notices and disclaimers

Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 

Surviving the Mobile Phenomenon: Shielding Mobile Apps from Critical Vulnerabilities

  • 1. © 2015 IBM Corporation Surviving the Mobile Phenomenon: Shielding Mobile Apps from Critical Vulnerabilities Jason Hardy, IBM Mobile Security Team Neil Jones, IBM Application Security Team Patrick Kehoe, CMO, Arxan IBM Mobile Security
  • 2. Enterprise mobile trends: By 2017, mobile downloads will increase to 268 billion (Gartner). By 2016, the number of smartphone users worldwide will surpass 2 billion (eMarketer). “Enterprise mobility will continue to be one of the hottest topics in IT, and high on the list of priorities for all CIOs.” (Ovum) “IT organizations will dedicate at least 25% of their software budget to mobile application development, deployment, and management by 2017.” (IDC)
  • 3. As mobile grows, so do security threats: 387 new threats every minute, or more than six every second (McAfee). Top mobile devices and apps hacked: 97% Android, 87% iOS (Arxan). “With the growing penetration of mobile devices in the enterprise, security testing and protection of mobile applications and data become mandatory.” (Gartner) “Enterprise mobility… new systems of engagement. These new systems help firms empower their customers, partners, and employees with context-aware apps and smart products.” (Forrester)
  • 4. What concerns does this create for the enterprise? 32% are concerned about fraudulent transactions; only 18% can detect malware / jailbreaks. 52% worry about application vulnerabilities; only 23% have tamper-proofing capabilities. 50% say content and data leakage are their top security concern; 60% use secure containers for data security. 57% say a lost or stolen device is top concern; 60% use passcodes for device security. Source: 2014 Information Security Media Group Survey, “The State of Mobile Security Maturity”
  • 5. IBM Mobile Security Framework. MobileFirst Protect (MaaS360); AppScan, Arxan, Trusteer Mobile SDK; AirWatch, MobileIron, Good, Citrix, Microsoft, Mocana; HP Fortify, Veracode, Proguard; CA, Oracle, RSA. Manage multi-OS BYOD environment; Mitigate risks of lost and compromised devices; Separate enterprise and personal data; Enforce compliance with security policies; Distribute and control enterprise apps; Build and secure apps and protect them “in the wild”; Provide secure web, mobile, API access and identify device risk; Meet authentication ease-of-use expectation. Extend Security Intelligence: Extend security information and event management (SIEM) to mobile platform; Incorporate mobile log management, anomaly detection, configuration and vulnerability management. Manage Access and Fraud; Safeguard Applications and Data; Secure Content and Collaboration; Protect Devices.
  • 6. IBM Mobile Security Portfolio: IBM Security Access Manager; IBM DataPower Gateway; IBM BigFix; IBM MobileFirst Platform; IBM MobileFirst Protect MaaS360; IBM Security AppScan; Arxan Application Protection for IBM Solutions; IBM QRadar Security Intelligence Platform; IBM Security Trusteer; IBM Mobile Security Services
  • 7. Safeguarding applications and data (Extend Security Intelligence; Manage Access and Fraud; Safeguard Applications and Data; Secure Content and Collaboration; Protect Devices). 2.2 billion malicious attacks on computers and mobile devices were blocked during Q1 2015 (Kaspersky Lab, “IT Threat Evolution Report for Q1 of 2015”). 75% of all mobile security breaches are through apps (Gartner Press Release, May 2014). Overall mobile app usage grew 76% in 2014 (“Shopping, Productivity and Messaging Give Mobile Another Stunning Growth Year”, Flurry Insights, January 2015). On average, a company tests less than half of the mobile apps they build and… 33% never test apps to ensure they are secure (Ponemon, The State of Mobile Application Insecurity, February 2015).
  • 8. Where are your “security risks” versus your “spend”? Spend ≠ Risk. [Chart: security risk versus application security spending, on a scale from 5% to 35%, across the Application, Data, Network, Human, Host and Physical layers.] Many clients do not prioritize application security in their environments. Source: The State of Risk-Based Security Management, Research Study by Ponemon Institute, 2013
  • 9. Cost of Security Defects. Cost of a data breach: $7.2M; 80 days to detect; more than four months (123 days) to resolve. Find during Development: $80 / defect; Find during Build: $240 / defect; Find during QA/Test: $960 / defect; Find in Production: $7,600 / defect. 80% of development costs are spent identifying and correcting defects! Sources: Ponemon Institute; National Institute of Standards and Technology
  • 10. Cost of a data breach: $5.85M average organizational cost of a data breach in the U.S.; $201 average organizational cost per compromised record in the U.S. Source: 2014 ‘Cost of Data Breach Study: Global Analysis’, Ponemon Institute
  • 11. IBM Application Security Framework: Utilize resources effectively to identify and mitigate risk. Application Security Management; Database Activity Monitoring; Web Application Firewall; SIEM; Mobile Application Protection; Monitor and Protect Deployed Applications; Static Analysis; Dynamic Analysis; Mobile Application Analysis; Interactive Analysis; Intrusion Prevention; Test Applications in Development; Business Impact Assessment; Asset Inventory; Compliance Determination; Status and Progress Measurement; Vulnerability Prioritization
  • 12. Mobile Application Security. Application Protection; Protect Deployed Applications; Static Analysis; Dynamic Analysis; Interactive Analysis; Test Applications in Development; IBM Application Security Analyzer; IBM Security AppScan Source/ MF App Scanning; IBM Security AppScan Standard; Arxan Application Protection for IBM Solutions; Test Mobile Apps for vulnerabilities; Test Mobile Backend (Web Services) for vulnerabilities; Reduce runtime Tampering for Mobile App
  • 13. IBM Application Security on Cloud
  • 14. Does my Mobile App contain security vulnerabilities? UPLOAD, TEST, REMEDIATE: Easy as 1,2,3! IBM Application Security Analyzer. Free Trial Link: IBM Application Security Analyzer
  • 15. IBM Application Security Analyzer
  • 16. IBM Application Security Analyzer
  • 17. IBM AppScan Source/MobileFirst Platform Application Scanning
  • 18. AppScan Source/MobileFirst Platform Application Scanning: identify security vulnerabilities in your application source code before deployment. Analyze data flow within applications; Find vulnerabilities such as Insecure Data, Unintended Data Leakage, etc. (covering all of the OWASP 2014 Top 10 Mobile Risks*); Identify vulnerable lines of code and provide remediation assistance; Support native Android (Java), native iOS (Objective-C), Web, and MobileFirst Platform Foundation projects (JavaScript, HTML5, Cordova). *www.owasp.org/ (Risk #10 through Arxan)
  • 19. IBM Security AppScan Standard
  • 20. IBM Security AppScan Standard
  • 21. Arxan Application Protection for IBM Solutions
  • 22. Disruption in the Security Landscape. Centralized, trusted environment: Web Apps; Data Center Apps. Attackers do not have easy access to application binary. Distributed or untrusted environment (“Apps in the Wild”): Mobile Apps; Internet of Things; Packaged Software. Attackers can easily access and compromise application binary. + Application Security Testing (“Build it Secure”) + Application Self-Protection (“Keep it Secure”)
  • 23. Mobile Apps “in the Wild” Are Vulnerable to Attacks. Integrity Risk (Code Modification or Code Injection Vulnerabilities): Applications can be modified and tampered with; Run-time behavior of applications can be altered, causing unsafe or improper operation; Malicious code can be injected or hooked into applications. Confidentiality Risk (Reverse Engineering or Code Analysis Vulnerabilities): Private and sensitive information can be exposed, including cryptographic keys that are used to secure information; Applications can be reverse-engineered back to the source code; Code and Intellectual Property (IP) can be lifted, stolen, reused or repackaged.
  • 24. Protection is a critical, final step in any secure SDLC. Build It Secure; Keep It Secure. Application Development; Vulnerability Analysis & Testing; Application Protection; Release & Deployment. IBM MobileFirst Platform & Native: Build and Manage Mobile Apps. IBM Security AppScan Source & Application Security Analyzer: Identify Vulnerabilities. Arxan Application Protection for IBM Solutions: Defends, Detects, and Reacts to Attacks. Secure and Protected Application. Extend security from testing to run-time code protection; Mitigate risks comprehensively against hacking attacks and exploits; Gain the world’s strongest multi-layer protection (defend, detect, react). Free of critical flaws and vulnerabilities; Protects itself against attacks. http://www-03.ibm.com/software/products/en/arxan-application-protection
  • 25. Preventing Reverse Engineering -- Apply Control Flow Obfuscation. Control Flow Obfuscation (Confuse the Hacker): Dummy Code Insertion; Instruction Merging; Block Shuffling; Function Inlining; … and More! [Figure: Before: Unprotected; After: Protected]
  • 26. Preventing Reverse Engineering -- Other Techniques: Method Renaming; String Encryption; … and More! [Figure: String not found. Where did it go?]
  • 27. Preventing Tampering and Runtime Attacks: Common Techniques. Jailbreak Detection -- Am I on a jailbroken device? Checksum -- Has the binary changed? If so, let me know so I can do something about it! Method Swizzling Detection -- Is someone hijacking my code? Debug Detection -- Is a debugger running?
  • 28. Arxan Application Protection – Defends, Detects, and Reacts. Defend against compromise: Advanced Obfuscation; Encryption; Pre-Damage; Metadata Removal. Detect attacks at run time: Environmental checks; Anti-Debug; Jailbreak/Root detection; Run time; Checksum; Resource Verification; Swizzling / Hooking Detection. React to ward off attacks: Repair; Custom Reactions; Shut Down (Exit, Fail); Alert / Phone Home. Protected App: Self-defending; Tamper-resistant; Hardened against hacking attacks & malware exploits.
  • 29. Arxan Security is Applied at the Compile Stage -- Security is “Built-In” the App so It is Protected Everywhere
  • 30. Additional Resources. Blog: 10 Convenient Ways to Increase Your Mobile Application Security Knowledge; Blog: Another 10 Convenient Ways to Increase Your Mobile Application Security Knowledge; IBM/Arxan White Paper: Securing Mobile Applications in the Wild with Application Hardening and Run-Time Protection; IBM White Paper: Securing the Mobile Enterprise with IBM Security Solutions
  • 31. Q&A Session
  • 32. © Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. 
IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. THANK YOU www.ibm.com/security
  • 33. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right. Other company, product, or service names may be trademarks or service marks of others. A current list of IBM trademarks is available at “Copyright and trademark information” www.ibm.com/legal/copytrade.shtml Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM. U.S. Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM. Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS document is distributed "AS IS" without any warranty, either express or implied. 
In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided. Any statements regarding IBM’s future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation. It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law. Legal notices and disclaimers