SlideShare a Scribd company logo

Sql securitytesting

Download as PPT, PDF
Thilak Pathirage -Senior IT Gov and Risk Consultant
Thilak Pathirage -Senior IT Gov and Risk Consultant

This document discusses security testing for mobile and web applications. It covers security risks for Android apps, including actions malicious apps could take like gaining ungranted permissions or spreading automatically. It also discusses Android OS security features and how mobile app permissions work. Other topics include signed apps/app stores, problems with permissions, an example attack exploiting browser vulnerabilities, and designing apps with security best practices like least privilege and input sanitization in mind. The document concludes with discussions of security for mobile apps that interface with web apps and the importance of using secure protocols like HTTPS for web traffic.

Technology
1 of 36
CSE 403 Lecture 20 Security Testing for Mobile and Web Apps Reading: Android Apps Security, Ch. 2-3 (Gunasekara) How to Break Web Software, Ch. 2-5 (Andrews/Whittaker) slides created by Marty Stepp http://www.cs.washington.edu/403/
2 Android security risks • What are some security risks you can think of that can affect an Android phone? – What are actions a malicious app could take? • Examples: – uses a bug or security vulnerability to gain ungranted permissions – shows the user unsolicited messages (especially commercial) – resists (or attempts to resist) the user's effort to uninstall it – attempts to automatically spread itself to other devices – hides its files and/or processes – discloses the user's private information to a third party w/o consent – destroys the user's data (or the device itself) without w/o consent – impersonates the user (such as by sending email or buying things) – drains the phone's battery, data bytes/minutes, SMS/MMS remaining – otherwise degrades the user's experience with the device
3 Android OS security • The Android operating system provides security: – Unix-based file/directory permission model – process memory isolation and memory protection – filesystem encryption – per-app access to hardware devices – per-app restrictions on memory/CPU usage, other resources • network/data connection • camera • location (GPS) data • bluetooth • SMS/MMS • ... – DRM framework
4 Mobile app permissions • Apps must declare which permissions they need – e.g. use internet; write to local files; look at contacts; use Bluetooth; access GPS location; send SMS – user must manually give permission for actions • Fine-grained access control in Manifest XML file – File/URL-specific permissions <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.android.app.myapp" > <uses-permission android:name="android.permission.RECEIVE_SMS" /> ... </manifest>
5 Signed apps/stores • signed apps: Coded with a private developer key – On Android / iPhone, apps must be signed in market – manual approval reduces chance of rogue apps – any app bought in official App Store / Market is generally thought of as having being audited • Is this true for Apple store apps? • Is this true for Google Play Market apps? • App store users can rate the apps and comment – Do you feel that an app is more likely to be secure: • If it is from a publisher/company you already know? • If a friend of yours has it installed? • If it costs money?
6 Problems with Android • Apps can ask for too many permissions. – Users don't really understand permissions. – Users are overwhelmed and just click "Yes" – Now the app can do almost anything. • Updates to an app can change its permissions. – example: recent Facebook app update – Users often click "Yes" if they already trust the app. – "privilege escalation" • Spammy apps – resist attempts to uninstall – show ads that are like system/OS UI
7 Example attack • Android 2.2 / 2.3 had vulnerabilities. – Browser could download a HTML page. – The page contains JS code. – The JS code can self-execute later in a "local" context. – This has higher permissions and can modify the local file system. • App ABC stores sensitive data on the local file system. – The data is financially important. – It is saved as a file in plain-text. – The above malicious browser JS code can read and access it.
Designing for security
9 Methods of security • Security through obscurity: Relying on the fact that attackers don't know something needed to harm you. – Example: "If an attacker pointed their browser to http://foo.com/passwords.txt, they'd get our passwords. But nobody knows that file is there, so we are safe." – Example: "Our app saves its sensitive user data using SQLite which ends up as a file on the local file system." – Example: "Our authentication database goes down for 2 minutes every night at 4am. During that time any user can log in without restrictions. But no one knows this, and the odds of a login at that time are miniscule."
10 Secure authentication • Force users to log in to your system before performing sensitive operations • Use secure protocols (https, etc.) to prevent sniffing – Some sites use HTTPS only for login page, then switch back to regular HTTP for future page views. Is this bad? • Force users to use strong passwords – not "password", or "abc", or same as their user name, etc.
11 Principle of least privilege • principle of least privilege: Granting just enough authority to get the job done (no more!). – Examples: • Code should not "run as root" or as a highly privileged user unless absolutely necessary. • A web server should only be given access to the set of HTML files that the web server is supposed to serve. – Turn off unnecessary services on your server • disable SSH, VNC, sendmail, etc. • close all ports except 80, and any others needed for web traffic
12 Sanitizing inputs • sanitizing inputs: Encoding and filtering untrusted user input before accepting it into a trusted system. – Ensure that accepted data is the right type, format, length... – Disallow entry of bad data into a graphical form. – Remove any SQL code from submitted user names. – Encode/sanitize input text that is displayed back to the user.
13 Verifying that code is secure • Before code is written: – considering security in the design process • As code is being written: – code reviews – code security audits – pair programming • After code has been written: – walkthroughs – system security audits – system/functional security testing – penetration tests
14 Security audits • security audit: A series of checks and questions to assess the security of your system. – can be done by an internal or external auditor – best if done as a process, not an individual event • penetration test: Targeted white-hat attempt to compromise your system's security. • risk analysis: Assessment of relative risks of what can go wrong when security is compromised.
15 Security audit questions • Does your system require secure authentication with passwords? • Are passwords difficult to crack? • Are there access control lists (ACLs) in place on network devices? • Are there audit logs to record who accesses data? • Are the audit logs reviewed? • Are your OS security settings up to accepted industry levels? • Have all unnecessary applications and services been eliminated? • Are all operating systems and applications patched to current levels? • How is backup media stored? Who has access to it? Is it up-to-date? • Is there a disaster recovery plan? Has it ever been rehearsed? • Are there good cryptographic tools in place to govern data encryption? • Have custom-built applications been written with security in mind? • How have these custom applications been tested for security flaws? • How are configuration and code changes documented at every level? How are these records reviewed and who conducts the review?
16 Data classification • data classification table: For each kind of data your app saves/uses, ask yourself: – Is this information personal or sensitive in nature? – What does my app do with this information? – Where and in what format is it saved? – Is it sent over the network? – (for all above) Does it need to be? Can I reduce my use?
17 Data storage location • Where is your app storing its data, and why? Is it secure?
18 Encryption • You can easily encrypt data in Android just before/after saving it to the device's SD card or local database. private static byte[] encrypt(byte[] key, byte[] data) { SecretKeySpec sKeySpec = new SecretKeySpec(key, "AES"); Cipher cipher; byte[] ciphertext = null; try { cipher = Cipher.getInstance("AES"); cipher.init(Cipher.ENCRYPT_MODE, sKeySpec); ciphertext = cipher.doFinal(data); } catch (NoSuchAlgorithmException e) { Log.e(TAG, "NoSuchAlgorithmException"); } catch (InvalidKeyException e) { Log.e(TAG, "InvalidKeyException"); } catch (Exception e) { Log.e(TAG, "Exception"); } return ciphertext; }
19 Mobile+web apps • OWASP Top 10 issues for mobile apps that talk to web apps: – Identify and protect sensitive data on the mobile device. – Handle password credentials securely on the device. – Ensure that sensitive data is protected in transit. – Implement user authentication and session management correctly. – Keep the back-end APIs (services) and the platform (server) secure. – Perform data integration with third party services/apps securely. – Pay specific attention to the collection and storage of consent for the collection and use of the user’s data. – Implement controls to prevent unauthorized access to paid-for resources (e.g., wallet, SMS, and phone calls). – Ensure secure distribution/provisioning of mobile applications. – Carefully check any runtime interpretation of code for errors.
20 Secure web (HTTPS) • man-in-the-middle attack: – unauthorized third party can hear web traffic on its hops between client and server • For security, all web traffic in your app should use HTTPS secure protocol. – built on Secure Socket Layer (SSL)
Web security
22 Denial-of-Service (DoS) • Denial of Service (DoS) attack: Attacker causes web server to be unavailable. • How attack is performed: – Attacker frequently requests many pages from your web site. • distributed DoS (DDoS): DoS using lots of computers – Your server cannot handle this many requests at a time, so it turns into a smoldering pile of goo (or just becomes very slow). • Problems that this attack can cause: – Users cannot get to your site. – Online store's server crashes -> store loses potential revenue. – Server may crash and lose or corrupt important data. – All the bandwidth used by the DoSers may cost you $$$.
23 Packet sniffing • packet sniffing: Listening to traffic sent on a network. – Many internet protocols (http, aim, email) are unsecure. – If an attacker is on the same local network (LAN) as you, he can: • read your email/IMs as you send them • see what web sites you are viewing • grab your password as it's being sent to the server • solutions: – Use secure protocols (ssh, https) – Encryption – Don't let creeps on your LAN/wifi
24 Password cracking • password cracking: Guessing the passwords of privileged users of your system. • How attack is performed: – brute force attack: Attacker uses software that sequentially tries every possible password. – dictionary attack: Attacker uses software that sequentially tries passwords based on words in a dictionary. • every word in the dictionary • combinations of words, numbers, etc. • What you can do about it: – Force users to have secure passwords. – Block an IP address from logging in after N failed attempts.
25 Phishing/social engineering • phishing: Masqueraded mails or web sites. – social engineering: Attempts to manipulate users, such as fraudulently acquiring passwords or credit card numbers. • Problems: – If trusted users of your system are tricked into giving out their personal information, attackers can use this to log in as those users and compromise your system.
26 Privilege escalation • privilege escalation: Attacker becomes able to run code on your server as a privileged user. – Example: Perhaps normal users aren't able to directly query your database. But an attacker may find a flaw in your security letting him run as an administrator and perform the query. – Once you're running as root, You own the server. You can do anything you want!
27 Cross-site scripting (XSS) • cross-site scripting: Causing one person's script code to be executed when a user browses to another site. – Example: Visit google.com, but evil.com's JavaScript runs. • How attack is performed: – Attacker finds unsecure code on target site. – Attacker uses hole to inject JavaScript into the page. – User visits page, sees malicious script code.
28 SQL Injection • SQL injection: Causing undesired SQL queries to be run on your database. – Often caused when untrusted input is pasted into a SQL query PHP: "SELECT * FROM Users WHERE name='$name';"; – specify a user name of: x' OR 'a'='a SELECT * FROM Users WHERE name='x' OR 'a'='a';
Thinking like an attacker: Finding vulnerabilities
30 Panning for gold • View Source, and look for: – HTML comments – script code – other sensitive information in code: IP/email addresses, SQL queries, hidden fields,... – watch HTTP requests/responses • look for hidden pages, files, parameters to target – error messages sent to your browser by app • 200: OK 400: Invalid request • 403: Forbidden 404: File not found • 500: Internal server error
31 Input forms • Forms let users pass parameters to the web server. • Parameters are passed using GET or POST requests. – GET: parameters are contained in the request URL. http://www.google.com?q=Stephen+Colbert&lang=en – POST: parameters are contained in the HTTP packet header. • harder for the user to see, but no more secure than GET • Forms provide a rich attack ground...
32 Form validation • validation: Examining form parameters to make sure they are acceptable before/as they are submitted. – nonempty, alphabetical, numeric, length, ... – client-side: HTML/JS checks values before request is sent. – server-side: JSP/Ruby/PHP/etc. checks values received. • Some validation is performed by restricting the user's choices. – select boxes – input text boxes with maxlength attribute – key event listeners that erase certain key presses
33 User input attacks • Bypassing client-side input restrictions and validation – maxlength limits on an input text field – choices not listed in a select box – hidden input fields – modifying or disabling client-side JavaScript validation code
34 Guessing files/directories • security through obscurity: Many reachable files/resources are hidden only by the fact that there is no link to them. • Try common file/folder/commands to see what happens: – /etc/passwd , /etc/shadow , cat, ls, grep – guess file names based on others • page11.php --> page12.php • loginfailure.jsp --> loginsuccess.jsp • accounts/fred.html --> accounts/sue.html – brute force / web spiders – port scanners
35 Other attacks • Attacking GET parameters • Attacking hidden input fields • Attacking cookies • Cross-site request forgery (CSRF) • ...
36 Web attack exercise • We are taking CSE 144, which uses an online turnin system. – We want to hack it because we are evil. • Our goals: – We want to cheat on Homework Assignment 7, Song.java. We want to find a way to submit a perfect working solution without doing any real work. – We got a low grade on a past assignment, so if possible, we want to set our past grades to be higher than they are now. – Our enemy is fellow classmate Felix Chu. We want to find out his personal information (password, email, student ID, grade, etc.). – We don't like the course instructor, Marty Stepp. We want to make the turnin page print an embarrassing message about him.

Recommended

2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization
2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization
2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your OrganizationRaffa Learning Community
 
BlockChain Enabled-Cloud Delivered For Network Secuirty
BlockChain Enabled-Cloud Delivered For Network SecuirtyBlockChain Enabled-Cloud Delivered For Network Secuirty
BlockChain Enabled-Cloud Delivered For Network SecuirtyHappiest Minds Technologies
 
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)Happiest Minds Technologies
 
Enterprise Digital Assistants: How they can support you in your Credit, Colle...
Enterprise Digital Assistants: How they can support you in your Credit, Colle...Enterprise Digital Assistants: How they can support you in your Credit, Colle...
Enterprise Digital Assistants: How they can support you in your Credit, Colle...emagia
 
Happiest Minds
Happiest MindsHappiest Minds
Happiest MindsFMA Summits
 
Mobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistMobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistJignesh Solanki
 
Securing Sensitive Data in Your Hybrid Cloud
Securing Sensitive Data in Your Hybrid CloudSecuring Sensitive Data in Your Hybrid Cloud
Securing Sensitive Data in Your Hybrid CloudRightScale
 
SECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKESSECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKESHappiest Minds Technologies
 

Recommended

2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization
2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization
2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your OrganizationRaffa Learning Community
 
BlockChain Enabled-Cloud Delivered For Network Secuirty
BlockChain Enabled-Cloud Delivered For Network SecuirtyBlockChain Enabled-Cloud Delivered For Network Secuirty
BlockChain Enabled-Cloud Delivered For Network SecuirtyHappiest Minds Technologies
 
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)Happiest Minds Technologies
 
Enterprise Digital Assistants: How they can support you in your Credit, Colle...
Enterprise Digital Assistants: How they can support you in your Credit, Colle...Enterprise Digital Assistants: How they can support you in your Credit, Colle...
Enterprise Digital Assistants: How they can support you in your Credit, Colle...emagia
 
Happiest Minds
Happiest MindsHappiest Minds
Happiest MindsFMA Summits
 
Mobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistMobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistJignesh Solanki
 
Securing Sensitive Data in Your Hybrid Cloud
Securing Sensitive Data in Your Hybrid CloudSecuring Sensitive Data in Your Hybrid Cloud
Securing Sensitive Data in Your Hybrid CloudRightScale
 
SECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKESSECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKESHappiest Minds Technologies
 
Securing Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid CloudsSecuring Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid CloudsRightScale
 
Best-Practices-Web-Usability
Best-Practices-Web-UsabilityBest-Practices-Web-Usability
Best-Practices-Web-UsabilityLarry Wilson
 
Data loss prevention by using MRSH-v2 algorithm
Data loss prevention by using MRSH-v2 algorithm Data loss prevention by using MRSH-v2 algorithm
Data loss prevention by using MRSH-v2 algorithm IJECEIAES
 
Mindtree distributed agile journey and guiding principles
Mindtree distributed agile journey and guiding principlesMindtree distributed agile journey and guiding principles
Mindtree distributed agile journey and guiding principlesMindtree Ltd.
 
Security as a Service with Microsoft Presented by Razor Technology
Security as a Service with Microsoft Presented by Razor TechnologySecurity as a Service with Microsoft Presented by Razor Technology
Security as a Service with Microsoft Presented by Razor TechnologyDavid J Rosenthal
 
SaaS (Software-as-a-Service) as-a-secure-service
SaaS (Software-as-a-Service) as-a-secure-serviceSaaS (Software-as-a-Service) as-a-secure-service
SaaS (Software-as-a-Service) as-a-secure-serviceTayyaba Farhat
 
Unlock the full potential of IoT
Unlock the full potential of IoT Unlock the full potential of IoT
Unlock the full potential of IoT Happiest Minds Technologies
 
The security of SAAS and private cloud
The security of SAAS and private cloudThe security of SAAS and private cloud
The security of SAAS and private cloudAzure Group
 
Risk based it auditing for non it auditors (basics of it auditing) final 12
Risk based it auditing for non it auditors (basics of it auditing) final 12Risk based it auditing for non it auditors (basics of it auditing) final 12
Risk based it auditing for non it auditors (basics of it auditing) final 12Thilak Pathirage -Senior IT Gov and Risk Consultant
 
Intel SaaS Security Playbook
Intel SaaS Security PlaybookIntel SaaS Security Playbook
Intel SaaS Security PlaybookIntel IT Center
 
Msft cloud architecture_security_commonattacks
Msft cloud architecture_security_commonattacksMsft cloud architecture_security_commonattacks
Msft cloud architecture_security_commonattacksAkram Qureshi
 
Implementing zero trust architecture in azure hybrid cloud
Implementing zero trust architecture in azure hybrid cloudImplementing zero trust architecture in azure hybrid cloud
Implementing zero trust architecture in azure hybrid cloudAjit Bhingarkar
 
User Behavior based Anomaly Detection for Cyber Network Security
User Behavior based Anomaly Detection for Cyber Network SecurityUser Behavior based Anomaly Detection for Cyber Network Security
User Behavior based Anomaly Detection for Cyber Network SecurityHappiest Minds Technologies
 
Lisa Guess - Embracing the Cloud
Lisa Guess - Embracing the CloudLisa Guess - Embracing the Cloud
Lisa Guess - Embracing the Cloudcentralohioissa
 
Hipaa Compliance With IT
Hipaa Compliance With ITHipaa Compliance With IT
Hipaa Compliance With ITNainil Chheda
 
Mindtree agile offering.
Mindtree agile offering.Mindtree agile offering.
Mindtree agile offering.Mindtree Ltd.
 
Security concerns with SaaS layer of cloud computing
Security concerns with SaaS layer of cloud computingSecurity concerns with SaaS layer of cloud computing
Security concerns with SaaS layer of cloud computingClinton DSouza
 
Cloud Security Governance
Cloud Security GovernanceCloud Security Governance
Cloud Security GovernanceShankar Subramaniyan
 
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORKZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORKMaganathin Veeraragaloo
 
IT Security As A Service
IT Security As A ServiceIT Security As A Service
IT Security As A ServiceMichael Davis
 
Security Testing
Security TestingSecurity Testing
Security TestingISsoft
 
CNIT 128 8: Mobile development security
CNIT 128 8: Mobile development securityCNIT 128 8: Mobile development security
CNIT 128 8: Mobile development securitySam Bowne
 

More Related Content

What's hot

Securing Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid CloudsSecuring Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid CloudsRightScale
 
Best-Practices-Web-Usability
Best-Practices-Web-UsabilityBest-Practices-Web-Usability
Best-Practices-Web-UsabilityLarry Wilson
 
Data loss prevention by using MRSH-v2 algorithm
Data loss prevention by using MRSH-v2 algorithm Data loss prevention by using MRSH-v2 algorithm
Data loss prevention by using MRSH-v2 algorithm IJECEIAES
 
Mindtree distributed agile journey and guiding principles
Mindtree distributed agile journey and guiding principlesMindtree distributed agile journey and guiding principles
Mindtree distributed agile journey and guiding principlesMindtree Ltd.
 
Security as a Service with Microsoft Presented by Razor Technology
Security as a Service with Microsoft Presented by Razor TechnologySecurity as a Service with Microsoft Presented by Razor Technology
Security as a Service with Microsoft Presented by Razor TechnologyDavid J Rosenthal
 
SaaS (Software-as-a-Service) as-a-secure-service
SaaS (Software-as-a-Service) as-a-secure-serviceSaaS (Software-as-a-Service) as-a-secure-service
SaaS (Software-as-a-Service) as-a-secure-serviceTayyaba Farhat
 
The security of SAAS and private cloud
The security of SAAS and private cloudThe security of SAAS and private cloud
The security of SAAS and private cloudAzure Group
 
Intel SaaS Security Playbook
Intel SaaS Security PlaybookIntel SaaS Security Playbook
Intel SaaS Security PlaybookIntel IT Center
 
Msft cloud architecture_security_commonattacks
Msft cloud architecture_security_commonattacksMsft cloud architecture_security_commonattacks
Msft cloud architecture_security_commonattacksAkram Qureshi
 
Implementing zero trust architecture in azure hybrid cloud
Implementing zero trust architecture in azure hybrid cloudImplementing zero trust architecture in azure hybrid cloud
Implementing zero trust architecture in azure hybrid cloudAjit Bhingarkar
 
User Behavior based Anomaly Detection for Cyber Network Security
User Behavior based Anomaly Detection for Cyber Network SecurityUser Behavior based Anomaly Detection for Cyber Network Security
User Behavior based Anomaly Detection for Cyber Network SecurityHappiest Minds Technologies
 
Lisa Guess - Embracing the Cloud
Lisa Guess - Embracing the CloudLisa Guess - Embracing the Cloud
Lisa Guess - Embracing the Cloudcentralohioissa
 
Hipaa Compliance With IT
Hipaa Compliance With ITHipaa Compliance With IT
Hipaa Compliance With ITNainil Chheda
 
Mindtree agile offering.
Mindtree agile offering.Mindtree agile offering.
Mindtree agile offering.Mindtree Ltd.
 
Security concerns with SaaS layer of cloud computing
Security concerns with SaaS layer of cloud computingSecurity concerns with SaaS layer of cloud computing
Security concerns with SaaS layer of cloud computingClinton DSouza
 
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORKZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORKMaganathin Veeraragaloo
 
IT Security As A Service
IT Security As A ServiceIT Security As A Service
IT Security As A ServiceMichael Davis
 

What's hot (20)

Securing Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid CloudsSecuring Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid Clouds
 
Best-Practices-Web-Usability
Best-Practices-Web-UsabilityBest-Practices-Web-Usability
Best-Practices-Web-Usability
 
Data loss prevention by using MRSH-v2 algorithm
Data loss prevention by using MRSH-v2 algorithm Data loss prevention by using MRSH-v2 algorithm
Data loss prevention by using MRSH-v2 algorithm
 
Mindtree distributed agile journey and guiding principles
Mindtree distributed agile journey and guiding principlesMindtree distributed agile journey and guiding principles
Mindtree distributed agile journey and guiding principles
 
Security as a Service with Microsoft Presented by Razor Technology
Security as a Service with Microsoft Presented by Razor TechnologySecurity as a Service with Microsoft Presented by Razor Technology
Security as a Service with Microsoft Presented by Razor Technology
 
SaaS (Software-as-a-Service) as-a-secure-service
SaaS (Software-as-a-Service) as-a-secure-serviceSaaS (Software-as-a-Service) as-a-secure-service
SaaS (Software-as-a-Service) as-a-secure-service
 
Unlock the full potential of IoT
Unlock the full potential of IoT Unlock the full potential of IoT
Unlock the full potential of IoT
 
The security of SAAS and private cloud
The security of SAAS and private cloudThe security of SAAS and private cloud
The security of SAAS and private cloud
 
Risk based it auditing for non it auditors (basics of it auditing) final 12
Risk based it auditing for non it auditors (basics of it auditing) final 12Risk based it auditing for non it auditors (basics of it auditing) final 12
Risk based it auditing for non it auditors (basics of it auditing) final 12
 
Intel SaaS Security Playbook
Intel SaaS Security PlaybookIntel SaaS Security Playbook
Intel SaaS Security Playbook
 
Msft cloud architecture_security_commonattacks
Msft cloud architecture_security_commonattacksMsft cloud architecture_security_commonattacks
Msft cloud architecture_security_commonattacks
 
Implementing zero trust architecture in azure hybrid cloud
Implementing zero trust architecture in azure hybrid cloudImplementing zero trust architecture in azure hybrid cloud
Implementing zero trust architecture in azure hybrid cloud
 
User Behavior based Anomaly Detection for Cyber Network Security
User Behavior based Anomaly Detection for Cyber Network SecurityUser Behavior based Anomaly Detection for Cyber Network Security
User Behavior based Anomaly Detection for Cyber Network Security
 
Lisa Guess - Embracing the Cloud
Lisa Guess - Embracing the CloudLisa Guess - Embracing the Cloud
Lisa Guess - Embracing the Cloud
 
Hipaa Compliance With IT
Hipaa Compliance With ITHipaa Compliance With IT
Hipaa Compliance With IT
 
Mindtree agile offering.
Mindtree agile offering.Mindtree agile offering.
Mindtree agile offering.
 
Security concerns with SaaS layer of cloud computing
Security concerns with SaaS layer of cloud computingSecurity concerns with SaaS layer of cloud computing
Security concerns with SaaS layer of cloud computing
 
Cloud Security Governance
Cloud Security GovernanceCloud Security Governance
Cloud Security Governance
 
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORKZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
 
IT Security As A Service
IT Security As A ServiceIT Security As A Service
IT Security As A Service
 

Similar to Sql securitytesting

Security Testing
Security TestingSecurity Testing
Security TestingISsoft
 
CNIT 128 8: Mobile development security
CNIT 128 8: Mobile development securityCNIT 128 8: Mobile development security
CNIT 128 8: Mobile development securitySam Bowne
 
Enterprise mobileapplicationsecurity
Enterprise mobileapplicationsecurityEnterprise mobileapplicationsecurity
Enterprise mobileapplicationsecurityVenkat Alagarsamy
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptSilverGold16
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application SecurityNicholas Davis
 
INFORMATION AND CYBER SECURITY
INFORMATION AND CYBER SECURITYINFORMATION AND CYBER SECURITY
INFORMATION AND CYBER SECURITYNishant Pawar
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
Security Architectures and Models.pptx
Security Architectures and Models.pptxSecurity Architectures and Models.pptx
Security Architectures and Models.pptxRushikeshChikane2
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxAmardeepKumar621436
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10Pawel Rzepa
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageAnant Shrivastava
 
Marcos de Pedro Neoris authenware_cybersecurity step1
Marcos de Pedro Neoris authenware_cybersecurity step1Marcos de Pedro Neoris authenware_cybersecurity step1
Marcos de Pedro Neoris authenware_cybersecurity step1Marcos De Pedro
 
Meletis Belsis - Introduction to information security
Meletis Belsis - Introduction to information securityMeletis Belsis - Introduction to information security
Meletis Belsis - Introduction to information securityMeletis Belsis MPhil/MRes/BSc
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochQA or the Highway
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochQA or the Highway
 

Similar to Sql securitytesting (20)

Security Testing
Security TestingSecurity Testing
Security Testing
 
CNIT 128 8: Mobile development security
CNIT 128 8: Mobile development securityCNIT 128 8: Mobile development security
CNIT 128 8: Mobile development security
 
Securing Android
Securing AndroidSecuring Android
Securing Android
 
Enterprise mobileapplicationsecurity
Enterprise mobileapplicationsecurityEnterprise mobileapplicationsecurity
Enterprise mobileapplicationsecurity
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
 
INFORMATION AND CYBER SECURITY
INFORMATION AND CYBER SECURITYINFORMATION AND CYBER SECURITY
INFORMATION AND CYBER SECURITY
 
Digital Self Defense (RRLC version)
Digital Self Defense (RRLC version)Digital Self Defense (RRLC version)
Digital Self Defense (RRLC version)
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Security Architectures and Models.pptx
Security Architectures and Models.pptxSecurity Architectures and Models.pptx
Security Architectures and Models.pptx
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptx
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10
 
Application security
Application securityApplication security
Application security
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
 
Marcos de Pedro Neoris authenware_cybersecurity step1
Marcos de Pedro Neoris authenware_cybersecurity step1Marcos de Pedro Neoris authenware_cybersecurity step1
Marcos de Pedro Neoris authenware_cybersecurity step1
 
Meletis Belsis - Introduction to information security
Meletis Belsis - Introduction to information securityMeletis Belsis - Introduction to information security
Meletis Belsis - Introduction to information security
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan Koch
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan Koch
 

More from Thilak Pathirage -Senior IT Gov and Risk Consultant

More from Thilak Pathirage -Senior IT Gov and Risk Consultant (11)

Cybersecurity-Audit-A-Case-Study-for-SME.pdf
Cybersecurity-Audit-A-Case-Study-for-SME.pdfCybersecurity-Audit-A-Case-Study-for-SME.pdf
Cybersecurity-Audit-A-Case-Study-for-SME.pdf
 
ISACA Cyber-Audit-Certificate-Exam-Guide_Eng_0819.pdf
ISACA Cyber-Audit-Certificate-Exam-Guide_Eng_0819.pdfISACA Cyber-Audit-Certificate-Exam-Guide_Eng_0819.pdf
ISACA Cyber-Audit-Certificate-Exam-Guide_Eng_0819.pdf
 
Auditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterpriseAuditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterprise
 
ISACA Cybersecurity Audit course brochure
ISACA Cybersecurity Audit course brochureISACA Cybersecurity Audit course brochure
ISACA Cybersecurity Audit course brochure
 
Capability_Assessment_of_IT_Governance_Using_the_2.pdf
Capability_Assessment_of_IT_Governance_Using_the_2.pdfCapability_Assessment_of_IT_Governance_Using_the_2.pdf
Capability_Assessment_of_IT_Governance_Using_the_2.pdf
 
cobit 2019 -current-user - ISACA Publication
cobit 2019 -current-user - ISACA Publicationcobit 2019 -current-user - ISACA Publication
cobit 2019 -current-user - ISACA Publication
 
Introduction to ISACA COBIT-2019 Framwork.pdf
Introduction to ISACA COBIT-2019 Framwork.pdfIntroduction to ISACA COBIT-2019 Framwork.pdf
Introduction to ISACA COBIT-2019 Framwork.pdf
 
Social media-assessment
Social media-assessmentSocial media-assessment
Social media-assessment
 
Cissp nda
Cissp ndaCissp nda
Cissp nda
 
314
314314
314
 
Composite indicators
Composite indicatorsComposite indicators
Composite indicators
 

Recently uploaded

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 

Recently uploaded (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

Sql securitytesting

  • 1. CSE 403 Lecture 20 Security Testing for Mobile and Web Apps Reading: Android Apps Security, Ch. 2-3 (Gunasekara) How to Break Web Software, Ch. 2-5 (Andrews/Whittaker) slides created by Marty Stepp http://www.cs.washington.edu/403/
  • 2. 2 Android security risks • What are some security risks you can think of that can affect an Android phone? – What are actions a malicious app could take? • Examples: – uses a bug or security vulnerability to gain ungranted permissions – shows the user unsolicited messages (especially commercial) – resists (or attempts to resist) the user's effort to uninstall it – attempts to automatically spread itself to other devices – hides its files and/or processes – discloses the user's private information to a third party w/o consent – destroys the user's data (or the device itself) without w/o consent – impersonates the user (such as by sending email or buying things) – drains the phone's battery, data bytes/minutes, SMS/MMS remaining – otherwise degrades the user's experience with the device
  • 3. 3 Android OS security • The Android operating system provides security: – Unix-based file/directory permission model – process memory isolation and memory protection – filesystem encryption – per-app access to hardware devices – per-app restrictions on memory/CPU usage, other resources • network/data connection • camera • location (GPS) data • bluetooth • SMS/MMS • ... – DRM framework
  • 4. 4 Mobile app permissions • Apps must declare which permissions they need – e.g. use internet; write to local files; look at contacts; use Bluetooth; access GPS location; send SMS – user must manually give permission for actions • Fine-grained access control in Manifest XML file – File/URL-specific permissions <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.android.app.myapp" > <uses-permission android:name="android.permission.RECEIVE_SMS" /> ... </manifest>
  • 5. 5 Signed apps/stores • signed apps: Coded with a private developer key – On Android / iPhone, apps must be signed in market – manual approval reduces chance of rogue apps – any app bought in official App Store / Market is generally thought of as having being audited • Is this true for Apple store apps? • Is this true for Google Play Market apps? • App store users can rate the apps and comment – Do you feel that an app is more likely to be secure: • If it is from a publisher/company you already know? • If a friend of yours has it installed? • If it costs money?
  • 6. 6 Problems with Android • Apps can ask for too many permissions. – Users don't really understand permissions. – Users are overwhelmed and just click "Yes" – Now the app can do almost anything. • Updates to an app can change its permissions. – example: recent Facebook app update – Users often click "Yes" if they already trust the app. – "privilege escalation" • Spammy apps – resist attempts to uninstall – show ads that are like system/OS UI
  • 7. 7 Example attack • Android 2.2 / 2.3 had vulnerabilities. – Browser could download a HTML page. – The page contains JS code. – The JS code can self-execute later in a "local" context. – This has higher permissions and can modify the local file system. • App ABC stores sensitive data on the local file system. – The data is financially important. – It is saved as a file in plain-text. – The above malicious browser JS code can read and access it.
  • 9. 9 Methods of security • Security through obscurity: Relying on the fact that attackers don't know something needed to harm you. – Example: "If an attacker pointed their browser to http://foo.com/passwords.txt, they'd get our passwords. But nobody knows that file is there, so we are safe." – Example: "Our app saves its sensitive user data using SQLite which ends up as a file on the local file system." – Example: "Our authentication database goes down for 2 minutes every night at 4am. During that time any user can log in without restrictions. But no one knows this, and the odds of a login at that time are miniscule."
  • 10. 10 Secure authentication • Force users to log in to your system before performing sensitive operations • Use secure protocols (https, etc.) to prevent sniffing – Some sites use HTTPS only for login page, then switch back to regular HTTP for future page views. Is this bad? • Force users to use strong passwords – not "password", or "abc", or same as their user name, etc.
  • 11. 11 Principle of least privilege • principle of least privilege: Granting just enough authority to get the job done (no more!). – Examples: • Code should not "run as root" or as a highly privileged user unless absolutely necessary. • A web server should only be given access to the set of HTML files that the web server is supposed to serve. – Turn off unnecessary services on your server • disable SSH, VNC, sendmail, etc. • close all ports except 80, and any others needed for web traffic
  • 12. 12 Sanitizing inputs • sanitizing inputs: Encoding and filtering untrusted user input before accepting it into a trusted system. – Ensure that accepted data is the right type, format, length... – Disallow entry of bad data into a graphical form. – Remove any SQL code from submitted user names. – Encode/sanitize input text that is displayed back to the user.
  • 13. 13 Verifying that code is secure • Before code is written: – considering security in the design process • As code is being written: – code reviews – code security audits – pair programming • After code has been written: – walkthroughs – system security audits – system/functional security testing – penetration tests
  • 14. 14 Security audits • security audit: A series of checks and questions to assess the security of your system. – can be done by an internal or external auditor – best if done as a process, not an individual event • penetration test: Targeted white-hat attempt to compromise your system's security. • risk analysis: Assessment of relative risks of what can go wrong when security is compromised.
  • 15. 15 Security audit questions • Does your system require secure authentication with passwords? • Are passwords difficult to crack? • Are there access control lists (ACLs) in place on network devices? • Are there audit logs to record who accesses data? • Are the audit logs reviewed? • Are your OS security settings up to accepted industry levels? • Have all unnecessary applications and services been eliminated? • Are all operating systems and applications patched to current levels? • How is backup media stored? Who has access to it? Is it up-to-date? • Is there a disaster recovery plan? Has it ever been rehearsed? • Are there good cryptographic tools in place to govern data encryption? • Have custom-built applications been written with security in mind? • How have these custom applications been tested for security flaws? • How are configuration and code changes documented at every level? How are these records reviewed and who conducts the review?
  • 16. 16 Data classification • data classification table: For each kind of data your app saves/uses, ask yourself: – Is this information personal or sensitive in nature? – What does my app do with this information? – Where and in what format is it saved? – Is it sent over the network? – (for all above) Does it need to be? Can I reduce my use?
  • 17. 17 Data storage location • Where is your app storing its data, and why? Is it secure?
  • 18. 18 Encryption • You can easily encrypt data in Android just before/after saving it to the device's SD card or local database. private static byte[] encrypt(byte[] key, byte[] data) { SecretKeySpec sKeySpec = new SecretKeySpec(key, "AES"); Cipher cipher; byte[] ciphertext = null; try { cipher = Cipher.getInstance("AES"); cipher.init(Cipher.ENCRYPT_MODE, sKeySpec); ciphertext = cipher.doFinal(data); } catch (NoSuchAlgorithmException e) { Log.e(TAG, "NoSuchAlgorithmException"); } catch (InvalidKeyException e) { Log.e(TAG, "InvalidKeyException"); } catch (Exception e) { Log.e(TAG, "Exception"); } return ciphertext; }
  • 19. 19 Mobile+web apps • OWASP Top 10 issues for mobile apps that talk to web apps: – Identify and protect sensitive data on the mobile device. – Handle password credentials securely on the device. – Ensure that sensitive data is protected in transit. – Implement user authentication and session management correctly. – Keep the back-end APIs (services) and the platform (server) secure. – Perform data integration with third party services/apps securely. – Pay specific attention to the collection and storage of consent for the collection and use of the user’s data. – Implement controls to prevent unauthorized access to paid-for resources (e.g., wallet, SMS, and phone calls). – Ensure secure distribution/provisioning of mobile applications. – Carefully check any runtime interpretation of code for errors.
  • 20. 20 Secure web (HTTPS) • man-in-the-middle attack: – unauthorized third party can hear web traffic on its hops between client and server • For security, all web traffic in your app should use HTTPS secure protocol. – built on Secure Socket Layer (SSL)
  • 22. 22 Denial-of-Service (DoS) • Denial of Service (DoS) attack: Attacker causes web server to be unavailable. • How attack is performed: – Attacker frequently requests many pages from your web site. • distributed DoS (DDoS): DoS using lots of computers – Your server cannot handle this many requests at a time, so it turns into a smoldering pile of goo (or just becomes very slow). • Problems that this attack can cause: – Users cannot get to your site. – Online store's server crashes -> store loses potential revenue. – Server may crash and lose or corrupt important data. – All the bandwidth used by the DoSers may cost you $$$.
  • 23. 23 Packet sniffing • packet sniffing: Listening to traffic sent on a network. – Many internet protocols (http, aim, email) are unsecure. – If an attacker is on the same local network (LAN) as you, he can: • read your email/IMs as you send them • see what web sites you are viewing • grab your password as it's being sent to the server • solutions: – Use secure protocols (ssh, https) – Encryption – Don't let creeps on your LAN/wifi
  • 24. 24 Password cracking • password cracking: Guessing the passwords of privileged users of your system. • How attack is performed: – brute force attack: Attacker uses software that sequentially tries every possible password. – dictionary attack: Attacker uses software that sequentially tries passwords based on words in a dictionary. • every word in the dictionary • combinations of words, numbers, etc. • What you can do about it: – Force users to have secure passwords. – Block an IP address from logging in after N failed attempts.
  • 25. 25 Phishing/social engineering • phishing: Masqueraded mails or web sites. – social engineering: Attempts to manipulate users, such as fraudulently acquiring passwords or credit card numbers. • Problems: – If trusted users of your system are tricked into giving out their personal information, attackers can use this to log in as those users and compromise your system.
  • 26. 26 Privilege escalation • privilege escalation: Attacker becomes able to run code on your server as a privileged user. – Example: Perhaps normal users aren't able to directly query your database. But an attacker may find a flaw in your security letting him run as an administrator and perform the query. – Once you're running as root, You own the server. You can do anything you want!
  • 27. 27 Cross-site scripting (XSS) • cross-site scripting: Causing one person's script code to be executed when a user browses to another site. – Example: Visit google.com, but evil.com's JavaScript runs. • How attack is performed: – Attacker finds unsecure code on target site. – Attacker uses hole to inject JavaScript into the page. – User visits page, sees malicious script code.
  • 28. 28 SQL Injection • SQL injection: Causing undesired SQL queries to be run on your database. – Often caused when untrusted input is pasted into a SQL query PHP: "SELECT * FROM Users WHERE name='$name';"; – specify a user name of: x' OR 'a'='a SELECT * FROM Users WHERE name='x' OR 'a'='a';
  • 29. Thinking like an attacker: Finding vulnerabilities
  • 30. 30 Panning for gold • View Source, and look for: – HTML comments – script code – other sensitive information in code: IP/email addresses, SQL queries, hidden fields,... – watch HTTP requests/responses • look for hidden pages, files, parameters to target – error messages sent to your browser by app • 200: OK 400: Invalid request • 403: Forbidden 404: File not found • 500: Internal server error
  • 31. 31 Input forms • Forms let users pass parameters to the web server. • Parameters are passed using GET or POST requests. – GET: parameters are contained in the request URL. http://www.google.com?q=Stephen+Colbert&lang=en – POST: parameters are contained in the HTTP packet header. • harder for the user to see, but no more secure than GET • Forms provide a rich attack ground...
  • 32. 32 Form validation • validation: Examining form parameters to make sure they are acceptable before/as they are submitted. – nonempty, alphabetical, numeric, length, ... – client-side: HTML/JS checks values before request is sent. – server-side: JSP/Ruby/PHP/etc. checks values received. • Some validation is performed by restricting the user's choices. – select boxes – input text boxes with maxlength attribute – key event listeners that erase certain key presses
  • 33. 33 User input attacks • Bypassing client-side input restrictions and validation – maxlength limits on an input text field – choices not listed in a select box – hidden input fields – modifying or disabling client-side JavaScript validation code
  • 34. 34 Guessing files/directories • security through obscurity: Many reachable files/resources are hidden only by the fact that there is no link to them. • Try common file/folder/commands to see what happens: – /etc/passwd , /etc/shadow , cat, ls, grep – guess file names based on others • page11.php --> page12.php • loginfailure.jsp --> loginsuccess.jsp • accounts/fred.html --> accounts/sue.html – brute force / web spiders – port scanners
  • 35. 35 Other attacks • Attacking GET parameters • Attacking hidden input fields • Attacking cookies • Cross-site request forgery (CSRF) • ...
  • 36. 36 Web attack exercise • We are taking CSE 144, which uses an online turnin system. – We want to hack it because we are evil. • Our goals: – We want to cheat on Homework Assignment 7, Song.java. We want to find a way to submit a perfect working solution without doing any real work. – We got a low grade on a past assignment, so if possible, we want to set our past grades to be higher than they are now. – Our enemy is fellow classmate Felix Chu. We want to find out his personal information (password, email, student ID, grade, etc.). – We don't like the course instructor, Marty Stepp. We want to make the turnin page print an embarrassing message about him.