2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design

323 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
323
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
6
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design

  1. 1. Mobile apps and security by design Ollie Whitehouse, Associate Director - NCC Group
  2. 2. Agenda •Challenges •Benefits • Features • Privacy • Product security •Assurance and COTS •Response planning
  3. 3. Problem Statement “How to develop or purchase COTS mobile apps for my enterprise while ensuring security.”
  4. 4. Real-world challenges •Cost •Timelines •Available security skill-set •Trust in underlying technologies •COTS, the big black box
  5. 5. Reality •Last minute security can lead to •Poor user experience •Risk of fundamental flaws •Implementation issues •Higher expense and wasted effort •…. Band-Aid solutions
  6. 6. How do we know this? •Secure Development Life-cycles! •Security earlier is •Cheaper •Easier •More integrated •Less likely to be wrong
  7. 7. How do we know this? •Issues found during final testing •Back to development •Re-testing (functional) •Issues found after release •All of the above •Customer support costs •Regulatory, press / brand etc. •…
  8. 8. Put another way.. “Those practicing SDL specifically reported visibly better ROI results than the overall population.“ - Forester research
  9. 9. But it’s not without cost… ~14% extra effort
  10. 10. What do we care about? •Functionality •Security has a bad reputation •Security is seen as impeding •Privacy •Users and customers •Security •Risk and regulator •Integrity and data protection
  11. 11. Feature benefits •Meet your risk appetite •User friendly (UX etc.) •Measured •Integrated •Lower risk of fundamental issues
  12. 12. Privacy benefits •Regulatory compliance •Publically acceptable •Consumer versus employee •Internet versus VPN •… concepts like do not track etc … •Consideration around •What we send, how we send, what we store and how we store
  13. 13. Security benefits •Baked in (intrinsic to the fabric) •Defence in depth •Easy (automatic?) to upgrade •Auditing / logging •Authentication / authorisation •Transport security •Data at rest security
  14. 14. Mobile security by design •User experience •Authentication •Authorisation •Storage •Logging •Transport •Upgradability •Device / user identification
  15. 15. The COTS challenge •Marketing buzzword bingo •3rd party development practices •Gaining assurance … in code and processes … ideally via code access (rare!) … likely black-box security assessments … we don’t want to outsource risk
  16. 16. If it all goes wrong •Security response processes •Internally developed •Escalation points? •Vendor relationships •Who would you call? •Legal agreements? •Security SLAs? •Short term mitigations?
  17. 17. Summary •Consider security & risk early •Design security in from the start •Test security early, test often •Bigger locks != better security •Consider user base •Consider underlying technologies •Consider tech/user case constraints •Coax COTS vendors to improve
  18. 18. UK Offices Manchester - Head Office Cheltenham Edinburgh Leatherhead London Thame North American Offices San Francisco Atlanta New York Seattle Australian Offices Sydney European Offices Amsterdam - Netherlands Munich - Germany Zurich - Switzerland Ollie Whitehouse ollie.whitehouse@nccgroup.com Thanks! Questions?

×