NOWSECURE PROJECT
Collins, Stacey D; Defersha, Endale A; Jacobson, Rhiannon N; Peterka, Joseph D
Spring 2022
WHAT TYPE OF PATTERN OF SECURITY RISK OR MALWARE DID YOU ATTEMPT TO FIND?
SUMMARY IN REVIEW
• 1007 distinct apps associated with 79 distinct countries.
• 207 (20.6%) of the apps have key size vulnerabilities.
• There was no significant difference in key size vulnerabilities based on the geographic region from which the app originated.
BACKGROUND
Digital signatures matter to users of an application because they let the user know that the data being transferred is coming from the correct users.
Appropriate key sizes, along with other cryptography-based security measures, are necessary to protect information, especially for apps that handle sensitive data.
In the NowSecure-provided data, apps that have a key size vulnerability have a keysize_check variable value equal to True.
If keysize_check is True, the app uses a weak key size that could allow digital signatures to be forged; if False, no such vulnerability was found.
Note that a True value does not indicate that a digital signature has been forged, only that the vulnerability exists within the application and could lead to a forgery.
SECURITY ISSUES RELATED TO THE KEY SIZE
Dependent variable:
• keysize_check
Independent variables:
• secure_random_check
• change_cipher_spec_check
• certificate_validity_check
• sqlcipher_key_leakage_check
HOW DID YOU GO ABOUT FINDING THIS SECURITY RISK ACROSS ALL THE NOWSECURE APPS?
APPROACH
• Conducted two phases of experiments
  Model 1) Using 2 of the proposed independent variables:
    • secure_random_check
    • sqlcipher_key_leakage_check
  The other two were removed because they did not vary (all values were False):
    • change_cipher_spec_check
    • certificate_validity_check
  Model 2) Including all variables with a chi-square p-value < 0.25
CHI-SQ TABLE
Variable Name                       Chi-Sq   p-value   DF
secure_random_check                   4.59     0.032    1
sends_sms_check                       2.58     0.109    1
dirtycow_check                        1.99     0.158    1
javascript_interface_check            1.87     0.171    1
allow_backup_check                    1.81     0.179    1
decode_apk_check                      1.65     0.199    1
publisher_global_location             3.85     0.427    4
auto_generated_screenshots_check      0.41     0.520    1
application_overprivileged_check      0.26     0.611    1
sqlcipher_key_leakage_check           0.26     0.612    1
decompile_apk_check                   0.22     0.640    1
get_reflection_code                   0.07     0.787    1
obfuscation_check                     0.07     0.787    1
okhttp_vuln_check                     0.01     0.905    1
dynamic_code_loading_check            0.00     0.979    1
certificate_validity_check            0.00     1.000    0
change_cipher_spec_check              0.00     1.000    0
debug_flag_check                      0.00     1.000    0
extract_lib_info                      0.00     1.000    0
get_native_methods                    0.00     1.000    0
heartbleed_check                      0.00     1.000    0
master_key_check                      0.00     1.000    0
STEPS
1. Created a logistic regression model to examine the relationship between our dependent and independent variables.
2. Examined the output of the model to determine which independent variables are significant in relation to the dependent variable, and which, if any, are not.
3. Looked at the odds ratios of the vulnerabilities in the independent variables to quantify the size of the relationship between the independent vulnerabilities and the key size vulnerability.
   Is an app with a vulnerability in one independent variable significantly more likely to also have a key size vulnerability? The odds ratios let us quantify the size of that likelihood.
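The screen-then-model procedure above, as an added example that is not the presenters' code and uses no NowSecure data: a Pearson chi-square screen over binary vulnerability flags (showing why an all-False flag gets DF 0 and p 1.000, as in the chi-square table), a p < 0.25 filter in the style of Model 2, and the odds ratio with a 95% CI for a flag that passes. The variable names mirror the deck; the 400 records are constructed so every result can be checked by hand.

```python
import math


def contingency(records, var, dep="keysize_check"):
    """2x2 counts: a = var & dep, b = var & not dep, c = not var & dep, d = neither."""
    a = sum(1 for r in records if r[var] and r[dep])
    b = sum(1 for r in records if r[var] and not r[dep])
    c = sum(1 for r in records if not r[var] and r[dep])
    d = sum(1 for r in records if not r[var] and not r[dep])
    return a, b, c, d


def chi_square(a, b, c, d):
    """Pearson chi-square (no continuity correction) for a 2x2 table.
    Returns (chi2, p, df). A flag that never varies (an all-False column)
    leaves an empty row, so it gets df=0 and p=1.0, which is how such
    variables appear in the deck's chi-square table."""
    n = a + b + c + d
    r1, r2, c1, c2 = a + b, c + d, a + c, b + d
    if min(r1, r2, c1, c2) == 0:
        return 0.0, 1.0, 0
    chi2 = n * (a * d - b * c) ** 2 / (r1 * r2 * c1 * c2)
    p = math.erfc(math.sqrt(chi2 / 2))  # upper tail of chi-square with df=1
    return chi2, p, 1


def odds_ratio(a, b, c, d, z=1.96):
    """Odds ratio with a Wald 95% CI. For one binary predictor this equals the
    OR a logistic regression reports for it; the OR is 'significantly
    different from 1' when the CI excludes 1."""
    if 0 in (a, b, c, d):  # Haldane-Anscombe correction avoids division by zero
        a, b, c, d = (x + 0.5 for x in (a, b, c, d))
    est = (a * d) / (b * c)
    se = math.sqrt(1 / a + 1 / b + 1 / c + 1 / d)
    lo = math.exp(math.log(est) - z * se)
    hi = math.exp(math.log(est) + z * se)
    return est, lo, hi


def screen(records, candidates, alpha=0.25, dep="keysize_check"):
    """Model-2 style screen: rank candidates by chi-square p-value and keep
    those with p < alpha; constant flags (df=0) are dropped as in Model 1."""
    rows = []
    for var in candidates:
        chi2, p, df = chi_square(*contingency(records, var, dep))
        rows.append((var, round(chi2, 2), round(p, 3), df))
    rows.sort(key=lambda row: row[2])
    kept = [var for var, _, p, df in rows if df > 0 and p < alpha]
    return rows, kept


def build_sample():
    """Constructed records (not NowSecure data) with fixed counts so results
    can be checked by hand: secure_random_check x keysize_check = 30/70/60/240;
    sqlcipher flag on 5 of the 90 key-size-vulnerable apps and 15 of the
    other 310; certificate_validity_check False everywhere."""
    cells = [(True, True, 30), (True, False, 70), (False, True, 60), (False, False, 240)]
    records = []
    for sr, ks, count in cells:
        for _ in range(count):
            records.append({"secure_random_check": sr, "keysize_check": ks,
                            "sqlcipher_key_leakage_check": False,
                            "certificate_validity_check": False})
    quota = {True: 5, False: 15}  # sqlcipher True per keysize_check value
    for r in records:
        if quota[r["keysize_check"]] > 0:
            r["sqlcipher_key_leakage_check"] = True
            quota[r["keysize_check"]] -= 1
    return records


if __name__ == "__main__":
    recs = build_sample()
    rows, kept = screen(recs, ["secure_random_check", "sqlcipher_key_leakage_check",
                               "certificate_validity_check"])
    for row in rows:
        print("%-28s chi2=%5.2f p=%.3f df=%d" % row)
    for var in kept:  # report an OR only for flags that survived the screen
        print(var, "OR=%.2f (%.2f, %.2f)" % odds_ratio(*contingency(recs, var)))
```

With several predictors in one model (Model 2), the reported ORs are adjusted for each other and come from the logistic fit rather than from separate 2x2 tables, so they will differ from the single-table values this block computes.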
[Slide: Results from Experiment 1 (model output shown as an image; not captured in the text)]
[Slide: Results from Experiment 2 (model output shown as an image; not captured in the text)]
ODDS RATIOS COMPARISON
MODEL 1
Variable Name                  OR (95% CI)
secure_random_check            1.68 (1.07, 2.66) *
sqlcipher_key_leakage_check    0.68 (0.23, 1.98)
* = odds ratio significantly different from 1

MODEL 2
Variable Name                  OR (95% CI)
dirtycow_check                 1.50 (0.90, 2.51)
sends_sms_check                1.64 (0.87, 3.10)
decode_apk_check               0.30 (0.06, 1.50)
allow_backup_check             0.78 (0.57, 1.07)
secure_random_check            1.82 (1.14, 2.90) *
javascript_interface_check     1.34 (0.89, 2.03)
* = odds ratio significantly different from 1
WHAT DID YOU FIND? DO YOU HAVE A LIST OF INSECURE APPS? OR PATTERNS OF INSECURE LIBRARIES OR OTHER ASPECTS OF APPS?
FINDINGS
• Only secure_random_check was significant
  • Model 1: odds ratio of 1.68 (95% CI 1.07 - 2.66)
  • Model 2: odds ratio of 1.82 (95% CI 1.14 - 2.90)
• Country association
  • 1007 applications, representing 48 categories and developed across 79 distinct countries
  • 57 apps could not be logically associated with a country of origin
  • No significant trend by location was found
Region      Total Apps   Vulnerable Key Size      %
Africa           15                1           6.7%
Americas        333               63          18.9%
Asia            386               85          22.0%
Europe          163               48          29.4%
Oceania          13                3          23.1%
DO YOU THINK THERE ARE ANY IMPLICATIONS OF WHAT YOU'VE FOUND? IS IT NOVEL? IS IT WORTH OTHERS CHECKING ON THE APPS OR OTHER FINDINGS YOU HAVE?
IMPLICATIONS
• Model 1: odds ratio of 1.68 (95% CI 1.07 - 2.66)
  • Apps that have a secure_random_check vulnerability are 1.68 times as likely to also have a keysize_check vulnerability as apps that do not have a secure_random_check vulnerability.
• Model 2: odds ratio of 1.80 (95% CI 1.14 - 2.90)
  • Apps that have a secure_random_check vulnerability are 1.80 times as likely to also have a keysize_check vulnerability as apps that do not have a secure_random_check vulnerability.
• Country attribution
  • Associating apps to country of origin
  • Global associations
THE END
NS-Presentation-v2.pptx