© Copyright 2018 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
CASE STUDY:
IRONCLAD MESSAGING &
SECURE APP DEV FOR
REGULATED INDUSTRIES
#MOBSEC5 - A WEEKLY MOBILE SECURITY NEWS UPDATE
www.nowsecure.com/go/subscribe
AGENDA
INTRODUCTIONS
MOBILE APP SECURITY LANDSCAPE
VAPORSTREAM CASE STUDY
NOWSECURE SOLUTIONS
RECOMMENDATIONS
Q&A
SPEAKERS
AVI ELKONI
COO/CTO
VAPORSTREAM
KRISTI PERDUE HINKLE
VAPORSTREAM
BRIAN REED
NOWSECURE
HOW SAFE ARE YOUR MOBILE APPS?
[Headlines shown: "Web and App Breached of PII & Credit Card"; "Mobile App Breach Exposing 20,000 Customers"; "Data Breach Reveals Military Training Sites"]
NOWSECURE BENCHMARKS: BANKING & FINANCE
[Chart: distribution of NowSecure scores across the bands 0-59, 60-69, 70-79, 80-89 and 90-100, with bands labelled High Risk, Caution and Low Risk]
*Scoring algorithm based on industry-standard CVSS-scored findings
NowSecure Score Risk Range: 46-100
A significant 10 of 100 apps (10%) fail with critical and high risks
Identified failures: man-in-the-middle attack, invalid certificate, known vulnerable 3rd-party libraries, unencrypted credentials/PII in local files or over HTTP
NOWSECURE BENCHMARKS: RETAIL
[Chart: distribution of NowSecure scores across the bands 0-59, 60-69, 70-79, 80-89 and 90-100, with bands labelled High Risk, Caution and Low Risk]
*Scoring algorithm based on industry-standard CVSS-scored findings
NowSecure Score Risk Range: 6-100
A shocking 27 of 80 apps (34%) fail with critical and high risks
Identified failures: man-in-the-middle attack, invalid certificate, known vulnerable 3rd-party libraries, unencrypted credentials/PII in local files or over HTTP
INSIDE THE MOBILE ATTACK SURFACE
[Diagram: a Test App shown against the iOS stack (Apps, iOS Frameworks, iOS Native Libraries, iOS Mach/XNU Kernel, iOS HAL, Hardware), the Data Center & App Backend and Network & Cloud Services; attack-surface items grouped under Code Functionality, Data at Rest and Data in Motion. Items listed:]
GPS spoofing
Buffer overflow
allowBackup Flag
allowDebug Flag
Code Obfuscation
Configuration manipulation
Escalated privileges
URL schemes
GPS Leaking
Integrity/tampering/repacking
Side channel attacks
App signing key unprotected
JSON-RPC
Automatic Reference Counting
Dynamic runtime injection
Unintended permissions
UI overlay/pin stealing
Intent hijacking
Zip directory traversal
Clipboard data
World Readable Files
Data caching
Data stored in application directory
Decryption of keychain
Data stored in log files
Data cached in memory/RAM
Data stored in SD card
OS data caching
Passwords & data accessible
No/Weak encryption
TEE/Secure Enclave Processor
Side channel leak
SQLite database
Emulator variance
Wi-Fi (no/weak encryption)
Rogue access point
Packet sniffing
Man-in-the-middle
Session hijacking
DNS poisoning
TLS Downgrade
Fake TLS certificate
Improper TLS validation
HTTP Proxies
VPNs
Weak/No Local authentication
App transport security
Transmitted to insecure server
Zip files in transit
Cookie “httpOnly” flag
Cookie “secure” flag
Android rooting/iOS jailbreak
User-initiated code
Confused deputy attack
Media/file format parsers
Insecure 3rd party libraries
World Writable Files
World Writable Executables
ABOUT VAPORSTREAM
§ Founded in 2008
§ Based in Chicago, IL
§ Privately owned and backed by investors and VC funding
§ Clients in Healthcare, Financial Services, Energy & Utilities, Higher Education, Government and more
§ Vaporstream is a comprehensive and configurable platform that addresses a wide variety of use cases for secure communication
THE VAPORSTREAM SECURE COMMUNICATION PLATFORM
Vaporstream delivers a secure, ephemeral, compliant platform built to increase efficiency and revenue opportunities for the enterprise. While uniquely protecting sensitive data, Vaporstream automates processes to increase work team efficiency and create new levels of service delivery.
[Diagram: Vaporstream Platform with four pillars: Secure Messaging, Engage, Compliance, Analytics]
SECURE COMMUNICATION USE CASES
§ Healthcare
  § Patient Care Coordination
  § Patient Engagement
  § Surgical workflow/Instruction delivery
  § Billing/Insurance submission
§ All Industries
  § Incident notification and response
  § Mass communications
  § Compliant, secure, leak-proof business messaging
  § Crisis and reputation management
  § Executive and Board communication
  § Strategy, IP, Legal, M&A, HR/Recruiting
  § Financial transactions
  § International travel
§ Others
VAPORSTREAM’S MULTI-LAYERED SECURITY MODEL
Ephemerality
§ Automated message expiration based on enterprise policy, group and user
§ No footprint left on any device or server
§ Shred on demand gives the sender ultimate control
Encryption
§ Encryption of data in transit and at rest
§ Keys and data always kept separate
Governance & Compliance
§ Archive a single copy of messages to a client-specified repository to safeguard information for legal, regulatory and business requirements
§ Client data remains under client control; never stored with the vendor
§ Comprehensive audit logging and reporting
Advanced Controls
§ Unique sender controls prevent data propagation to unintended recipients
§ In-app camera keeps images from being uploaded to iCloud or Google; images are never stored on devices
§ Screenshot detection and protection
§ Message body / header separation
VAPORSTREAM MOBILE APPSEC TESTING REQUIREMENTS
1. Extensive black-box penetration testing
  § Apps
  § Platform
2. Dedicated staff for each platform
  § iOS
  § Android
3. Dedicated equipment
  § Jailbroken iOS devices
  § Rooted Android devices
4. Detailed reports with actionable findings
VAPORSTREAM CHOOSES NOWSECURE
§ Known and reputable (strong reputation)
§ Dedicated and experienced teams
§ Black box testing minimizes stress on development team
§ Continuous testing keeps us protected between certifications
HOW VAPORSTREAM USES NOWSECURE TODAY
§ Started with initial certification in 2014
§ Recertify every year
§ Work certification recommendations into product releases
§ Apply NowSecure AUTO to every store release as part of our standard QA process
§ Use our NowSecure Certification as third-party validation
§ Vaporstream differentiation
VAPORSTREAM NOWSECURE CERTIFIED
VAPORSTREAM RECOMMENDED BEST PRACTICES
1. Design for security
2. Test from first prototype
3. Incorporate security testing into your regular QA cycle
4. Prepare for enterprise customer security audits
  § Document internal procedures
  § Hoard certifications
NOWSECURE – DELIVERING SECURE MOBILE APPS FASTER
Automated Mobile AppSec Testing
Optimized for Speed, Accuracy, Integration
Powers Security in Agile & DevOps Teams
Expert Pen Testing, App Certification & Training
Advanced Expert Research & Engineering Teams
Wrote the book on mobile forensics
Trusted by world’s highest security organizations
NOWSECURE APPSEC TESTING COVERAGE CHECKLIST
Data in Motion
✓ Man in the Middle: Cert Validation
✓ Man in the Middle: Cert Pinning
✓ Man in the Middle: HTTP Connections
✓ SSL Downgrade
✓ Unprotected TLS traffic
✓ Cookie integrity
✓ Certificate Validity
✓ App Transport Security
✓ …
Data at Rest
✓ App files & Log Files
✓ Keychain
✓ SD Card
✓ World Writable Files
✓ World Readable Files
✓ RAM
✓ Unencrypted credential storage
✓ SQLite Databases
✓ Secure Enclave Processor
✓ …
Code Functionality
✓ Development flags
✓ Automatic Reference Counting
✓ Stack Smashing
✓ Bad Authentication/Authorization
✓ Root access
✓ Path Traversal
✓ SQL Injection
✓ Vulnerable 3rd party libraries
✓ Heartbleed
✓ Bad cryptography
✓ Obfuscation
✓ …
[Diagram: Automated Mobile App Security Testing Platform; the Test App is exercised against the iOS stack (Apps, iOS Frameworks, iOS Native Libraries, iOS Mach/XNU Kernel, iOS HAL, Hardware), the Data Center & App Backend and Network & Cloud Services, with findings grouped under Code Functionality, Data in Motion and Data at Rest]
NOWSECURE AUTOMATION PLATFORM
NowSecure AUTO: Automated Security Testing in SDLC for Dev, QA & Security Teams (Continuous Integration)
NowSecure WORKSTATION: Deep Pen Testing Analysis of Complex, High Risk Mobile Apps for Security Analysts
NowSecure INTEL: Public App Store Risk Data for EMM, Threat & Security Teams (Continuous Monitoring)
NowSecure SERVICES: Expert Pen Testing, Training & Mobile App Security Programs for App Owners, Dev & Security Teams
Shared platform components: Data Repository, Dashboards & Reports, Advanced Configuration, Device Farm, Compliance Mapping, Analysis Engine
PHASES OF SHIFTING LEFT WITH NOWSECURE
[Diagram: pipeline running from Dev Cycle through Stage / Deploy to Production]
Dev Cycle: Code Commit → Build Binary → Test Binary; Auto-Test Every Build; Auto-Generate Issue Tickets
Stage / Deploy: On-Demand Auto Test
Production: Monitor App Store; Annual / Periodic PEN Test
INSIDE NOWSECURE MOBILE APP RISK SCORING
NOWSECURE AUTO POWERS SECURE DEV TOOLCHAIN
Fully automated mobile app security testing solution for Agile & DevOps
Shorten time-to-release with security baked in
Full "hands-free" automation
Rapid test results in minutes
Real-world tests on real iOS & Android devices
Highly accurate findings & developer-friendly remediation tips
Plug-in integration to the SDLC with no new tools for developers to learn
Auto test every build
Auto generate security tickets
Auto route info to all stakeholders
NOWSECURE SERVICES EXPERTISE FOR SUCCESS
Leverage Our Years of Collective Expertise in Mobile App Security
Accelerate Your Mobile App Security Program
Expert Setup & Guidance
MAST Program Development
Dev & Security Quarterly MAST Training
Mobile AppSec Staff Augmentation
Expert Pen Testing & Certification
100+ man-years of experience
1000+ mobile apps tested
Advanced MAST Forensic Skills
NOWSECURE INTEGRATES WITH YOUR DEV TOOLCHAIN
[Diagram: the NowSecure platform (Data Repository, Dashboards & Reports, Advanced Configuration, Device Farm, Compliance Mapping, Analysis Engine) exchanging Application Binary, Security Assessment, Build Status, Monitored Applications and Notifications with the surrounding toolchain]
APP MANAGEMENT TOOLS: HockeyApp, TestFlight, …
BUILD TOOLS: CircleCI, MS VSTS, Xamarin, …
MOBILE APP STORES: App Store, Play Store, …
VULNERABILITY MANAGEMENT: Archer, …
ISSUE TRACKING: GitHub, MS VSTS, …
MDM/EMM: MobileIron, …
THE PATH TO CONTINUOUS SECURITY
[Diagram: maturity timeline at 1 mo, 3 mo, 6 mo and 12 mo: Manual Testing / PEN Test → Pre-Release Test → On-Demand Test → Full CI/CD Integration, maximizing value & performance]
Integrate with SDLC infrastructure
Test every build every day
Auto-generate tickets from findings in local ticketing tool
Auto-route reports to risk & compliance stakeholders
Auto-route results & trends to management dashboard
Perform deep-dive investigations when needed
OPEN Q&A
Use the “Ask a Question” tab below the slides
AVI ELKONI
COO/CTO
VAPORSTREAM
KRISTI PERDUE HINKLE
VAPORSTREAM
BRIAN REED
NOWSECURE

Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...
 
Cybersecurity Fundamentals for Bar Associations
Cybersecurity Fundamentals for Bar AssociationsCybersecurity Fundamentals for Bar Associations
Cybersecurity Fundamentals for Bar Associations
 
Mobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeMobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the Code
 

Recently uploaded

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 

Recently uploaded (20)

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 

CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries

  • 1. © Copyright 2018 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. CASE STUDY: IRONCLAD MESSAGING & SECURE APP DEV FOR REGULATED INDUSTRIES
  • 2. #MOBSEC5 - A WEEKLY MOBILE SECURITY NEWS UPDATE www.nowsecure.com/go/subscribe
  • 3. AGENDA
    § INTRODUCTIONS
    § MOBILE APP SECURITY LANDSCAPE
    § VAPORSTREAM CASE STUDY
    § NOWSECURE SOLUTIONS
    § RECOMMENDATIONS
    § Q&A
    SPEAKERS: AVI ELKONI, COO/CTO, VAPORSTREAM; KRISTI PERDUE HINKLE, VAPORSTREAM; BRIAN REED, NOWSECURE
  • 4. HOW SAFE ARE YOUR MOBILE APPS? Headlines shown: "Web and App Breach of PII & Credit Card"; "Mobile App Breach Exposing 20,000 Customers"; "Data Breach Reveals Military Training Sites"
  • 5. NOWSECURE BENCHMARKS: BANKING & FINANCE
    § Score bands: 0-59, 60-69, 70-79, 80-89, 90-100; legend: High Risk, Caution, Low Risk (*scoring algorithm based on industry-standard CVSS-scored findings)
    § NowSecure Score Risk Range: 46-100
    § A significant 10 of 100 apps (10%) fail with critical & high risks
    § Identified failures: Man in the Middle attack, invalid certificate, known vulnerable 3rd-party libraries, unencrypted credentials/PII in local files or over HTTP
  • 6. NOWSECURE BENCHMARKS: RETAIL
    § Score bands: 0-59, 60-69, 70-79, 80-89, 90-100; legend: High Risk, Caution, Low Risk (*scoring algorithm based on industry-standard CVSS-scored findings)
    § NowSecure Score Risk Range: 6-100
    § A shocking 27 of 80 apps (34%) fail with critical & high risks
    § Identified failures: Man in the Middle attack, invalid certificate, known vulnerable 3rd-party libraries, unencrypted credentials/PII in local files or over HTTP
  • 7. INSIDE THE MOBILE ATTACK SURFACE
    Diagram: device layers (iOS APPS, iOS FRAMEWORKS, iOS NATIVE LIBRARIES, iOS Mach/XNU KERNEL, iOS HAL, HARDWARE) with a TEST APP on top, connected to Data Center & App Backend and Network & Cloud Services; columns CODE FUNCTIONALITY, DATA AT REST, DATA IN MOTION.
    Items shown: GPS spoofing; Buffer overflow; allowBackup flag; allowDebug flag; Code obfuscation; Configuration manipulation; Escalated privileges; URL schemes; GPS leaking; Integrity/tampering/repacking; Side channel attacks; App signing key unprotected; JSON-RPC; Automatic Reference Counting; Dynamic runtime injection; Unintended permissions; UI overlay/PIN stealing; Intent hijacking; Zip directory traversal; Clipboard data; World-readable files; Data caching; Data stored in application directory; Decryption of keychain; Data stored in log files; Data cached in memory/RAM; Data stored in SD card; OS data caching; Passwords & data accessible; No/weak encryption; TEE/Secure Enclave Processor; Side channel leak; SQLite database; Emulator variance; Wi-Fi (no/weak encryption); Rogue access point; Packet sniffing; Man-in-the-middle; Session hijacking; DNS poisoning; TLS downgrade; Fake TLS certificate; Improper TLS validation; HTTP proxies; VPNs; Weak/no local authentication; App Transport Security; Transmitted to insecure server; Zip files in transit; Cookie "httpOnly" flag; Cookie "secure" flag; Android rooting/iOS jailbreak; User-initiated code; Confused deputy attack; Media/file format parsers; Insecure 3rd-party libraries; World-writable files; World-writable executables
  • 8. ABOUT VAPORSTREAM
    § Founded in 2008
    § Based in Chicago, IL
    § Privately owned and backed by investors and VC funding
    § Clients in Healthcare, Financial Services, Energy & Utilities, Higher Education, Government and more
    § Vaporstream is a comprehensive and configurable platform that addresses a wide variety of use cases for secure communication
  • 9. THE VAPORSTREAM SECURE COMMUNICATION PLATFORM
    Vaporstream delivers a secure, ephemeral, compliant platform built to increase efficiency and revenue opportunities for the enterprise. While uniquely protecting sensitive data, Vaporstream automates processes to increase work team efficiency and create new levels of service delivery.
    Vaporstream Platform components shown: Analytics, Compliance, Engage, Secure Messaging
  • 10. SECURE COMMUNICATION USE CASES
    § Healthcare
      § Patient care coordination
      § Patient engagement
      § Surgical workflow/instruction delivery
      § Billing/insurance submission
    § All industries
      § Incident notification and response
      § Mass communications
      § Compliant, secure, leak-proof business messaging
      § Crisis and reputation management
      § Executive and board communication
      § Strategy, IP, Legal, M&A, HR/Recruiting
      § Financial transactions
      § International travel
      § Others
  • 11. VAPORSTREAM'S MULTI-LAYERED SECURITY MODEL
    § Ephemerality
      § Automated message expiration based on enterprise policy, group and user
      § No footprint left on any device, nor server
      § Shred on demand gives ultimate sender control
    § Encryption
      § Encryption of data in transit and at rest
      § Keys and data always kept separate
    § Governance & Compliance
      § Archive a single copy of messages to a client-specified repository to safeguard information for legal, regulatory and business requirements
      § Client data remains under client control; never stored with vendor
      § Comprehensive audit logging and reporting
    § Advanced Controls
      § Unique sender controls prevent data propagation to unintended recipients
      § In-app camera keeps all images from upload to iCloud or Google; never stored on devices
      § Screenshot detection and protection
      § Message body / header separation
  • 12. VAPORSTREAM MOBILE APPSEC TESTING REQUIREMENTS
    1. Extensive black-box penetration testing
      § Apps
      § Platform
    2. Dedicated staff for each platform
      § iOS
      § Android
    3. Dedicated equipment
      § Jailbroken iOS devices
      § Rooted Android devices
    4. Detailed reports with actionable findings
  • 13. VAPORSTREAM CHOOSES NOWSECURE
    § Known and reputable (strong reputation)
    § Dedicated and experienced teams
    § Black-box testing minimizes stress on the development team
    § Continuous testing keeps us protected between certifications
  • 14. HOW VAPORSTREAM USES NOWSECURE TODAY
    § Started with initial certification in 2014
    § Recertify every year
    § Work certification recommendations into product releases
    § Apply NowSecure AUTO to every store release as part of our standard QA process
    § Use our NowSecure Certification as third-party validation
    § Vaporstream differentiation
  • 15. VAPORSTREAM NOWSECURE CERTIFIED
  • 16. VAPORSTREAM RECOMMENDED BEST PRACTICES
    1. Design for security
    2. Test from first prototype
    3. Incorporate security testing into your regular QA cycle
    4. Prepare for enterprise customer security audits
      § Document internal procedures
      § Hoard certifications
  • 17. NOWSECURE – DELIVERING SECURE MOBILE APPS FASTER
    § Automated mobile AppSec testing optimized for speed, accuracy, integration; powers security in Agile & DevOps teams
    § Expert pen testing, app certification & training
    § Advanced expert research & engineering teams; wrote the book on mobile forensics; trusted by the world's highest-security organizations
  • 18. NOWSECURE APPSEC TESTING COVERAGE CHECKLIST (AUTOMATED MOBILE APP SECURITY TESTING PLATFORM)
    § DATA IN MOTION: Man in the Middle: cert validation; Man in the Middle: cert pinning; Man in the Middle: HTTP connections; SSL downgrade; Unprotected TLS traffic; Cookie integrity; Certificate validity; App Transport Security; …
    § DATA AT REST: App files & log files; Keychain; SD card; World-writable files; World-readable files; RAM; Unencrypted credential storage; SQLite databases; Secure Enclave Processor; …
    § CODE FUNCTIONALITY: Development flags; Automatic Reference Counting; Stack smashing; Bad authentication/authorization; Root access; Path traversal; SQL injection; Vulnerable 3rd-party libraries; Heartbleed; Bad cryptography; Obfuscation; …
    Diagram: TEST APP over iOS APPS, iOS FRAMEWORKS, iOS NATIVE LIBRARIES, iOS Mach/XNU KERNEL, iOS HAL, HARDWARE; Data Center & App Backend; Network & Cloud Services
  • 19. NOWSECURE AUTOMATION PLATFORM
    § NowSecure AUTO: automated security testing in the SDLC for Dev, QA & Security teams
    § NowSecure WORKSTATION: deep pen testing analysis of complex, high-risk mobile apps for security analysts
    § NowSecure INTEL: public app store risk data for EMM, Threat & Security teams
    § NowSecure SERVICES: expert pen testing, training & mobile app security programs for app owners, Dev & Security teams
    Diagram labels: Continuous Integration; Continuous Monitoring; platform components: Data Repository, Dashboards & Reports, Advanced Configuration, Device Farm, Compliance Mapping, Analysis Engine
  • 20. PHASES OF SHIFTING LEFT WITH NOWSECURE
    Diagram of the dev cycle (Code Commit → Build Binary → Test Binary → Stage → Deploy → Production) with NowSecure touchpoints: Auto-Generate Issue Tickets; Auto-Test Every Build; On-Demand Auto Test; Monitor App Store; Annual/Periodic PEN Test
  • 21. INSIDE NOWSECURE MOBILE APP RISK SCORING
  • 22. INSIDE NOWSECURE MOBILE APP RISK SCORING
  • 23. NOWSECURE AUTO POWERS SECURE DEV TOOLCHAIN
    Fully automated mobile app security testing solution for Agile & DevOps
    § Shorten time-to-release with security baked in
    § Full "hands-free" automation
    § Rapid test results in minutes
    § Real-world tests on real iOS & Android devices
    § Highly accurate findings & developer-friendly remediation tips
    § Plug-in integration to the SDLC with no new tools for developers to learn
    § Auto test every build
    § Auto generate security tickets
    § Auto route info to all stakeholders
  • 24. NOWSECURE SERVICES EXPERTISE FOR SUCCESS
    Leverage our years of collective expertise in mobile app security; accelerate your mobile app security program
    § Expert setup & guidance
    § MAST program development
    § Dev & Security quarterly MAST training
    § Mobile AppSec staff augmentation
    § Expert pen testing & certification
    § +100 man-years experience; +1000 mobile apps tested; advanced MAST forensic skills
  • 25. NOWSECURE INTEGRATES WITH YOUR DEV TOOLCHAIN
    Diagram: tool categories (APP MANAGEMENT TOOLS, BUILD TOOLS, MOBILE APP STORES, VULNERABILITY MANAGEMENT, ISSUE TRACKING, MDM/EMM) exchanging Application Binary, Security Assessment, Build Status, Monitored Applications and Notifications with the platform (Data Repository, Dashboards & Reports, Advanced Configuration, Device Farm, Compliance Mapping, Analysis Engine). Logos shown: Archer, GitHub, MS VSTS, MobileIron, Circle CI, Xamarin, HockeyApp, TestFlight, App Store, Play Store
  • 26. THE PATH TO CONTINUOUS SECURITY (Maximizing Value & Performance)
    Timeline (1 mo, 3 mo, 6 mo, 12 mo): Manual Testing / PEN Test → PRE-RELEASE Test → ON DEMAND → Full CI/CD Integration
    § Integrate with SDLC infrastructure
    § Test every build every day
    § Auto-generate tickets from findings in local ticketing tool
    § Auto-route reports to risk & compliance stakeholders
    § Auto-route results & trends to management dashboard
    § Perform deep-dive investigations when needed
  • 27. OPEN Q&A. Use the "Ask a Question" tab below the slides. AVI ELKONI, COO/CTO, VAPORSTREAM; KRISTI PERDUE HINKLE, VAPORSTREAM; BRIAN REED, NOWSECURE