How to scale mobile application security testing

•

2 likes•1,345 views

Mobile security testing during application development is difficult - but it doesn’t have to be. Director of Mobile Services Katie Strzempka highlights how you can incorporate automated mobile application security testing throughout every step of your app SDLC.

Mobile

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Connect with NowSecure
Connect with us on Twitter @NowSecureMobile / #SecureTalks
—
Learn more at https://nowsecure.com

Katie Strzempka
Services
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
● Author of IPhone and iOS Forensics
● Masters in Cyber Forensics and
Bachelors of Science in Computer
Technology from Purdue University
● @kstrzemp

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Contents
● 2016 NowSecure Mobile Security Report
● The Challenges Teams Face
● How You Can Scale

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
2016 NowSecure Mobile
Security Report
Released last week

© Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
400K APPS
We tested

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
25%of Android apps have at least one
high risk security or privacy flaw

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Percentage of Android Apps with Security Issues
Sensitive Data Leak Issues
Network Issues
File System Issues

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Business apps:
High risk issues exist within each app category
3x
more likely to leak
login credentials
more likely to leak login
credentials or email address
4x1.5xmore likely to include a
high risk vulnerability
Gaming apps: Social apps:

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
82%of devices tested by the
Vulnerability Test Suite for Android had
at least one of 25 vulnerabilities

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
The Challenges
Teams face a variety of challenges with security in the SDLC

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Teams are overwhelmed with security testing
100+Many enterprises have more than 100
unique, internal apps

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Source code analysis has too many false positives
● Testing reports more false
positives instead of identifying
actual issues
● Static only
● Misses key tests such as insecure
data storage or authentication
issues

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Teams lack a process for mobile
● App testing is repetitive and
takes time to manually set up
testing environments
● Inconsistent methods and
results across team members

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information..
Teams are finding vulnerabilities too late in the SDLC
The back-and-forth between
developers and analysts wastes
time and money

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
The longer you wait, the more it costs
Requirements /
Architecture
Coding Integration /
Component
Testing
System /
Acceptance
Testing
Production /
Post-Release
Source: National Institute of Standards and Technology
The cost for fixing
vulnerabilities is
30xhigher after an application has
been deployed

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
How to Scale
You can save time, money, and effort

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
What needs to be a part of the process for mobile?
● Structure a team that can integrate testing to be efficient
● Emphasize process and similar tools across teams
● Automation (both static and dynamic)
● Test early in the SDLC, with remediation recommendations built in

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information..
Lab Workstation
Analyst-driven mobile app security testing kit

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Lab Automated
Automated app analysis with continuous integration
● Heading to RSA Conference? Stop by our booth # 3235 for a live demo.
● Set up a demo. Contact us at www.nowsecure.com/contact.

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information..
Questions?
kstrzempka@nowsecure.com
+1 312.878.1100
@kstrzemp

What's hot

Originally presented on January 23, 2018 A comprehensive analysis of iOS and Android apps found that a staggering 85% of those apps fail one or more of the OWASP Mobile Top 10 criteria. Given that the average mobile device has over 89 mobile apps on it, what are the odds your employees have one or more of the apps and what’s the real risk to your business? Mobile apps power productivity in the modern business; don’t let a few bad apps bring it down.

85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?

NowSecure

Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

NowSecure

Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA

NowSecure

Cybersecurity Fundamentals for Bar Associations

NowSecure

Our threat research team spends every waking moment reverse-engineering and cracking mobile apps and devices to help organizations reduce mobile risk. Originally presented on October 24, 2017, mobile security expert and NowSecure founder Andrew Hoog explains the attacker’s point-of-view, what attackers are looking for in mobile banking or financial services apps, and what makes your mobile app an appetizing target. He then provides tips for deploying a mobile app security testing program to ensure you proactively plug security holes, squash privacy leaks, and fill compliance gaps in your mobile apps.

What attackers know about your mobile apps that you don’t: Banking & FinTech

NowSecure

Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...

NowSecure

Pegasus Spyware - What You Need to Know

Skycure

Webinar: Stopping evasive malware - how a cloud sandbox array works

Cyren, Inc

Splunk Discovery Day Dubai 2017 - Security Keynote

Splunk

Lookout pegasus-android-technical-analysis

Andrey Apuhtin

Developing a delivery pipeline means more than just adding automated deploys to the development cycle. To be successful, quality testing of all types must be incorporated throughout the process to ensure that problems aren’t slipping through. Those checks must include security, or you risk developing insecure software. Fortunately, the delivery pipeline opens up opportunities to add more security testing to the delivery process. Continuous integration builds can add static analysis tools to test for simple security errors and check if components with known vulnerabilities are being used. Gene Gotimer introduces several types of open-source and free security testing tools, that can be quickly added to a delivery pipeline. Security tools reduce the initial investment of both time and money, and help eliminate some barriers to adding security testing to the process.

Add Security Testing Tools to Your Delivery Pipeline

Gene Gotimer

If you still think Mobile Security is a thing of the future--think again. Millions of mobile devices worldwide were exposed in 2015 to vulnerabilities and advanced cyber-attacks including: No iOS Zone, XcodeGhost, Stagefright and SwiftKey to name just a few. Given 2015’s ultra-active cyber-risk front, we are sure 2016 has much more in store. In this webinar, Yair Amit, CTO and Co-founder at Skycure, wraps-up the state of mobile security in 2015 and shares his predictions for 2016.

Mobile Security - 2015 Wrap-up and 2016 Predictions

Skycure

A day in the life of a pentester

Cláudio André

Using Deception to Detect and Profile Hidden Threats

Satnam Singh

Mobile Security: 2016 Wrap-Up and 2017 Predictions

Skycure

Splunk Discovery Dusseldorf: September 2017 - Security Session

Splunk

SplunkLive! London Enterprise Security & UBA

Splunk

Deception in Cyber Security (League of Women in Cyber Security)

Phillip Maddux

With the transition from paper to electronic medical records, the threats and potential ramifications of network security risks to physician practices have skyrocketed. From liability for loss of patient data, to the rapidly emerging, office crippling threats of "Spear Phishing" attacks and "Ransomware," the likelihood of being affected is "when," not "if." This presentation includes an eye-opening primer of cybersecurity threats for small and medium sized practices and a roadmap to help protect patient records and practice viability. Ravi D Goel MD presented this talk at the 2016 American Academy of Ophthalmology Annual Meeting. #aao2016 ----- About Ravi Goel Ravi D. Goel graduated with a bachelor’s degree in ethics, politics, and economics from Yale University. He earned a medical degree from the Robert Wood Johnson Medical School and completed an ophthalmology residency at the Greater Baltimore Medical Center. Dr. Goel is in private practice in Cherry Hill, NJ, and a clinical instructor at the Wills Eye Hospital in Philadelphia. Dr. Goel is a past chair of the American Medical Association—Young Physicians Section. He is a recipient of the AMA Foundation Excellence in Medicine Leadership Award, the American Academy of Ophthalmology Achievement Award, and Secretariat Award. He is a past president of the New Jersey Academy of Ophthalmology. He is a member of the AMA Ophthalmology Section Council. He is also a member of the New Jersey Governors School Board of Overseers, director of the American Academy of Ophthalmic Executives and a member of the Yale University Development Council.

Cybersecurity 101 for Ophthalmology & Physician Practices

Ravi D. Goel, MD

The Threat Landscape in the Era of Directed Attacks - Webinar

Kaspersky

What's hot (20)

85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?

Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA

Cybersecurity Fundamentals for Bar Associations

What attackers know about your mobile apps that you don’t: Banking & FinTech

Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...

Pegasus Spyware - What You Need to Know

Webinar: Stopping evasive malware - how a cloud sandbox array works

Splunk Discovery Day Dubai 2017 - Security Keynote

Lookout pegasus-android-technical-analysis

Add Security Testing Tools to Your Delivery Pipeline

Mobile Security - 2015 Wrap-up and 2016 Predictions

A day in the life of a pentester

Using Deception to Detect and Profile Hidden Threats

Mobile Security: 2016 Wrap-Up and 2017 Predictions

Splunk Discovery Dusseldorf: September 2017 - Security Session

SplunkLive! London Enterprise Security & UBA

Deception in Cyber Security (League of Women in Cyber Security)

Cybersecurity 101 for Ophthalmology & Physician Practices

The Threat Landscape in the Era of Directed Attacks - Webinar

Viewers also liked

Cybersecurity Best Practices in Financial Services

John Rapa

Mobile Apps Security Testing -1

Krisshhna Daasaarii

Gursev kalra _mobile_application_security_testing - ClubHack2009

ClubHack

Mobile application security – effective methodology, efficient testing! hem...

owaspindia

Web and Mobile Application Security

Prateek Jain

Basic Guide For Mobile Application Testing

Sourabh Kasliwal

Security Testing Mobile Applications

Denim Group

The curious case of mobile app security.pptx

Ankit Giri

Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com

Idexcel Technologies

Mobile Application Security

cclark_isec

Mobile Application Security Testing (Static Code Analysis) of Android App

Abhilash Venkata

Security testing

baskar p

Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android and iOS Applications and supports both binaries (APK & IPA) and zipped source code. MobSF can also perform Web API Security testing with it's API Fuzzer that can do Information Gathering, analyze Security Headers, identify Mobile API specific vulnerabilities like XXE, SSRF, Path Traversal, IDOR, and other logical issues related to Session and API Rate Limiting.

Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...

Ajin Abraham

Viewers also liked (13)

Cybersecurity Best Practices in Financial Services

Mobile Apps Security Testing -1

Gursev kalra _mobile_application_security_testing - ClubHack2009

Mobile application security – effective methodology, efficient testing! hem...

Web and Mobile Application Security

Basic Guide For Mobile Application Testing

Security Testing Mobile Applications

The curious case of mobile app security.pptx

Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com

Mobile Application Security

Mobile Application Security Testing (Static Code Analysis) of Android App

Security testing

Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...

Similar to How to scale mobile application security testing

Katie Stzempka, VP of Customer Success & Services, shares some helpful guidance on how to launch and improve an internal mobile app security program. You'll learn: -- How to unite a disarray of tasks into a mobile app security testing process -- How to choose the right mobile app security testing tools for your maturity -- How to establish buy-in and collaborate with developers and your DevOps team

Next-level mobile app security: A programmatic approach

NowSecure

Vetting Mobile Apps for Corporate Use: Security Essentials

NowSecure

Add Security Testing Tools to Your Delivery Pipeline

TechWell

OWASP Mobile Top 10

NowSecure

A mobile app that’s vulnerable to man-in-the-middle (MITM) attacks can allow an attacker to capture, view, and modify sensitive traffic sent and received between the app and backend servers. At NowSecure, Michael Krueger and Tony Ramirez spend their days performing penetration tests on Android and iOS apps, which include exploiting MITM vulnerabilities and helping developers fix them. These slides are from a 30-minute webinar with Michael & Tony about MITM attacks on mobile apps and how to prevent them that will cover: -- Identifying man-in-the-middle vulnerabilities in mobile apps -- How to execute a mobile man-in-the-middle attack -- Right and wrong ways to implement certificate validation and certificate pinning

Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...

NowSecure

iOS and Android security: Differences you need to know

NowSecure

Mobile testing is getting harder—more devices, multiple operating systems, higher quality expectations, and shorter development cycles. How do you deal with these demands? In order to align mobile testing with product strategies and market goals, Tom Chavez says you first need to (1) know your users and how they will use your app. (2) Knowing the app and how users may actually be using it differently are key to testing to satisfy users—not the designers. (3) With test case matrices vastly larger than ever, prioritizing tests into “must-haves” and “nice-to-haves” is necessary to make the testing process manageable. With so many devices on the market, you have to (4) determine which are required for testing, which are optional, which to purchase, and which you might borrow or rent from a device cloud. Tom advises (5) how to know which tests to automate, which should remain manual, and (6) how back-end performance affects user experience. And finally, (7) know your edges. Learn the key strategies for mobile testing and this seven-step process with the tools you can use to deliver the testing to meet your project goals.

Seven Steps to Pragmatic Mobile Testing

TechWell

Originally Presenter October 18, 2018 Enterprise-grade ephemeral messaging provider Vaporstream knows firsthand that security needs to be built into the software development lifecycle rather than bolted on. Serving highly regulated industries such as federal government, energy, financial services and healthcare, Vaporstream’s leakproof communication platform provides the highest level of assurance that compliance professionals require. Vaporstream partners with NowSecure to test and certify its Android and iOS mobile messaging apps. This case study webinar covers how Vaporstream adheres to a rigorous secure app lifecycle in order to meet customer expectations for secure communications: + Designing a secure app architecture & development process + Incorporating security testing into the release cycle + Comprehensive penetration testing

CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries

NowSecure

Is your mobile website ready for load? Can your mobile app's back-end scale to service peak demand? Mobile web and app usage is growing at a breakneck pace! Between 2014 and 2015, traffic from mobile devices increased from 40% to 75% of total retail traffic, an increase of 35%. In 2015, mobile commerce accounted for $115 billion worldwide. At the end of this year, that number is projected to reach $142 billion. Join us at this webinar to learn: • The different types of mobile traffic generated by browsing and apps • How to load test your mobile web site for mobile browsers • Why mobile apps need load testing, too, and how to create tests Whether your peak time is Black Friday and Cyber Monday, monthly filing rush, quarterly reporting, annual open enrollment, tax filing, or any other peak, this webinar will give you the steps to build load tests so your mobile site and apps will be ready for mobile peak.

Webinar: How to Load Test for Your Mobile Peak

Jennifer Finney

“Mobile Test Coverage: It’s not just about the devices!" With the proliferation of mobile devices, there is a renewed discussion on Test Coverage as it relates to mobile functional testing. Many of our customers have taken a fresh look at their mobile strategy with a renewed focus on their test coverage strategy. What do they discover? That test coverage is not just about devices. Join us for an hour and we will walk you through the key areas that you need to focus on to keep your mobile strategy covered.

3 tips to increase mobile test coverage

SOASTA

Application Security - Making It Work

IANS

This webinar demonstrates how organizations can use the ThreadFix application vulnerability resolution platform to improve vulnerability resolution time and protect applications with Prevoty's RASP technology. Join Denim Group CTO and Principal Dan Cornell and Prevoty VP, Marketing and Product, Arpit Joshipura for a free webinar to learn more about these tools that can help application security teams. This webinar provides an overview how to use ThreadFix and Prevoty's RASP to run a high-efficiency, high visibility application security program.

Running a High-Efficiency, High-Visibility Application Security Program with...

Denim Group

Effective application security programs both highlight security requirements early in the development process and manage vulnerabilities throughout the development lifecycle. This webinar demonstrates how the SD Elements security requirements automation system can be integrated with the ThreadFix vulnerability resolution platform to provide end-to-end tracking throughout the SDLC. The combination increases both developer and security team productivity by providing a seamless way to enumerate security specifications and track development teams success in meeting these obligations, and the presentation provides insight into how the integrated system reduces the cost of developing and maintaining secure applications.

ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...

Denim Group

Original webinar: http://get.skycure.com/mobile-security-in-healthcare-webinar In this webinar, Jim Routh, CSO at Aetna, and Adi Sharabani, CEO and co-founder at Skycure, discuss: - The state of mobile security in Healthcare organizations - How to improve incident response and resilience of mHealth IT operations - How to leverage risk-based mobility to predict, detect and protect against threats

How Healthcare CISOs Can Secure Mobile Devices

Skycure

The Netsparker web application security scanner allows both development and security teams to easily test web applications for common security vulnerabilities. This webinar demonstrates how Netsparker can be used with the ThreadFix vulnerability resolution platform to correlate testing results, prioritize risk decisions based on data, and transition security vulnerabilities to development teams in the tools they’re already using. Combining the application vulnerability correlation capabilities of ThreadFix with the proof-based vulnerability scanning technology of Netsparker allows organizations to take a quantitative approach to addressing application security risk.

Optimizing Your Application Security Program with Netsparker and ThreadFix

Denim Group

Test Masters 2016 Spring Conference

Adam Sandman

Testing mobile apps is different. There are more form factors, more combinations, more complexity and more users. You need a checklist to be sure you don't overbuild or under test. SOASTA and Utopia have the experience and technology you need to be successful. Join this free webinar and learn: The most common mobile app issues Missed areas like app interrupts, poor connections and device settings When to automate for functionality and performance Technology for end-to-end mobile testing How to collect mobile user information for continuous improvement Utopia Solutions Founder and CTO, Lee Barnes and the SOASTA team will share customer experiences and demonstrations that will help you cross off every critical element of your mobile testing checklist.

The Mobile Testing Checklist

SOASTA

Crowdstrike And Guest Forrester Share Keys To Mastering The Endpoint CrowdStrike VP, Product Management Rod Murchison and guest speaker Chris Sherman, Forrester Research analyst, will discuss how modern approaches must balance prevention with detection capabilities in the context of an overall security strategy. Ultimately, this will give security professionals the ability to better deal with the influx of new device types and data access requirements while reducing the likelihood of compromise. In this CrowdCast, Forrester and CrowdStrike will present: - Forrester’s Targeted-Attack Hierarchy of Needs - The six core requirements to a successful endpoint security strategy - Preparing for and responding to targeted intrusions and attacks - How CrowdStrike lines up with Forrester’s Hierarchy of Needs framework

You Can't Stop The Breach Without Prevention And Detection

CrowdStrike

The webinar covers: • The origin and need for security and privacy in IoT devices • Elements of the IoT Trust Framework • Plans for implementation and certification This webinar was presented by Scott S. Perry CPA and Online Trust Alliance: Scott Perry is Principle of Scott S. Perry CPA, an expert with more than 25 years of experience as a manager, senior manager and director on the audit firms. A national consulting firm has led him to drive his own licensed, nationally operating CPA firm based in Bellevue, Washington specializing in Cybersecurity Audits. Craig Spiezle is Executive director of Online Trust Alliance (OTA), a recognized authority on trust and the convergence of privacy, security and interactive marketing promoting a privacy practices, balanced public policy, end-to-end security and data stewardship. Currently Craig is on board Identity Theft Council and a member of InfraGuard a partnership between the Federal Bureau of Investigation and private sector. Link of the recorded session published on YouTube: https://youtu.be/K3KZHWHO8bg

Creating Trust for the Internet of Things

PECB

SplunkLive! Zurich 2018: Use Splunk for Incident Response, Orchestration and ...

Splunk

Similar to How to scale mobile application security testing (20)

Next-level mobile app security: A programmatic approach

Vetting Mobile Apps for Corporate Use: Security Essentials

Add Security Testing Tools to Your Delivery Pipeline

OWASP Mobile Top 10

Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...

iOS and Android security: Differences you need to know

Seven Steps to Pragmatic Mobile Testing

CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries

Webinar: How to Load Test for Your Mobile Peak

3 tips to increase mobile test coverage

Application Security - Making It Work

Running a High-Efficiency, High-Visibility Application Security Program with...

ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...

How Healthcare CISOs Can Secure Mobile Devices

Optimizing Your Application Security Program with Netsparker and ThreadFix

Test Masters 2016 Spring Conference

The Mobile Testing Checklist

You Can't Stop The Breach Without Prevention And Detection

Creating Trust for the Internet of Things

SplunkLive! Zurich 2018: Use Splunk for Incident Response, Orchestration and ...

More from NowSecure

iOS recon with Radare2

NowSecure

Originally Recorded March 18, 2020 DevSecOps enthusiast D.J. Schleen unveils the latest updates to the DevSecOps Reference Architecture, an extensive chart of open-source tools and third-party applications that now includes mobile app pipelines. Join us to score your own copy and learn: + The most popular tools and integrations to automate and scale your pipeline + How and where mobile DevSecOps differs from web + Where to apply dynamic and interactive application security testing to speed app delivery

From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference Architecture

NowSecure

Originally Recorded July 19, 2019 Apple and Google’s forthcoming mobile operating systems boast a bevy of privacy features that enable users to seize more control of their personal data. NowSecure Mobile Security Analyst Tony Ramirez will dives into Android and iOS application security and privacy enhancements and what they mean for mobile DevSecOps teams. Join us to learn about: + Increased transparency and granularity over location tracking + New protections for sensitive information + Safer data exchanges in Android Q through TLS 1.3 encryption

Android Q & iOS 13 Privacy Enhancements

NowSecure

Originally presented June 24, 2019 https://www.nowsecure.com/resource/debunking-the-top-5-myths-about-mobile-appsec/ It’s hard to believe that mobile app stores are more than a decade old yet some crazy misconceptions about mobile application security still linger. Have you heard these before? - Testing mobile apps is the same as web apps - SAST is good enough for mobile, you don’t need DAST - Mobile apps are secure because Apple and Google security test them - Outsourcing a penetration test once per year is sufficient to mitigate risk Sort fact from fiction and learn how to ensure your mobile appsec program is on the right track. You may discover some surprising things about modern mobile application security.

Debunking the Top 5 Myths About Mobile AppSec

NowSecure

Hear Radare creator Sergi (Pancake) Alvarez conduct a deep dive of r2frida, a framework that combines the best of Frida and Radare. Frida and Radare are leading open-source reverse engineering tools sponsored by NowSecure. Targeting intermediate to advanced users and security analysts, this overview will highlight the r2frida plug-in architecture. Watch the webinar: http://bit.ly/2DBHt7M Watch this webinar to learn: + What dynamic and static techniques the individual tools provide to assist security analysts with reverse engineering; + Why r2frida’s plugin architecture eases the task of performing reverse engineering workflows; + How to create your own new plug-in.

OSS Tools: Creating a Reverse Engineering Plug-in for r2frida

NowSecure

Mobile penetration testing helps uncover app exploits and vulnerabilities and is a crucial component of risk assessment. However, many people fear the complexity and don’t know where to get started. It all begins with a solid plan of attack. NowSecure veterans of hundreds of mobile app pen tests will walk you through the process of assembling a pen testing playbook to hack your app. This webinar covers: +Tips and tricks for targeting common issues +The best tools for the job +How to document findings to close the loop on vulnerabilities.

Building a Mobile App Pen Testing Blueprint

NowSecure

Originally presented January 23, 2019 -https://www.brighttalk.com/webcast/15139/344870?utm_source=Slideshare&utm_medium=referral&utm_campaign=344870 2019 is already shaping up to be a standout year for mobile appsec and secure DevOps. If we can say anything with certainty, it’s that cybersecurity is unpredictable and the wave of DevSecOps is unstoppable. But we foresee intensifying concerns about digital privacy amidst high-profile breaches. This deck lists our predictions about what’s in store for our customers and the community in the year ahead. Our veteran industry leaders will prognosticate about developments in these areas: + Mobile ecosystem: OSes, devices, apps and app stores + Evolving mobile security threats + The rise of DevSecOps and the automation of everything + The disruptive economics of automating manual pen testing

Mobile App Security Predictions 2019

NowSecure

Originally Presented December 6, 2018 As DevOps teams seek to accelerate the mobile app dev pipeline, they rely on tools and best practices to gain speed. Because our engineering leader Jeff Fairman previously ran software development for a top online brokerage, he understands the challenges of scaling security testing to meet current demands. After discovering the NowSecure automated testing platform, Jeff Fairman was so impressed with the tech that he joined the company to help DevOps and security teams build and release safe mobile apps. Listen this webinar to learn: + Why you need dynamic application security (DAST) testing to flag vulnerabilities in the post-build phase + The unique requirements, toolchain options and best practices for secure mobile DevOps + How to combine continuous daily testing with outsourced pen testing.

Jeff's Journey: Best Practices for Securing Mobile App DevOps

NowSecure

Originally presented on September 19, 2018 Given the volume and velocity of mobile apps, there simply aren’t enough resources to test them all in the same manner. There has to be a better way. NowSecure introduces a new framework to help organizations craft a Risk-Based Mobile App Security Testing strategy. Watch the presentation here: https://www.nowsecure.com/webinars/a-risk-based-mobile-app-security-testing-strategy/

A Risk-Based Mobile App Security Testing Strategy

NowSecure

Android P Security Updates: What You Need to Know

NowSecure

Originally presented on June 12, 2018 Much of the improvements for iOS 12 focused on privacy and reliability. What prompted these changes and how will it affect the path forward? In this discussion, Tony Ramirez, Mobile Security Analyst, shares about the following: + Learnings & remediations from iOS 11 + Predictions coming out of WWDC + How we see the newest software update, iOS 12, affecting mobile app security testing

iOS 12 Preview - What You Need To Know

NowSecure

Originally Presented March 21, 2018 Most mobile app penetration tests or vulnerability assessments take anywhere from a couple of days to two weeks to deliver because of the manual approaches, brittle open source stacks in homegrown testing rigs and legacy application security testing (AST) tools. The shift to agile development common in mobile app development teams has left appsec testing behind. New mobile app builds are pushed daily, weekly or monthly, and appsec testing teams struggle to keep up. Each new build brings new code, including 3rd-party libraries, and with that code comes new potential vulnerabilities. Application security & testing teams - this one’s for you. If you’re looking for ways to join the agile approach and keep pace with the speed of your development team’s CI/CD pipeline, take stock of these 5 tips for mobile appsec testing and integrate them into your company’s workflow.

5 Tips for Agile Mobile App Security Testing

NowSecure

Mobile apps fall in scope for a number of regulatory requirements that govern the banking and financial services industries, such as: guidelines from the Federal Financial Institutions Examination Council (FFIEC), the Gramm–Leach–Bliley Act (GLBA), New York State cybersecurity requirements for financial services companies, the Payment Card Industry Data Security Standard (PCI DSS), the Sarbanes-Oxley Act, and more. Luckily, a repeatable mobile app security assessment program and standardized reporting go a long way in both achieving compliance objectives and securing mobile apps and data. Originally presented on August 22, 2017, NowSecure Security Solutions Engineer Brian Lawrence explains: -- How and where exactly mobile apps fall in scope for various compliance regimes -- Mobile app security issues financial institutions must identify and fix for compliance purposes -- How assessment reports can be used to demonstrate due diligence

Solving for Compliance: Mobile app security for banking and financial services

NowSecure

The amount of data collected by mobile devices and apps is shocking, and vulnerable mobile apps expose that data to compromise. In our static and dynamic analysis of hundreds-of-thousands of mobile apps, we found that 25 percent of them harbor at least one high-risk vulnerability such as collecting/transmitting location data, credentials, and more in cleartext. Mobile data may only be as secure as the weakest app on someone’s device. Mobile app developers need to protect the users of their apps by building high quality, secure apps. This presentation covers the most common mobile app vulnerabilities (including a real-world demonstration), how to identify those vulnerabilities, and what to do to remediate them. Slides from NowSecure Senior Solutions Engineer Jon Porter's talk at the OWASP Denver Chapter's July 2017 meeting.

Leaky Mobile Apps: What You Need to Know

NowSecure

Delivering secure mobile financial services (MFS) - "Frictionless" vs diligence

NowSecure

This is an encore presentation of NowSecure CEO Andrew Hoog’s talk “How Android and iOS Security Enhancements Complicate Threat Detection” from RSA Conference 2017. You'll learn about: + Five security enhancements in the Android and iOS platforms that present obstacles to defenders and incident responders + Tips on overcoming those challenges + The open-source Mobile Triage toolset that facilitates the collection of mobile threat and vulnerability data

How Android and iOS Security Enhancements Complicate Threat Detection

NowSecure

Mobile Penetration Testing: Episode III - Attack of the Code

NowSecure

In this, the second, episode of our mobile penetration testing trilogy, NowSecure Solutions Engineer Michael Krueger takes you beyond the device. Michael will explain how to perform network and web services/API testing to capture data exposed in transit between apps and backend services -- some of the highest risk security flaws around. This high intensity 30-minute crash course covers: + Man-in-the-middle (MITM) attacks + Taking advantage of improper certificate validation + Demonstration of a privilege escalation exploit of a web back-end vulnerability Watch it here: https://youtu.be/bT1-7ZkSdNY

Mobile Penetration Testing: Episode II - Attack of the Code

NowSecure

Mobile Penetration Testing: Episode 1 - The Forensic Menace

NowSecure

More from NowSecure (19)

iOS recon with Radare2

From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference Architecture

Android Q & iOS 13 Privacy Enhancements

Debunking the Top 5 Myths About Mobile AppSec

OSS Tools: Creating a Reverse Engineering Plug-in for r2frida

Building a Mobile App Pen Testing Blueprint

Mobile App Security Predictions 2019

Jeff's Journey: Best Practices for Securing Mobile App DevOps

A Risk-Based Mobile App Security Testing Strategy

Android P Security Updates: What You Need to Know

iOS 12 Preview - What You Need To Know

5 Tips for Agile Mobile App Security Testing

Solving for Compliance: Mobile app security for banking and financial services

Leaky Mobile Apps: What You Need to Know

Delivering secure mobile financial services (MFS) - "Frictionless" vs diligence

How Android and iOS Security Enhancements Complicate Threat Detection

Mobile Penetration Testing: Episode III - Attack of the Code

Mobile Penetration Testing: Episode II - Attack of the Code

Mobile Penetration Testing: Episode 1 - The Forensic Menace

Recently uploaded

Mobile Application Development-Android and It’s Tools

ChandrakantDivate1

Mobile Application Development-Components and Layouts

ChandrakantDivate1

Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)

Cara Menggugurkan Kandungan 087776558899

Android Application Components with Implementation & Examples

ChandrakantDivate1

Mobile App Penetration Testing Bsides312

wphillips114

low price Call ☎️ 74796/13122 me 100%genuine 👥 sexy VIP call girl safe service 24hours📞74796/13122 call me ✅ 100% genuine young 🙋 college girl and housewife 💋 Full enjoy open minded girl provide 24hour 🕰️ full cooperative model and full satisfactions☎️74796/13122⭐Escorts service █▬█⓿▀█▀ call girls and bhabhi available for room Sex and video call service A-1 HIGH CLASS CALL GIRLS TOP MODEL 24X7 HOME/HOTEL Call Girls Safe & Secure High Class Sm Affordable Rate 100% Satisfaction, Unlimited Enjoyment. Any Time for Model/Escort in High class luxury and premium Get High Profile queens , Well Educated , Good Looking , Full Cooperative Model Services

Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...

nishasame66

Recently uploaded (6)

Mobile Application Development-Android and It’s Tools

Mobile Application Development-Components and Layouts

Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)

Android Application Components with Implementation & Examples

Mobile App Penetration Testing Bsides312

Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...

How to scale mobile application security testing

2. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Connect with NowSecure Connect with us on Twitter @NowSecureMobile / #SecureTalks — Learn more at https://nowsecure.com

3. Katie Strzempka Services © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. ● Author of IPhone and iOS Forensics ● Masters in Cyber Forensics and Bachelors of Science in Computer Technology from Purdue University ● @kstrzemp

9. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Business apps: High risk issues exist within each app category 3x more likely to leak login credentials more likely to leak login credentials or email address 4x1.5xmore likely to include a high risk vulnerability Gaming apps: Social apps:

13. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Source code analysis has too many false positives ● Testing reports more false positives instead of identifying actual issues ● Static only ● Misses key tests such as insecure data storage or authentication issues

14. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Teams lack a process for mobile ● App testing is repetitive and takes time to manually set up testing environments ● Inconsistent methods and results across team members

15. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.. Teams are finding vulnerabilities too late in the SDLC The back-and-forth between developers and analysts wastes time and money

16. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. The longer you wait, the more it costs Requirements / Architecture Coding Integration / Component Testing System / Acceptance Testing Production / Post-Release Source: National Institute of Standards and Technology The cost for fixing vulnerabilities is 30xhigher after an application has been deployed

18. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. What needs to be a part of the process for mobile? ● Structure a team that can integrate testing to be efficient ● Emphasize process and similar tools across teams ● Automation (both static and dynamic) ● Test early in the SDLC, with remediation recommendations built in

20. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Lab Automated Automated app analysis with continuous integration ● Heading to RSA Conference? Stop by our booth # 3235 for a live demo. ● Set up a demo. Contact us at www.nowsecure.com/contact.

How to scale mobile application security testing

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (13)

Similar to How to scale mobile application security testing

Similar to How to scale mobile application security testing (20)

More from NowSecure

More from NowSecure (19)

Recently uploaded

Recently uploaded (6)

How to scale mobile application security testing