Mobile Security Bug Parade 
Frank Köhntopp 
November 2014
WhoAmI 
frank.koehntopp@sap.com 
I work in SAP’s Products & Innovation Group, in the Security Validation Team 
– Perform independent security assessments on our products from a customer’s point of view 
– Assess product security quality and integration aspects of security under real-world conditions 
– Find security vulnerabilities before shipment 
© 2014 SAP AG or an SAP affiliate company. All rights reserved. 2
Mobile Security 
Why do we need to talk? 
http://media.kaspersky.com/en/IT_Security_Risks_Survey_2014_Global_report.pdf 
http://www.net-security.org/secworld.php?id=17358 
Mobile Security 
The attack surface 
Old school security 
Testing at the end of development 
Development of functionality
Static Analysis 
Dynamic Analysis 
Penetration Testing 
Customer Testing 
Automated Security Testing 
Helpful, but not enough 
Static Analysis
Dynamic Analysis
Architecture Flaws
TOP 10 Software Security Design Flaws 
• Earn or give, but never assume, trust
• Use an authentication mechanism that cannot be bypassed or tampered with
• Authorize after you authenticate
• Strictly separate data and control instructions
• Define an approach that ensures all data are explicitly validated
• Use cryptography correctly
• Identify sensitive data and how they should be handled
• Always consider the users
• Understand how integrating external components changes your attack surface
• Be flexible when considering future changes to objects and actors
http://cybersecurity.ieee.org/center-for-secure-design.html 
Old school security 
Welcome to 2014 
Broken Application
Bad People
Old school security 
Magic Crypto Fairy Dust 
• Shamir’s Law: Crypto is bypassed, not penetrated
https://www.flickr.com/photos/chelseamcnamara/4058966236 
Open Source 
Free != Secure 
Geer’s Law
Any security technology whose effectiveness can’t be empirically determined is indistinguishable from blind luck — Dan Geer
Bug Parade 
Stuff we found in SAP and Partner Products 
(Don’t worry – it’s all fixed now…)
Connecting to the server 
SSL for beginners 
Don’t let the users make security decisions 
They’re not particularly good at it… 
Flaws in login mechanisms 
30 years in, password handling is still difficult… 
OK button can only be pressed if password is correct == endless retries
Issues we found in several apps:
• No password complexity – “qqqqqqqq”
• Unlimited retries
• No lock on device lock
• Password change w/o old password
• Hints on logon errors
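As an added illustration (not code from the deck or from SAP), a server-side logon service that addresses the issues listed on this slide, and also the "stored encrypted" red flag on the later slide: a complexity check that rejects “qqqqqqqq”, a bounded retry counter with lockout enforced on the server rather than by the client's OK button, the old password required for a change, one generic error message for every failure, and one-way salted hashing instead of reversible storage. The policy numbers, user and password values, and the PBKDF2 parameters are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed policy values for this example; the slides give no numbers.
MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 300
MIN_PASSWORD_LEN = 8
GENERIC_ERROR = "Logon failed"   # one message for every failure: no hints

def password_is_acceptable(password):
    """Reject short or low-variety passwords such as 'qqqqqqqq'."""
    if len(password) < MIN_PASSWORD_LEN or len(set(password)) < 4:
        return False
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    return sum(classes) >= 3

def hash_password(password, salt=b""):
    """Salted, slow, one-way PBKDF2 hash: nothing here can be 'decrypted'."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_DUMMY_SALT, _DUMMY_HASH = hash_password("not-a-real-user")

class LoginService:
    def __init__(self):
        self._users = {}         # user -> (salt, pbkdf2 digest)
        self._fails = {}         # user -> consecutive failed attempts
        self._locked_until = {}  # user -> timestamp until which logon is refused

    def register(self, user, password):
        if not password_is_acceptable(password):
            return False
        self._users[user] = hash_password(password)
        return True

    def _verify(self, user, password):
        # Unknown users are compared against a dummy hash, so timing does not reveal them.
        salt, stored = self._users.get(user, (_DUMMY_SALT, _DUMMY_HASH))
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(candidate, stored) and user in self._users

    def login(self, user, password, now):
        # Returns (success, message); 'now' is a timestamp in seconds.
        if self._locked_until.get(user, 0.0) > now:
            return False, GENERIC_ERROR      # locked out: no retry at all
        if not self._verify(user, password):
            self._fails[user] = self._fails.get(user, 0) + 1
            if self._fails[user] >= MAX_ATTEMPTS:   # retries are bounded here
                self._locked_until[user] = now + LOCKOUT_SECONDS
                self._fails[user] = 0
            return False, GENERIC_ERROR
        self._fails[user] = 0
        return True, "OK"

    def change_password(self, user, old, new, now):
        # The old password is required, and the attempt counts like a logon.
        ok, _ = self.login(user, old, now)
        if not ok or not password_is_acceptable(new):
            return False
        self._users[user] = hash_password(new)
        return True
```

Note that the server decides every outcome from its own state; a client-side check of the password, as in the OK-button bug above, is simply not consulted.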
Storing the password 
Local storage is not the best idea 
Don’t trust the client 
They’re all liars! 
Sending the password to the server 
Inventing your own cryptography 
Those people thinking cryptography is hard? They’re right, actually… 
Developers *love* log files! 
Too much information 
No need to be overly specific 
http://www.cvedetails.com/vulnerability-list.php?vendor_id=45&product_id=887&version_id=89269&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=33&sha=f2380b70216e338e4fcf75882a55606c6b46cddc
Red Flags 
Favourite development quotes 
„But why would anybody do that…?“ 
„On the server we store the password encrypted with 2048 bits“ 
„It’s BASE64 encrypted“
What SAP does 
Help developers avoid bugs & flaws 
Understand Risk & Threats
Build it securely
Abuse, try to break & verify
React
How to do security the right way
• Consider the full solution
• Do Architecture Risk Analysis
• Defense in depth != do/buy EVERYTHING
• Each activity must add value in the context of the threat model
• Let your technology stack guide you, not a checklist
• It’s the only thing that works – think continuous delivery
Thank you 
Contact information: 
Frank Köhntopp 
SAP SE 
frank.koehntopp@sap.com 

2014 #sitnl Mobile Security Bug Parade
