SlideShare a Scribd company logo

Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS

Download as PPTX, PDF
Lostar
Lostar

The presentation used at ISC2 2015 EMEA Security Congress

Technology
1 of 23
B.E.S.T.-Mobile Best Effort Security Testing for Mobile Apps Murat Lostar
About Murat Lostar @muratlostar • IT since 1986 • Full time security since 1998 • Based in Istanbul & Turkey • ISC2 - CISSP, ISSMP, CSSLP, CCSP
Extracted Data from Apple AppStore • 3 Industries: Finance, eCommerce, Social Media • 50 Applications: • Finance: Akbank, Bloomberg, Chase, ING, PayPal… • eCommerce: AliBaba, Amazon, eBay, Kliksa, n11… • Social Media: Ask.fm, BIP, Facebook, Instagram, Tango… • 1051 Revisions
Revision Age of Mobile Apps 0.00% 5.00% 10.00% 15.00% 20.00% 25.00% 30.00% 35.00% 0-3 4-7 8-15 16-31 32-63 64-127 128-255 256-511 512- eCommerce Finance Social Media Source: Apple n=1051
Average App Revision Count = 21.02 - 5.00 10.00 15.00 20.00 25.00 30.00 2009 2010 2011 2012 2013 2014 2015 Avg.TotalNumberofVersions First version relase year Source: Apple n=50 (1051)
App update period (days) 2 4 8 16 32 64 128 256 512 1024 2010 2011 2012 2013 2014 2015 2016 Source: Apple n=1051
The Situation • Mobile app development • Agile is ad-hoc standard • New app release is under pressure • Competition • OS updates & new devices • New version every … 16-31 days (& decreasing)
The Requirement • Detailed manual penetration testing for each version (before release) • If possible, source code review
The Situation for Mobile App Security • Testing (mobile) applications are • Expensive • Takes time & resources • Mostly perfomed periodically • Once a year • 4 times a year
Problem • Detailed penetration NOT POSSIBLE (each time) • Not enough time • Not enough resources • Not needed! • Most of the app is the same • Is it? • Each new version is subject to • Developer mistakes, • Security vulnerabilities (including re-appear) • Time pressure • Less user acceptance testing • Less developer & unit testing • Less code review
BEST-Mobile • Best Effort Security Testing for Mobile Applications • Continue periodical, detailed pen-testing... • For each new version: Perform mobile application security tests with best effort and best efficiency • Use: Automated tools & Security Testing as a Service
Question • Can we trust automated testing? • Is there enough investment on automated mobile vulnerability
Tool / Research Staff Counts 3 4 5 6 7 8 9 10 11 12 13 5 15 25 35 45 55 65 75 85 95 105 2010 2011 2012 2013 2014 2015 Staff Counts Tool Counts Data gathered from projects’ offical websites and GitHub accounts.
Data From Mobile App Testers • Source • OWASP – WhiteHat, Pure Hacking, Lostar, BugCrowd, SecureNetwork, Metaintelli • 2014 – Detected and reported issues, n=1065 • Overall 54% found by automated tools • How about risk level?
Top 10 Mobile Risks Exploitability Prevalence Detectability Impact BEST Capability* 1 Weak Server Side Controls Easy Common Average Severe 61% 2 Insecure Data Storage Easy Common Average Severe 64% 3 Insufficient Transport Layer Protection Difficult Common Easy Moderate 91% 4 Unintended Data Leakage Easy Common Easy Severe 24% 5 Poor Authorization and Authentication Easy Common Easy Severe %14
Top 10 Mobile Risks Exploitability Prevalence Detectability Impact BEST Capability* 6 Broken Cryptography Easy Common Easy Severe 90% 7 Client Side Injection Easy Common Easy Moderate No data 8 Security Decisions Via Untrusted Inputs Easy Common Easy Severe No data 9 Improper Session Handling Easy Common Easy Severe 16% 10 Lack of Binary Protections Medium Common Easy Severe 82%
Verdict • Automated testing can NOT replace manual mobile penetration testing and code review. • It can however, can be used to see the basics (i.e.Usefull in the sence of pareto rule)
Proposed Testing Process 1. Classify Mobile Applications • High, Medium, Low
Proposed Testing Process 2. Use Classification for Pre-Relase Security TestingClass Major Release Minor Release Regular Reviews High Pre: PenTest + Code Review Pre: PenTest (Opt/Post: Code Review) External (PenTest+Code Review) Medium Pre: PenTest (Opt/Post: Code Review) Pre: BEST (Opt/Post: PenTest) PenTest + Code Review Low Pre: BEST (Post PenTest) Pre/Post: BEST PenTest
Proposed Testing Process 3. Decision Matrix App Class Major Issue Minor Issue High Postpone to fix Postpone for Risk Advisory Board Medium Postpone for Risk Advisory Board Postpone to verify and decide Low Issue verification Deploy, then fix
Thank You @muratlostar
Next Step • Put BEST into mobile SDLC • Strategies • Send the beta product to BEST tool • Integrate BEST tool with Bug Tracking System • Create automated bug/issue entries for each finding • When • Ath the end of each sprint • Part of testing process

Recommended

Application Security - Making It Work
Application Security - Making It WorkApplication Security - Making It Work
Application Security - Making It WorkIANS
 
Positive Technologies Application Inspector
Positive Technologies Application InspectorPositive Technologies Application Inspector
Positive Technologies Application Inspectorqqlan
 
Just4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 - How to protect your web applicationsJust4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 - How to protect your web applicationsMagno Logan
 
Continuous Quality For a 5 Star Mobile Apps Delivery
Continuous Quality For a 5 Star Mobile Apps DeliveryContinuous Quality For a 5 Star Mobile Apps Delivery
Continuous Quality For a 5 Star Mobile Apps DeliveryPerfecto Mobile
 
Mobile App Testing Checklist
Mobile App Testing ChecklistMobile App Testing Checklist
Mobile App Testing ChecklistManoj Lonar
 
Mobile App Testing by Mark Wilson
Mobile App Testing by Mark WilsonMobile App Testing by Mark Wilson
Mobile App Testing by Mark Wilsonphpwgtn
 
Supply Chain Solutions for Modern Software Development
Supply Chain Solutions for Modern Software DevelopmentSupply Chain Solutions for Modern Software Development
Supply Chain Solutions for Modern Software DevelopmentSonatype
 
Penetration testing services
Penetration testing servicesPenetration testing services
Penetration testing servicesAlisha Henderson
 

Recommended

Application Security - Making It Work
Application Security - Making It WorkApplication Security - Making It Work
Application Security - Making It WorkIANS
 
Positive Technologies Application Inspector
Positive Technologies Application InspectorPositive Technologies Application Inspector
Positive Technologies Application Inspectorqqlan
 
Just4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 - How to protect your web applicationsJust4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 - How to protect your web applicationsMagno Logan
 
Continuous Quality For a 5 Star Mobile Apps Delivery
Continuous Quality For a 5 Star Mobile Apps DeliveryContinuous Quality For a 5 Star Mobile Apps Delivery
Continuous Quality For a 5 Star Mobile Apps DeliveryPerfecto Mobile
 
Mobile App Testing Checklist
Mobile App Testing ChecklistMobile App Testing Checklist
Mobile App Testing ChecklistManoj Lonar
 
Mobile App Testing by Mark Wilson
Mobile App Testing by Mark WilsonMobile App Testing by Mark Wilson
Mobile App Testing by Mark Wilsonphpwgtn
 
Supply Chain Solutions for Modern Software Development
Supply Chain Solutions for Modern Software DevelopmentSupply Chain Solutions for Modern Software Development
Supply Chain Solutions for Modern Software DevelopmentSonatype
 
Penetration testing services
Penetration testing servicesPenetration testing services
Penetration testing servicesAlisha Henderson
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure DevelopmentNazar Tymoshyk, CEH, Ph.D.
 
The State of Open Source Vulnerabilities - A WhiteSource Webinar
The State of Open Source Vulnerabilities - A WhiteSource WebinarThe State of Open Source Vulnerabilities - A WhiteSource Webinar
The State of Open Source Vulnerabilities - A WhiteSource WebinarWhiteSource
 
Roland van leusden mobile performance testing rtc 2014 v0.6
Roland van leusden mobile performance testing rtc 2014 v0.6Roland van leusden mobile performance testing rtc 2014 v0.6
Roland van leusden mobile performance testing rtc 2014 v0.6Romania Testing
 
Stephen janaway mobile testing - that's just a smaller screen, right
Stephen janaway mobile testing - that's just a smaller screen, rightStephen janaway mobile testing - that's just a smaller screen, right
Stephen janaway mobile testing - that's just a smaller screen, rightRomania Testing
 
Accelerating Innovation with Software Supply Chain Management
Accelerating Innovation with Software Supply Chain ManagementAccelerating Innovation with Software Supply Chain Management
Accelerating Innovation with Software Supply Chain ManagementSonatype
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...Kevin Fealey
 
Continuous Acceleration with a Software Supply Chain Approach
Continuous Acceleration with a Software Supply Chain ApproachContinuous Acceleration with a Software Supply Chain Approach
Continuous Acceleration with a Software Supply Chain ApproachSonatype
 
Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?London School of Cyber Security
 
A "Firewall" for Bad Binaries
A "Firewall" for Bad BinariesA "Firewall" for Bad Binaries
A "Firewall" for Bad BinariesSonatype
 
User Sentiment to Determine App Quality
User Sentiment to Determine App QualityUser Sentiment to Determine App Quality
User Sentiment to Determine App QualityApigee | Google Cloud
 
Mobile Test Coverage- Israel 4th meetup
Mobile Test Coverage- Israel 4th meetupMobile Test Coverage- Israel 4th meetup
Mobile Test Coverage- Israel 4th meetupPerfecto Mobile
 
Anomaly detection and root cause analysis in distributed application transact...
Anomaly detection and root cause analysis in distributed application transact...Anomaly detection and root cause analysis in distributed application transact...
Anomaly detection and root cause analysis in distributed application transact...Yuchen Zhao
 
Webinar - Developers Are Your Greatest AppSec Resource
Webinar - Developers Are Your Greatest AppSec ResourceWebinar - Developers Are Your Greatest AppSec Resource
Webinar - Developers Are Your Greatest AppSec ResourceSynopsys Software Integrity Group
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
 
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Phil Agcaoili
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemRogue Wave Software
 
OWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter MeetingOWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter MeetingPhil Agcaoili
 
Applicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramApplicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramMichael Davis
 
Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Securit...
Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Securit...Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Securit...
Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Securit...Chamila Wijayarathna
 
Juc oct 2014 final
Juc oct 2014 finalJuc oct 2014 final
Juc oct 2014 finalPerfecto Mobile
 
Mobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceMobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceNowSecure
 
Mobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeMobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeNowSecure
 

More Related Content

What's hot

The State of Open Source Vulnerabilities - A WhiteSource Webinar
The State of Open Source Vulnerabilities - A WhiteSource WebinarThe State of Open Source Vulnerabilities - A WhiteSource Webinar
The State of Open Source Vulnerabilities - A WhiteSource WebinarWhiteSource
 
Roland van leusden mobile performance testing rtc 2014 v0.6
Roland van leusden mobile performance testing rtc 2014 v0.6Roland van leusden mobile performance testing rtc 2014 v0.6
Roland van leusden mobile performance testing rtc 2014 v0.6Romania Testing
 
Stephen janaway mobile testing - that's just a smaller screen, right
Stephen janaway mobile testing - that's just a smaller screen, rightStephen janaway mobile testing - that's just a smaller screen, right
Stephen janaway mobile testing - that's just a smaller screen, rightRomania Testing
 
Accelerating Innovation with Software Supply Chain Management
Accelerating Innovation with Software Supply Chain ManagementAccelerating Innovation with Software Supply Chain Management
Accelerating Innovation with Software Supply Chain ManagementSonatype
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...Kevin Fealey
 
Continuous Acceleration with a Software Supply Chain Approach
Continuous Acceleration with a Software Supply Chain ApproachContinuous Acceleration with a Software Supply Chain Approach
Continuous Acceleration with a Software Supply Chain ApproachSonatype
 
A "Firewall" for Bad Binaries
A "Firewall" for Bad BinariesA "Firewall" for Bad Binaries
A "Firewall" for Bad BinariesSonatype
 
User Sentiment to Determine App Quality
User Sentiment to Determine App QualityUser Sentiment to Determine App Quality
User Sentiment to Determine App QualityApigee | Google Cloud
 
Mobile Test Coverage- Israel 4th meetup
Mobile Test Coverage- Israel 4th meetupMobile Test Coverage- Israel 4th meetup
Mobile Test Coverage- Israel 4th meetupPerfecto Mobile
 
Anomaly detection and root cause analysis in distributed application transact...
Anomaly detection and root cause analysis in distributed application transact...Anomaly detection and root cause analysis in distributed application transact...
Anomaly detection and root cause analysis in distributed application transact...Yuchen Zhao
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
 
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Phil Agcaoili
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemRogue Wave Software
 
OWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter MeetingOWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter MeetingPhil Agcaoili
 
Applicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramApplicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramMichael Davis
 
Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Securit...
Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Securit...Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Securit...
Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Securit...Chamila Wijayarathna
 

What's hot (20)

Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure Development
 
The State of Open Source Vulnerabilities - A WhiteSource Webinar
The State of Open Source Vulnerabilities - A WhiteSource WebinarThe State of Open Source Vulnerabilities - A WhiteSource Webinar
The State of Open Source Vulnerabilities - A WhiteSource Webinar
 
Roland van leusden mobile performance testing rtc 2014 v0.6
Roland van leusden mobile performance testing rtc 2014 v0.6Roland van leusden mobile performance testing rtc 2014 v0.6
Roland van leusden mobile performance testing rtc 2014 v0.6
 
Stephen janaway mobile testing - that's just a smaller screen, right
Stephen janaway mobile testing - that's just a smaller screen, rightStephen janaway mobile testing - that's just a smaller screen, right
Stephen janaway mobile testing - that's just a smaller screen, right
 
Accelerating Innovation with Software Supply Chain Management
Accelerating Innovation with Software Supply Chain ManagementAccelerating Innovation with Software Supply Chain Management
Accelerating Innovation with Software Supply Chain Management
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
 
Continuous Acceleration with a Software Supply Chain Approach
Continuous Acceleration with a Software Supply Chain ApproachContinuous Acceleration with a Software Supply Chain Approach
Continuous Acceleration with a Software Supply Chain Approach
 
Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?
 
A "Firewall" for Bad Binaries
A "Firewall" for Bad BinariesA "Firewall" for Bad Binaries
A "Firewall" for Bad Binaries
 
User Sentiment to Determine App Quality
User Sentiment to Determine App QualityUser Sentiment to Determine App Quality
User Sentiment to Determine App Quality
 
Mobile Test Coverage- Israel 4th meetup
Mobile Test Coverage- Israel 4th meetupMobile Test Coverage- Israel 4th meetup
Mobile Test Coverage- Israel 4th meetup
 
Anomaly detection and root cause analysis in distributed application transact...
Anomaly detection and root cause analysis in distributed application transact...Anomaly detection and root cause analysis in distributed application transact...
Anomaly detection and root cause analysis in distributed application transact...
 
Webinar - Developers Are Your Greatest AppSec Resource
Webinar - Developers Are Your Greatest AppSec ResourceWebinar - Developers Are Your Greatest AppSec Resource
Webinar - Developers Are Your Greatest AppSec Resource
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
 
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
OWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter MeetingOWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter Meeting
 
Applicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramApplicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit Program
 
Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Securit...
Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Securit...Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Securit...
Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Securit...
 
Juc oct 2014 final
Juc oct 2014 finalJuc oct 2014 final
Juc oct 2014 final
 

Viewers also liked

Mobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceMobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceNowSecure
 
Mobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeMobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeNowSecure
 
Mobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeMobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeNowSecure
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applicationsGTestClub
 

Viewers also liked (7)

Mobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceMobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic Menace
 
Mobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeMobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the Code
 
Mobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeMobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the Code
 
Security testing in mobile applications
Security testing in mobile applicationsSecurity testing in mobile applications
Security testing in mobile applications
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration Testing
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applications
 

Similar to Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS

Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Stefan Streichsbier
 
Why You’ll Care More About Mobile Security in 2020 - Tom Bain
Why You’ll Care More About Mobile Security in 2020 - Tom BainWhy You’ll Care More About Mobile Security in 2020 - Tom Bain
Why You’ll Care More About Mobile Security in 2020 - Tom BainEC-Council
 
Why You'll Care More About Mobile Security in 2020
Why You'll Care More About Mobile Security in 2020Why You'll Care More About Mobile Security in 2020
Why You'll Care More About Mobile Security in 2020tmbainjr131
 
Step by-step mobile testing approaches and strategies
Step by-step mobile testing approaches and strategiesStep by-step mobile testing approaches and strategies
Step by-step mobile testing approaches and strategiesAlisha Henderson
 
Best Practices for a Mature Application Security Program Webinar - February 2016
Best Practices for a Mature Application Security Program Webinar - February 2016Best Practices for a Mature Application Security Program Webinar - February 2016
Best Practices for a Mature Application Security Program Webinar - February 2016Security Innovation
 
Mobile Testing Trends and Innovations
Mobile Testing Trends and InnovationsMobile Testing Trends and Innovations
Mobile Testing Trends and InnovationsTechWell
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityAnne Oikarinen
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended CutMike Spaulding
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Programcentralohioissa
 
Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineMatt Tesauro
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestMatt Tesauro
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Mykhailo Antonishyn
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
TestElf Informational Presentation
TestElf Informational PresentationTestElf Informational Presentation
TestElf Informational PresentationTestElf
 
Scalar Security Roadshow April 2015
Scalar Security Roadshow April 2015Scalar Security Roadshow April 2015
Scalar Security Roadshow April 2015Scalar Decisions
 

Similar to Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS (20)

Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016
 
Why You’ll Care More About Mobile Security in 2020 - Tom Bain
Why You’ll Care More About Mobile Security in 2020 - Tom BainWhy You’ll Care More About Mobile Security in 2020 - Tom Bain
Why You’ll Care More About Mobile Security in 2020 - Tom Bain
 
Why You'll Care More About Mobile Security in 2020
Why You'll Care More About Mobile Security in 2020Why You'll Care More About Mobile Security in 2020
Why You'll Care More About Mobile Security in 2020
 
Step by-step mobile testing approaches and strategies
Step by-step mobile testing approaches and strategiesStep by-step mobile testing approaches and strategies
Step by-step mobile testing approaches and strategies
 
Best Practices for a Mature Application Security Program Webinar - February 2016
Best Practices for a Mature Application Security Program Webinar - February 2016Best Practices for a Mature Application Security Program Webinar - February 2016
Best Practices for a Mature Application Security Program Webinar - February 2016
 
Mobile Testing Trends and Innovations
Mobile Testing Trends and InnovationsMobile Testing Trends and Innovations
Mobile Testing Trends and Innovations
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Program
 
Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec Pipeline
 
Mobile Apps Security Testing -1
Mobile Apps Security Testing -1Mobile Apps Security Testing -1
Mobile Apps Security Testing -1
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
TestElf Informational Presentation
TestElf Informational PresentationTestElf Informational Presentation
TestElf Informational Presentation
 
Scalar Security Roadshow April 2015
Scalar Security Roadshow April 2015Scalar Security Roadshow April 2015
Scalar Security Roadshow April 2015
 
Many products-no-security (1)
Many products-no-security (1)Many products-no-security (1)
Many products-no-security (1)
 
Digital Assurance - Today & Tomorrow
Digital Assurance - Today & TomorrowDigital Assurance - Today & Tomorrow
Digital Assurance - Today & Tomorrow
 

More from Lostar

VERBİS'e kayıt nasıl yapılacak? KVKK - Lostar
VERBİS'e kayıt nasıl yapılacak? KVKK - LostarVERBİS'e kayıt nasıl yapılacak? KVKK - Lostar
VERBİS'e kayıt nasıl yapılacak? KVKK - LostarLostar
 
KVKK ve GDPR'a BT Uyumu
KVKK ve GDPR'a BT UyumuKVKK ve GDPR'a BT Uyumu
KVKK ve GDPR'a BT UyumuLostar
 
DDoS - Dağıtık Hizmet Engelleme Saldırıları
DDoS - Dağıtık Hizmet Engelleme SaldırılarıDDoS - Dağıtık Hizmet Engelleme Saldırıları
DDoS - Dağıtık Hizmet Engelleme SaldırılarıLostar
 
Bulut & Güvenlik - Güvence Nasıl Sağlanır?
Bulut & Güvenlik - Güvence Nasıl Sağlanır?Bulut & Güvenlik - Güvence Nasıl Sağlanır?
Bulut & Güvenlik - Güvence Nasıl Sağlanır?Lostar
 
Endüstri 4.0 Güvenliği
Endüstri 4.0 GüvenliğiEndüstri 4.0 Güvenliği
Endüstri 4.0 GüvenliğiLostar
 
IoT ve Güvenlik Ekim2017
IoT ve Güvenlik Ekim2017IoT ve Güvenlik Ekim2017
IoT ve Güvenlik Ekim2017Lostar
 
Endüstri 4.0 / Güvenlik 4.0
Endüstri 4.0 / Güvenlik 4.0Endüstri 4.0 / Güvenlik 4.0
Endüstri 4.0 / Güvenlik 4.0Lostar
 
Wannacry.Lostar
Wannacry.LostarWannacry.Lostar
Wannacry.LostarLostar
 
BLOCKCHAIN
BLOCKCHAINBLOCKCHAIN
BLOCKCHAINLostar
 
Dijitalleşme çağında bilgi güvenliği'nin önemli ve alınabilecek önlemler
Dijitalleşme çağında bilgi güvenliği'nin önemli ve alınabilecek önlemlerDijitalleşme çağında bilgi güvenliği'nin önemli ve alınabilecek önlemler
Dijitalleşme çağında bilgi güvenliği'nin önemli ve alınabilecek önlemlerLostar
 
Kişisel Verileri Koruma Kanunu (KVKK) - BT Uyumu
Kişisel Verileri Koruma Kanunu (KVKK) - BT UyumuKişisel Verileri Koruma Kanunu (KVKK) - BT Uyumu
Kişisel Verileri Koruma Kanunu (KVKK) - BT UyumuLostar
 
Herşeyin Güvenliği - Murat Lostar - 2.Bilişim Hukuku Zirvesi
Herşeyin Güvenliği - Murat Lostar - 2.Bilişim Hukuku ZirvesiHerşeyin Güvenliği - Murat Lostar - 2.Bilişim Hukuku Zirvesi
Herşeyin Güvenliği - Murat Lostar - 2.Bilişim Hukuku ZirvesiLostar
 
Bulut Bilişim Güvenliği Nasıl Ölçülür? Cloud Controls Matrix - Lostar
Bulut Bilişim Güvenliği Nasıl Ölçülür? Cloud Controls Matrix - LostarBulut Bilişim Güvenliği Nasıl Ölçülür? Cloud Controls Matrix - Lostar
Bulut Bilişim Güvenliği Nasıl Ölçülür? Cloud Controls Matrix - LostarLostar
 
Lostar Microsoft Zirve 2007 Guvenlik
Lostar Microsoft Zirve 2007 GuvenlikLostar Microsoft Zirve 2007 Guvenlik
Lostar Microsoft Zirve 2007 GuvenlikLostar
 
Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013
Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013
Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013Lostar
 
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013 Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013 Lostar
 
Tedarikçi Güvenliği için Yol Haritası
Tedarikçi Güvenliği için Yol HaritasıTedarikçi Güvenliği için Yol Haritası
Tedarikçi Güvenliği için Yol HaritasıLostar
 
Tedarikçi Kullanımı ve Riskler
Tedarikçi Kullanımı ve RisklerTedarikçi Kullanımı ve Riskler
Tedarikçi Kullanımı ve RisklerLostar
 
Yeni TTK Guvenlik
Yeni TTK GuvenlikYeni TTK Guvenlik
Yeni TTK GuvenlikLostar
 
Risk IT
Risk ITRisk IT
Risk ITLostar
 

More from Lostar (20)

VERBİS'e kayıt nasıl yapılacak? KVKK - Lostar
VERBİS'e kayıt nasıl yapılacak? KVKK - LostarVERBİS'e kayıt nasıl yapılacak? KVKK - Lostar
VERBİS'e kayıt nasıl yapılacak? KVKK - Lostar
 
KVKK ve GDPR'a BT Uyumu
KVKK ve GDPR'a BT UyumuKVKK ve GDPR'a BT Uyumu
KVKK ve GDPR'a BT Uyumu
 
DDoS - Dağıtık Hizmet Engelleme Saldırıları
DDoS - Dağıtık Hizmet Engelleme SaldırılarıDDoS - Dağıtık Hizmet Engelleme Saldırıları
DDoS - Dağıtık Hizmet Engelleme Saldırıları
 
Bulut & Güvenlik - Güvence Nasıl Sağlanır?
Bulut & Güvenlik - Güvence Nasıl Sağlanır?Bulut & Güvenlik - Güvence Nasıl Sağlanır?
Bulut & Güvenlik - Güvence Nasıl Sağlanır?
 
Endüstri 4.0 Güvenliği
Endüstri 4.0 GüvenliğiEndüstri 4.0 Güvenliği
Endüstri 4.0 Güvenliği
 
IoT ve Güvenlik Ekim2017
IoT ve Güvenlik Ekim2017IoT ve Güvenlik Ekim2017
IoT ve Güvenlik Ekim2017
 
Endüstri 4.0 / Güvenlik 4.0
Endüstri 4.0 / Güvenlik 4.0Endüstri 4.0 / Güvenlik 4.0
Endüstri 4.0 / Güvenlik 4.0
 
Wannacry.Lostar
Wannacry.LostarWannacry.Lostar
Wannacry.Lostar
 
BLOCKCHAIN
BLOCKCHAINBLOCKCHAIN
BLOCKCHAIN
 
Dijitalleşme çağında bilgi güvenliği'nin önemli ve alınabilecek önlemler
Dijitalleşme çağında bilgi güvenliği'nin önemli ve alınabilecek önlemlerDijitalleşme çağında bilgi güvenliği'nin önemli ve alınabilecek önlemler
Dijitalleşme çağında bilgi güvenliği'nin önemli ve alınabilecek önlemler
 
Kişisel Verileri Koruma Kanunu (KVKK) - BT Uyumu
Kişisel Verileri Koruma Kanunu (KVKK) - BT UyumuKişisel Verileri Koruma Kanunu (KVKK) - BT Uyumu
Kişisel Verileri Koruma Kanunu (KVKK) - BT Uyumu
 
Herşeyin Güvenliği - Murat Lostar - 2.Bilişim Hukuku Zirvesi
Herşeyin Güvenliği - Murat Lostar - 2.Bilişim Hukuku ZirvesiHerşeyin Güvenliği - Murat Lostar - 2.Bilişim Hukuku Zirvesi
Herşeyin Güvenliği - Murat Lostar - 2.Bilişim Hukuku Zirvesi
 
Bulut Bilişim Güvenliği Nasıl Ölçülür? Cloud Controls Matrix - Lostar
Bulut Bilişim Güvenliği Nasıl Ölçülür? Cloud Controls Matrix - LostarBulut Bilişim Güvenliği Nasıl Ölçülür? Cloud Controls Matrix - Lostar
Bulut Bilişim Güvenliği Nasıl Ölçülür? Cloud Controls Matrix - Lostar
 
Lostar Microsoft Zirve 2007 Guvenlik
Lostar Microsoft Zirve 2007 GuvenlikLostar Microsoft Zirve 2007 Guvenlik
Lostar Microsoft Zirve 2007 Guvenlik
 
Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013
Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013
Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013
 
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013 Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
 
Tedarikçi Güvenliği için Yol Haritası
Tedarikçi Güvenliği için Yol HaritasıTedarikçi Güvenliği için Yol Haritası
Tedarikçi Güvenliği için Yol Haritası
 
Tedarikçi Kullanımı ve Riskler
Tedarikçi Kullanımı ve RisklerTedarikçi Kullanımı ve Riskler
Tedarikçi Kullanımı ve Riskler
 
Yeni TTK Guvenlik
Yeni TTK GuvenlikYeni TTK Guvenlik
Yeni TTK Guvenlik
 
Risk IT
Risk ITRisk IT
Risk IT
 

Recently uploaded

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 

Recently uploaded (20)

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 

Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS

  • 1. B.E.S.T.-Mobile Best Effort Security Testing for Mobile Apps Murat Lostar
  • 2. About Murat Lostar @muratlostar • IT since 1986 • Full time security since 1998 • Based in Istanbul & Turkey • ISC2 - CISSP, ISSMP, CSSLP, CCSP
  • 3.
  • 4. Extracted Data from Apple AppStore • 3 Industries: Finance, eCommerce, Social Media • 50 Applications: • Finance: Akbank, Bloomberg, Chase, ING, PayPal… • eCommerce: AliBaba, Amazon, eBay, Kliksa, n11… • Social Media: Ask.fm, BIP, Facebook, Instagram, Tango… • 1051 Revisions
  • 5. Revision Age of Mobile Apps 0.00% 5.00% 10.00% 15.00% 20.00% 25.00% 30.00% 35.00% 0-3 4-7 8-15 16-31 32-63 64-127 128-255 256-511 512- eCommerce Finance Social Media Source: Apple n=1051
  • 6. Average App Revision Count = 21.02 - 5.00 10.00 15.00 20.00 25.00 30.00 2009 2010 2011 2012 2013 2014 2015 Avg.TotalNumberofVersions First version relase year Source: Apple n=50 (1051)
  • 7. App update period (days) 2 4 8 16 32 64 128 256 512 1024 2010 2011 2012 2013 2014 2015 2016 Source: Apple n=1051
  • 8. The Situation • Mobile app development • Agile is ad-hoc standard • New app release is under pressure • Competition • OS updates & new devices • New version every … 16-31 days (& decreasing)
  • 9. The Requirement • Detailed manual penetration testing for each version (before release) • If possible, source code review
  • 10. The Situation for Mobile App Security • Testing (mobile) applications are • Expensive • Takes time & resources • Mostly perfomed periodically • Once a year • 4 times a year
  • 11. Problem • Detailed penetration NOT POSSIBLE (each time) • Not enough time • Not enough resources • Not needed! • Most of the app is the same • Is it? • Each new version is subject to • Developer mistakes, • Security vulnerabilities (including re-appear) • Time pressure • Less user acceptance testing • Less developer & unit testing • Less code review
  • 12. BEST-Mobile • Best Effort Security Testing for Mobile Applications • Continue periodical, detailed pen-testing... • For each new version: Perform mobile application security tests with best effort and best efficiency • Use: Automated tools & Security Testing as a Service
  • 13. Question • Can we trust automated testing? • Is there enough investment on automated mobile vulnerability
  • 14. Tool / Research Staff Counts 3 4 5 6 7 8 9 10 11 12 13 5 15 25 35 45 55 65 75 85 95 105 2010 2011 2012 2013 2014 2015 Staff Counts Tool Counts Data gathered from projects’ offical websites and GitHub accounts.
  • 15. Data From Mobile App Testers • Source • OWASP – WhiteHat, Pure Hacking, Lostar, BugCrowd, SecureNetwork, Metaintelli • 2014 – Detected and reported issues, n=1065 • Overall 54% found by automated tools • How about risk level?
  • 16. Top 10 Mobile Risks Exploitability Prevalence Detectability Impact BEST Capability* 1 Weak Server Side Controls Easy Common Average Severe 61% 2 Insecure Data Storage Easy Common Average Severe 64% 3 Insufficient Transport Layer Protection Difficult Common Easy Moderate 91% 4 Unintended Data Leakage Easy Common Easy Severe 24% 5 Poor Authorization and Authentication Easy Common Easy Severe %14
  • 17. Top 10 Mobile Risks Exploitability Prevalence Detectability Impact BEST Capability* 6 Broken Cryptography Easy Common Easy Severe 90% 7 Client Side Injection Easy Common Easy Moderate No data 8 Security Decisions Via Untrusted Inputs Easy Common Easy Severe No data 9 Improper Session Handling Easy Common Easy Severe 16% 10 Lack of Binary Protections Medium Common Easy Severe 82%
  • 18. Verdict • Automated testing can NOT replace manual mobile penetration testing and code review. • It can however, can be used to see the basics (i.e.Usefull in the sence of pareto rule)
  • 19. Proposed Testing Process 1. Classify Mobile Applications • High, Medium, Low
  • 20. Proposed Testing Process 2. Use Classification for Pre-Relase Security TestingClass Major Release Minor Release Regular Reviews High Pre: PenTest + Code Review Pre: PenTest (Opt/Post: Code Review) External (PenTest+Code Review) Medium Pre: PenTest (Opt/Post: Code Review) Pre: BEST (Opt/Post: PenTest) PenTest + Code Review Low Pre: BEST (Post PenTest) Pre/Post: BEST PenTest
  • 21. Proposed Testing Process 3. Decision Matrix App Class Major Issue Minor Issue High Postpone to fix Postpone for Risk Advisory Board Medium Postpone for Risk Advisory Board Postpone to verify and decide Low Issue verification Deploy, then fix
  • 23. Next Step • Put BEST into mobile SDLC • Strategies • Send the beta product to BEST tool • Integrate BEST tool with Bug Tracking System • Create automated bug/issue entries for each finding • When • Ath the end of each sprint • Part of testing process

Editor's Notes

  1. AppUse: https://appsec-labs.com/appuse/ iAnalyzer: https://appsec-labs.com/iNalyzer/ Anubis: https://anubis.iseclab.org/ Akana: http://akana.mobiseclab.org/index.jsp Drozer: https://www.mwrinfosecurity.com/products/drozer/ Droidbox: https://github.com/pjlantz/droidbox Androguard: https://github.com/androguard/androguard Android Hooker: https://github.com/AndroidHooker/hooker Androwarn: https://github.com/maaaaz/androwarn/ YSO-Mobile-Security-Framework: https://github.com/ajinabraham/YSO-Mobile-Security-Framework IDB: http://www.idbtool.com/ Selenium for Android: https://github.com/selendroid/selendroid Vezir-Project: https://github.com/oguzhantopgul/Vezir-Project