© Copyright 2018 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
CASE STUDY: IRONCLAD MESSAGING & SECURE APP DEV FOR REGULATED INDUSTRIES
#MOBSEC5 - A WEEKLY MOBILE SECURITY NEWS UPDATE
www.nowsecure.com/go/subscribe
AGENDA
INTRODUCTIONS
MOBILE APP SECURITY LANDSCAPE
VAPORSTREAM CASE STUDY
NOWSECURE SOLUTIONS
RECOMMENDATIONS
Q&A
SPEAKERS
- AVI ELKONI, COO/CTO, VAPORSTREAM
- KRISTI PERDUE HINKLE, VAPORSTREAM
- BRIAN REED, NOWSECURE
HOW SAFE ARE YOUR MOBILE APPS?
Headlines shown on the slide:
- Web and app breach of PII and credit card data
- Mobile app breach exposing 20,000 customers
- Data breach reveals military training sites
NOWSECURE BENCHMARKS: BANKING & FINANCE
Score bands: 0-59 | 60-69 | 70-79 | 80-89 | 90-100, labelled High Risk, Caution and Low Risk
* Scoring algorithm based on industry-standard CVSS-scored findings
NowSecure score risk range: 46-100
A significant 10 of 100 apps (10%) fail with critical and high risks.
Identified failures: man-in-the-middle attack, invalid certificate, known vulnerable third-party libraries, unencrypted credentials/PII in local files or over HTTP.
NOWSECURE BENCHMARKS: RETAIL
Score bands: 0-59 | 60-69 | 70-79 | 80-89 | 90-100, labelled High Risk, Caution and Low Risk
* Scoring algorithm based on industry-standard CVSS-scored findings
NowSecure score risk range: 6-100
A shocking 27 of 80 apps (34%) fail with critical and high risks.
Identified failures: man-in-the-middle attack, invalid certificate, known vulnerable third-party libraries, unencrypted credentials/PII in local files or over HTTP.
INSIDE THE MOBILE ATTACK SURFACE
Device stack (iOS shown): APPS / iOS FRAMEWORKS / iOS NATIVE LIBRARIES / iOS Mach/XNU KERNEL / iOS HAL / HARDWARE
Back end: Data Center & App Backend; Network & Cloud Services
Test dimensions: CODE FUNCTIONALITY, DATA AT REST, DATA IN MOTION
Attack surface items listed on the slide:
- GPS spoofing
- Buffer overflow
- allowBackup flag
- allowDebug flag
- Code obfuscation
- Configuration manipulation
- Escalated privileges
- URL schemes
- GPS leaking
- Integrity/tampering/repacking
- Side channel attacks
- App signing key unprotected
- JSON-RPC
- Automatic Reference Counting
- Dynamic runtime injection
- Unintended permissions
- UI overlay/PIN stealing
- Intent hijacking
- Zip directory traversal
- Clipboard data
- World readable files
- Data caching
- Data stored in application directory
- Decryption of keychain
- Data stored in log files
- Data cached in memory/RAM
- Data stored on SD card
- OS data caching
- Passwords & data accessible
- No/weak encryption
- TEE/Secure Enclave Processor
- Side channel leak
- SQLite database
- Emulator variance
- Wi-Fi (no/weak encryption)
- Rogue access point
- Packet sniffing
- Man-in-the-middle
- Session hijacking
- DNS poisoning
- TLS downgrade
- Fake TLS certificate
- Improper TLS validation
- HTTP proxies
- VPNs
- Weak/no local authentication
- App Transport Security
- Transmitted to insecure server
- Zip files in transit
- Cookie "httpOnly" flag
- Cookie "secure" flag
- Android rooting/iOS jailbreak
- User-initiated code
- Confused deputy attack
- Media/file format parsers
- Insecure 3rd party libraries
- World writable files
- World writable executables
ABOUT VAPORSTREAM
- Founded in 2008
- Based in Chicago, IL
- Privately owned and backed by investors and VC funding
- Clients in Healthcare, Financial Services, Energy & Utilities, Higher Education, Government and more
- Vaporstream is a comprehensive and configurable platform that addresses a wide variety of use cases for secure communication
THE VAPORSTREAM SECURE COMMUNICATION PLATFORM
Vaporstream delivers a secure, ephemeral, compliant platform built to increase efficiency and revenue opportunities for the enterprise. While uniquely protecting sensitive data, Vaporstream automates processes to increase work team efficiency and create new levels of service delivery.
Vaporstream Platform components: Secure Messaging, Engage, Compliance, Analytics
SECURE COMMUNICATION USE CASES
- Healthcare
  - Patient care coordination
  - Patient engagement
  - Surgical workflow/instruction delivery
  - Billing/insurance submission
- All industries
  - Incident notification and response
  - Mass communications
  - Compliant, secure, leak-proof business messaging
  - Crisis and reputation management
  - Executive and board communication
  - Strategy, IP, legal, M&A, HR/recruiting
  - Financial transactions
  - International travel
  - Others
VAPORSTREAM’S MULTI-LAYERED SECURITY MODEL
Ephemerality
- Automated message expiration based on enterprise policy, group and user
- No footprint left on any device or server
- Shred on demand gives the sender ultimate control
Encryption
- Encryption of data in transit and at rest
- Keys and data always kept separate
Governance & Compliance
- Archive a single copy of messages to a client-specified repository to safeguard information for legal, regulatory and business requirements
- Client data remains under client control; never stored with the vendor
- Comprehensive audit logging and reporting
Advanced Controls
- Unique sender controls prevent data propagation to unintended recipients
- In-app camera keeps images out of iCloud and Google uploads; images are never stored on the device
- Screenshot detection and protection
- Message body / header separation
VAPORSTREAM MOBILE APPSEC TESTING REQUIREMENTS
1. Extensive black-box penetration testing
   - Apps
   - Platform
2. Dedicated staff for each platform
   - iOS
   - Android
3. Dedicated equipment
   - Jailbroken iOS devices
   - Rooted Android devices
4. Detailed reports with actionable findings
VAPORSTREAM CHOOSES NOWSECURE
- Known and reputable (strong reputation)
- Dedicated and experienced teams
- Black box testing minimizes stress on the development team
- Continuous testing keeps us protected between certifications
HOW VAPORSTREAM USES NOWSECURE TODAY
- Started with initial certification in 2014
- Recertify every year
- Work certification recommendations into product releases
- Apply NowSecure AUTO to every store release as part of our standard QA process
- Use our NowSecure Certification as third-party validation
- Vaporstream differentiation
VAPORSTREAM NOWSECURE CERTIFIED
VAPORSTREAM RECOMMENDED BEST PRACTICES
1. Design for security
2. Test from first prototype
3. Incorporate security testing into your regular QA cycle
4. Prepare for enterprise customer security audits
   - Document internal procedures
   - Hoard certifications
NOWSECURE – DELIVERING SECURE MOBILE APPS FASTER
Automated Mobile AppSec Testing
Optimized for Speed, Accuracy, Integration
Powers Security in Agile & DevOps Teams
Expert Pen Testing, App Certification & Training
Advanced Expert Research & Engineering Teams
Wrote the book on mobile forensics
Trusted by world’s highest security organizations
NOWSECURE APPSEC TESTING COVERAGE CHECKLIST
DATA IN MOTION
✓ Man in the Middle: Cert Validation
✓ Man in the Middle: Cert Pinning
✓ Man in the Middle: HTTP Connections
✓ SSL Downgrade
✓ Unprotected TLS traffic
✓ Cookie integrity
✓ Certificate Validity
✓ App Transport Security
✓ …
DATA AT REST
✓ App files & Log Files
✓ Keychain
✓ SD Card
✓ World Writable Files
✓ World Readable Files
✓ RAM
✓ Unencrypted credential storage
✓ SQLite Databases
✓ Secure Enclave Processor
✓ …
CODE FUNCTIONALITY
✓ Development flags
✓ Automatic Reference Counting
✓ Stack Smashing
✓ Bad Authentication/Authorization
✓ Root access
✓ Path Traversal
✓ SQL Injection
✓ Vulnerable 3rd party libraries
✓ Heartbleed
✓ Bad cryptography
✓ Obfuscation
✓ …
(Figure: the mobile attack surface diagram from the earlier slide, device stack from APPS down to HARDWARE plus Data Center & App Backend and Network & Cloud Services, captioned AUTOMATED MOBILE APP SECURITY TESTING PLATFORM)
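The checklist above and the attack surface slide both name development flags (allowBackup, allowDebug), App Transport Security and cleartext HTTP connections as items an automated testing platform should catch. The Python script below is an added example, not NowSecure or Vaporstream code, of what such static checks look like in practice: it parses an AndroidManifest.xml and an iOS Info.plist and reports the weak settings, including the platform defaults that apply when a flag is simply absent (allowBackup defaults to true, usesCleartextTraffic defaults to true below targetSdkVersion 28, the ATS minimum TLS version defaults to 1.2). The manifest, plist, package name and domain in the script are constructed for this demonstration.

```python
"""Static checks for development and transport-security flags in mobile app
metadata.  Added example (not NowSecure or Vaporstream code).  The sample
manifest and plist at the bottom are constructed for this demonstration."""
import plistlib
import xml.etree.ElementTree as ET

# ElementTree expands namespaced attributes to "{uri}name" keys.
ANDROID = "{http://schemas.android.com/apk/res/android}"


def _android_bool(elem, name, default):
    """Read android:<name> as a boolean, using the platform default when absent."""
    value = elem.get(ANDROID + name)
    if value is None:
        return default
    return value.strip().lower() == "true"


def check_android_manifest(manifest_xml):
    """Return a list of findings for an AndroidManifest.xml given as a string."""
    findings = []
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return ["manifest has no <application> element"]
    uses_sdk = root.find("uses-sdk")
    target_sdk = 1
    if uses_sdk is not None:
        target_sdk = int(uses_sdk.get(ANDROID + "targetSdkVersion", "1"))
    if _android_bool(app, "debuggable", False):
        findings.append("android:debuggable=true: debug flag set on the shipped build")
    # allowBackup defaults to true, so a missing attribute is also a finding.
    if _android_bool(app, "allowBackup", True):
        findings.append("android:allowBackup not set to false: app data is included in device backups")
    # usesCleartextTraffic defaults to true below targetSdkVersion 28 and false from 28 on.
    if _android_bool(app, "usesCleartextTraffic", target_sdk < 28):
        findings.append("cleartext HTTP permitted (usesCleartextTraffic is true or defaulted to true)")
    return findings


def check_info_plist(plist_bytes):
    """Return a list of findings for an iOS Info.plist given as XML plist bytes."""
    findings = []
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads", False):
        findings.append("NSAllowsArbitraryLoads=true: App Transport Security disabled globally")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads", False):
            findings.append("ATS exception permits plain HTTP to %s" % domain)
        # ATS requires TLS 1.2 unless an exception lowers it.
        min_tls = rules.get("NSExceptionMinimumTLSVersion", "TLSv1.2")
        if min_tls in ("TLSv1.0", "TLSv1.1"):
            findings.append("ATS exception lowers minimum TLS to %s for %s" % (min_tls, domain))
    return findings


# Constructed sample inputs (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="26"/>
  <application android:label="Demo" android:debuggable="true"/>
</manifest>"""

HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-sdk android:minSdkVersion="24" android:targetSdkVersion="33"/>
  <application android:label="Demo" android:allowBackup="false"/>
</manifest>"""

SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.demo</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

if __name__ == "__main__":
    for label, result in (("weak manifest", check_android_manifest(SAMPLE_MANIFEST)),
                          ("hardened manifest", check_android_manifest(HARDENED_MANIFEST)),
                          ("Info.plist", check_info_plist(SAMPLE_PLIST))):
        print("%s: %d finding(s)" % (label, len(result)))
        for line in result:
            print("  - " + line)
```

Running the script reports three findings for the weak manifest, none for the hardened one, and three for the plist. A binary-only pipeline of the kind the deck describes would first extract the manifest from the APK (where it is stored as binary XML) and the Info.plist from the IPA; that extraction step is left to the build tooling here.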
NOWSECURE AUTOMATION PLATFORM
Modes: Continuous Integration, Continuous Monitoring
- NowSecure AUTO: automated security testing in the SDLC for Dev, QA & Security teams
- NowSecure WORKSTATION: deep pen testing analysis of complex, high-risk mobile apps for security analysts
- NowSecure INTEL: public app store risk data for EMM, threat & security teams
- NowSecure SERVICES: expert pen testing, training & mobile app security programs for app owners, dev & security teams
Shared platform components: Data Repository, Dashboards & Reports, Advanced Configuration, Device Farm, Compliance Mapping, Analysis Engine
PHASES OF SHIFTING LEFT WITH NOWSECURE
Dev cycle stages: Code Commit → Build Binary → Test Binary → Stage → Deploy → Production
NowSecure touch points along the cycle: Auto-Generate Issue Tickets; Auto-Test Every Build; On-Demand Auto Test; Monitor App Store; Annual/Periodic Pen Test
INSIDE NOWSECURE MOBILE APP RISK SCORING
NOWSECURE AUTO POWERS SECURE DEV TOOLCHAIN
Fully automated mobile app security testing solution for Agile & DevOps: shorten time-to-release with security baked in.
- Full "hands-free" automation
- Rapid test results in minutes
- Real-world tests on real iOS & Android devices
- Highly accurate findings & developer-friendly remediation tips
- Plug-in integration to the SDLC with no new tools for developers to learn
- Auto test every build
- Auto generate security tickets
- Auto route info to all stakeholders
NOWSECURE SERVICES EXPERTISE FOR SUCCESS
Leverage our years of collective expertise in mobile app security; accelerate your mobile app security program.
- Expert Setup & Guidance
- MAST Program Development
- Dev & Security Quarterly MAST Training
- Mobile AppSec Staff Augmentation
- Expert Pen Testing & Certification
- +100 man-years of experience
- +1000 mobile apps tested
- Advanced MAST forensic skills
NOWSECURE INTEGRATES WITH YOUR DEV TOOLCHAIN
Toolchain categories: App Management Tools, Build Tools, Mobile App Stores, Vulnerability Management, Issue Tracking, MDM/EMM
Exchanged with the toolchain: Application Binary, Security Assessment, Build Status, Monitored Applications, Notifications
Platform components: Data Repository, Dashboards & Reports, Advanced Configuration, Device Farm, Compliance Mapping, Analysis Engine
Logos shown: Archer, GitHub, MS VSTS, MobileIron, Circle CI, Xamarin, HockeyApp, TestFlight, App Store, Play Store
THE PATH TO CONTINUOUS SECURITY
Maturity stages over time (1 mo, 3 mo, 6 mo, 12 mo): Manual Testing / Pen Test → Pre-Release Test → On-Demand Test → Full CI/CD Integration (Maximizing Value & Performance)
- Integrate with SDLC infrastructure
- Test every build every day
- Auto-generate tickets from findings in the local ticketing tool
- Auto-route reports to risk & compliance stakeholders
- Auto-route results & trends to the management dashboard
- Perform deep-dive investigations when needed
OPEN Q&A
Use the "Ask a Question" tab below the slides
- AVI ELKONI, COO/CTO, VAPORSTREAM
- KRISTI PERDUE HINKLE, VAPORSTREAM
- BRIAN REED, NOWSECURE

Vetting Mobile Apps for Corporate Use: Security Essentials
 
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
 
Delivering secure mobile financial services (MFS) - "Frictionless" vs diligence
Delivering secure mobile financial services (MFS) - "Frictionless" vs diligenceDelivering secure mobile financial services (MFS) - "Frictionless" vs diligence
Delivering secure mobile financial services (MFS) - "Frictionless" vs diligence
 
Next-level mobile app security: A programmatic approach
Next-level mobile app security: A programmatic approachNext-level mobile app security: A programmatic approach
Next-level mobile app security: A programmatic approach
 
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...
 
Cybersecurity Fundamentals for Bar Associations
Cybersecurity Fundamentals for Bar AssociationsCybersecurity Fundamentals for Bar Associations
Cybersecurity Fundamentals for Bar Associations
 
Mobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeMobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the Code
 

Recently uploaded

Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
ThomasParaiso2
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 

Recently uploaded (20)

Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 

CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries

  • 1. © Copyright 2018 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. CASE STUDY: IRONCLAD MESSAGING & SECURE APP DEV FOR REGULATED INDUSTRIES
  • 2. #MOBSEC5 - A WEEKLY MOBILE SECURITY NEWS UPDATE: www.nowsecure.com/go/subscribe
  • 3. AGENDA: Introductions; Mobile app security landscape; Vaporstream case study; NowSecure solutions; Recommendations; Q&A. SPEAKERS: Avi Elkoni, COO/CTO, Vaporstream; Kristi Perdue Hinkle, Vaporstream; Brian Reed, NowSecure.
  • 4. HOW SAFE ARE YOUR MOBILE APPS? Headlines shown: web and app breach of PII & credit card data; mobile app breach exposing 20,000 customers; data breach reveals military training sites.
  • 5. NOWSECURE BENCHMARKS: BANKING & FINANCE. Score bands 0-59, 60-69, 70-79, 80-89 and 90-100, labelled High Risk, Caution and Low Risk (scoring algorithm based on industry-standard CVSS-scored findings). NowSecure score risk range: 46-100. A significant 10 of 100 apps (10%) fail with critical & high risks. Identified failures: man-in-the-middle attack, invalid certificate, known vulnerable 3rd-party libraries, unencrypted credentials/PII in local files or over HTTP.
  • 6. NOWSECURE BENCHMARKS: RETAIL. Score bands 0-59, 60-69, 70-79, 80-89 and 90-100, labelled High Risk, Caution and Low Risk (scoring algorithm based on industry-standard CVSS-scored findings). NowSecure score risk range: 6-100. A shocking 27 of 80 apps (34%) fail with critical & high risks. Identified failures: man-in-the-middle attack, invalid certificate, known vulnerable 3rd-party libraries, unencrypted credentials/PII in local files or over HTTP.
  • 7. INSIDE THE MOBILE ATTACK SURFACE (diagram; labels listed in reading order)
    Layers: iOS apps; iOS frameworks; iOS native libraries; iOS Mach/XNU kernel; iOS HAL; hardware. Test app. Data center & app backend. Network & cloud services.
    Columns: Code functionality; Data at rest; Data in motion.
    Items: GPS spoofing; buffer overflow; allowBackup flag; allowDebug flag; code obfuscation; configuration manipulation; escalated privileges; URL schemes; GPS leaking; integrity/tampering/repacking; side channel attacks; app signing key unprotected; JSON-RPC; Automatic Reference Counting; dynamic runtime injection; unintended permissions; UI overlay/PIN stealing; intent hijacking; zip directory traversal; clipboard data; world readable files; data caching; data stored in application directory; decryption of keychain; data stored in log files; data cached in memory/RAM; data stored in SD card; OS data caching; passwords & data accessible; no/weak encryption; TEE/Secure Enclave Processor; side channel leak; SQLite database; emulator variance; Wi-Fi (no/weak encryption); rogue access point; packet sniffing; man-in-the-middle; session hijacking; DNS poisoning; TLS downgrade; fake TLS certificate; improper TLS validation; HTTP proxies; VPNs; weak/no local authentication; App Transport Security; transmitted to insecure server; zip files in transit; cookie "httpOnly" flag; cookie "secure" flag; Android rooting/iOS jailbreak; user-initiated code; confused deputy attack; media/file format parsers; insecure 3rd-party libraries; world writable files; world writable executables.
  • 8. ABOUT VAPORSTREAM
    - Founded in 2008
    - Based in Chicago, IL
    - Privately owned and backed by investors and VC funding
    - Clients in Healthcare, Financial Services, Energy & Utilities, Higher Education, Government and more
    - Vaporstream is a comprehensive and configurable platform that addresses a wide variety of use cases for secure communication
  • 9. THE VAPORSTREAM SECURE COMMUNICATION PLATFORM
    Vaporstream delivers a secure, ephemeral, compliant platform built to increase efficiency and revenue opportunities for the enterprise. While uniquely protecting sensitive data, Vaporstream automates processes to increase work team efficiency and create new levels of service delivery.
    Platform components: Secure Messaging; Engage; Analytics; Compliance.
  • 10. SECURE COMMUNICATION USE CASES
    - Healthcare: patient care coordination; patient engagement; surgical workflow/instruction delivery; billing/insurance submission
    - All industries: incident notification and response; mass communications; compliant, secure, leak-proof business messaging; crisis and reputation management; executive and board communication; strategy, IP, legal, M&A, HR/recruiting; financial transactions; international travel; others
  • 11. VAPORSTREAM'S MULTI-LAYERED SECURITY MODEL
    - Ephemerality: automated message expiration based on enterprise policy, group and user; no footprint left on any device, nor server; shred on demand gives ultimate sender control
    - Encryption: encryption of data in transit and at rest; keys and data always kept separate
    - Governance & Compliance: archive a single copy of messages to a client-specified repository to safeguard information for legal, regulatory and business requirements; client data remains under client control, never stored with the vendor; comprehensive audit logging and reporting
    - Advanced Controls: unique sender controls prevent data propagation to unintended recipients; in-app camera keeps all images from upload to iCloud or Google, never stored on devices; screenshot detection and protection; message body/header separation
  • 12. VAPORSTREAM MOBILE APPSEC TESTING REQUIREMENTS
    1. Extensive black-box penetration testing: apps; platform
    2. Dedicated staff for each platform: iOS; Android
    3. Dedicated equipment: jailbroken iOS devices; rooted Android devices
    4. Detailed reports with actionable findings
  • 13. VAPORSTREAM CHOOSES NOWSECURE
    - Known and reputable (strong reputation)
    - Dedicated and experienced teams
    - Black-box testing minimizes stress on the development team
    - Continuous testing keeps us protected between certifications
  • 14. HOW VAPORSTREAM USES NOWSECURE TODAY
    - Started with initial certification in 2014
    - Recertify every year
    - Work certification recommendations into product releases
    - Apply NowSecure AUTO to every store release as part of our standard QA process
    - Use our NowSecure Certification as third-party validation: Vaporstream differentiation
  • 15. VAPORSTREAM NOWSECURE CERTIFIED (certification badge slide)
  • 16. VAPORSTREAM RECOMMENDED BEST PRACTICES
    1. Design for security
    2. Test from first prototype
    3. Incorporate security testing into your regular QA cycle
    4. Prepare for enterprise customer security audits: document internal procedures; hoard certifications
  • 17. NOWSECURE - DELIVERING SECURE MOBILE APPS FASTER
    - Automated mobile AppSec testing optimized for speed, accuracy and integration; powers security in Agile & DevOps teams
    - Expert pen testing, app certification & training
    - Advanced expert research & engineering teams; wrote the book on mobile forensics; trusted by the world's highest-security organizations
  • 18. NOWSECURE APPSEC TESTING COVERAGE CHECKLIST (automated mobile app security testing platform; checks are mapped onto the attack-surface diagram: code functionality, data at rest, data in motion; iOS apps, frameworks, native libraries, Mach/XNU kernel, HAL, hardware; test app; data center & app backend; network & cloud services)
    Data in motion: man in the middle: cert validation; man in the middle: cert pinning; man in the middle: HTTP connections; SSL downgrade; unprotected TLS traffic; cookie integrity; certificate validity; App Transport Security; ...
    Data at rest: app files & log files; keychain; SD card; world writable files; world readable files; RAM; unencrypted credential storage; SQLite databases; Secure Enclave Processor; ...
    Code functionality: development flags; Automatic Reference Counting; stack smashing; bad authentication/authorization; root access; path traversal; SQL injection; vulnerable 3rd-party libraries; Heartbleed; bad cryptography; obfuscation; ...
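Three of the checklist items on slide 18 (development flags, the HTTP connections check and App Transport Security; the allowBackup/allowDebug flags and App Transport Security also appear on the slide 7 attack surface) can be verified statically from the build artefacts before any dynamic test runs. The Python script below is an added example written for this page, not NowSecure or Vaporstream code: the AndroidManifest.xml and Info.plist contents are constructed samples showing the weak configuration next to the corrected one, and the finding identifiers it returns are hypothetical.

```python
"""Static configuration checks for three checklist items: development flags,
HTTP (cleartext) connections and App Transport Security.
Added example written for this page, not NowSecure or Vaporstream code.
The manifests and plists are constructed samples; finding IDs are hypothetical."""
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a build that shipped with every weak setting switched on.
WEAK_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-sdk android:targetSdkVersion="27"/>
  <application android:allowBackup="true" android:debuggable="true"
      android:usesCleartextTraffic="true"/>
</manifest>
"""

# Constructed sample: the same app with the settings corrected.
HARDENED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-sdk android:targetSdkVersion="28"/>
  <application android:allowBackup="false" android:usesCleartextTraffic="false"
      android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>
"""

# Constructed sample: Info.plist that turns App Transport Security off globally
# and also carries a per-domain plain-HTTP exception.
WEAK_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    </dict>
  </dict>
</dict></plist>
"""

# Constructed sample: no ATS dictionary at all, so the platform defaults apply.
HARDENED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.messenger</string>
</dict></plist>
"""


def _android_attr(elem, name):
    """Read an android:-namespaced attribute, or None when it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def check_android_manifest(manifest_xml):
    """Return finding IDs for the weak settings found in an AndroidManifest.xml."""
    findings = []
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return ["android:missing-application-element"]
    # debuggable="true" lets anyone with adb access attach a debugger and read
    # process memory; a release build must not carry it.
    if _android_attr(app, "debuggable") == "true":
        findings.append("android:debuggable")
    # allowBackup defaults to true when absent, so private app files can be
    # pulled with `adb backup` unless it is set to false explicitly.
    if _android_attr(app, "allowBackup") in (None, "true"):
        findings.append("android:allowBackup")
    # Cleartext HTTP: explicit "true" is a finding. When absent, the platform
    # default is "allowed" below targetSdkVersion 28 unless a network security
    # config overrides it.
    sdk = root.find("uses-sdk")
    target_sdk = 0
    if sdk is not None and _android_attr(sdk, "targetSdkVersion"):
        target_sdk = int(_android_attr(sdk, "targetSdkVersion"))
    cleartext = _android_attr(app, "usesCleartextTraffic")
    has_nsc = _android_attr(app, "networkSecurityConfig") is not None
    if cleartext == "true" or (cleartext is None and target_sdk < 28 and not has_nsc):
        findings.append("android:cleartext-traffic")
    return findings


def check_ios_ats(plist_bytes):
    """Return finding IDs for App Transport Security weakenings in an Info.plist."""
    findings = []
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    # Global bypass: every connection may use plain HTTP or weak TLS.
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append("ios:NSAllowsArbitraryLoads")
    # Per-domain bypasses are scoped, but each one is still an HTTP channel.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append("ios:insecure-http:" + domain)
    return findings


if __name__ == "__main__":
    print("weak manifest:      ", check_android_manifest(WEAK_MANIFEST))
    print("hardened manifest:  ", check_android_manifest(HARDENED_MANIFEST))
    print("weak Info.plist:    ", check_ios_ats(WEAK_INFO_PLIST))
    print("hardened Info.plist:", check_ios_ats(HARDENED_INFO_PLIST))
```

On a real app, run the manifest check against the merged manifest decoded from the APK (apktool produces one) rather than the source manifest, because targetSdkVersion is usually set in Gradle and only appears in the merged form. For iOS, take Info.plist out of the IPA; plistlib.loads reads both the XML and the binary plist format, so no conversion is needed. These checks catch the configuration-level findings only; whether the app actually validates certificates or pins them still needs the dynamic man-in-the-middle tests listed on the slide.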
  • 19. NOWSECURE AUTOMATION PLATFORM
    - NowSecure AUTO (continuous integration): automated security testing in the SDLC for dev, QA & security teams
    - NowSecure WORKSTATION: deep pen testing analysis of complex, high-risk mobile apps for security analysts
    - NowSecure INTEL (continuous monitoring): public app store risk data for EMM, threat & security teams
    - NowSecure SERVICES: expert pen testing, training & mobile app security programs for app owners, dev & security teams
    Shared platform components: data repository; dashboards & reports; advanced configuration; device farm; compliance mapping; analysis engine.
  • 20. PHASES OF SHIFTING LEFT WITH NOWSECURE
    Dev cycle: code commit -> build binary -> test binary -> stage -> deploy -> production.
    Security activities along the cycle: auto-test every build; auto-generate issue tickets; on-demand auto test; annual/periodic pen test; monitor app store.
  • 21. INSIDE NOWSECURE MOBILE APP RISK SCORING (image slide)
  • 22. INSIDE NOWSECURE MOBILE APP RISK SCORING, continued (image slide)
  • 23. NOWSECURE AUTO POWERS SECURE DEV TOOLCHAIN
    Fully automated mobile app security testing solution for Agile & DevOps; shorten time-to-release with security baked in.
    - Full "hands-free" automation
    - Rapid test results in minutes
    - Real-world tests on real iOS & Android devices
    - Highly accurate findings & developer-friendly remediation tips
    - Plug-in integration to the SDLC with no new tools for developers to learn
    - Auto test every build; auto generate security tickets; auto route info to all stakeholders
  • 24. NOWSECURE SERVICES: EXPERTISE FOR SUCCESS
    Leverage our years of collective expertise in mobile app security; accelerate your mobile app security program.
    - Expert setup & guidance
    - MAST program development
    - Dev & security quarterly MAST training
    - Mobile AppSec staff augmentation
    - Expert pen testing & certification
    - 100+ man-years of experience; 1000+ mobile apps tested; advanced MAST forensic skills
  • 25. NOWSECURE INTEGRATES WITH YOUR DEV TOOLCHAIN
    Integration categories: app management tools; build tools; mobile app stores; vulnerability management; issue tracking; MDM/EMM; ...
    Logos shown: Archer; GitHub; MS VSTS (shown twice); MobileIron; Circle CI; Xamarin; HockeyApp; TestFlight; App Store; Play Store.
    Flow labels: application binary -> security assessment -> build status; monitored applications; notifications. Platform components: data repository; dashboards & reports; advanced configuration; device farm; compliance mapping; analysis engine.
  • 26. THE PATH TO CONTINUOUS SECURITY (maximizing value & performance over 1, 3, 6 and 12 months)
    Stages: manual testing / pen test -> pre-release test -> on-demand -> full CI/CD integration.
    - Integrate with SDLC infrastructure
    - Test every build every day
    - Auto-generate tickets from findings in the local ticketing tool
    - Auto-route reports to risk & compliance stakeholders
    - Auto-route results & trends to a management dashboard
    - Perform deep-dive investigations when needed
  • 27. OPEN Q&A. Use the "Ask a Question" tab below the slides. Avi Elkoni, COO/CTO, Vaporstream; Kristi Perdue Hinkle, Vaporstream; Brian Reed, NowSecure.