Jeff's Journey: Best Practices for Securing Mobile App DevOps
•
0 likes•412 views
Originally Presented December 6, 2018 As DevOps teams seek to accelerate the mobile app dev pipeline, they rely on tools and best practices to gain speed. Because our engineering leader Jeff Fairman previously ran software development for a top online brokerage, he understands the challenges of scaling security testing to meet current demands. After discovering the NowSecure automated testing platform, Jeff Fairman was so impressed with the tech that he joined the company to help DevOps and security teams build and release safe mobile apps. Listen this webinar to learn: + Why you need dynamic application security (DAST) testing to flag vulnerabilities in the post-build phase + The unique requirements, toolchain options and best practices for secure mobile DevOps + How to combine continuous daily testing with outsourced pen testing.
Report
Share
Report
Share
Download to read offline
Recommended
From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference Architecture
Originally Recorded March 18, 2020
DevSecOps enthusiast D.J. Schleen unveils the latest updates to the DevSecOps Reference Architecture, an extensive chart of open-source tools and third-party applications that now includes mobile app pipelines. Join us to score your own copy and learn:
+ The most popular tools and integrations to automate and scale your pipeline
+ How and where mobile DevSecOps differs from web
+ Where to apply dynamic and interactive application security testing to speed app delivery
Android Q & iOS 13 Privacy Enhancements
Originally Recorded July 19, 2019
Apple and Google’s forthcoming mobile operating systems boast a bevy of privacy features that enable users to seize more control of their personal data.
NowSecure Mobile Security Analyst Tony Ramirez will dives into Android and iOS application security and privacy enhancements and what they mean for mobile DevSecOps teams. Join us to learn about:
+ Increased transparency and granularity over location tracking
+ New protections for sensitive information
+ Safer data exchanges in Android Q through TLS 1.3 encryption
Debunking the Top 5 Myths About Mobile AppSec
Originally presented June 24, 2019
https://www.nowsecure.com/resource/debunking-the-top-5-myths-about-mobile-appsec/
It’s hard to believe that mobile app stores are more than a decade old yet some crazy misconceptions about mobile application security still linger.
Have you heard these before?
- Testing mobile apps is the same as web apps
- SAST is good enough for mobile, you don’t need DAST
- Mobile apps are secure because Apple and Google security test them
- Outsourcing a penetration test once per year is sufficient to mitigate risk
Sort fact from fiction and learn how to ensure your mobile appsec program is on the right track. You may discover some surprising things about modern mobile application security.
OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
Hear Radare creator Sergi (Pancake) Alvarez conduct a deep dive of r2frida, a framework that combines the best of Frida and Radare. Frida and Radare are leading open-source reverse engineering tools sponsored by NowSecure. Targeting intermediate to advanced users and security analysts, this overview will highlight the r2frida plug-in architecture.
Watch the webinar: http://bit.ly/2DBHt7M
Watch this webinar to learn:
+ What dynamic and static techniques the individual tools provide to assist security analysts with reverse engineering;
+ Why r2frida’s plugin architecture eases the task of performing reverse engineering workflows;
+ How to create your own new plug-in.
Building a Mobile App Pen Testing Blueprint
Mobile penetration testing helps uncover app exploits and vulnerabilities and is a crucial component of risk assessment. However, many people fear the complexity and don’t know where to get started.
It all begins with a solid plan of attack. NowSecure veterans of hundreds of mobile app pen tests will walk you through the process of assembling a pen testing playbook to hack your app.
This webinar covers:
+Tips and tricks for targeting common issues
+The best tools for the job
+How to document findings to close the loop on vulnerabilities.
Mobile App Security Predictions 2019
Originally presented January 23, 2019 -https://www.brighttalk.com/webcast/15139/344870?utm_source=Slideshare&utm_medium=referral&utm_campaign=344870
2019 is already shaping up to be a standout year for mobile appsec and secure DevOps. If we can say anything with certainty, it’s that cybersecurity is unpredictable and the wave of DevSecOps is unstoppable. But we foresee intensifying concerns about digital privacy amidst high-profile breaches.
This deck lists our predictions about what’s in store for our customers and the community in the year ahead. Our veteran industry leaders will prognosticate about developments in these areas:
+ Mobile ecosystem: OSes, devices, apps and app stores
+ Evolving mobile security threats
+ The rise of DevSecOps and the automation of everything
+ The disruptive economics of automating manual pen testing
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
Originally Presenter October 18, 2018
Enterprise-grade ephemeral messaging provider Vaporstream knows firsthand that security needs to be built into the software development lifecycle rather than bolted on. Serving highly regulated industries such as federal government, energy, financial services and healthcare, Vaporstream’s leakproof communication platform provides the highest level of assurance that compliance professionals require. Vaporstream partners with NowSecure to test and certify its Android and iOS mobile messaging apps.
This case study webinar covers how Vaporstream adheres to a rigorous secure app lifecycle in order to meet customer expectations for secure communications:
+ Designing a secure app architecture & development process
+ Incorporating security testing into the release cycle
+ Comprehensive penetration testing
Recommended
From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference Architecture
Originally Recorded March 18, 2020
DevSecOps enthusiast D.J. Schleen unveils the latest updates to the DevSecOps Reference Architecture, an extensive chart of open-source tools and third-party applications that now includes mobile app pipelines. Join us to score your own copy and learn:
+ The most popular tools and integrations to automate and scale your pipeline
+ How and where mobile DevSecOps differs from web
+ Where to apply dynamic and interactive application security testing to speed app delivery
Android Q & iOS 13 Privacy Enhancements
Originally Recorded July 19, 2019
Apple and Google’s forthcoming mobile operating systems boast a bevy of privacy features that enable users to seize more control of their personal data.
NowSecure Mobile Security Analyst Tony Ramirez will dives into Android and iOS application security and privacy enhancements and what they mean for mobile DevSecOps teams. Join us to learn about:
+ Increased transparency and granularity over location tracking
+ New protections for sensitive information
+ Safer data exchanges in Android Q through TLS 1.3 encryption
Debunking the Top 5 Myths About Mobile AppSec
Originally presented June 24, 2019
https://www.nowsecure.com/resource/debunking-the-top-5-myths-about-mobile-appsec/
It’s hard to believe that mobile app stores are more than a decade old yet some crazy misconceptions about mobile application security still linger.
Have you heard these before?
- Testing mobile apps is the same as web apps
- SAST is good enough for mobile, you don’t need DAST
- Mobile apps are secure because Apple and Google security test them
- Outsourcing a penetration test once per year is sufficient to mitigate risk
Sort fact from fiction and learn how to ensure your mobile appsec program is on the right track. You may discover some surprising things about modern mobile application security.
OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
Hear Radare creator Sergi (Pancake) Alvarez conduct a deep dive of r2frida, a framework that combines the best of Frida and Radare. Frida and Radare are leading open-source reverse engineering tools sponsored by NowSecure. Targeting intermediate to advanced users and security analysts, this overview will highlight the r2frida plug-in architecture.
Watch the webinar: http://bit.ly/2DBHt7M
Watch this webinar to learn:
+ What dynamic and static techniques the individual tools provide to assist security analysts with reverse engineering;
+ Why r2frida’s plugin architecture eases the task of performing reverse engineering workflows;
+ How to create your own new plug-in.
Building a Mobile App Pen Testing Blueprint
Mobile penetration testing helps uncover app exploits and vulnerabilities and is a crucial component of risk assessment. However, many people fear the complexity and don’t know where to get started.
It all begins with a solid plan of attack. NowSecure veterans of hundreds of mobile app pen tests will walk you through the process of assembling a pen testing playbook to hack your app.
This webinar covers:
+Tips and tricks for targeting common issues
+The best tools for the job
+How to document findings to close the loop on vulnerabilities.
Mobile App Security Predictions 2019
Originally presented January 23, 2019 -https://www.brighttalk.com/webcast/15139/344870?utm_source=Slideshare&utm_medium=referral&utm_campaign=344870
2019 is already shaping up to be a standout year for mobile appsec and secure DevOps. If we can say anything with certainty, it’s that cybersecurity is unpredictable and the wave of DevSecOps is unstoppable. But we foresee intensifying concerns about digital privacy amidst high-profile breaches.
This deck lists our predictions about what’s in store for our customers and the community in the year ahead. Our veteran industry leaders will prognosticate about developments in these areas:
+ Mobile ecosystem: OSes, devices, apps and app stores
+ Evolving mobile security threats
+ The rise of DevSecOps and the automation of everything
+ The disruptive economics of automating manual pen testing
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
Originally Presenter October 18, 2018
Enterprise-grade ephemeral messaging provider Vaporstream knows firsthand that security needs to be built into the software development lifecycle rather than bolted on. Serving highly regulated industries such as federal government, energy, financial services and healthcare, Vaporstream’s leakproof communication platform provides the highest level of assurance that compliance professionals require. Vaporstream partners with NowSecure to test and certify its Android and iOS mobile messaging apps.
This case study webinar covers how Vaporstream adheres to a rigorous secure app lifecycle in order to meet customer expectations for secure communications:
+ Designing a secure app architecture & development process
+ Incorporating security testing into the release cycle
+ Comprehensive penetration testing
A Risk-Based Mobile App Security Testing Strategy
Originally presented on September 19, 2018
Given the volume and velocity of mobile apps, there simply aren’t enough resources to test them all in the same manner. There has to be a better way. NowSecure introduces a new framework to help organizations craft a Risk-Based Mobile App Security Testing strategy.
Watch the presentation here: https://www.nowsecure.com/webinars/a-risk-based-mobile-app-security-testing-strategy/
Android P Security Updates: What You Need to Know
Originally presented August 23, 2018
2018 seems to be the year of privacy updates for both iOS and Android. In this webinar, Mobile Security Analyst Tony Ramirez takes a deeper look at security updates for Android including learnings from Android 8, what to expect for Android 9, and the implications for mobile app security.
iOS 12 Preview - What You Need To Know
Originally presented on June 12, 2018
Much of the improvements for iOS 12 focused on privacy and reliability. What prompted these changes and how will it affect the path forward? In this discussion, Tony Ramirez, Mobile Security Analyst, shares about the following:
+ Learnings & remediations from iOS 11
+ Predictions coming out of WWDC
+ How we see the newest software update, iOS 12, affecting mobile app security testing
5 Tips for Agile Mobile App Security Testing
Originally Presented March 21, 2018
Most mobile app penetration tests or vulnerability assessments take anywhere from a couple of days to two weeks to deliver because of the manual approaches, brittle open source stacks in homegrown testing rigs and legacy application security testing (AST) tools. The shift to agile development common in mobile app development teams has left appsec testing behind. New mobile app builds are pushed daily, weekly or monthly, and appsec testing teams struggle to keep up. Each new build brings new code, including 3rd-party libraries, and with that code comes new potential vulnerabilities.
Application security & testing teams - this one’s for you. If you’re looking for ways to join the agile approach and keep pace with the speed of your development team’s CI/CD pipeline, take stock of these 5 tips for mobile appsec testing and integrate them into your company’s workflow.
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
From the creators behind top mobile tools R2 and FRIDA, get the inside scoop on the R2 and FRIDA OSS projects. Led by NowSecure Research Team including David Weinstein, Ole André and Pancake (Sergi Àlvarez), this webinar speaks to our favorite mobile AST OSS projects. Peek behind the curtain on these tools, check out on their latest updates, and learn about potential future enhancements.
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
Originally presented on January 23, 2018
A comprehensive analysis of iOS and Android apps found that a staggering 85% of those apps fail one or more of the OWASP Mobile Top 10 criteria. Given that the average mobile device has over 89 mobile apps on it, what are the odds your employees have one or more of the apps and what’s the real risk to your business?
Mobile apps power productivity in the modern business; don’t let a few bad apps bring it down.
5 Mobile App Security MUST-DOs in 2018
Originally presented on 12/5/2017
To close out the 2017 webinar season, our mobile security expert panel will review the top mobile threats of 2017 (e.g., Cloudbleed, Bootstomp, Broadpwn, and more) and then debate what’s next in mobile app security and mobile app security testing for 2018. See the slides from this spirited discussion of the security ramifications of the new iPhone X, iOS 11, Android 8, the latest innovations in the mobile app security testing, and more. Compare your mobile app security and mobile app security testing initiatives with what our experts say should be your top priorities in 2018.
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
Originally presented on 11/30/2017 at the 2017 NH-ISAC Third Party Risk Governance Summit
What attackers know about your mobile apps that you don’t: Banking & FinTech
Our threat research team spends every waking moment reverse-engineering and cracking mobile apps and devices to help organizations reduce mobile risk. Originally presented on October 24, 2017, mobile security expert and NowSecure founder Andrew Hoog explains the attacker’s point-of-view, what attackers are looking for in mobile banking or financial services apps, and what makes your mobile app an appetizing target. He then provides tips for deploying a mobile app security testing program to ensure you proactively plug security holes, squash privacy leaks, and fill compliance gaps in your mobile apps.
Solving for Compliance: Mobile app security for banking and financial services
Mobile apps fall in scope for a number of regulatory requirements that govern the banking and financial services industries, such as: guidelines from the Federal Financial Institutions Examination Council (FFIEC), the Gramm–Leach–Bliley Act (GLBA), New York State cybersecurity requirements for financial services companies, the Payment Card Industry Data Security Standard (PCI DSS), the Sarbanes-Oxley Act, and more. Luckily, a repeatable mobile app security assessment program and standardized reporting go a long way in both achieving compliance objectives and securing mobile apps and data.
Originally presented on August 22, 2017, NowSecure Security Solutions Engineer Brian Lawrence explains:
-- How and where exactly mobile apps fall in scope for various compliance regimes
-- Mobile app security issues financial institutions must identify and fix for compliance purposes
-- How assessment reports can be used to demonstrate due diligence
Leaky Mobile Apps: What You Need to Know
The amount of data collected by mobile devices and apps is shocking, and vulnerable mobile apps expose that data to compromise. In our static and dynamic analysis of hundreds-of-thousands of mobile apps, we found that 25 percent of them harbor at least one high-risk vulnerability such as collecting/transmitting location data, credentials, and more in cleartext. Mobile data may only be as secure as the weakest app on someone’s device. Mobile app developers need to protect the users of their apps by building high quality, secure apps. This presentation covers the most common mobile app vulnerabilities (including a real-world demonstration), how to identify those vulnerabilities, and what to do to remediate them.
Slides from NowSecure Senior Solutions Engineer Jon Porter's talk at the OWASP Denver Chapter's July 2017 meeting.
Vetting Mobile Apps for Corporate Use: Security Essentials
What does a sensible approach to approving and denying Android and iOS apps for use by staff look like? It starts with accurate, up-to-date security assessment data. NowSecure VP of Customer Success and Services Katie Strzempka covers how to take a data-driven approach to evaluating mobile apps for use at your organization.
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
A mobile app that’s vulnerable to man-in-the-middle (MITM) attacks can allow an attacker to capture, view, and modify sensitive traffic sent and received between the app and backend servers. At NowSecure, Michael Krueger and Tony Ramirez spend their days performing penetration tests on Android and iOS apps, which include exploiting MITM vulnerabilities and helping developers fix them. These slides are from a 30-minute webinar with Michael & Tony about MITM attacks on mobile apps and how to prevent them that will cover:
-- Identifying man-in-the-middle vulnerabilities in mobile apps
-- How to execute a mobile man-in-the-middle attack
-- Right and wrong ways to implement certificate validation and certificate pinning
Delivering secure mobile financial services (MFS) - "Frictionless" vs diligence
How do you balance UX and security for mobile banking apps? Check out the slides originally presented on May 2 sharing FFIEC guidance and a study of vulnerabilities 30 mobile banking apps (15 iOS and 15 Android) from 15 financial institutions.
Next-level mobile app security: A programmatic approach
Katie Stzempka, VP of Customer Success & Services, shares some helpful guidance on how to launch and improve an internal mobile app security program. You'll learn:
-- How to unite a disarray of tasks into a mobile app security testing process
-- How to choose the right mobile app security testing tools for your maturity
-- How to establish buy-in and collaborate with developers and your DevOps team
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...
+ How do vulnerable mobile apps and insecure V2D communications put drivers and manufacturers at risk?
+ Applying crashworthiness and safety ratings concepts to mobile app and connected car cybersecurity
+ How to manage mobile app security defects and vulnerabilities in the connected car and mobile app development process
How Android and iOS Security Enhancements Complicate Threat Detection
This is an encore presentation of NowSecure CEO Andrew Hoog’s talk “How Android and iOS Security Enhancements Complicate Threat Detection” from RSA Conference 2017. You'll learn about:
+ Five security enhancements in the Android and iOS platforms that present obstacles to defenders and incident responders
+ Tips on overcoming those challenges
+ The open-source Mobile Triage toolset that facilitates the collection of mobile threat and vulnerability data
Mobile Penetration Testing: Episode III - Attack of the Code
In the final installment of our mobile penetration testing trilogy, we dive deep to find security flaws in mobile apps by dissecting the code with reverse-engineering and code analysis.
Mobile Penetration Testing: Episode II - Attack of the Code
In this, the second, episode of our mobile penetration testing trilogy, NowSecure Solutions Engineer Michael Krueger takes you beyond the device. Michael will explain how to perform network and web services/API testing to capture data exposed in transit between apps and backend services -- some of the highest risk security flaws around.
This high intensity 30-minute crash course covers:
+ Man-in-the-middle (MITM) attacks
+ Taking advantage of improper certificate validation
+ Demonstration of a privilege escalation exploit of a web back-end vulnerability
Watch it here: https://youtu.be/bT1-7ZkSdNY
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
More Related Content
More from NowSecure
A Risk-Based Mobile App Security Testing Strategy
Originally presented on September 19, 2018
Given the volume and velocity of mobile apps, there simply aren’t enough resources to test them all in the same manner. There has to be a better way. NowSecure introduces a new framework to help organizations craft a Risk-Based Mobile App Security Testing strategy.
Watch the presentation here: https://www.nowsecure.com/webinars/a-risk-based-mobile-app-security-testing-strategy/
Android P Security Updates: What You Need to Know
Originally presented August 23, 2018
2018 seems to be the year of privacy updates for both iOS and Android. In this webinar, Mobile Security Analyst Tony Ramirez takes a deeper look at security updates for Android including learnings from Android 8, what to expect for Android 9, and the implications for mobile app security.
iOS 12 Preview - What You Need To Know
Originally presented on June 12, 2018
Much of the improvements for iOS 12 focused on privacy and reliability. What prompted these changes and how will it affect the path forward? In this discussion, Tony Ramirez, Mobile Security Analyst, shares about the following:
+ Learnings & remediations from iOS 11
+ Predictions coming out of WWDC
+ How we see the newest software update, iOS 12, affecting mobile app security testing
5 Tips for Agile Mobile App Security Testing
Originally Presented March 21, 2018
Most mobile app penetration tests or vulnerability assessments take anywhere from a couple of days to two weeks to deliver because of the manual approaches, brittle open source stacks in homegrown testing rigs and legacy application security testing (AST) tools. The shift to agile development common in mobile app development teams has left appsec testing behind. New mobile app builds are pushed daily, weekly or monthly, and appsec testing teams struggle to keep up. Each new build brings new code, including 3rd-party libraries, and with that code comes new potential vulnerabilities.
Application security & testing teams - this one’s for you. If you’re looking for ways to join the agile approach and keep pace with the speed of your development team’s CI/CD pipeline, take stock of these 5 tips for mobile appsec testing and integrate them into your company’s workflow.
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
From the creators behind top mobile tools R2 and FRIDA, get the inside scoop on the R2 and FRIDA OSS projects. Led by NowSecure Research Team including David Weinstein, Ole André and Pancake (Sergi Àlvarez), this webinar speaks to our favorite mobile AST OSS projects. Peek behind the curtain on these tools, check out on their latest updates, and learn about potential future enhancements.
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
Originally presented on January 23, 2018
A comprehensive analysis of iOS and Android apps found that a staggering 85% of those apps fail one or more of the OWASP Mobile Top 10 criteria. Given that the average mobile device has over 89 mobile apps on it, what are the odds your employees have one or more of the apps and what’s the real risk to your business?
Mobile apps power productivity in the modern business; don’t let a few bad apps bring it down.
5 Mobile App Security MUST-DOs in 2018
Originally presented on 12/5/2017
To close out the 2017 webinar season, our mobile security expert panel will review the top mobile threats of 2017 (e.g., Cloudbleed, Bootstomp, Broadpwn, and more) and then debate what’s next in mobile app security and mobile app security testing for 2018. See the slides from this spirited discussion of the security ramifications of the new iPhone X, iOS 11, Android 8, the latest innovations in the mobile app security testing, and more. Compare your mobile app security and mobile app security testing initiatives with what our experts say should be your top priorities in 2018.
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
Originally presented on 11/30/2017 at the 2017 NH-ISAC Third Party Risk Governance Summit
What attackers know about your mobile apps that you don’t: Banking & FinTech
Our threat research team spends every waking moment reverse-engineering and cracking mobile apps and devices to help organizations reduce mobile risk. Originally presented on October 24, 2017, mobile security expert and NowSecure founder Andrew Hoog explains the attacker’s point-of-view, what attackers are looking for in mobile banking or financial services apps, and what makes your mobile app an appetizing target. He then provides tips for deploying a mobile app security testing program to ensure you proactively plug security holes, squash privacy leaks, and fill compliance gaps in your mobile apps.
Solving for Compliance: Mobile app security for banking and financial services
Mobile apps fall in scope for a number of regulatory requirements that govern the banking and financial services industries, such as: guidelines from the Federal Financial Institutions Examination Council (FFIEC), the Gramm–Leach–Bliley Act (GLBA), New York State cybersecurity requirements for financial services companies, the Payment Card Industry Data Security Standard (PCI DSS), the Sarbanes-Oxley Act, and more. Luckily, a repeatable mobile app security assessment program and standardized reporting go a long way in both achieving compliance objectives and securing mobile apps and data.
Originally presented on August 22, 2017, NowSecure Security Solutions Engineer Brian Lawrence explains:
-- How and where exactly mobile apps fall in scope for various compliance regimes
-- Mobile app security issues financial institutions must identify and fix for compliance purposes
-- How assessment reports can be used to demonstrate due diligence
Leaky Mobile Apps: What You Need to Know
The amount of data collected by mobile devices and apps is shocking, and vulnerable mobile apps expose that data to compromise. In our static and dynamic analysis of hundreds-of-thousands of mobile apps, we found that 25 percent of them harbor at least one high-risk vulnerability such as collecting/transmitting location data, credentials, and more in cleartext. Mobile data may only be as secure as the weakest app on someone’s device. Mobile app developers need to protect the users of their apps by building high quality, secure apps. This presentation covers the most common mobile app vulnerabilities (including a real-world demonstration), how to identify those vulnerabilities, and what to do to remediate them.
Slides from NowSecure Senior Solutions Engineer Jon Porter's talk at the OWASP Denver Chapter's July 2017 meeting.
Vetting Mobile Apps for Corporate Use: Security Essentials
What does a sensible approach to approving and denying Android and iOS apps for use by staff look like? It starts with accurate, up-to-date security assessment data. NowSecure VP of Customer Success and Services Katie Strzempka covers how to take a data-driven approach to evaluating mobile apps for use at your organization.
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
A mobile app that’s vulnerable to man-in-the-middle (MITM) attacks can allow an attacker to capture, view, and modify sensitive traffic sent and received between the app and backend servers. At NowSecure, Michael Krueger and Tony Ramirez spend their days performing penetration tests on Android and iOS apps, which include exploiting MITM vulnerabilities and helping developers fix them. These slides are from a 30-minute webinar with Michael & Tony about MITM attacks on mobile apps and how to prevent them that will cover:
-- Identifying man-in-the-middle vulnerabilities in mobile apps
-- How to execute a mobile man-in-the-middle attack
-- Right and wrong ways to implement certificate validation and certificate pinning
Delivering secure mobile financial services (MFS) - "Frictionless" vs diligence
How do you balance UX and security for mobile banking apps? Check out the slides originally presented on May 2 sharing FFIEC guidance and a study of vulnerabilities 30 mobile banking apps (15 iOS and 15 Android) from 15 financial institutions.
Next-level mobile app security: A programmatic approach
Katie Stzempka, VP of Customer Success & Services, shares some helpful guidance on how to launch and improve an internal mobile app security program. You'll learn:
-- How to unite a disarray of tasks into a mobile app security testing process
-- How to choose the right mobile app security testing tools for your maturity
-- How to establish buy-in and collaborate with developers and your DevOps team
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...
+ How do vulnerable mobile apps and insecure V2D communications put drivers and manufacturers at risk?
+ Applying crashworthiness and safety ratings concepts to mobile app and connected car cybersecurity
+ How to manage mobile app security defects and vulnerabilities in the connected car and mobile app development process
How Android and iOS Security Enhancements Complicate Threat Detection
This is an encore presentation of NowSecure CEO Andrew Hoog’s talk “How Android and iOS Security Enhancements Complicate Threat Detection” from RSA Conference 2017. You'll learn about:
+ Five security enhancements in the Android and iOS platforms that present obstacles to defenders and incident responders
+ Tips on overcoming those challenges
+ The open-source Mobile Triage toolset that facilitates the collection of mobile threat and vulnerability data
Mobile Penetration Testing: Episode III - Attack of the Code
In the final installment of our mobile penetration testing trilogy, we dive deep to find security flaws in mobile apps by dissecting the code with reverse-engineering and code analysis.
Mobile Penetration Testing: Episode II - Attack of the Code
In this, the second, episode of our mobile penetration testing trilogy, NowSecure Solutions Engineer Michael Krueger takes you beyond the device. Michael will explain how to perform network and web services/API testing to capture data exposed in transit between apps and backend services -- some of the highest risk security flaws around.
This high intensity 30-minute crash course covers:
+ Man-in-the-middle (MITM) attacks
+ Taking advantage of improper certificate validation
+ Demonstration of a privilege escalation exploit of a web back-end vulnerability
Watch it here: https://youtu.be/bT1-7ZkSdNY
More from NowSecure (20)
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
What attackers know about your mobile apps that you don’t: Banking & FinTech
What attackers know about your mobile apps that you don’t: Banking & FinTech
Solving for Compliance: Mobile app security for banking and financial services
Solving for Compliance: Mobile app security for banking and financial services
Vetting Mobile Apps for Corporate Use: Security Essentials
Vetting Mobile Apps for Corporate Use: Security Essentials
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Delivering secure mobile financial services (MFS) - "Frictionless" vs diligence
Delivering secure mobile financial services (MFS) - "Frictionless" vs diligence
Next-level mobile app security: A programmatic approach
Next-level mobile app security: A programmatic approach
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...
How Android and iOS Security Enhancements Complicate Threat Detection
How Android and iOS Security Enhancements Complicate Threat Detection
Mobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the Code
Recently uploaded
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Video Streaming: Then, Now, and in the Future
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Epistemic Interaction - tuning interfaces to provide information for AI support
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
A tale of scale & speed: How the US Navy is enabling software delivery from l...
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
National Security Agency - NSA mobile device best practices
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Communications Mining Series - Zero to Hero - Session 1
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Pushing the limits of ePRTC: 100ns holdover for 100 days
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
GridMate - End to end testing is a critical piece to ensure quality and avoid...
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
Essentials of Automations: The Art of Triggers and Actions in FME
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
DevOps and Testing slides at DASA Connect
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Recently uploaded (20)
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Jeff's Journey: Best Practices for Securing Mobile App DevOps
- 6. iOS APPS iOS FRAMEWORKS iOS NATIVE LIBRARIES iOS Mach/XNU KERNEL iOS HAL HARDWARE TEST APP ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪
- 16. ... ...