SlideShare a Scribd company logo

Mobile Application Assessment - Don't Cheat Yourself

Denim Group
Denim Group

The document summarizes the findings from mobile application security assessments conducted on 61 applications. It found a total of 957 vulnerabilities across the applications. The most prevalent types of vulnerabilities were related to SQL injection and information leaks. Most vulnerabilities were found in the corporate web services that supported the mobile applications, rather than in the mobile applications themselves or third party web services. Both automated and manual testing techniques identified vulnerabilities, but manual testing found more high-risk issues while automated tools identified more lower-risk vulnerabilities. The document provides recommendations for effective mobile application security assessment strategies.

Technology
1 of 37
Download to read offline
Mobile Application Assessment: Don’t Cheat Yourself! ! Dan Cornell! CTO, Denim Group! @danielcornell © Copyright 2014 Denim Group - All Rights Reserved
Agenda • Background – Mobile Application Threat Model – Assessment Methodology – Data Collected • Findings – Types of Vulnerabilities Identified – Where Vulnerabilities Were Identified – How Vulnerabilities Were Identified © Copyright 2014 Denim Group - All Rights Reserved 2
Introduction • Data comes from: – 61 Assessments – 20 Applications • What we found: – 957 Vulnerabilities • Assessment with the most vulnerabilities: 3 assessments had 10 Critical vulnerabilities • Assessments with the least vulnerabilities: only three assessments had one vulnerability (all others had more) © Copyright 2014 Denim Group - All Rights Reserved 3
Research Background • Mobile application threat model • Assessment methodology – Static versus dynamic testing – Automated versus manual testing • Why CWE? • Assessment data © Copyright 2014 Denim Group - All Rights Reserved 4
Mobile Application Threat Model • More complicated than a “typical” web application threat model • Not just about code running on the device • Main components: – Mobile application – Enterprise web services – 3rd party web services © Copyright 2014 Denim Group - All Rights Reserved 5
Assessment Methodology • Testing activities – Combination of both static and dynamic activities – Combination of automated tools, manual review of automated test results and manual testing • Scope can include: – Code running on the device itself – Enterprise services – 3rd party supporting services © Copyright 2014 Denim Group - All Rights Reserved 6
Determining Severity Based on customized DREAD model • Damage potential • Reproducibility • Exploitability • Affected users • Discoverability • Each factor ranked 1-3 © Copyright 2014 Denim Group - All Rights Reserved Collapsed to single dimension • Critical: > 2.6 • High: 2.3 – 2.6 • Medium: 2.0 – 2.3 • Low: < 2 7
Why CWE? • Vulnerability taxonomy used was MITRE’s Common Weakness Enumeration (CWE) – http://cwe.mitre.org/ • Every tool has its own “spin” on naming vulnerabilities • OWASP Top 10 / WASC 24 are helpful but not comprehensive • CWE is exhaustive (though a bit sprawling at times) • Reasonably well-adopted standard • Many tools have mappings to CWE for their results © Copyright 2014 Denim Group - All Rights Reserved 8
Assessment Data • Subset of mobile assessments • Mostly customer-facing applications from financial services organizations • Primarily iOS and Android applications – Some WAP, Windows Phone 7 © Copyright 2014 Denim Group - All Rights Reserved 9
Types of Vulnerabilities Found • Top 10 Most Prevalent CWEs – Overall • Top 10 Most Prevalent CWEs – Critical/High Risk © Copyright 2014 Denim Group - All Rights Reserved 10
Top 10 Most Prevalent CWEs – Overall Information Leak Through Log Files - LOW RISK Information Exposure - LOW RISK Cleartext Transmission of Sensitive Information - LOW RISK Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') - CRITICAL Improper Input Validation - LOW RISK External Control of System or Configuration Setting - LOW RISK Information Leak Through Debug Information - LOW RISK Cross-Site Request Forgery (CSRF) - LOW RISK Information Exposure Through an Error Message - LOW RISK © Copyright 2014 Denim Group - All Rights Reserved 26 22 21 21 16 14 14 11 20 284 271 0 50 100 150 200 250 300 Use of a Broken or Risky Cryptographic Algorithm - LOW RISK
Top 10 Most Prevalent CWEs – Critical/High Risk Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') - CRITICAL Information Leak Through Caching - HIGH Access Control Bypass Through User-Controlled Key - CRITICAL Access Control (Authorization) Issues - CRITICAL Exposure of Access Control List Files to an Unauthorized Control Sphere - CRITICAL Incorrect User Management - CRITICAL Uncontrolled Resource Consumption ('Resource Exhaustion') - CRITICAL Missing XML Validation - CRITICAL Failure to Preserve Web Page Structure ('Cross-Site Scripting') - CRITICAL © Copyright 2014 Denim Group - All Rights Reserved 12 6 4 3 3 3 2 1 1 6 22 0 50 100 150 200 250 300 Uncontrolled Resource Consumption ('Resource Exhaustion') - CRITICAL
OWASP Top 10 Mobile Risks • Similar to the OWASP Top 10 Web Application Risks, but targeted at mobile applications (obviously) • Top risks to mobile applications: – https://www.owasp.org/index.php/ OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks • Work in progress to update this based on industry-contributed data © Copyright 2014 Denim Group - All Rights Reserved 13
OWASP Top 10 Mobile Risks M1: Insecure Data Storage M2: Weak Server Side Controls M3: Insufficient Transport Layer Protection M4: Client Side Injection M5: Poor Authorization and Authentication © Copyright 2014 Denim Group - All Rights Reserved M6: Improper Session Handling M7: Security Decisions Via Untrusted Inputs M8: Side Channel Data Leakage M9: Broken Cryptography M10: Sensitive Information Disclosure 14
Compare to OWASP Top 10 Mobile Risks © Copyright 2014 Denim Group - All Rights Reserved 15 Strong Overlap • Weak server-side controls • Poor authentication and authorization • Security decisions via untrusted inputs • Sensitive information disclosure Overlap • Insecure data storage • Insufficient transport layer data protection • Improper session handling • Side channel data leakage • Broken cryptography Weak Overlap • Client-side injection
Where Did We Find Overall Vulnerabilities? © Copyright 2014 Denim Group - All Rights Reserved 16 Corporate Web Service 591 62% Device 342 36% Third-Party Web Service 24 2%
Where Did We Find Critical/High Risk Vulnerabilities? © Copyright 2014 Denim Group - All Rights Reserved 17 Corporate Web Service 41 70% Device 15 25% ThirdParty Web Service 3 5%
Analysis of “Where” Data • Mobile security is about more than the code running on the device • The things we really care about (Critical, High) are most frequently found on corporate web services – Then on the device – Then on 3rd party web services • Reflects the “scale” benefits of finding web services vulnerabilities © Copyright 2014 Denim Group - All Rights Reserved 18
How Did We Find Vulnerabilities? • Static vs. dynamic testing • Automated vs. manual testing • What techniques identified the most vulnerabilities? • What techniques identified the most serious vulnerabilities? © Copyright 2014 Denim Group - All Rights Reserved 19
Static vs. Dynamic Method of Finding Vulnerabilities Medium Risk, 9 High Risk, 2 Critical, 33 Medium Risk, 84 High Risk, 14 Static © Copyright 2014 Denim Group - All Rights Reserved 20 Critical, 10 Low Risk, 206 Low Risk, 599 0 100 200 300 400 500 600 700 Dynamic
Static vs. Dynamic Method of Finding Vulnerabilities Static © Copyright 2014 Denim Group - All Rights Reserved 21 Critical 5% High Risk 0% Medium Risk 2% Low Risk 93% Critical 3% High Risk Dynamic Low Risk 66% Medium 4% Risk 27%
Critical and High Risk Vulnerabilities • Static testing was more effective when finding serious (Critical and High) vulnerabilities • But it also found a lot of lower-risk vulnerabilities (as well as results that had to be filtered out) © Copyright 2014 Denim Group - All Rights Reserved 22 Critical/High Risk Vulnerabilities Found Found with Dynamic Testing 24 41% Found with Static Testing 35 59%
Automated vs. Manual Method of Finding Vulnerabilities Medium Risk, 89 High Risk, 15 Critical, 10 Medium Risk, 4 High Risk, 1 Manual © Copyright 2014 Denim Group - All Rights Reserved 23 Critical, 33 Low Risk, 526 Low Risk, 279 0 100 200 300 400 500 600 Automatic
Automated vs. Manual Method of Finding Vulnerabilities Automatic © Copyright 2014 Denim Group - All Rights Reserved 24 Critical 6% High Risk 0% Medium Risk 1% Low Risk 93% Critical 2% High Risk Manual Medium 4% Risk 23% Low Risk 71%
Automated vs. Manual Method of Finding Vulnerabilities (Critical and High) • Automated testing was more effective when finding serious (Critical and High) vulnerabilities © Copyright 2014 Denim Group - All Rights Reserved Critical/High Risk Vulnerabilities Found 25 Found with Automated Testing 34 58% Found with Manual Testing 25 42%
Automated vs. Manual, Static vs. Dynamic Methods Medium Risk, 73 High Risk, 1 Critical, 0 Medium Risk, 84 High Risk, 14 Critical, 10 Medium Risk, 4 High Risk, 1 Manual / Static Manual / Dynamic © Copyright 2014 Denim Group - All Rights Reserved 26 Critical, 33 Low Risk, 526 Low Risk, 206 Low Risk, 5 0 100 200 300 400 500 600 Automatic / Static Automatic / Static Manual / Dynamic Manual / Static Low Risk 526 206 5 Medium Risk 4 84 73 High Risk 1 14 1 Critical 33 10 0
Automated vs. Manual, Static vs. Dynamic Methods Dynamic © Copyright 2014 Denim Group - All Rights Reserved 27 Automatic, 564 Automatic, 0 Manual, 79 Manual, 314 0 100 200 300 400 500 600 Static Static Dynamic Manual 79 314 Automatic 564 0
Automated vs. Manual, Static vs. Dynamic for Critical and High Vulnerabilities Dynamic © Copyright 2014 Denim Group - All Rights Reserved 28 Automatic, 34 Automatic, 0 Manual, 1 Manual, 24 0 5 10 15 20 25 30 35 40 Static Static Dynamic Manual 1 24 Automatic 34 0
Analysis of “How” Data • A comprehensive mobile application security assessment program must incorporate a significant manual testing component • Automated tools for testing mobile applications are not as mature as those for testing web applications • Web services can be challenging to test in an automated manner © Copyright 2014 Denim Group - All Rights Reserved 29
On-Device Vulnerabilities By Platform Platforms Number of Assessments on Device © Copyright 2014 Denim Group - All Rights Reserved Number of Total Vulnerabilities on Device Average Number of Vulnerabilities Found per Assessment iOS 39 252 6.5 Android 19 84 4.4 Windows Phone 1 3 3 7 WAP 1 3 3 30
Other Observations • We also include “other observations” as part of our assessments • These reflect: – Application weaknesses – Coding flaws or behavior that are not “best practice” but do not reflect an immediate, exploitable vulnerability • We had 1,948 “other observations” – Roughly twice as many as actual vulnerabilities © Copyright 2014 Denim Group - All Rights Reserved 31
Other Observations – Where Were They Found? © Copyright 2014 Denim Group - All Rights Reserved 32 Corporate Web Service 55 3% Device 1892 97% Third-Party Web Service 1 0%
What Does This Mean? • Most of these “other observations” are about code on the device – Mobile application developers need help building better code – AND automated code scanning tools need to be better about filtering less valuable results • Something that is not a problem today could be later on – Identification of new platform vulnerabilities – Changes coming along with a new application release © Copyright 2014 Denim Group - All Rights Reserved 33
Conclusions • What To Test? – Mobile “apps” are not standalone applications – They are systems of applications – Serious vulnerabilities can exist in any system component • How To Test? – Mobile application testing does benefit from automation – Manual review and testing is required to find the most serious issues – A combination of static and dynamic testing is required for coverage © Copyright 2014 Denim Group - All Rights Reserved 34
Recommendations • Plan your mobile application assessment strategy with coverage in mind • Evaluate the value of automation for your testing – More “cost” than simply licensing – deployment time and results culling • Look for opportunities to streamline – Fast application release cycles can require frequent assessments – Control scope: • Assess application changes (versus entire applications) • Manage cost of reporting © Copyright 2014 Denim Group - All Rights Reserved 35
Next Steps (For Us) • Incorporate more assessment data • Possible collaboration with OWASP Top 10 Mobile Risks – Currently being reworked based on data sets such as ours • Better analysis of applications over time • Updated release of Secure Mobile Application Development Reference – Previous (outdated) release available online http://www.denimgroup.com/media/pdfs/MobileDevReference.pdf © Copyright 2014 Denim Group - All Rights Reserved 36
Questions? Dan Cornell dan@denimgroup.com Twitter: @danielcornell www.denimgroup.com blog.denimgroup.com (210) 572-4400 © Copyright 2014 Denim Group - All Rights Reserved 37

Recommended

Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)
Denim Group
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic View
Denim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
Denim Group
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security Program
Denim Group
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
Denim Group
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan Cornell
Denim Group
 
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on DataAppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
Denim Group
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
Denim Group
 

Recommended

Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)
Denim Group
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic View
Denim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
Denim Group
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security Program
Denim Group
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
Denim Group
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan Cornell
Denim Group
 
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on DataAppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
Denim Group
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
Denim Group
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application Vulnerabilities
Denim Group
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
Denim Group
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security Program
Denim Group
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3
Denim Group
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Denim Group
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Denim Group
 
Security Training: Necessary Evil, Waste of Time, or Genius Move?
Security Training: Necessary Evil, Waste of Time, or Genius Move?Security Training: Necessary Evil, Waste of Time, or Genius Move?
Security Training: Necessary Evil, Waste of Time, or Genius Move?
Denim Group
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual Testing
Denim Group
 
Application Assessment Techniques
Application Assessment TechniquesApplication Assessment Techniques
Application Assessment Techniques
Denim Group
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
Denim Group
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
Denim Group
 
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Denim Group
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
Denim Group
 
How-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability RemediationHow-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability Remediation
Denim Group
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Denim Group
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
Denim Group
 
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsThe ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
Denim Group
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
weaveraaaron
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
Denim Group
 
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Denim Group
 
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecWhat the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
IBM Security
 
Application Security - Making It Work
Application Security - Making It WorkApplication Security - Making It Work
Application Security - Making It Work
IANS
 

More Related Content

What's hot

Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application Vulnerabilities
Denim Group
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
Denim Group
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security Program
Denim Group
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3
Denim Group
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Denim Group
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Denim Group
 
Security Training: Necessary Evil, Waste of Time, or Genius Move?
Security Training: Necessary Evil, Waste of Time, or Genius Move?Security Training: Necessary Evil, Waste of Time, or Genius Move?
Security Training: Necessary Evil, Waste of Time, or Genius Move?
Denim Group
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual Testing
Denim Group
 
Application Assessment Techniques
Application Assessment TechniquesApplication Assessment Techniques
Application Assessment Techniques
Denim Group
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
Denim Group
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
Denim Group
 
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Denim Group
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
Denim Group
 
How-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability RemediationHow-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability Remediation
Denim Group
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Denim Group
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
Denim Group
 
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsThe ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
Denim Group
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
weaveraaaron
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
Denim Group
 
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Denim Group
 

What's hot (20)

Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application Vulnerabilities
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security Program
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
 
Security Training: Necessary Evil, Waste of Time, or Genius Move?
Security Training: Necessary Evil, Waste of Time, or Genius Move?Security Training: Necessary Evil, Waste of Time, or Genius Move?
Security Training: Necessary Evil, Waste of Time, or Genius Move?
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual Testing
 
Application Assessment Techniques
Application Assessment TechniquesApplication Assessment Techniques
Application Assessment Techniques
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
 
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
 
How-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability RemediationHow-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability Remediation
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
 
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsThe ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
 
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
 

Similar to Mobile Application Assessment - Don't Cheat Yourself

What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecWhat the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
IBM Security
 
Application Security - Making It Work
Application Security - Making It WorkApplication Security - Making It Work
Application Security - Making It Work
IANS
 
Pivotal Data Lake Architecture & its role in security analytics
Pivotal Data Lake Architecture & its role in security analyticsPivotal Data Lake Architecture & its role in security analytics
Pivotal Data Lake Architecture & its role in security analyticsEMC
 
Web Application Security For Small and Medium Businesses
Web Application Security For Small and Medium BusinessesWeb Application Security For Small and Medium Businesses
Web Application Security For Small and Medium BusinessesSasha Nunke
 
The road towards better automotive cybersecurity
The road towards better automotive cybersecurityThe road towards better automotive cybersecurity
The road towards better automotive cybersecurity
Rogue Wave Software
 
The state of web applications (in)security @ ITDays 2016
The state of web applications (in)security @ ITDays 2016The state of web applications (in)security @ ITDays 2016
The state of web applications (in)security @ ITDays 2016
Tudor Damian
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile Applications
Denim Group
 
Mobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksMobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging Risks
IBM Security
 
DOES14 - Joshua Corman - Sonatype
DOES14 - Joshua Corman - SonatypeDOES14 - Joshua Corman - Sonatype
DOES14 - Joshua Corman - Sonatype
Gene Kim
 
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
CA API Management
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetup
pbink
 
SANS Report: The State of Security in Control Systems Today
SANS Report: The State of Security in Control Systems TodaySANS Report: The State of Security in Control Systems Today
SANS Report: The State of Security in Control Systems Today
SurfWatch Labs
 
Application Control - Maintenance Headache or Manageable Solution?
Application Control - Maintenance Headache or Manageable Solution?Application Control - Maintenance Headache or Manageable Solution?
Application Control - Maintenance Headache or Manageable Solution?
Ivanti
 
Webinar–5 ways to risk rank your vulnerabilities
Webinar–5 ways to risk rank your vulnerabilitiesWebinar–5 ways to risk rank your vulnerabilities
Webinar–5 ways to risk rank your vulnerabilities
Synopsys Software Integrity Group
 
Every cloud cloud risk assessment 2018
Every cloud cloud risk assessment 2018Every cloud cloud risk assessment 2018
Every cloud cloud risk assessment 2018
soniamcpherson11
 
LSI Spring Agent Open House 2014
LSI Spring Agent Open House 2014LSI Spring Agent Open House 2014
LSI Spring Agent Open House 2014Ashlie Steele
 
Threat modelling & apps testing
Threat modelling & apps testingThreat modelling & apps testing
Threat modelling & apps testing
Adrian Munteanu
 
Application Whitelisting - Complementing Threat centric with Trust centric se...
Application Whitelisting - Complementing Threat centric with Trust centric se...Application Whitelisting - Complementing Threat centric with Trust centric se...
Application Whitelisting - Complementing Threat centric with Trust centric se...
Osama Salah
 

Similar to Mobile Application Assessment - Don't Cheat Yourself (20)

What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecWhat the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
 
Application Security - Making It Work
Application Security - Making It WorkApplication Security - Making It Work
Application Security - Making It Work
 
Pivotal Data Lake Architecture & its role in security analytics
Pivotal Data Lake Architecture & its role in security analyticsPivotal Data Lake Architecture & its role in security analytics
Pivotal Data Lake Architecture & its role in security analytics
 
Web Application Security For Small and Medium Businesses
Web Application Security For Small and Medium BusinessesWeb Application Security For Small and Medium Businesses
Web Application Security For Small and Medium Businesses
 
Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?
 
The road towards better automotive cybersecurity
The road towards better automotive cybersecurityThe road towards better automotive cybersecurity
The road towards better automotive cybersecurity
 
The state of web applications (in)security @ ITDays 2016
The state of web applications (in)security @ ITDays 2016The state of web applications (in)security @ ITDays 2016
The state of web applications (in)security @ ITDays 2016
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile Applications
 
Mobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksMobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging Risks
 
DOES14 - Joshua Corman - Sonatype
DOES14 - Joshua Corman - SonatypeDOES14 - Joshua Corman - Sonatype
DOES14 - Joshua Corman - Sonatype
 
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetup
 
SANS Report: The State of Security in Control Systems Today
SANS Report: The State of Security in Control Systems TodaySANS Report: The State of Security in Control Systems Today
SANS Report: The State of Security in Control Systems Today
 
Application Control - Maintenance Headache or Manageable Solution?
Application Control - Maintenance Headache or Manageable Solution?Application Control - Maintenance Headache or Manageable Solution?
Application Control - Maintenance Headache or Manageable Solution?
 
Secure Iowa Oct 2016
Secure Iowa Oct 2016Secure Iowa Oct 2016
Secure Iowa Oct 2016
 
Webinar–5 ways to risk rank your vulnerabilities
Webinar–5 ways to risk rank your vulnerabilitiesWebinar–5 ways to risk rank your vulnerabilities
Webinar–5 ways to risk rank your vulnerabilities
 
Every cloud cloud risk assessment 2018
Every cloud cloud risk assessment 2018Every cloud cloud risk assessment 2018
Every cloud cloud risk assessment 2018
 
LSI Spring Agent Open House 2014
LSI Spring Agent Open House 2014LSI Spring Agent Open House 2014
LSI Spring Agent Open House 2014
 
Threat modelling & apps testing
Threat modelling & apps testingThreat modelling & apps testing
Threat modelling & apps testing
 
Application Whitelisting - Complementing Threat centric with Trust centric se...
Application Whitelisting - Complementing Threat centric with Trust centric se...Application Whitelisting - Complementing Threat centric with Trust centric se...
Application Whitelisting - Complementing Threat centric with Trust centric se...
 

More from Denim Group

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Denim Group
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
Denim Group
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
Denim Group
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Denim Group
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
Denim Group
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Denim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
Denim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Denim Group
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
Denim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
Denim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
Denim Group
 

More from Denim Group (20)

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 

Recently uploaded

Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 

Recently uploaded (20)

Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 

Mobile Application Assessment - Don't Cheat Yourself

  • 1. Mobile Application Assessment: Don’t Cheat Yourself! ! Dan Cornell! CTO, Denim Group! @danielcornell © Copyright 2014 Denim Group - All Rights Reserved
  • 2. Agenda • Background – Mobile Application Threat Model – Assessment Methodology – Data Collected • Findings – Types of Vulnerabilities Identified – Where Vulnerabilities Were Identified – How Vulnerabilities Were Identified © Copyright 2014 Denim Group - All Rights Reserved 2
  • 3. Introduction • Data comes from: – 61 Assessments – 20 Applications • What we found: – 957 Vulnerabilities • Assessment with the most vulnerabilities: 3 assessments had 10 Critical vulnerabilities • Assessments with the least vulnerabilities: only three assessments had one vulnerability (all others had more) © Copyright 2014 Denim Group - All Rights Reserved 3
  • 4. Research Background • Mobile application threat model • Assessment methodology – Static versus dynamic testing – Automated versus manual testing • Why CWE? • Assessment data © Copyright 2014 Denim Group - All Rights Reserved 4
  • 5. Mobile Application Threat Model • More complicated than a “typical” web application threat model • Not just about code running on the device • Main components: – Mobile application – Enterprise web services – 3rd party web services © Copyright 2014 Denim Group - All Rights Reserved 5
  • 6. Assessment Methodology • Testing activities – Combination of both static and dynamic activities – Combination of automated tools, manual review of automated test results and manual testing • Scope can include: – Code running on the device itself – Enterprise services – 3rd party supporting services © Copyright 2014 Denim Group - All Rights Reserved 6
  • 7. Determining Severity Based on customized DREAD model • Damage potential • Reproducibility • Exploitability • Affected users • Discoverability • Each factor ranked 1-3 © Copyright 2014 Denim Group - All Rights Reserved Collapsed to single dimension • Critical: > 2.6 • High: 2.3 – 2.6 • Medium: 2.0 – 2.3 • Low: < 2 7
  • 8. Why CWE? • Vulnerability taxonomy used was MITRE’s Common Weakness Enumeration (CWE) – http://cwe.mitre.org/ • Every tool has its own “spin” on naming vulnerabilities • OWASP Top 10 / WASC 24 are helpful but not comprehensive • CWE is exhaustive (though a bit sprawling at times) • Reasonably well-adopted standard • Many tools have mappings to CWE for their results © Copyright 2014 Denim Group - All Rights Reserved 8
  • 9. Assessment Data • Subset of mobile assessments • Mostly customer-facing applications from financial services organizations • Primarily iOS and Android applications – Some WAP, Windows Phone 7 © Copyright 2014 Denim Group - All Rights Reserved 9
  • 10. Types of Vulnerabilities Found • Top 10 Most Prevalent CWEs – Overall • Top 10 Most Prevalent CWEs – Critical/High Risk © Copyright 2014 Denim Group - All Rights Reserved 10
  • 11. Top 10 Most Prevalent CWEs – Overall Information Leak Through Log Files - LOW RISK Information Exposure - LOW RISK Cleartext Transmission of Sensitive Information - LOW RISK Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') - CRITICAL Improper Input Validation - LOW RISK External Control of System or Configuration Setting - LOW RISK Information Leak Through Debug Information - LOW RISK Cross-Site Request Forgery (CSRF) - LOW RISK Information Exposure Through an Error Message - LOW RISK © Copyright 2014 Denim Group - All Rights Reserved 26 22 21 21 16 14 14 11 20 284 271 0 50 100 150 200 250 300 Use of a Broken or Risky Cryptographic Algorithm - LOW RISK
  • 12. Top 10 Most Prevalent CWEs – Critical/High Risk Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') - CRITICAL Information Leak Through Caching - HIGH Access Control Bypass Through User-Controlled Key - CRITICAL Access Control (Authorization) Issues - CRITICAL Exposure of Access Control List Files to an Unauthorized Control Sphere - CRITICAL Incorrect User Management - CRITICAL Uncontrolled Resource Consumption ('Resource Exhaustion') - CRITICAL Missing XML Validation - CRITICAL Failure to Preserve Web Page Structure ('Cross-Site Scripting') - CRITICAL © Copyright 2014 Denim Group - All Rights Reserved 12 6 4 3 3 3 2 1 1 6 22 0 50 100 150 200 250 300 Uncontrolled Resource Consumption ('Resource Exhaustion') - CRITICAL
  • 13. OWASP Top 10 Mobile Risks • Similar to the OWASP Top 10 Web Application Risks, but targeted at mobile applications (obviously) • Top risks to mobile applications: – https://www.owasp.org/index.php/ OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks • Work in progress to update this based on industry-contributed data © Copyright 2014 Denim Group - All Rights Reserved 13
  • 14. OWASP Top 10 Mobile Risks M1: Insecure Data Storage M2: Weak Server Side Controls M3: Insufficient Transport Layer Protection M4: Client Side Injection M5: Poor Authorization and Authentication © Copyright 2014 Denim Group - All Rights Reserved M6: Improper Session Handling M7: Security Decisions Via Untrusted Inputs M8: Side Channel Data Leakage M9: Broken Cryptography M10: Sensitive Information Disclosure 14
  • 15. Compare to OWASP Top 10 Mobile Risks © Copyright 2014 Denim Group - All Rights Reserved 15 Strong Overlap • Weak server-side controls • Poor authentication and authorization • Security decisions via untrusted inputs • Sensitive information disclosure Overlap • Insecure data storage • Insufficient transport layer data protection • Improper session handling • Side channel data leakage • Broken cryptography Weak Overlap • Client-side injection
  • 16. Where Did We Find Overall Vulnerabilities? © Copyright 2014 Denim Group - All Rights Reserved 16 Corporate Web Service 591 62% Device 342 36% Third-Party Web Service 24 2%
  • 17. Where Did We Find Critical/High Risk Vulnerabilities? © Copyright 2014 Denim Group - All Rights Reserved 17 Corporate Web Service 41 70% Device 15 25% ThirdParty Web Service 3 5%
  • 18. Analysis of “Where” Data • Mobile security is about more than the code running on the device • The things we really care about (Critical, High) are most frequently found on corporate web services – Then on the device – Then on 3rd party web services • Reflects the “scale” benefits of finding web services vulnerabilities © Copyright 2014 Denim Group - All Rights Reserved 18
  • 19. How Did We Find Vulnerabilities? • Static vs. dynamic testing • Automated vs. manual testing • What techniques identified the most vulnerabilities? • What techniques identified the most serious vulnerabilities? © Copyright 2014 Denim Group - All Rights Reserved 19
  • 20. Static vs. Dynamic Method of Finding Vulnerabilities Medium Risk, 9 High Risk, 2 Critical, 33 Medium Risk, 84 High Risk, 14 Static © Copyright 2014 Denim Group - All Rights Reserved 20 Critical, 10 Low Risk, 206 Low Risk, 599 0 100 200 300 400 500 600 700 Dynamic
  • 21. Static vs. Dynamic Method of Finding Vulnerabilities Static © Copyright 2014 Denim Group - All Rights Reserved 21 Critical 5% High Risk 0% Medium Risk 2% Low Risk 93% Critical 3% High Risk Dynamic Low Risk 66% Medium 4% Risk 27%
  • 22. Critical and High Risk Vulnerabilities • Static testing was more effective when finding serious (Critical and High) vulnerabilities • But it also found a lot of lower-risk vulnerabilities (as well as results that had to be filtered out) © Copyright 2014 Denim Group - All Rights Reserved 22 Critical/High Risk Vulnerabilities Found Found with Dynamic Testing 24 41% Found with Static Testing 35 59%
  • 23. Automated vs. Manual Method of Finding Vulnerabilities Medium Risk, 89 High Risk, 15 Critical, 10 Medium Risk, 4 High Risk, 1 Manual © Copyright 2014 Denim Group - All Rights Reserved 23 Critical, 33 Low Risk, 526 Low Risk, 279 0 100 200 300 400 500 600 Automatic
  • 24. Automated vs. Manual Method of Finding Vulnerabilities Automatic © Copyright 2014 Denim Group - All Rights Reserved 24 Critical 6% High Risk 0% Medium Risk 1% Low Risk 93% Critical 2% High Risk Manual Medium 4% Risk 23% Low Risk 71%
  • 25. Automated vs. Manual Method of Finding Vulnerabilities (Critical and High) • Automated testing was more effective when finding serious (Critical and High) vulnerabilities © Copyright 2014 Denim Group - All Rights Reserved Critical/High Risk Vulnerabilities Found 25 Found with Automated Testing 34 58% Found with Manual Testing 25 42%
  • 26. Automated vs. Manual, Static vs. Dynamic Methods Medium Risk, 73 High Risk, 1 Critical, 0 Medium Risk, 84 High Risk, 14 Critical, 10 Medium Risk, 4 High Risk, 1 Manual / Static Manual / Dynamic © Copyright 2014 Denim Group - All Rights Reserved 26 Critical, 33 Low Risk, 526 Low Risk, 206 Low Risk, 5 0 100 200 300 400 500 600 Automatic / Static Automatic / Static Manual / Dynamic Manual / Static Low Risk 526 206 5 Medium Risk 4 84 73 High Risk 1 14 1 Critical 33 10 0
  • 27. Automated vs. Manual, Static vs. Dynamic Methods Dynamic © Copyright 2014 Denim Group - All Rights Reserved 27 Automatic, 564 Automatic, 0 Manual, 79 Manual, 314 0 100 200 300 400 500 600 Static Static Dynamic Manual 79 314 Automatic 564 0
  • 28. Automated vs. Manual, Static vs. Dynamic for Critical and High Vulnerabilities Dynamic © Copyright 2014 Denim Group - All Rights Reserved 28 Automatic, 34 Automatic, 0 Manual, 1 Manual, 24 0 5 10 15 20 25 30 35 40 Static Static Dynamic Manual 1 24 Automatic 34 0
  • 29. Analysis of “How” Data • A comprehensive mobile application security assessment program must incorporate a significant manual testing component • Automated tools for testing mobile applications are not as mature as those for testing web applications • Web services can be challenging to test in an automated manner © Copyright 2014 Denim Group - All Rights Reserved 29
  • 30. On-Device Vulnerabilities By Platform Platforms Number of Assessments on Device © Copyright 2014 Denim Group - All Rights Reserved Number of Total Vulnerabilities on Device Average Number of Vulnerabilities Found per Assessment iOS 39 252 6.5 Android 19 84 4.4 Windows Phone 1 3 3 7 WAP 1 3 3 30
  • 31. Other Observations • We also include “other observations” as part of our assessments • These reflect: – Application weaknesses – Coding flaws or behavior that are not “best practice” but do not reflect an immediate, exploitable vulnerability • We had 1,948 “other observations” – Roughly twice as many as actual vulnerabilities © Copyright 2014 Denim Group - All Rights Reserved 31
  • 32. Other Observations – Where Were They Found? © Copyright 2014 Denim Group - All Rights Reserved 32 Corporate Web Service 55 3% Device 1892 97% Third-Party Web Service 1 0%
  • 33. What Does This Mean? • Most of these “other observations” are about code on the device – Mobile application developers need help building better code – AND automated code scanning tools need to be better about filtering less valuable results • Something that is not a problem today could be later on – Identification of new platform vulnerabilities – Changes coming along with a new application release © Copyright 2014 Denim Group - All Rights Reserved 33
  • 34. Conclusions • What To Test? – Mobile “apps” are not standalone applications – They are systems of applications – Serious vulnerabilities can exist in any system component • How To Test? – Mobile application testing does benefit from automation – Manual review and testing is required to find the most serious issues – A combination of static and dynamic testing is required for coverage © Copyright 2014 Denim Group - All Rights Reserved 34
  • 35. Recommendations • Plan your mobile application assessment strategy with coverage in mind • Evaluate the value of automation for your testing – More “cost” than simply licensing – deployment time and results culling • Look for opportunities to streamline – Fast application release cycles can require frequent assessments – Control scope: • Assess application changes (versus entire applications) • Manage cost of reporting © Copyright 2014 Denim Group - All Rights Reserved 35
  • 36. Next Steps (For Us) • Incorporate more assessment data • Possible collaboration with OWASP Top 10 Mobile Risks – Currently being reworked based on data sets such as ours • Better analysis of applications over time • Updated release of Secure Mobile Application Development Reference – Previous (outdated) release available online http://www.denimgroup.com/media/pdfs/MobileDevReference.pdf © Copyright 2014 Denim Group - All Rights Reserved 36
  • 37. Questions? Dan Cornell dan@denimgroup.com Twitter: @danielcornell www.denimgroup.com blog.denimgroup.com (210) 572-4400 © Copyright 2014 Denim Group - All Rights Reserved 37