Fresh Digital Group addresses mobile security issues. There are vulnerabilities in operating systems, transport networks, and apps themselves. Apps are often rushed to market without proper security. Mobile devices expand the attack surface compared to desktops. The biggest security risks are from lost or stolen devices, where local data is insecurely stored, and insecure communications over open WiFi networks. Case studies show how credentials could be compromised from lost or exploited devices granting access to financial apps. Solutions include implementing input validation, authentication, authorization, and securing data at rest and in transit.
Gigamon U - Eye Of The Fire, Network Malware Control System - Grant Swanson
FireEye, Inc. is the leader in network malware control, dedicated to eradicating malware from the world's networks. FireEye provides the world's only malware control system designed to secure networks from targeted malware. Our solutions bring advanced network security together with state-of-the-art virtualization technology to combat crimeware and protect customer data, intellectual property and company resources, solving critical business needs without taxing your IT administration. FireEye is based in Menlo Park, CA and backed by Sequoia Capital & Norwest Venture Partners.
A superset of the slides I presented on voice biometrics at SxSW Interactive. The session (in conjunction with CSIdentity) was to raise awareness of VB as a physical and behavioral biometric.
Symantec Ubiquity is an award-winning, next generation security technology that is built on community-based reputation for fighting evolving malware. A result of more than four years of development, Ubiquity enables Symantec to harness the anonymous software usage patterns of more than 100 million Symantec customer computers, and deliver protection against micro-distributed, mutating threats that would otherwise completely evade traditional security solutions.
Penrillian's white paper (http://www.penrillian.com/), outlining the key issues to consider when creating a mobile money app, from the very basics to the complexities of mobile security.
As one of the leading mobile application development teams, Penrillian.com is the UK's leading authority on mobile money, mobile wallet and mobile payment system applications.
For more information head to http://www.penrillian.com/
It's 2012 and My Network Got Hacked - Omar Santos (santosomar)
Many times security professionals, network engineers, and management ask, "Why did I spend all this money on network security equipment if I still got hacked?" Often questions like these run through their minds: "Am I not buying the right security products? Am I not configuring or deploying them correctly? Do I have the right staff to run my network?" The security lifecycle requires measuring the current network state, creating a baseline and providing constant improvements. This presentation will cover several real-life case studies on how different network segments were compromised despite state-of-the-art network security technologies and products having been deployed. We will go over several security metrics that you should understand in order to better protect your network.
Omar Santos is an Incident Manager at Cisco's Product Security Incident Response Team (PSIRT). Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government. Omar has delivered numerous technical presentations at several venues, as well as executive presentations to CEOs, CIOs, and CSOs of many organizations. He is also the author of 4 Cisco Press books, with two more in the works.
JUSTLOOK® provides efficient integral security to any organization with the solutions below:
• Face Recognition Time Attendance System
• Face Recognition Visitors’ Management System
• Face Recognition Access Control System
For detailed specifications, kindly download our datasheet from www.aditechjustlook.com/JUSTLOOK-Datasheet.pdf
Kindly check the link below for a video demonstration: http://www.aditechjustlook.com/live-video.html
We request you to give us an appointment for a live demonstration of the JUSTLOOK solution at your convenience.
The rise of malware on the web is threatening businesses around the world. This presentation looks at the trends in malware on the web, and how AppRiver is providing protection against this threat.
Malware on Smartphones and Tablets: The Inconvenient Truth - IBM Security
View on-demand webinar: http://ibm.co/21C0aKO
Recent research shows that mobile has become the hackers’ new playground. However, most users and IT professionals do not think this is a real and substantial threat.
In this on-demand session, we will outline the broad scope of risk that mobile malware poses today on iOS and Android, and explain the potential business threats. The enterprise is at a critical juncture where advanced cyber-attacks targeting mobile users are now threatening both corporate and personal information.
Listen in to IBM Security product specialist Shaked Vax to learn how to reduce the risk of data leakage and protect against malicious activity with a comprehensive approach that combines enterprise mobility management (EMM) and mobile threat management.
Operation High Roller: The need for a security ally! - Jeff Danielson
Operation High Roller was a dramatic change in the way cyber criminals went after their victims. This presentation will focus on the specifics of this attack against corporations, which was focused on small to medium sized organizations, the use of analytics to single out the victims, and the advanced methodologies used to hide the attack. Jeff will also discuss the need for specialization in the security marketplace and the need to ally yourself with other organizations, as well as working with your general and outside counsel to prepare for the inevitable battle.
At VMworld 2012, Symantec announced new solutions and technical integrations with VMware across its entire product portfolio to ensure higher levels of protection for virtualized environments. Together, Symantec and VMware enable SMBs and enterprises to use the benefits of virtualization without compromising protection.
Symantec announced new offerings to create a trusted ecosystem of applications and partners to help businesses accelerate the execution of their mobility initiatives. The offerings include two new programs – the App Center Ready Program for application developers and the Mobility Solution Specialization Program for channel partners – as well as a single mobile suite spanning device management, application management and mobile security.
Webinar - Easy multi-factor authentication strategies and PCI DSS - onionid12
In this webinar we will discuss the use of multi-factor authentication (MFA), and the new mandate in the latest version of PCI Data Security Standard, PCI DSS 3.2. MFA goes beyond traditional password-based approaches by combining multiple features, such as biometrics, behavioral patterns, and context information. In addition to covering these, the webinar will also address the problem of selecting the right combination of features for a business, given its unique priorities and circumstances. Learn how to comply with PCI DSS 3.2's MFA mandate for admin and user accounts.
F5 keeps customers protected with new IP Intelligence service. F5's BIG-IP solutions now offer a cloud-based service to guard against malicious activity, emerging threats, and IP address-related attacks.
There is no debate that companies large and small have put a lot of effort into protecting digital security and privacy with “best practice” recommendations, often using solutions from branded security vendors or built by the best in-house or outsourced experts, yet they are still falling prey to cyber and insider attacks, because “compliance” or “best practice” does not equal security. Reality has shown us that traditional security approaches have fallen behind the increased system complexity and the advanced technical capabilities that adversaries have mastered.
The key weakness in our security defenses lies with the weakness of the digital identities systems use to authenticate users (no system can defend against an attacker who impersonates a legitimate user); followed by the inability to validate the authenticity and integrity of communication (if an attacker can tamper with the data freely, there is no need to crack the one-time password); and finally the inability to protect information from unauthorized access in the event of an inevitable security breach caused by unknown system or application security vulnerabilities.
FrontOne’s information security solution addresses all the security weaknesses listed above:
First, FrontOne uses its own digital identity that is hardened to withstand advanced hackers using sophisticated real-time attacks, and it protects all its users from falling prey to identity thieves, from phishing and malware attacks at the client side to advanced persistent threats at the server side, because FrontOne’s digital identity is dynamic and non-transferable.
Second, FrontOne provides 100% message integrity by using a dedicated and destination-aware messaging system and ensuring each and every message is completely unique, reducing the chance of attackers being able to identify and manipulate it for their benefit.
Finally, FrontOne uses its own method of protecting information at rest, in transit or in use, by focusing its innovation on the security and integrity of the encryption key while using industry-standardized cryptography. FrontOne’s user-centric data protection solution uses dual control for its encryption keys. A random encryption key is protected with a security key that has two parts, one from the client side and the other from the centralized key server. This arrangement ensures that access to protected data is available only when the authorized user's device is present.
The security approaches FrontOne has taken above are further strengthened with its own patented technologies, which introduce a dynamic element into each and every message and transaction, mutually authenticate both parties before a request is served, and provide the user with ultimate control that is not accessible digitally.
Securing Mobile Apps: New Approaches for the BYOD World - Apperian
In this webinar we discussed the future of mobile application security in the enterprise.
Smart phones, tablets and even e-readers are now seen as security problems for an enterprise by some IT organizations. Applying MDM — aka mobile device management — has been the response of IT to handle devices, but this approach is lacking, especially as BYOD (bring your own device) has become the primary source of devices in companies. And, as “apps” have proliferated, the apps and data are becoming the engine of user empowerment and ROI — and risk.
Users are not accepting the restrictions MDM places on their use of the phone, especially when the user actually owns the device. And if the user leaves, IT may wipe the device, personal data and all. Mobile Application Management (MAM) promises a solution that keeps enterprise apps and data separate and secure. Other approaches are coming in the future as well. Virtualization promises that one phone can run two VMs, one personal and one business. There are containers and sandboxed apps. Ultimately, different approaches to application development and management could solve the puzzle of protecting confidential data while keeping individuals productive. What approach will win out?
RSA 2012 Virtualization Security February 2012 - Symantec
At RSA 2012 Symantec and VMware announced five new security integrations with the VMware cloud infrastructure suite designed to deliver extensive protection for virtual and cloud environments along with operational cost savings. With new VMware integrations, Symantec enables joint customers to completely protect their virtual infrastructure and business-critical applications with data loss prevention, IT risk and compliance, data center protection, security information and event management (SIEM) and endpoint protection solutions – delivering unparalleled security, scalability and cost reductions for rapid services delivery and enhanced business agility for the cloud.
Know the vulnerabilities in security products, the risks they expose us to, and how to counter them in the most effective manner. Learn the secrets that are not revealed:
• How secure are security products?
• What are the vulnerabilities that security products bring into your environment?
• Which are the most vulnerable security products?
• Who are the security vendors with most published vulnerabilities?
• How to manage the risks?
Guarding the guardian’s guard: IBM Trusteer - SEP326 - AWS re:Inforce 2019 - Amazon Web Services
Risk assessment associated with digital identity is at the core of any digital business transformation. Companies strive to provide their customers with the best possible service, but at the same time, they struggle with the challenges of digital identity risk. IBM Trusteer is a SaaS solution that is meeting the challenge head-on. In this talk, we present two stories. We look at some identity proofing techniques, and we also examine some of the tools and processes that are keeping Trusteer’s cloud safe and secure. This session also explores use cases involving IBM tools that are deployed in an AWS environment.
mCommerce - A Fresh Look At Why It Matters - Doug Robinson
A brief overview of the growing mCommerce market, its characteristics and impacting trends. Our analysis looks into different segments of the industry: App-based services, On-Demand Services, Marketplace, Mobile Retail, Retail Enablement and Mobile Payments, and provides overall predictions for the future of the industry.
We are living in an era where data from multiple devices and connected objects and software systems are being intertwined to create a multitude of new services and performances – all without ruining the consumer experience.
If Apple Watch is successful, it will consolidate and standardize our expectations of wearable technology, in the same way that the iPhone did for the mobile market in 2007. This broad acceptance of the digitally-enhanced self will pave the way for other technologies that are still emerging at the fringes of the consumer domain.
Drones are a different kind of new technology from what we’re used to. They offer something else: the conquest of physical space, the extension of society’s compass, the ability to be anywhere and see anything.
For the past few years, one of the most exciting classes of gadgets on display has been drones. They got cheaper, lighter, and easier to use even as they became more powerful.
We believe 2015 is an important year for drones as they will change how brands interact with consumers in both advertising and events, and here's everything you need to know about the drone technology.
If 2014 was the year of mobile, 2015 is most definitely the year of Rich Media.
Mobile ad spend is expected to increase 77% in 2015. We will see sophisticated and creative collaboration in 2015, as content creators build audiences that rival those of pop stars and brands grasp just how powerful mobile can be. In order for brands to get the most ROI for their mobile advertising spend, they need to invest in Rich Media, to create immersive experiences, transforming their level of engagement with consumers.
In FreshDigitalGroup’s “Rethink 2015,” we take an in-depth look at the following Rich Media predictions in addition to forecasts for digital, mobile and social industries.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ... - James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Generative AI Deep Dive: Advancing from Proof of Concept to Production - Aggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
UiPath Test Automation using UiPath Test Suite series, part 4 - DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf - Paige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble, many organizations still relegate monitoring & observability to the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party, and will share these foundational concepts to build on:
Epistemic Interaction - tuning interfaces to provide information for AI support - Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Elevating Tactical DDD Patterns Through Object Calisthenics - Dorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
UiPath Test Automation using UiPath Test Suite series, part 5 - DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with DevOps.
Topics covered:
CI/CD within UiPath
End-to-end overview of a CI/CD pipeline with Azure DevOps
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
GraphRAG is All You need? LLM & Knowledge Graph - Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
GridMate - End to end testing is a critical piece to ensure quality and avoid... - ThomasParaiso2
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
Securing your Kubernetes cluster: a step-by-step guide to success! - KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf - Peter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024 - Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Mobile Security
1. Fresh Digital Group
Building Mobile Security
We Strategize. We Execute. We Deliver. On All Screens.
2. The Problem: Vulnerabilities
- OS Vulnerabilities: Server, Clients
- Transport Vulnerabilities: Network
- App Vulnerabilities: Client, Middleware, Servers
3. The Problem: App Security
Apps exist in market to make $$$, not to protect you or your information
Gold Rush Mentality: developers are extremely rushed to produce apps, leading to security suffering
4. The Problem: Enterprise Issues
Transforming how people work
- Insurance agents close deals in real time on their iPad
- Doctors can review secure messages and patient records from a restaurant
- Social workers carry tablets to each client's home, take images, update records
5. The Problem: Enterprise Issues
Mobile Ecosystem introduces an exponentially expanded attack surface compared to past introductions
- Non-Managed Firmware
- Non-Managed Networks
- Non-Managed OSs
- Non-Managed Applications
- Non-Managed Data Flows
Significant economic impacts from past situations with fewer variables and complexities
- Email: I Love You virus = $10B
- Web Servers: Code Red = $9B
- PCs: Blaster = $5B
7. The Problem: Mobile Hacking
Old Process: 5 Steps to monetize a vulnerability
Exploit > Install > Data Theft > Data Sale > Profit
New Process: 3 Steps to monetize a vulnerability
Exploit > Install > Profit
8. App Vulnerabilities: Mobile App Threat
Many considerations
- Platforms vary substantially
- Similar but still very different than traditional web apps, even when heavy with client-side code
It’s more than just apps
- Cloud/network integration
- Device platform considerations
Most mobile apps are basically web apps
- But with more client “smarts,” almost all web weaknesses are relevant, and more
9. Mobile Threat Model
- Missing Device
- Lost Device
- Malicious QR code
- Social Engineering
- Carrier Network Breach
- Tampering
- Repudiation
- Spoofing
- Untrusted NFC tag or Peer
- Weak Authorization
- Toll Fraud
- Modifying Local Data
- Malware
- Insecure WiFi Network
- Improper Session Handling
- Client Side Injection
- Malicious Application
- Weak Authentication
- Flawed Authentication
- Push Notification Flooding
- Crashing Apps
- Malware Sandbox Escape
- Compromised Credentials
- Compromised Device
- Backend Breach
- Excessive API Usage
- Elevation of Privilege
- Denial of Service / DDoS
- Information Disclosure
- Reverse Engineering Apps
10. Biggest Issue: Lost/ Stolen Device
Anyone with physical access to your device can get to a wealth of data
- PIN is not effective
- App data
- Keychains
- Properties
Disk encryption helps, but we can’t count on users using it
Apps must protect users’ local data storage
11. Lost/ Stolen Device: Insecure Data Storage
Sensitive data left unprotected
Applies to locally stored data + cloud synced
Generally a result of:
- Not Encrypting Data
- Caching data not intended for long-term storage
- Weak or global permissions
- Not leveraging platform best-practices
Impact:
- Confidentiality of data lost
- Credentials disclosed
- Privacy violations
- Non-compliance
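The slides above say that local app data must be encrypted, must not be left with weak or global permissions, and must not be modifiable by whoever picks up the device. The following is an added example, not code from the Fresh Digital Group deck, showing those three controls together in Python: a session token is sealed with encrypt-then-MAC before it is written, the file is created owner-only (0600), and a tampered file is rejected on load. The device secret, file name and session contents are constructed for the demonstration; the HMAC-based counter-mode keystream is an educational stand-in for the platform's own AES-GCM and keychain/keystore APIs, which a real app should use instead.

```python
import hmac
import json
import os
import secrets
import stat
import tempfile

# Constructed demonstration key: a real app would obtain this from the platform
# keychain/keystore so that it never sits next to the data it protects.
DEVICE_SECRET = secrets.token_bytes(32)


def derive_keys(device_secret: bytes, salt: bytes):
    """Derive independent encryption and MAC keys from the device secret (HMAC as KDF)."""
    enc_key = hmac.new(device_secret, b"enc" + salt, "sha256").digest()
    mac_key = hmac.new(device_secret, b"mac" + salt, "sha256").digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; an educational stand-in for AES-GCM."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal(device_secret: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC layout: salt(16) || nonce(16) || ciphertext || tag(32)."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(device_secret, salt)
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return salt + nonce + ciphertext + tag


def open_sealed(device_secret: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; any modification is rejected."""
    if len(blob) < 64:
        raise ValueError("stored blob is truncated")
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(device_secret, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("local data was modified or wrong key")
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def write_private(path: str, data: bytes) -> None:
    """Create the file owner-only (0600) before any byte lands on disk."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def world_accessible(path: str) -> bool:
    """True when group/other bits are set: the 'weak or global permissions' case."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def save_session(path: str, device_secret: bytes, session: dict) -> None:
    write_private(path, seal(device_secret, json.dumps(session).encode()))


def load_session(path: str, device_secret: bytes) -> dict:
    with open(path, "rb") as f:
        return json.loads(open_sealed(device_secret, f.read()))


def demo() -> dict:
    """Round-trip a session through disk, then flip one ciphertext byte and reload."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "session.bin")
        session = {"user": "alice", "token": "constructed-sample-token"}  # constructed
        save_session(path, DEVICE_SECRET, session)
        with open(path, "rb") as f:
            raw = f.read()
        results = {
            "roundtrip": load_session(path, DEVICE_SECRET) == session,
            "private": not world_accessible(path),
            "plaintext_on_disk": b"alice" in raw,
        }
        tampered = bytearray(raw)
        tampered[40] ^= 0x01  # byte 40 is inside the ciphertext (after salt + nonce)
        write_private(path, bytes(tampered))
        try:
            load_session(path, DEVICE_SECRET)
            results["tamper_detected"] = False
        except ValueError:
            results["tamper_detected"] = True
        return results
```

The design point is that the file is never readable by other users even for an instant (the mode is set in the `open` call, not with a later `chmod`), and the tag is checked before decryption so a modified file is refused rather than parsed; "caching data not intended for long-term storage" is addressed by keeping only the session token, not the account data it unlocks.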
12. Second Biggest Issue: Insecure Comms
Without additional protection, mobile devices are susceptible to the “coffee shop attack”
Anyone on an open WiFi can eavesdrop on your data
No different than any other WiFi device really
Your apps MUST protect your users’ data in transit
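Protecting data in transit against the open-WiFi eavesdropper above comes down to two checks an app can enforce on itself: sensitive requests only go to approved HTTPS endpoints, and the TLS client actually verifies the server. The block below is an added example in Python, not code from the deck, that expresses both as policy functions; `ALLOWED_HOSTS` and the URLs are constructed placeholders. The `weakened_context` function shows the "make the certificate error go away" configuration that rushed apps ship with, and `context_is_hardened` shows how a build check would catch it.

```python
import ssl
from typing import Optional
from urllib.parse import urlparse

# Constructed placeholder: the backend hosts this app is allowed to send user data to.
ALLOWED_HOSTS = {"api.example.com"}


def transport_violation(url: str) -> Optional[str]:
    """Explain why a URL must not carry user data, or return None if it may."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return f"scheme {parts.scheme!r} would send data in the clear"
    if parts.hostname not in ALLOWED_HOSTS:
        return f"host {parts.hostname!r} is not an approved backend"
    return None


def hardened_context() -> ssl.SSLContext:
    """Client context that verifies the chain and hostname and refuses pre-1.2 TLS."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weakened_context() -> ssl.SSLContext:
    """The configuration that silences certificate errors in development and then
    ships: any certificate is accepted, so anyone on the WiFi can sit in the middle."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Build-time or startup check that the app's TLS settings were not relaxed."""
    return bool(
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def review_endpoints(urls) -> dict:
    """Return {url: 'ok' or the reason it is rejected} for a configured endpoint list."""
    return {u: transport_violation(u) or "ok" for u in urls}
```

In practice the endpoint review runs over the app's configuration at startup (or in CI) so that a plain-http URL added to a config file fails the build rather than being discovered in a packet capture at a coffee shop.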
13. Case Study Examples: Mint.com
Mint.com: a financial service aggregator that relies on targeted marketing/ lead generation, 5M+ active users
How it works:
- Create Mint.com account
- Link financial accounts to Mint.com
- Install mobile application and enter Mint.com credentials
- View all financial account activity within app
14. Lost Device Example
Physical iOS Exploit Scenario
Lost iPhone > Recovered by data harvester > 4-digit PIN bypassed in 3 minutes > User partition copied > Mint.com cookies and configuration copied to attack iOS platform
Full Mint.com mobile access in 20 minutes or less
15. Remote iOS Exploit Scenario
- Un-patched iOS device is compromised through URL handling exploit
- Attacker bundles keylogger as exploit payload
- User installs Mint.com and links mobile application to Mint.com account
- Attacker programs compromised phone to schedule daily dumps of keystroke logs
16. Common Security Mechanisms: How to Build in Security
- Input validation
- Output escaping
- Authentication
- Session handling
- Protecting secrets: at rest, in transit
- SQL connections
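Three items on that list (input validation, output escaping, SQL connections) are where the "almost all web weaknesses are relevant" point from slide 8 bites a mobile app's backend and its WebViews. The block below is an added example in Python with sqlite3, not code from the deck: a validator that accepts only the shape an account number can have, an HTML-escaping renderer for values shown in a WebView, and a string-concatenated query beside its parameterized replacement. The table and rows are constructed; the owner name O'Brien is enough to show why the concatenated form is fragile without any special payload.

```python
import html
import re
import sqlite3

ACCOUNT_NUMBER = re.compile(r"[0-9]{8,12}")


def validate_account_number(raw: str) -> str:
    """Input validation at the boundary: accept only the shape a real account number has."""
    value = raw.strip()
    if not ACCOUNT_NUMBER.fullmatch(value):
        raise ValueError("account number must be 8-12 digits")
    return value


def render_owner(name: str) -> str:
    """Output escaping before the value reaches a WebView or HTML template."""
    return '<span class="owner">' + html.escape(name, quote=True) + "</span>"


def fragile_lookup(conn, owner: str):
    """The 'before': user input concatenated into SQL. A legitimate owner such as
    O'Brien already breaks the statement, and any quote changes the query's meaning."""
    return conn.execute(
        "SELECT number, balance FROM accounts WHERE owner = '" + owner + "'"
    ).fetchall()


def safe_lookup(conn, owner: str):
    """Parameter binding keeps data as data regardless of what characters it holds."""
    return conn.execute(
        "SELECT number, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


def sample_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the app's SQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (number TEXT, owner TEXT, balance REAL)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("12345678", "O'Brien", 120.50), ("87654321", "Alice", 9.75)],
    )
    return conn


def demo() -> dict:
    """Run the same owner name through both lookups and the validator/escaper."""
    conn = sample_db()
    out = {"safe": safe_lookup(conn, "O'Brien")}
    try:
        fragile_lookup(conn, "O'Brien")
        out["fragile_error"] = None
    except sqlite3.OperationalError as e:
        out["fragile_error"] = type(e).__name__
    out["escaped"] = render_owner("<b>O'Brien</b>")
    out["valid"] = validate_account_number(" 12345678 ")
    try:
        validate_account_number("12345")
        out["rejected"] = False
    except ValueError:
        out["rejected"] = True
    return out
```

The same parameter-binding rule applies to whatever database driver the backend uses; the fragile form fails on ordinary data first, which is the cheapest way to notice it in testing before it fails under hostile data.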
17. Authorization Basics
Question every action
Is the user allowed to access this:
• File
• Function
• Data
By role or by user
Complexity issues
Maintainability issues
Creeping exceptions
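"Question every action", by role or by user, is easiest to keep maintainable when the decision lives in one function that every service call goes through, and when exceptions are data (entries in the role and ownership tables) rather than extra branches scattered through the code. The following is an added example in Python, not code from the deck, using the insurance-agent and doctor roles from slide 4; the role table, ownership map and resource ids are constructed.

```python
from dataclasses import dataclass
from functools import wraps


@dataclass(frozen=True)
class User:
    id: str
    role: str


# Constructed role table: a role grants named actions and nothing else.
ROLE_ACTIONS = {
    "agent": {"policy:read", "policy:update"},
    "doctor": {"record:read"},
    "admin": {"policy:read", "policy:update", "record:read", "user:manage"},
}

# Constructed ownership map: which user each resource belongs to (the per-user check).
OWNERS = {"policy-1": "agent-7", "policy-2": "agent-9", "record-3": "doctor-2"}


class Denied(PermissionError):
    pass


def authorize(user: User, action: str, resource_id=None) -> None:
    """Deny by default: the role must list the action, and unless the role is
    'admin' the caller must also own the resource. Raises Denied otherwise."""
    if action not in ROLE_ACTIONS.get(user.role, set()):
        raise Denied(f"role {user.role} may not {action}")
    if resource_id is not None and user.role != "admin":
        if OWNERS.get(resource_id) != user.id:
            raise Denied(f"{user.id} does not own {resource_id}")


def allowed(user: User, action: str, resource_id=None) -> bool:
    try:
        authorize(user, action, resource_id)
        return True
    except Denied:
        return False


def requires(action: str):
    """Decorator so every service function questions the action before it runs."""
    def wrap(fn):
        @wraps(fn)
        def guarded(user: User, resource_id: str, *args, **kwargs):
            authorize(user, action, resource_id)
            return fn(user, resource_id, *args, **kwargs)
        return guarded
    return wrap


@requires("policy:update")
def update_policy(user: User, resource_id: str, new_premium: float) -> str:
    return f"{resource_id} premium set to {new_premium} by {user.id}"


def demo() -> dict:
    """Exercise the role, ownership, unknown-action and admin paths."""
    agent = User("agent-7", "agent")
    other = User("agent-9", "agent")
    admin = User("admin-1", "admin")
    doctor = User("doctor-2", "doctor")
    return {
        "own_resource": allowed(agent, "policy:update", "policy-1"),
        "someone_elses": allowed(other, "policy:update", "policy-1"),
        "wrong_role": allowed(doctor, "policy:update", "policy-1"),
        "unknown_action": allowed(admin, "policy:delete", "policy-1"),
        "admin_override": allowed(admin, "policy:update", "policy-2"),
        "update": update_policy(agent, "policy-1", 99.0),
    }
```

An action that is not in the role table is denied even for admin, so a new feature cannot be reached until someone deliberately grants it; that is what keeps the "creeping exceptions" visible in one place instead of spread across the codebase.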
18. Security Solutions Address 4 Aspects
1. Authentication: Enforce enterprise standards w/o compromising UX
2. Data Security (Storage and Transit): Isolate corporate data, secure it, and provide DLP
3. Control Corp. Data: Provision enterprise access, enforce policy and visibility
4. App Creation: Native & HTML5, UX, cross platform, getting business logic right
19. Fresh Digital Group
111 John St 2nd FL
New York, NY 10038
www.freshdigitalgroup.com