This presentation is about the Mobile Application Security Verification Standard (MASVS) and the Mobile Security Testing Guide (MSTG) from OWASP. It relates my experience both as an author and as a user of these resources and includes some practical examples of what mobile security means and why it is important in IoT.
The whole set of documents can be found at https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide
6. Technical Architecture of an IoT solution
• IoT device: collecting data in the field (for instance in smart xyz); OS is often Android or iOS
• Cloud services: including Authentication, IAM, Analytics, Monitoring, Storage, Device management and Data visualization
• API
• Edge computing
• API
• End user: using an application (web, mobile, …) for remote management, supervision, …
7. IoT Attack Surface
A significant part of the attack surface comes from the mobile side:
• Local storage
• Insecure communications
• Insecure cryptography
• Insecure authentication
• Reverse engineering
• …
8. A few facts and figures
• A majority have little to no knowledge of the number and type of installed mobile apps
• 79% think that using mobile apps increases security risks (Ponemon 2017 Study on Mobile and Internet of Things Application Security)
• Few mobile apps go through security testing
• Focus on usability
9. Mobile Application Security (M -> I)
What can go wrong? Well,
• Mobile to IoT device: a study reports that « Mobile App Flaws […] Could Allow Hackers To Target Critical Infrastructure » (https://securityaffairs.co/wordpress/67701/iot/scada-mobile-security.html)
• IoT device to Mobile
10. Mobile Application Security (I -> M)
What can go wrong? Well,
• Mobile to IoT device
• IoT device to Mobile: Belkin WeMo devices used to attack mobile phones (Black Hat Europe, 2016)
11. And think about it…
What about your smart lock / smart fridge / security cam / [take virtually any smart device]?
Hint: The architecture is the same!!!
12. MOBILE SECURITY AT OWASP - IMPROVE THE SECURITY POSTURE OF MOBILE APPS WITH MASVS AND MSTG
13. OWASP
• https://www.owasp.org
• The Open Web Application Security Project is a not-for-profit worldwide organization (US-based) that supports application security, with hundreds of chapters worldwide and thousands of members
• All OWASP tools / documents / forums / chapters are free
• Participating in projects is FREE and everyone is welcome!
14. OWASP
• Not linked to any commercial company
• Organizes and sponsors world-class security events
• Technical audience
• Meritocracy; core values are: Open, Innovation, Global, Integrity
15. Why Mobile Application Security?
• Different Attack Surface
  - Local storage
  - Local authentication
  - OS interaction
• Different Vulnerabilities
  - Reverse engineering
  - Secret storage
  - Fewer (through frameworks like Cordova) to no XSS and CSRF (in native apps)
• 16 vulnerabilities per mobile app on average
• Malware also exists on mobile
• Anyway, « Hackers are able to penetrate mobile devices exactly in the same way they accessed our confidential data on our computer. » Pierluigi Paganini, ENISA
16. Mobile Security at OWASP
• https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide
• Main deliverables are
  - Testing guide (MSTG)
  - List of requirements (MASVS)
  - Checklist for security assessment
17. A few words on… MASVS
• Mobile Application Security Verification Standard
• Provides 3 levels of requirements in 8 domains:
  - Baseline (MASVS-L1, 43 reqs)
  - Defense-In-Depth (MASVS-L2, 19 reqs)
  - Adds advanced reqs on resiliency against reverse engineering and tampering (MASVS-R, 12 reqs)
• Fork of ASVS dedicated to mobile
• Provides scalability in security requirements management
19. A few words on… MSTG
• Mobile Security Testing Guide
• Risk-based approach
• Promotes the use of an SDLC*
• Maps directly to MASVS requirements
• Native Android and iOS applications
• Use the OWASP Testing Guide for the security of server-side components
• Use cases
*SDLC = Secure Development Life Cycle
22. MASVS and MSTG in SDLC
• Supports « shifting left » and « security by design », promotes security in DevOps
• MASVS early in app creation
• MSTG in the testing phase
(diagram: MASVS, MSTG and the checklist placed along the SDLC)
24. Automating use of MASVS and MSTG
Example using BDD (Behavior Driven Development) based on Calaba.sh: https://www.owasp.org/images/f/fb/V2_-_OWASP_Buscharest_Davide_Cioccia.pdf
25. Recognition
• Referenced by
• Governments are working on including the MSTG in their standards
• Used by many companies in many industries around the world (banks, finance, …)
• Many training requests received
26. Future of MASVS and MSTG
Not static:
• Bug fixing
• Follow new iOS / Android versions
• Add frameworks (Cordova, PhoneGap, …)
• Code samples for Swift
• As the guide is meant to evolve: milestoning and versioning strategy
• …
Volunteers are welcome!
Easy: go to https://github.com/OWASP/owasp-mstg/milestone/1 , pick up any issue and submit your pull request!!!
27. Related OWASP projects
• Mobile Top 10 https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
• Internet of Things https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
• Cloud Security https://www.owasp.org/index.php/OWASP_Cloud_Security_Project
• Dependency Track https://www.owasp.org/index.php/OWASP_Dependency_Track_Project
• DevSecOps Studio https://www.owasp.org/index.php/OWASP_DevSecOps_Studio_Project
And so many others! Check at www.owasp.org
29. Attack scenario – Reverse Engineering
Scenario: An attacker wants to retrieve the source code of your app to (pick one):
- steal your IP
- find secrets to penetrate your network
- find flaws and manipulate your app
- repackage your app with malware
Attacker steps:
• Installs your app on their phone (from Google Play)
• Retrieves it on their laptop (connect through USB; adb shell pm path <package name> gives the APK location on the device, then adb pull <path on device>)
• Reverse engineers it (apktool d -f -o <directory> <appname>.apk for resources, manifest and smali; or d2j-dex2jar <file>.dex, unzip the resulting .jar and jad -o <file>.class for Java source)
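A practical follow-on to the last step above, added here as an example and not part of the original deck: once apktool or dex2jar + jad have produced a directory of resources and sources, a small scanner finds the kind of hard-coded secrets the attacker is after (the "find secrets to penetrate your network" goal). The package name com.example.smartlock, the file contents and every secret value below are constructed for the demonstration; the script writes them to a temporary directory so it runs offline, then scans that tree.

```python
"""Scan an apktool / dex2jar output tree for hard-coded secrets (added example)."""
import math
import os
import re
import tempfile
from collections import Counter

# Credential shapes worth flagging in decoded resources and decompiled sources.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    # a field whose name says key/secret/password/token, assigned a quoted literal
    "keyish_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|password|passwd|token)\b[^\n\"']{0,40}[\"']([^\"'\s<>]{8,})[\"']"),
    # <string name="...key...">value</string> entries in res/values/strings.xml
    "strings_xml_keyish": re.compile(
        r"(?i)<string name=\"[^\"]*(?:key|secret|password|token)[^\"]*\">([^<]{8,})</string>"),
}
HIGH_ENTROPY_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/=_\-]{24,})[\"']")
ENTROPY_THRESHOLD = 3.5  # bits per character; identifiers and prose sit well below this


def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, path):
    """Return (path, rule, value) findings for one file's contents."""
    findings = []
    for rule, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            findings.append((path, rule, value))
    # catches long random-looking literals whose variable name gives nothing away
    for m in HIGH_ENTROPY_LITERAL.finditer(text):
        if shannon_entropy(m.group(1)) > ENTROPY_THRESHOLD:
            findings.append((path, "high_entropy_literal", m.group(1)))
    return findings


def scan_tree(root, exts=(".xml", ".java", ".smali", ".json", ".properties")):
    """Walk a decoded app directory (apktool output, or sources from dex2jar + jad)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), rel))
    return findings


def make_sample_tree():
    """Constructed stand-in for an apktool/jad output directory (not a real app)."""
    root = tempfile.mkdtemp(prefix="decoded_app_")
    samples = {
        "res/values/strings.xml": (
            '<?xml version="1.0" encoding="utf-8"?>\n<resources>\n'
            '    <string name="app_name">SmartLock</string>\n'
            '    <string name="backend_api_key">AKIAABCDEFGHIJKLMNOP</string>\n'
            '    <string name="welcome_text">Welcome to your smart lock</string>\n'
            '</resources>\n'),
        "src/com/example/smartlock/Backend.java": (
            'package com.example.smartlock;\n\n'
            'public class Backend {\n'
            '    private static final String MQTT_PASSWORD = "hunter2-iot-bridge-2018";\n'
            '    private static final String TOKEN = "c2VjcmV0LXRva2VuLWZvci1kZW1vLXB1cnBvc2Vz";\n'
            '    public static String greeting() { return "hello"; }\n'
            '}\n'),
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, rule, value in scan_tree(make_sample_tree()):
        print(f"{path}: {rule}: {value}")
```

Point it at a real apktool output directory (`scan_tree("/path/to/app-decoded")`) to reproduce the attacker's search; every finding is a candidate for MASVS requirement checks on secret storage, since anything an attacker can read from the APK should not be a credential the backend trusts.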
30. MASVS Requirements – Reverse Engineering
MASVS provides requirements (8.1 to 8.13) to mitigate such attacks: section 8, entitled « Resiliency Against Reverse Engineering Requirements ».
And MSTG allows you to test the proper implementation of these requirements!
31. Attack scenario – Local storage
Scenario: An attacker gets physical access to your mobile (unsupervised or stolen mobile) and wants to find corporate secrets
Attacker steps:
Let's assume the screen-locking protection is poor and has been circumvented:
• Attacker connects their laptop through USB (adb requires USB debugging to be enabled and the laptop's key to be accepted on the phone)
• Attacker performs a backup of your mobile / one of your apps (adb backup -f backup.ab <packageName>; app data is only included if the app does not set android:allowBackup="false" in its manifest)
• Attacker opens the archive (java -jar abe.jar unpack backup.ab backup.tar, then opens the tar with 7-Zip)
• Retrieves database / logs / preferences and analyses their content
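The unpack step above, as an added example that is not part of the original deck and not abe.jar itself: an unencrypted Android backup file is a four-line text header (magic, format version, compressed flag, encryption method) followed by a tar stream, zlib-compressed when the flag is 1. The script builds such a file in memory for a made-up package com.example.smartlock (constructed shared preferences and a stub database, not from any real device), unpacks it and lists the preferences whose names suggest a credential, which is exactly what the attacker reads out of the tar.

```python
"""Unpack an unencrypted Android backup (.ab) and look for plaintext secrets (added example)."""
import io
import re
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"


def build_sample_backup(package="com.example.smartlock"):
    """Constructed stand-in for the output of `adb backup -f backup.ab <package>`."""
    prefs = (b'<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
             b'    <string name="username">alice</string>\n'
             b'    <string name="session_token">eyJhbGciOiJub25lIn0.demo.token</string>\n'
             b'    <string name="mqtt_password">hunter2</string>\n'
             b'    <boolean name="remember_me" value="true" />\n</map>\n')
    files = {
        f"apps/{package}/_manifest": b"1\n" + package.encode() + b"\n",
        f"apps/{package}/sp/{package}_preferences.xml": prefs,
        f"apps/{package}/db/smartlock.db": b"SQLite format 3\x00" + b"\x00" * 16,
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    header = MAGIC + b"\n5\n1\nnone\n"  # version 5, compressed=1, encryption=none
    return header + zlib.compress(buf.getvalue())


def parse_header(ab):
    parts = ab.split(b"\n", 4)
    if len(parts) < 5 or parts[0] != MAGIC:
        raise ValueError("not an Android backup file")
    return {"version": int(parts[1]), "compressed": parts[2] == b"1",
            "encryption": parts[3].decode(), "payload": parts[4]}


def unpack_backup(ab):
    """Return {path: bytes} for every file in the backup's tar stream."""
    h = parse_header(ab)
    if h["encryption"] != "none":
        # backups made with a password carry e.g. "AES-256" here; abe.jar needs that password
        raise ValueError(f"backup is encrypted with {h['encryption']}; the backup password is needed")
    tar_bytes = zlib.decompress(h["payload"]) if h["compressed"] else h["payload"]
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for m in tar.getmembers():
            if m.isfile():
                out[m.name] = tar.extractfile(m).read()
    return out


SECRET_NAME = re.compile(r"(?i)(password|passwd|secret|token|key|pin)")
PREF_ENTRY = re.compile(r'<string name="([^"]+)">([^<]*)</string>')


def find_plaintext_secrets(files):
    """Shared preferences (apps/<pkg>/sp/*.xml) whose entry names look like credentials."""
    findings = []
    for name, data in files.items():
        if "/sp/" in name and name.endswith(".xml"):
            for key, value in PREF_ENTRY.findall(data.decode("utf-8", "replace")):
                if SECRET_NAME.search(key):
                    findings.append((name, key, value))
    return findings


if __name__ == "__main__":
    files = unpack_backup(build_sample_backup())
    for path in files:
        print("extracted", path)
    for path, key, value in find_plaintext_secrets(files):
        print(f"plaintext secret in {path}: {key} = {value}")
```

To run it against a real capture, replace `build_sample_backup()` with `open("backup.ab", "rb").read()`. Note that the check on the encryption line is the practical limit of this attack: a backup password turns the payload into AES-256 ciphertext, which is one reason MASVS asks that sensitive data not be left in shared preferences at all.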
32. MASVS Requirements – Local storage
MASVS provides requirements (2.1 to 2.12) to mitigate such attacks: section 2, entitled « Data Storage and Privacy Requirements ».
34. Additional Attacks Include…
- Starting an exported activity that contains sensitive information (with tools like Drozer for Android)
- Forensic analysis of screenshots (stored in the Library/Caches/Snapshots/<your app> directory on iOS devices)
- And so many more
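The exported-activity attack in the first bullet, and the allowBackup condition behind the local-storage scenario of slide 31, both start from the decoded AndroidManifest.xml that apktool produces. The following is an added example, not part of the original deck and not Drozer itself: it reproduces the enumeration behind Drozer's app.activity.info and prints the adb command equivalent to app.activity.start for each exported activity, and it reads the allowBackup flag. The manifest, package name and component names are constructed for the demonstration.

```python
"""Enumerate exported components and the allowBackup flag from a decoded AndroidManifest.xml (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed manifest for a made-up smart-lock companion app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.smartlock">
  <application android:allowBackup="true" android:debuggable="false">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminPanelActivity" android:exported="true"/>
    <activity android:name=".DeviceLogActivity">
      <intent-filter>
        <action android:name="com.example.smartlock.VIEW_LOG"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <activity android:name=".PairingActivity"/>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.smartlock.SYNC"/>
    <provider android:name=".LogProvider" android:authorities="com.example.smartlock.logs"/>
  </application>
</manifest>
"""


def _attr(elem, name, default=None):
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)


def is_exported(elem, kind):
    """Platform rule: an explicit android:exported wins; otherwise a component with an
    intent-filter is exported by default. (Apps targeting Android 12+ must state it
    explicitly for such components; providers are treated as not exported here.)"""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit == "true"
    if kind == "provider":
        return False
    return elem.find("intent-filter") is not None


def exported_components(manifest_xml):
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    app = root.find("application")
    results = []
    for kind in COMPONENTS:
        for elem in app.iter(kind):
            if not is_exported(elem, kind):
                continue
            name = _attr(elem, "name")
            if name.startswith("."):
                name = package + name
            results.append({
                "kind": kind,
                "name": name,
                "permission": _attr(elem, "permission"),  # None means anyone can reach it
                "has_intent_filter": elem.find("intent-filter") is not None,
            })
    return results


def launch_command(package, component):
    """adb equivalent of Drozer's app.activity.start for an exported activity."""
    return f"adb shell am start -n {package}/{component['name']}"


def allow_backup(manifest_xml):
    """True when `adb backup` may capture the app's data (the Android default)."""
    app = ET.fromstring(manifest_xml).find("application")
    return _attr(app, "allowBackup", "true") == "true"


if __name__ == "__main__":
    print("allowBackup:", allow_backup(SAMPLE_MANIFEST))
    for c in exported_components(SAMPLE_MANIFEST):
        guard = c["permission"] or "no permission"
        print(f"{c['kind']:10} {c['name']} ({guard})")
        if c["kind"] == "activity" and c["permission"] is None:
            print("   ", launch_command("com.example.smartlock", c))
```

In the sample, AdminPanelActivity is reachable by any app on the device with no permission check, which is the condition the bullet describes; SettingsActivity and PairingActivity are not exported, and SyncService is exported but guarded by a custom permission. Run the same functions over the AndroidManifest.xml that apktool writes to get the list for a real app.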
35. References
• OWASP - https://www.owasp.org
• MASVS and MSTG - https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide
• iOS Application Security, David Thiel, No Starch Press
• Ponemon Institute 2017 Study on Mobile and IoT Application Security - https://media.scmagazine.com/documents/282/2017_study_mobile_and_iot_70394.pdf
• IoT devices can hack phones - https://www.networkworld.com/article/3138050/internet-of-things/black-hat-europe-iot-devices-can-hack-phones.html
• Mobile App Flaws of SCADA ICS Systems Could Allow Hackers To Target Critical Infrastructure - https://securityaffairs.co/wordpress/67701/iot/scada-mobile-security.html
• Blackout: Critical Infrastructure Attacks Will Soar in 2018 - https://www.inc.com/adam-levin/next-hackers-target-industrial-plants-critical-infrastructure.html
• Mobile malware evolution 2017 - https://securelist.com/mobile-malware-review-2017/84139/
• Critical Infrastructure and Cyber Security - https://www.incapsula.com/blog/critical-infrastructure-cyber-security.html
36. Credits
Thanks to those who have supported me when writing all this material (private joke, cf. MSTG foreword)
Kudos to all OWASP authors and contributors!!!
37. Key takeaways
• Mobile security is an important attack vector in IoT systems
• Significant variety of attacks
• OWASP provides resources to support:
  - manufacturers in raising the security level of their offers
  - users in better understanding risks and placing requirements on suppliers