This document summarizes a presentation on mobile application security risks given by Mennouchi Islam Azeddine. The presentation covered the OWASP Mobile Security Project, a mobile threat model, and the top 10 mobile risks. It discussed each risk in the top 10 list, including insecure data storage, weak server-side controls, insufficient transport layer protection, client-side injection, poor authorization and authentication, improper session handling, security decisions via untrusted inputs, side channel data leakage, broken cryptography, and sensitive information disclosure. For each risk, examples were provided and prevention tips were outlined.
This webcast's agenda is:
1. Introduction to the OWASP Top TEN.
2. How to integrate the OWASP Top Ten in your SDLC.
3. How the OWASP Top Ten maps to compliance, standards and other drivers.
Session on OWASP Top 10 Vulnerabilities presented by Aarti Bala and Saman Fatima. The session covered the below 4 vulnerabilities -
Injection,
Sensitive Data Exposure
Cross Site Scripting
Insufficient Logging and Monitoring
In this presentation I have tried to figure out common loop holes through which web applications may fall prey to the attackers, common tools used in the trade and some preventive security measures to put us on a safer side.
Owasp Mobile Risk Series : M4 : Unintended Data LeakageAnant Shrivastava
This presentation is part of a series focused on OWASP Mobile Top 10 : We discussed about what is data leakage, places where data could be leaked. sample /examples of data leakage and how it differes from M2: Insecure data storage.
This webcast's agenda is:
1. Introduction to the OWASP Top TEN.
2. How to integrate the OWASP Top Ten in your SDLC.
3. How the OWASP Top Ten maps to compliance, standards and other drivers.
Session on OWASP Top 10 Vulnerabilities presented by Aarti Bala and Saman Fatima. The session covered the below 4 vulnerabilities -
Injection,
Sensitive Data Exposure
Cross Site Scripting
Insufficient Logging and Monitoring
In this presentation I have tried to figure out common loop holes through which web applications may fall prey to the attackers, common tools used in the trade and some preventive security measures to put us on a safer side.
Owasp Mobile Risk Series : M4 : Unintended Data LeakageAnant Shrivastava
This presentation is part of a series focused on OWASP Mobile Top 10 : We discussed about what is data leakage, places where data could be leaked. sample /examples of data leakage and how it differes from M2: Insecure data storage.
Introduction of Ethical Hacking, Life cycle of Hacking, Introduction of Penetration testing, Steps in Penetration Testing, Foot printing Module, Scanning Module, Live Demos on Finding Vulnerabilities a) Bypass Authentication b) Sql Injection c) Cross site Scripting d) File upload Vulnerability (Web Server Hacking) Countermeasures of Securing Web applications
• What is Gateway Level Protection?
What is Firewall?
What is the need of Unified Management?
What is UTM?
Difference between UTM & Firewall
• Why you should switch to UTM-Gateway Level Protection
• Features and advantages offered by UTM.
• How Seqrite-Terminator helps to attain highest Safety, management and security
The Open Web Application Security Project, is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
One of those projects, The OWASP Top Ten, provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.
The OWASP team recently released the 2017 revised and updated version of the ten most critical web application security risks and so we’ve created these flash cards for you, your friends, and your colleagues (especially product and engineering :) to test your knowledge and learn more about these important issues.
Company-wide security awareness is a powerful way to improve the overall security of your organization. So adorn your waiting rooms, cubicles, and snack rooms with these flash cards for easy learning and remembrance.
OWASP Top 10 2017 - New VulnerabilitiesDilum Bandara
New Vulnerabilities introduced in OWASP Top 10 2017. Cover Broken Access Control ,
XML External Entities (XXE), Insecure Deserialization, and Insufficient Logging & Monitoring, as well as solutions
La mayor parte de las brechas de datos son debidas al uso indebido de credenciales privilegiadas. Los invitamos a conocer el enfoque de CyberArk, en esta presentación de Carolina Bozza.
Carolina será una de los presentadores en nuestro evento "EL ATAQUE INTERNO", el próximo 6 de mayo. El link de inscripción es:
https://eventioz.com.ar/e/el-ataque-interno?utm_source=eventioz&utm_medium=emailtrans&utm_campaign=ez_invite_recipient&utm_content=button_cta&source=orevem
Los esperamos!!
The Open Web Application Security Project is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security
Why do databases have the highest rate of breaches among all business assets? The answer is simple: they house the sensitive business data that malicious insiders and hackers want most. The risk of a database breach can be mitigated by implementing internal controls and following industry best practices - but you must first understand the shifting threat landscape. This presentation will (1) present the top 10 threats to your database in 2013 (2) define a layered defense strategy for preventing database breaches using industry best practices (3) demonstrate a successful defense against data theft with a customer case study.
Precise Testing Solution is offering security testing services to web application. We help you to protect data from unauthorized users. Precise Testing Solution has 8 year experience in security testing. For more info visit at: http://www.precisetestingsolution.com/security-testing.php
The OWASP Top Ten is the de-facto web application security standard because it reflects the evolving threat landscape, providing organizations a framework to manage and mitigate application security risk.
This presentation examines the critical newcomers and pesky incumbents from both an offensive and defensive perspective. Our experts share their insight on how to harden Web applications and align your program towards OWASP compliance.
This example laden talk will show how common tools available in today's enterprise environments can be harnessed to enhance and transform an appsec program. This talk will have example attacks and simple config changes that could make all the difference. Devs, infrastructure sec, ciso, come one come all.
Network Field Day 11 - Skyport Systems PresentationDouglas Gourlay
A presentation at NetField Day 11 that covered how Skyport Systems builds Secure Enclaves that are designed to host and secure critical workloads. This includes building micro-segmentation capabilities, trusted computing, secure boot, and preventing malware and rootkits from affecting IT systems.
Guest lecture on web application security, presented to students at the Indianapolis campus of The Iron Yard on November 9, 2016. This presentation was a basic overview/introduction to security, discussed the CIA Triad, why security is difficult, what happens if we don't do security right, what developers can do to enhance security, and included a brief overview of the OWASP Top Ten.
Introduction of Ethical Hacking, Life cycle of Hacking, Introduction of Penetration testing, Steps in Penetration Testing, Foot printing Module, Scanning Module, Live Demos on Finding Vulnerabilities a) Bypass Authentication b) Sql Injection c) Cross site Scripting d) File upload Vulnerability (Web Server Hacking) Countermeasures of Securing Web applications
• What is Gateway Level Protection?
What is Firewall?
What is the need of Unified Management?
What is UTM?
Difference between UTM & Firewall
• Why you should switch to UTM-Gateway Level Protection
• Features and advantages offered by UTM.
• How Seqrite-Terminator helps to attain highest Safety, management and security
The Open Web Application Security Project, is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
One of those projects, The OWASP Top Ten, provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.
The OWASP team recently released the 2017 revised and updated version of the ten most critical web application security risks and so we’ve created these flash cards for you, your friends, and your colleagues (especially product and engineering :) to test your knowledge and learn more about these important issues.
Company-wide security awareness is a powerful way to improve the overall security of your organization. So adorn your waiting rooms, cubicles, and snack rooms with these flash cards for easy learning and remembrance.
OWASP Top 10 2017 - New VulnerabilitiesDilum Bandara
New Vulnerabilities introduced in OWASP Top 10 2017. Cover Broken Access Control ,
XML External Entities (XXE), Insecure Deserialization, and Insufficient Logging & Monitoring, as well as solutions
La mayor parte de las brechas de datos son debidas al uso indebido de credenciales privilegiadas. Los invitamos a conocer el enfoque de CyberArk, en esta presentación de Carolina Bozza.
Carolina será una de los presentadores en nuestro evento "EL ATAQUE INTERNO", el próximo 6 de mayo. El link de inscripción es:
https://eventioz.com.ar/e/el-ataque-interno?utm_source=eventioz&utm_medium=emailtrans&utm_campaign=ez_invite_recipient&utm_content=button_cta&source=orevem
Los esperamos!!
The Open Web Application Security Project is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security
Why do databases have the highest rate of breaches among all business assets? The answer is simple: they house the sensitive business data that malicious insiders and hackers want most. The risk of a database breach can be mitigated by implementing internal controls and following industry best practices - but you must first understand the shifting threat landscape. This presentation will (1) present the top 10 threats to your database in 2013 (2) define a layered defense strategy for preventing database breaches using industry best practices (3) demonstrate a successful defense against data theft with a customer case study.
Precise Testing Solution is offering security testing services to web application. We help you to protect data from unauthorized users. Precise Testing Solution has 8 year experience in security testing. For more info visit at: http://www.precisetestingsolution.com/security-testing.php
The OWASP Top Ten is the de-facto web application security standard because it reflects the evolving threat landscape, providing organizations a framework to manage and mitigate application security risk.
This presentation examines the critical newcomers and pesky incumbents from both an offensive and defensive perspective. Our experts share their insight on how to harden Web applications and align your program towards OWASP compliance.
This example laden talk will show how common tools available in today's enterprise environments can be harnessed to enhance and transform an appsec program. This talk will have example attacks and simple config changes that could make all the difference. Devs, infrastructure sec, ciso, come one come all.
Network Field Day 11 - Skyport Systems PresentationDouglas Gourlay
A presentation at NetField Day 11 that covered how Skyport Systems builds Secure Enclaves that are designed to host and secure critical workloads. This includes building micro-segmentation capabilities, trusted computing, secure boot, and preventing malware and rootkits from affecting IT systems.
Guest lecture on web application security, presented to students at the Indianapolis campus of The Iron Yard on November 9, 2016. This presentation was a basic overview/introduction to security, discussed the CIA Triad, why security is difficult, what happens if we don't do security right, what developers can do to enhance security, and included a brief overview of the OWASP Top Ten.
Slidedeck from a 5 minute Ignite session at ISTE 2012 in San Diego. This presentation argues that teachers need to participate in online communities if they expect to engage youth in explicit conversations about digital culture.
All of material inside is un-licence, kindly use it for educational only but please do not to commercialize it.
Based on 'ilman nafi'an, hopefully this file beneficially for you.
Thank you.
The Trust Paradox: Access Management and Trust in an Insecure AgeEMC
This white paper discusses the results of a CIO UK survey on a“Trust Paradox,” defined as employees and business partners being both the weakest link in an organization’s security as well as trusted agents in achieving the company’s goals.
Breaking Secure Mobile Applications - Hack In The Box 2014 KLiphonepentest
Dominic Chell presents "Breaking Secure Mobile Applications" at Hack In The Box 2014.
This presentation details common vulnerabilities that can be found in supposedly secure applications, including BYOD and MDM apps. It also provides an overview of the binary protections that can be implemented to complicate these types of attacks.
The OWASP Top Ten is an expert consensus of the most critical web application security threats. If properly understood, it is an invaluable framework to prioritize efforts and address flaws that expose your organization to attack.
This webcast series presents the OWASP Top 10 in an abridged format, interpreting the threats for you and providing actionable offensive and defensive best practices. It is ideal for all IT/development stakeholders that want to take a risk-based approach to Web application security.
How to Test for the OWASP Top Ten webcast focuses on tell tale markers of the OWASP Top Ten and techniques to hunt them down:
• Vulnerability anatomy – how they present themselves
• Analysis of vulnerability root cause and protection schemas
• Test procedures to validate susceptibility (or not) for each threat
Azure 101: Shared responsibility in the Azure CloudPaulo Renato
Whether you’re working exclusively on Azure or with multiple cloud environments, there are certain things you should consider when moving assets to the public cloud. As with any cloud deployment, security is a top priority, and moving your workloads to the Azure cloud doesn’t mean you’re not responsible for the security of your operating system, applications, and data.
Building on the security of the Azure infrastructure, this shared security responsibility starts with making sure your environment is secure. In this session, we will discuss step-by-step what you need to do to secure access at the administrative, application and network layers.
Organizations are increasingly looking to their Internal Auditors to provide independent assurance about cyber risks and the organization's ability to defend against cyber attacks. With information technology becoming an inherent critical success factor for every business and the emerging cyber threat landscape, every internal auditor needs to equip themselves on IT audit essentials and cyber issues.
In part 12 of our Cyber Security Series you will learn about the current cyber risks and attack methods from Richard Cascarino, including:
Where are we now and Where are we going?
Current Cyberrisks
• Data Breach and Cloud Misconfigurations
• Insecure Application User Interface (API)
• The growing impact of AI and ML
• Malware Attack
• Single factor passwords
• Insider Threat
• Shadow IT Systems
• Crime, espionage and sabotage by rogue nation-states
• IoT
• CCPA and GDPR
• Cyber attacks on utilities and public infrastructure
• Shift in attack vectors
Controlling Access to IBM i Systems and DataPrecisely
Security best practice and regulations such as SOX, HIPAA, GDPR and others require you to restrict access to your critical IBM i systems and their data, but this is easier said than done. Legacy, proprietary access protocols now co-exist with new, open-source protocols to create access control headaches.
View this webcast on-demand for an in-depth discussion of IBM i access points that must be secured and how exit points can be leveraged to accomplish the task. We’ll cover:
• Securing network access and communication ports
• How database access via open-source protocols can be secured
• Taking control of command execution
this is a short awareness talk in one of OWASP MEETUP sessions in University Kuala Lumpur, Malaysia, discussing about Android application penetration testing and how to discover potential vulnerabilities
Expand Your Control of Access to IBM i Systems and DataPrecisely
Controlling all the ways your company’s data is being accessed, especially given the proliferation of open source software and other non-traditional data-access methods, is critical to ensuring security and regulatory compliance. This webinar reviews the different ways your data can be accessed, discusses how exit points work and how they can be managed, and why a global data access control strategy is especially important to efficiently protect sensitive data against unwanted access.
Topics include:
• IBM i access methods and risks
• Using exit programs to block traditional and modern access methods
• Real life examples and perspectives
For Business's Sake, Let's focus on AppSecLalit Kale
Slide-Deck for session on Application Security at Limerick DotNet-Azure User Group on 15th Feb, 2018
Event URL: https://www.meetup.com/Limerick-DotNet/events/hzctdpyxdbtb/
Securing your software environment:
1. Web application
2. API (Application Programming Interface)
3. Mobile application
4. Container
5. Open-source software
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Teemu Tiainen
The great cyber security expert Sami Laiho returned as a keynote speaker with the theme of Zero Trust, but this time from the point of view of securing endpoint applications.
Sami Laiho is an internationally renowned and recognized specialist in access rights and endpoint security. In this webinar, Laiho and Centero's Juha Haapsaari discussed the Zero Trust model and securing endpoint applications – even in environments of over 100,000 workstations.
These are some of the themes we covered:
• How to ease your workload with allow-listing.
• Is allow-listing difficult? (A hint: it is not.)
• Implementing AppLocker to trim down your application portfolio.
• Restricting admin rights to control your IT environment.
• Managing and updating applications after allow-listing operations.
Zero Trust is a new paradigm for cyber security in organizations. Modern IT environments are complex by nature, and both users and devices are constantly on the move. Traditional methods are not sufficient to properly secure this kind of environment, and that’s where Zero Trust comes in.
Application security meetup k8_s security with zero trust_29072021lior mazor
The "K8S security with Zero Trust" Meetup is about K8s posture Management and runtime protection, ways to secure your software supply chain, Managing Attack Surface reduction, and How to secure K8s with Zero-Trust.
The presentation covers an analysis of microservices architecture and design patterns (such as API gateway, Log aggregation and more) in order to analyze how certain aspects of security is achievable at scale through these patterns.
4. 4
Mobile Security Project
• Began Q3 2010
• Why Unique and
different security risks
• Goal To build security
into mobile dev. life cycle
• Interested? Contribute
Threat Model
Dev. Guide
Training
Controls
Risks
Secure Libraries
Methodologies
Tools
Cheat Sheets
6. 6
Mobile Threat Model
• Platforms vary with mileage
• Very different from traditional web app
model due to wildly varying use cases
and usage patterns
• Must consider more than the ‘apps’
• Remote web services
• Platform integration (iCloud, C2DM)
• Device (in)security considerations
10. 10
Top 10 Risks
• Intended to be platform-agnostic
• Focused on areas of risk rather than
individual vulnerabilities
• Weighted utilizing the OWASP Risk
Rating Methodology
• https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
12. 12
M1- Insecure Data Storage
• Sensitive data left unprotected
• Applies to locally stored data +
cloud synced
• Generally a result of:
• Not encrypting data
• Caching data not intended for long-term
storage
• Weak or global permissions
• Not leveraging platform best-practices
Impact
• Confidentiality
of data lost
• Credentials
disclosed
• Privacy
violations
• Non-
compliance
14. 14
M1- Insecure Data Storage
Prevention Tips
• Store ONLY what is absolutely
required
• Never use public storage areas (ie-
SD card)
• Leverage secure containers and
platform provided file encryption
APIs
• Do not grant files world readable or
world writeable permissions
Control
#
Description
1.1-1.14 Identify and protect
sensitive data on the mobile
device
2.1, 2.2,
2.5
Handle password
credentials securely on the
device
15. 15
M2- Weak Server Side Controls
• Applies to the backend services
• Not mobile specific per se, but
essential to get right
• We still can’t trust the client
• Luckily, we understand these
issues well
• Existing controls may need to be
re-evaluated (ie- out of band
comms)
Impact
• Confidentially
of data lost
• Integrity of
data not
trusted
16. 16
M2- Weak Server Side Controls
OWASP Top 10
• https://www.owasp.org/index.php/Category:O
WASP_Top_Ten_Project
OWASP Cloud Top 10
• https://www.owasp.org/images/4/47/Cloud-
Top10-Security-Risks.pdf
17. 17
M2- Weak Server Side Controls
Prevention Tips
• Understand the additional risks
mobile apps introduce into existing
architectures
• Leverage the wealth of knowledge
that is already out there
• OWASP Web Top 10, Cloud Top
10, Web Services Top 10
• Cheat sheets, development guides,
ESAPI
Control
#
Description
5.1-5.8 Keep the backend APIs
(services) and the platform
(server) secure
18. 18
M3- Insufficient Transport Layer Protection
• Complete lack of encryption for
transmitted data
• Yes, this unfortunately happens often
• Weakly encrypted data in transit
• Strong encryption, but ignoring
security warnings
• Ignoring certificate validation errors
• Falling back to plain text after failures
Impact
• Man-in-the-
middle attacks
• Tampering w/
data in transit
• Confidentiality
of data lost
19. 19
M3- Insufficient Transport Layer Protection
Real World Example: Google ClientLogin
Authentication Protocol
• Authorization header sent over HTTP
• When users connected via wifi, apps
automatically sent the token in an attempt
to automatically synchronize data from
server
• Sniff this value, impersonate the user
• http://www.uni-ulm.de/in/mi/mitarbeiter/koenings/catching-authtokens.html
20. 20
M3- Insufficient Transport Layer Protection
Prevention Tips
• Ensure that all sensitive data
leaving the device is
encrypted
• This includes data over carrier
networks, WiFi, and even NFC
• When security exceptions are
thrown, it’s generally for a
reason…DO NOT ignore them!
Control
#
Description
3.1.3.6 Ensure sensitive data is
protected in transit
21. 21
M4- Client Side Injection
• Apps using browser libraries
• Pure web apps
• Hybrid web/native apps
• Some familiar faces
• XSS and HTML Injection
• SQL Injection
• New and exciting twists
• Abusing phone dialer + SMS
• Abusing in-app payments
Impact
• Device
compromise
• Toll fraud
• Privilege
escalation
23. 23
M4- Client Side Injection
Prevention Tips
• Sanitize or escape untrusted data
before rendering or executing it
• Use prepared statements for
database calls…concatenation is
still bad, and always will be bad
• Minimize the sensitive native
capabilities tied to hybrid web
functionality
Control
#
Description
6.3 Pay particular attention to
validating all data received
from and sent to non-
trusted third party apps
before processing
10.1-
10.5
Carefully check any runtime
interpretation of code for
errors
24. 24
M5- Poor Authorization and Authentication
• Part mobile, part architecture
• Some apps rely solely on
immutable, potentially
compromised values (IMEI, IMSI,
UUID)
• Hardware identifiers persist across
data wipes and factory resets
• Adding contextual information is
useful, but not foolproof
Impact
• Privilege
escalation
• Unauthorized
access
26. 26
M5- Poor Authorization and Authentication
Prevention Tips
• Contextual info can enhance
things, but only as part of a
multi-factor implementation
• Out-of-band doesn’t work
when it’s all the same device
• Never use device ID or
subscriber ID as sole
authenticator
Control
#
Description
4.1-4.6 Implement user
authentication/authorization
and session management
correctly
8.4 Authenticate all API calls to
paid resources
27. 27
M6- Improper Session Handling
• Mobile app sessions are generally
MUCH longer
• Why? Convenience and usability
• Apps maintain sessions via
• HTTP cookies
• OAuth tokens
• SSO authentication services
• Bad idea= using a device identifier
as a session token
Impact
• Privilege
escalation
• Unauthorized
access
• Circumvent
licensing and
payments
28. 28
M6- Improper Session Handling
Prevention Tips
• Don’t be afraid to make users
re-authenticate every so often
• Ensure that tokens can be
revoked quickly in the event
of a lost/stolen device
• Utilize high entropy, tested
token generation resources
Control
#
Description
1.13 Use non-persistent
identifiers
4.1-4.6 Implement user
authentication/authorization
and session management
correctly
29. 29
M7- Security Decisions Via Untrusted Inputs
• Can be leveraged to bypass
permissions and security models
• Similar but different depending on
platform
• iOS- Abusing URL Schemes
• Android- Abusing Intents
• Several attack vectors
• Malicious apps
• Client side injection
Impact
• Consuming
paid resources
• Data
exfiltration
• Privilege
escalation
31. 31
M7- Security Decisions Via Untrusted Inputs
Prevention Tips
• Check caller’s permissions at
input boundaries
• Prompt the user for additional
authorization before allowing
• Where permission checks
cannot be performed, ensure
additional steps required to
launch sensitive actions
Control
#
Description
10.2 Run interpreters at minimal
privilege levels
32. 32
M8- Side Channel Data Leakage
• Mix of not disabling platform features and
programmatic flaws
• Sensitive data ends up in unintended places
• Web caches
• Keystroke logging
• Screenshots (ie- iOS backgrounding)
• Logs (system, crash)
• Temp directories
• Understand what 3rd party libraries in your
apps are doing with user data
(ie- ad networks, analytics)
Impact
• Data retained
indefinitely
• Privacy
violations
34. 34
M8- Side Channel Data Leakage
Prevention Tips
• Never log credentials, PII, or other sensitive data to
system logs
• Remove sensitive data before screenshots are taken,
disable keystroke logging per field, and utilize anti-
caching directives for web content
• Debug your apps before releasing them to observe
files created, written to, or modified in any way
• Carefully review any third party libraries you
introduce and the data they consume
• Test your applications across as many platform
versions as possible
Control
#
Description
7.3 Check whether you are
collecting PII, it may not
always be obvious
7.4 Audit communication
mechanisms to check for
unintended leaks (e.g.
image metadata)
35. 35
M9- Broken Cryptography
• Two primary categories
• Broken implementations using strong
crypto libraries
• Custom, easily defeated crypto
implementations
• Encoding != encryption
• Obfuscation != encryption
• Serialization != encryption
Impact
• Confidentiality
of data lost
• Privilege
escalation
• Circumvent
business logic
37. 37
M9- Broken Cryptography
Prevention Tips
• Storing the key with the
encrypted data negates
everything
• Leverage battle-tested crypto
libraries vice writing your own
• Take advantage of what your
platform already provides!
Control
#
Description
1.3 Utilize file encryption API’s
2.3 Leverage secure containers
38. 38
M10- Sensitive Information Disclosure
• We differentiate by stored (M1) vs.
embedded/hardcoded (M10)
• Apps can be reverse engineered
with relative ease
• Code obfuscation raises the bar, but
doesn’t eliminate the risk
• Commonly found “treasures”:
• API keys
• Passwords
• Sensitive business logic
Impact
• Credentials
disclosed
• Intellectual
property
exposed
40. 40
M10- Sensitive Information Disclosure
Prevention Tips
• Private API keys are called that
for a reason…keep them off of
the client
• Keep proprietary and sensitive
business logic on the server
• Almost never a legitimate reason
to hardcode a password (if there
is, you have other problems)
Control
#
Description
2.10 Do not store any passwords
or secrets in the application
binary
42. 42
Going Forward
• 60 day review period open to the public
Done!
• RC1 then becomes ‘Final v1.0’ Done!
• 12 month revision cycle
• Rapidly evolving platforms
• Stale data = not as useful
• If you have suggestions or ideas, we
want them!
43. 43
Conclusion
• This is a good start, but we have a long
way to go
• We’ve identified the issues…now we
have to fix them
• Platforms must mature, frameworks
must mature, apps must mature
• The OWASP Mobile body of knowledge
must grow
44. 44
Q&A
Thanks for listening!
If you have questions Shoot’Em or Contact
• Jack Mannino jack@nvisiumsecurity.com
http://twitter.com/jack_mannino
• Zach Lanier zach.lanier@intrepidusgroup.com
http://twitter.com/quine
• Mike Zusman mike.zusman@carvesystems.com
http://twitter.com/schmoilito
• Or Drop me an email azeddine.mennouchi@owasp.org