
Page 1

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Mobile Application Security: Can You Trust Your Mobile Applications?

Paras Shah, Country Manager, Canada, Software Security Assurance, HP Enterprise Security Products

Page 2

The motivation

Page 3

Rise of the mobile machines

Chart: Global Shipments (MM) of smartphones, tablets, desktop PCs and notebook PCs, 2005 to 2013E.

Q4: Inflection Point. Smartphones + Tablets > PCs

Source: Morgan Stanley Research

Page 4

The evolution of the modern enterprise

1990s: Webpage era

2000s: Web 2.0

2010s: Mobile era

Page 5

The smartphones as pocket PCs

• 81% browsed the internet

• 77% used a search engine

• 68% used an app

• 48% watched videos

Smartphone activities within past week (excluding calls)

Source: The Mobile Movement Study, Google, April 2011

Page 6

Mobile represents a huge business opportunity

Please select the most important benefit that your organization ultimately expects to gain from current or future mobile solutions deployments (whether or not you are currently receiving those benefits)

N = 600. Source: IDC's mobile enterprise software survey, 2011

Chart (horizontal axis 0 to 30) of the benefits listed:

• Provide perception of an advanced company to customers
• Speed the sales process
• Eliminate paperwork
• Enhance portability within the office or work environment
• Offer employees more flexibility
• Decreased costs
• Improve customer service
• Provide ease of information access
• Improve competitive advantage/market share
• Improve field service response time
• Increased sales/revenue
• Improve/enhance worker productivity

Page 7

Challenges

Page 8

The Swiss army knife of computing

• Laptop
• Rolodex
• Game console
• Calculator
• Camera
• Book
• Television
• Email
• Internet
• GPS

Page 9

A treasure trove of private information

Your smartphone knows you better than you know yourself:

• Pins & passwords
• Contacts
• Call history
• Messages
• Social networking
• Visited web sites
• Mobile banking
• Personal videos
• Family photos
• Documents

… and cyber attackers are after your personal records


Page 10

Risks

• Difficult to train and retain staff - very difficult to keep skills up-to-date

• Constantly changing environment

• New attacks constantly emerge

• Compliance Requirements

• Too many tools for various results

Page 11

Threats at all points

Client

• Insecure storage of credentials
• Improper use of configuration files
• Use of insecure development libraries
• Poor cert management

Server

• Authentication
• Session management
• Cross-site scripting
• SQL injection
• Command injection

Network

• Insecure data transfer during installation or execution of the application
• Insecure transmission of data across the network

Page 12

Top 10 Mobile by Prevalence

Source: HP 2012 Cyber Security Risk Report

Page 13

Increasing Awareness

IDC Web Conference, 12 April 2012

Which of the following technologies have resulted in an increase in IT security management spending at your organization within the past 12 months?

Chart (percentage of respondents, 0% to 70%) for: Green IT, Unified Communications, VoIP, Social Networking, Virtualization, Mobility

Source: IDC Security as a Service Survey, n = 47

More than 60% of mobile apps have at least one critical vulnerability

Page 14

Oops!

Page 15

The solution

Page 16

What is mobile?

Servers, Connection, Devices

Page 17

Same old client server model

Client (browser), Network, Server

Page 18

Mobile application concerns

Does it work?

• Does the application function as the business intends?
• Are all features there and working?

Does it perform?

• Will the application perform for all users?
• Does it meet SLAs in production?

Is it secure?

• Is the application securely coded?
• Has the application been assessed for known threats?

Page 19

Get over yourself. The testing stick will not work.

Page 20

Integrating security into your established SDLC process: process integration

Security Foundations – Mobile Applications

SDLC phases: Plan, Requirements, Architecture & Design, Build, Test, Production

• Mobile Security Development Standards
• Application Specific Threat Modeling and Analysis
• Mobile Secure Coding Training
• Mobile Application Security Assessment (Static, Dynamic, Server, Network, Client)
• Threat Modeling CBT for Developers
• Mobile Secure Coding Standards Wiki
• Mobile Risk Dictionary
• Mobile Application Security Process Design
• Mobile Firewall
• Mobile Security Policies
• Static Analysis
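The client and network threat categories from the "Threats at all points" slide and the static analysis step of the SDLC integration slide, as an added example that is not part of the presentation or of any HP product: a small rule-based source checker that maps lines of constructed Android-style code to those categories. The rule patterns, the `Finding` type and the sample source are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Rules map source patterns to the client/network threat categories named on
# the "Threats at all points" slide; the patterns are assumptions, not a product ruleset.
RULES = [
    ("client", "Insecure storage of credentials",
     re.compile(r'(password|passwd|secret|token)\s*=\s*"[^"]+"', re.I)),
    ("client", "Insecure storage of credentials",
     re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)")),
    ("client", "Poor cert management",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER|checkServerTrusted\s*\([^)]*\)\s*\{\s*\}")),
    ("network", "Insecure transmission of data across the network",
     re.compile(r'"http://[^"]+"')),
]

@dataclass(frozen=True)
class Finding:
    layer: str       # "client" or "network", as on the slide
    category: str
    line_no: int
    snippet: str

def scan_source(text):
    """Return one Finding per matching (rule, line), in line order."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for layer, category, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(layer, category, n, line.strip()))
    return findings

def summarize(findings):
    """Count findings per category, the way a dashboard's 'most prevalent' view would."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts

# Constructed Android-style sample, not code from any real application.
SAMPLE = '''\
private static final String API_PASSWORD = "hunter2";
SharedPreferences p = ctx.getSharedPreferences("auth", MODE_WORLD_READABLE);
URL u = new URL("http://api.example.invalid/sales");
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
public void checkServerTrusted(X509Certificate[] c, String a) { }
'''
```

Running `scan_source(SAMPLE)` yields five findings, one per sample line; `summarize` groups them into two credential-storage, two certificate-management and one insecure-transmission finding.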

Page 21

How you see your world

Get the username

Get the password

Remember the User

Get Sales Data

Edit my account

Generate Reports

Page 22

How an attacker sees your world

SQL Injection

Cross Site Scripting

Improper Session Handling

Data Leakage

Sensitive Information Disclosure

Weak Server Side Controls

Client Side Injection

Insufficient Data Storage

Page 23

Get over yourself. You are responsible for security.

Page 24

Test, test some more and then test again

Page 25

Testing Solution

1. Proactive – test early and often; repeatable and automated
2. Breadth – support for multiple platforms
3. Depth
   − Research
   − Secure the entire stack: client, server and network
   − Quality analysis
4. Compliance – enforce internal and external standards
5. Scalability – 10, 100, 1,000
6. Cost effective

Page 26

HP Fortify on Demand

Simple: Launch your application security initiative in <1 day

• No hardware or software investments
• No security experts to hire, train and retain

Fast: Scale to test all applications in your organization

• 1 day turn-around on application security results
• Support 1000s of applications for the desktop, mobile or cloud

Flexible: Test any application from anywhere

• Secure commercial, open source and 3rd party applications
• Test applications on-premise or on demand, or both

Page 27

HP Fortify on Demand at a glance

Secure; comprehensive and accurate; broad support; fast and scalable; breadth of testing; powerful remediation

Components: HP Fortify SCA, HP WebInspect, Manual, Insightful Analysis and Reports, Collaboration Module

Supported languages: ABAP, ASP.NET, C#, C/C++, Classic ASP, COBOL, Cold Fusion, Flex, JSP, Java, JavaScript/AJAX, PL/SQL, Objective C, PHP, VB.NET, Python, T-SQL, XML

1 Day Static Turnaround; Virtual Scan Farm; Datacenter; Encryption; Third Party Reviews

• 10,000+ applications
• 16 different industries represented
• 5 Continents
• Civilian and Defense Agencies across US Government
• Vendor Management and Internal Management
• Development teams from 1 to 10,000s

Page 28

Powerful remediation and guidance

Insightful Dashboard

• Executive Summary
• Most prevalent vulnerabilities
• Top 5 applications
• Heat Map

Collaboration

• Line of code details (web based IDE, IDE plug-in)
• Assign issues to developers

Detailed Reports

• Star Rating
• Remediation roadmap
• Detailed vulnerability data
• Recommendations

Page 29

Questions