Presentation is loading. Please wait.

Presentation is loading. Please wait.

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Mobile Application Security.

Similar presentations


Presentation on theme: "© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Mobile Application Security."— Presentation transcript:

1 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Mobile Application Security Can You Trust Your Mobile Applications? Paras Shah Country Manager, Canada Software Security Assurance HP Enterprise Security Products

2 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The motivation

3 © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 3 Rise of the mobile machines SmartphonesTablets E2013E Desktop PCsNotebook PCs 700, , , , , , ,000 Global Shipments (MM) Q4: Inflection Point Smartphones + Tablets > PCs Source: Morgan Stanley Research

4 © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 4 The evolution of the modern enterprise 2010s2000s1990s Webpage eraWeb 2.0Mobile era

5 © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 5 The smartphones as pocket PCs 81% Browsed the internet 77% Used a search engine 68% Used an app 48% Watch videos Smartphone activities within past week (excluding calls) Source: The Mobile Movement Study, Google, April 2011

6 © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 6 Mobile represents a huge business opportunity Please select the most important benefit that your organization ultimately expects to gain from current or future mobile solutions deployments (whether or not you are currently receiving those benefits) N = 600, Source: IDCs mobile enterprise software survey, 2011

7 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Challenges

8 © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 8 The Swiss army knife of computing Laptop Rolodex Game console Calculator Camera Book Television Internet GPS

9 © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 9 A treasure trove of private information Your smartphone knows you better than you know yourself Pins & passwords Contacts Call history Messages Social networking Visited web sites Mobile banking Personal videos Family photos Documents … and cyber attackers are after your personal records $

10 © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 10 Risks Difficult to train and retain staff - very difficult to keep skills up-to-date Constantly changing environment New attacks constantly emerge Compliance Requirements Too many tools for various results

11 © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 11 Threats at all points Client Insecure storage of credentials Improper use of configuration files Use of insecure development libraries Poor Cert Management Server Authentication Session Management Cross-site Scripting SQL Injection Command Injection Network Insecure data transfer during installation or execution of the application Insecure transmission of data across the network

12 © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 12 Top 10 Mobile by Prevalence Source: HP 2012 Cyber Security RiskReport

13 © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 13 Increasing Awareness IDC Web Conference, 12 April 2012 Source: IDC Security as a Service Survey n-47 Which of the following technologies have resulted in an increase in IT security management spending at your organization within past 12 months? More than 60% of mobile apps have at least one critical vulnerability

14 © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 14 Oops!

15 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The solution

16 © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 16 What is mobile? ServersConnectionDevices

17 © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 17 Same old client server model browser ServerNetwork Client

18 © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 18 Mobile application concerns Does the application function as the business intends? Are all features there and working? Will the application perform for all users? Does it meet SLAs in production? Does it work?Does it perform? Is the application securely coded? Has the application been assessed for known threats? Is it secure?

19 © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 19 Get over yourself. The testing stick will not work.

20 © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 20 Integrating security into your established SDLC process Process integration Security Foundations – Mobile Applications Build ProductionTest Architecture & Design RequirementsPlan Mobile Security Development Standards Application Specific Threat Modeling and Analysis Mobile Secure Coding Training Mobile Application Security Assessment (Static, Dynamic, Server, Network, Client) Threat Modeling CBT for Developers Mobile Secure Coding Standards Wiki Mobile Risk Dictionary Mobile Application Security Process Design Mobile Firewall Mobile Security Policies Static Analysis

21 © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 21 How you see your world Get the username Get the password Remember the User Get Sales Data Edit my account Generate Reports

22 © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 22 How an attacker sees your world SQL Injection Cross Site Scripting Improper Session Handling Data Leakage Sensitive Information Disclosure Weak Server Side Controls Client Side Injection Insufficient Data Storage

23 © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 23 Get over yourself. You are responsible for security.

24 © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 24 Test, test some more and then test again

25 © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 25 Testing Solution 1.Proactive – test early and often; repeatable and automated 2.Breadth – support for multiple platforms 3.Depth Research Secure the entire stack - client, server and network Quality analysis 4.Compliance – enforce internal and external standards 5.Scalability – 10, 100, 1,000 6.Cost effective

26 © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 26 HP Fortify on Demand Simple Launch your application security initiative in <1 day No hardware or software investments No security experts to hire, train and retain Fast Scale to test all applications in your organization 1 day turn-around on application security results Support 1000s of applications for the desktop, mobile or cloud Flexible Test any application from anywhere Secure commercial, open source and 3 rd party applications Test applications on-premise or on demand, or both

27 © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 27 Secure Comprehensive and accurate Broad supportFast and scalable Breadth of testing Powerful remediation HP Fortify on Demand at a glance HP Fortify SCA HP WebInspect Insightful Analysis and ReportsCollaboration Module ABAP C/C++ Cold Fusion Java Objective C Python ASP.NET Classic ASP Flex JavaScript/AJAX PHP T-SQL C# COBOL JSP PL/SQL VB.NET XML 1 Day Static TurnaroundVirtual Scan Farm DatacenterEncryptionThird Party Reviews 10,000+ applications 16 different industries represented 5 Continents Civilian and Defense Agencies across US Government Vendor Management and Internal Management Development teams from 1 to 10,000s Manual

28 © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 28 Powerful remediation and guidance Executive Summary Most prevalent vulnerabilities Top 5 applications Heat Map Line of code details -Web based IDE -IDE Plug-in Assign issues to developers Star Rating Remediation roadmap Detailed vulnerability data Recommendations Insightful DashboardCollaborationDetailed Reports

29 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Questions


Download ppt "© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Mobile Application Security."

Similar presentations


Ads by Google