© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Mobile Application Security.

Presentation transcript:

Mobile Application Security: Can You Trust Your Mobile Applications? Paras Shah, Country Manager, Canada, Software Security Assurance, HP Enterprise Security Products

The motivation

Rise of the mobile machines. [Chart: global shipments (MM) of smartphones, tablets, desktop PCs and notebook PCs, with estimates through 2013E; annotation: Q4 inflection point, smartphones + tablets > PCs. Source: Morgan Stanley Research.]

The evolution of the modern enterprise: 1990s, the webpage era; 2000s, Web 2.0; 2010s, the mobile era.

The smartphone as pocket PC. Smartphone activities within the past week (excluding calls): 81% browsed the internet, 77% used a search engine, 68% used an app, 48% watched videos. Source: The Mobile Movement Study, Google, April 2011.

Mobile represents a huge business opportunity. [Chart: responses to "Please select the most important benefit that your organization ultimately expects to gain from current or future mobile solutions deployments (whether or not you are currently receiving those benefits)". N = 600. Source: IDC's mobile enterprise software survey, 2011.]

Challenges

The Swiss army knife of computing: laptop, Rolodex, game console, calculator, camera, book, television, internet, GPS.

A treasure trove of private information. Your smartphone knows you better than you know yourself: PINs and passwords, contacts, call history, messages, social networking, visited web sites, mobile banking, personal videos, family photos, documents ... and cyber attackers are after your personal records.

Risks: difficult to train and retain staff (very difficult to keep skills up to date); constantly changing environment; new attacks constantly emerge; compliance requirements; too many tools for various results.

Threats at all points.
Client: insecure storage of credentials; improper use of configuration files; use of insecure development libraries; poor certificate management.
Server: authentication; session management; cross-site scripting; SQL injection; command injection.
Network: insecure data transfer during installation or execution of the application; insecure transmission of data across the network.
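
As an added example, not from the deck or from HP's tooling, the server-side SQL injection item above is shown as a vulnerable lookup beside its parameterised form, using Python's built-in sqlite3 module as a stand-in for the application's back-end database. The user table, its rows and the placeholder hash values are constructed for the example.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the server-side user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    # The hash values are constructed placeholders, not real digests.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "pbkdf2$placeholder-hash-1"), ("bob", "pbkdf2$placeholder-hash-2")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    """Vulnerable: the client-supplied username is spliced into the SQL text,
    so quote characters inside it change the structure of the statement."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(query))


def find_user_hardened(conn: sqlite3.Connection, username: str) -> list[str]:
    """Hardened: the username travels as a bound parameter. The driver never
    interprets it as SQL, so the same input can only match a literal name."""
    query = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(query, (username,)))


# Defence in depth at the API boundary: allow-list the username format so that
# nothing resembling SQL syntax reaches the data layer in the first place.
USERNAME_RE = re.compile(r"^[a-z0-9_.-]{1,32}$")


def valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    conn = build_db()
    # Constructed probe of the kind a security test uses to check that user
    # input cannot alter the statement's structure.
    probe = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(conn, probe))  # every row comes back
    print("hardened:  ", find_user_hardened(conn, probe))    # no row matches
    print("allow-list:", valid_username(probe))              # rejected before any query
```

The parameterised query is the fix; the allow-list is an extra control that also gives the server a cheap, loggable signal when malformed input arrives.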

Top 10 Mobile by Prevalence. [Chart not reproduced in the transcript. Source: HP 2012 Cyber Security Risk Report.]

Increasing awareness. IDC Web Conference, 12 April 2012. [Chart: "Which of the following technologies have resulted in an increase in IT security management spending at your organization within the past 12 months?" Source: IDC Security as a Service Survey, n = 47.] More than 60% of mobile apps have at least one critical vulnerability.

Oops!

The solution

What is mobile? Servers, connection, devices.

Same old client-server model: client (browser), network, server.

Mobile application concerns. Does it work? Does the application function as the business intends? Are all features there and working? Does it perform? Will the application perform for all users? Does it meet SLAs in production? Is it secure? Is the application securely coded? Has the application been assessed for known threats?

Get over yourself. The testing stick will not work.

Integrating security into your established SDLC process. Process integration across Plan, Requirements, Architecture & Design, Build, Test and Production. Security foundations for mobile applications: mobile security development standards; application-specific threat modeling and analysis; mobile secure coding training; mobile application security assessment (static, dynamic, server, network, client); threat modeling CBT for developers; mobile secure coding standards wiki; mobile risk dictionary; mobile application security process design; mobile firewall; mobile security policies; static analysis.

How you see your world: get the username; get the password; remember the user; get sales data; edit my account; generate reports.

How an attacker sees your world: SQL injection; cross-site scripting; improper session handling; data leakage; sensitive information disclosure; weak server-side controls; client-side injection; insufficient data storage.

Get over yourself. You are responsible for security.

Test, test some more and then test again.

Testing solution: 1. Proactive: test early and often; repeatable and automated. 2. Breadth: support for multiple platforms. 3. Depth: research; secure the entire stack (client, server and network); quality analysis. 4. Compliance: enforce internal and external standards. 5. Scalability: 10, 100, 1,000. 6. Cost effective.
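
The "static analysis" item on the SDLC-integration slide above and the "proactive, repeatable and automated" point here both come down to a check that runs on every build and blocks when it finds client-side problems of the kinds listed on the threats slide. As an added example, not the deck's own material and not how HP Fortify works (a real static analyser tracks data flow rather than matching lines), the following Python scanner applies a small rule table to constructed Android-style source and returns findings a build gate can act on. The class, rules, strings and the `passes_gate` budget are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Rule table: (threat category as named on the "threats at all points" slide, pattern).
# The patterns are deliberately simple line-based regexes, chosen for illustration.
RULES = [
    ("Insecure storage of credentials",
     re.compile(r'(?i)\b(password|passwd|secret|api[_-]?key)\s*=\s*"[^"]+"')),
    ("Insecure transmission of data", re.compile(r'"http://[^"]+"')),
    # An empty checkServerTrusted body is the classic trust-everything TrustManager.
    ("Poor cert management",
     re.compile(r'checkServerTrusted\s*\([^)]*\)\s*\{\s*\}')),
    ("Improper use of configuration files",
     re.compile(r'MODE_WORLD_(READABLE|WRITEABLE)')),
]


@dataclass(frozen=True)
class Finding:
    category: str
    line: int
    text: str


def scan_source(source: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit, in file order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for category, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(category, lineno, line.strip()))
    return findings


def passes_gate(findings: list[Finding], max_allowed: int = 0) -> bool:
    """Build-pipeline gate: the build fails when findings exceed the budget."""
    return len(findings) <= max_allowed


# Constructed sample with one instance of each weakness (hypothetical class).
VULNERABLE_SOURCE = """\
public class ApiClient {
    private static final String API_KEY = "sk-constructed-placeholder";
    private static final String BASE_URL = "http://api.example.com/v1/";
    void trustEverything() {
        TrustManager tm = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] c, String a) { }
        };
    }
    void savePrefs(Context ctx) {
        ctx.getSharedPreferences("prefs", Context.MODE_WORLD_READABLE);
    }
}
"""

# Constructed hardened counterpart: secret fetched at runtime, TLS endpoint,
# delegation to the platform trust manager, private preferences file.
HARDENED_SOURCE = """\
public class ApiClient {
    private static final String BASE_URL = "https://api.example.com/v1/";
    String apiKey() { return secretsProvider.get("api_key"); }
    public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { defaultTm.checkServerTrusted(c, a); }
    void savePrefs(Context ctx) { ctx.getSharedPreferences("prefs", Context.MODE_PRIVATE); }
}
"""

if __name__ == "__main__":
    findings = scan_source(VULNERABLE_SOURCE)
    for f in findings:
        print(f"line {f.line}: {f.category}: {f.text}")
    print("vulnerable build gate:", "PASS" if passes_gate(findings) else "FAIL")
    print("hardened build gate:  ", "PASS" if passes_gate(scan_source(HARDENED_SOURCE)) else "FAIL")
```

Wiring `passes_gate` into the build step is what makes the check repeatable: every commit is scanned the same way, and the rule table grows as the mobile risk dictionary on the SDLC slide grows.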

HP Fortify on Demand. Simple: launch your application security initiative in under 1 day; no hardware or software investments; no security experts to hire, train and retain. Fast: scale to test all applications in your organization; 1-day turnaround on application security results; support 1000s of applications for the desktop, mobile or cloud. Flexible: test any application from anywhere; secure commercial, open source and 3rd-party applications; test applications on-premise or on demand, or both.

HP Fortify on Demand at a glance. Secure, comprehensive and accurate; broad support; fast and scalable; breadth of testing; powerful remediation. Built on HP Fortify SCA and HP WebInspect, with insightful analysis and reports and a collaboration module. Languages: ABAP, C/C++, Cold Fusion, Java, Objective C, Python, ASP.NET, Classic ASP, Flex, JavaScript/AJAX, PHP, T-SQL, C#, COBOL, JSP, PL/SQL, VB.NET, XML. 1-day static turnaround; virtual scan farm; datacenter; encryption; third-party reviews; manual. 10,000+ applications; 16 different industries represented; 5 continents; civilian and defense agencies across US government; vendor management and internal management; development teams from 1 to 10,000s.

Powerful remediation and guidance. Insightful dashboard: executive summary; most prevalent vulnerabilities; top 5 applications; heat map; star rating. Collaboration: line-of-code details (web-based IDE, IDE plug-in); assign issues to developers. Detailed reports: remediation roadmap; detailed vulnerability data; recommendations.

Questions