
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Mobile Application Security.




Slide 1: Mobile Application Security. Can You Trust Your Mobile Applications? Paras Shah, Country Manager, Canada, Software Security Assurance, HP Enterprise Security Products

Slide 2: The motivation

Slide 3: Rise of the mobile machines. [Chart: Global Shipments (MM), 100,000 to 700,000, for 2005 through 2013E, with series Smartphones, Tablets, Desktop PCs and Notebook PCs; annotation "Q4: Inflection Point, Smartphones + Tablets > PCs". Source: Morgan Stanley Research]

Slide 4: The evolution of the modern enterprise. 1990s: webpage era. 2000s: Web 2.0. 2010s: mobile era.

Slide 5: The smartphone as a pocket PC. Smartphone activities within the past week (excluding calls):
- 81% browsed the internet
- 77% used a search engine
- 68% used an app
- 48% watched videos
Source: The Mobile Movement Study, Google, April 2011

Slide 6: Mobile represents a huge business opportunity. [Chart of responses to the survey question "Please select the most important benefit that your organization ultimately expects to gain from current or future mobile solutions deployments (whether or not you are currently receiving those benefits)." N = 600. Source: IDC's mobile enterprise software survey, 2011]

Slide 7: Challenges

Slide 8: The Swiss army knife of computing: laptop, Rolodex, game console, calculator, camera, book, television, email, internet, GPS.

Slide 9: A treasure trove of private information. Your smartphone knows you better than you know yourself: PINs and passwords, contacts, call history, messages, social networking, visited web sites, mobile banking, personal videos, family photos, documents... and cyber attackers are after your personal records.

Slide 10: Risks
- Difficult to train and retain staff; very difficult to keep skills up to date
- Constantly changing environment
- New attacks constantly emerge
- Compliance requirements
- Too many tools for various results

Slide 11: Threats at all points
Client:
- Insecure storage of credentials
- Improper use of configuration files
- Use of insecure development libraries
- Poor certificate management
Server:
- Authentication
- Session management
- Cross-site scripting
- SQL injection
- Command injection
Network:
- Insecure data transfer during installation or execution of the application
- Insecure transmission of data across the network

Slide 12: Top 10 Mobile by Prevalence. [Chart not reproduced in the transcript.] Source: HP 2012 Cyber Security Risk Report

Slide 13: Increasing awareness. [Chart: "Which of the following technologies have resulted in an increase in IT security management spending at your organization within the past 12 months?" Source: IDC Security as a Service Survey, n=47, IDC Web Conference, 12 April 2012.] More than 60% of mobile apps have at least one critical vulnerability.

Slide 14: Oops!

Slide 15: The solution

Slide 16: What is mobile? Devices, connection, servers.

Slide 17: Same old client-server model: client (browser), network, server.

Slide 18: Mobile application concerns
Does it work?
- Does the application function as the business intends?
- Are all features there and working?
Does it perform?
- Will the application perform for all users?
- Does it meet SLAs in production?
Is it secure?
- Is the application securely coded?
- Has the application been assessed for known threats?

Slide 19: Get over yourself. The testing stick will not work.

Slide 20: Integrating security into your established SDLC process. Process integration across the phases Plan, Requirements, Architecture & Design, Build, Test and Production. Security foundations for mobile applications:
- Mobile Security Development Standards
- Application Specific Threat Modeling and Analysis
- Mobile Secure Coding Training
- Mobile Application Security Assessment (Static, Dynamic, Server, Network, Client)
- Threat Modeling CBT for Developers
- Mobile Secure Coding Standards Wiki
- Mobile Risk Dictionary
- Mobile Application Security Process Design
- Mobile Firewall
- Mobile Security Policies
- Static Analysis

Slide 21: How you see your world
- Get the username
- Get the password
- Remember the user
- Get sales data
- Edit my account
- Generate reports

Slide 22: How an attacker sees your world
- SQL injection
- Cross-site scripting
- Improper session handling
- Data leakage
- Sensitive information disclosure
- Weak server-side controls
- Client-side injection
- Insufficient data storage
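The contrast between slides 21 and 22 (a feature list versus the vulnerability classes it can turn into) and the client-side "insecure storage of credentials" item on slide 11 are easier to see in code. The following is an added illustration, not material from the HP deck or an HP product: it takes two of the slide 21 features, "Get Sales Data" and "Remember the User", and writes each first the way the feature reads and then in a hardened form. The function names, the in-memory SQLite schema, the sample rows and the dictionary standing in for the app's local preference store are all constructed for this example.

```python
"""Added illustration (not part of the HP deck).

Two features from slide 21, "Get Sales Data" and "Remember the User", written
first the way the feature list reads and then the way the threat lists on
slides 11 and 22 require. The function names, the in-memory SQLite schema and
the sample rows are all constructed for this example.
"""
import hashlib
import secrets
import sqlite3


def make_db():
    """Constructed sample data: a tiny sales table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sales (region TEXT, amount INTEGER)")
    conn.executemany(
        "INSERT INTO sales VALUES (?, ?)",
        [("east", 100), ("west", 250), ("north", 75)],
    )
    return conn


# "Get Sales Data" as the developer sees it: the region comes straight from the
# mobile client and is spliced into the SQL text. Slide 22 calls this SQL injection.
def get_sales_unsafe(conn, region):
    sql = "SELECT amount FROM sales WHERE region = '" + region + "'"
    return [row[0] for row in conn.execute(sql)]


# The same feature with a parameterised query: the driver passes the region as
# data, so quote characters in it never change the statement. Each row must still
# be authorised for the caller on the server; slide 22 lists the absence of that
# check as "weak server-side controls".
def get_sales_safe(conn, region):
    rows = conn.execute("SELECT amount FROM sales WHERE region = ?", (region,))
    return [row[0] for row in rows]


# "Remember the User" as the developer sees it: keep the password in the app's
# local preference store so the user is not asked again. Slide 11 calls this
# "insecure storage of credentials": a backup, a lost device or malware that can
# read the store obtains a reusable password.
def remember_user_unsafe(store, username, password):
    store["username"] = username
    store["password"] = password


# Hardened: the device keeps only a random session token that the server can
# revoke; the server keeps a hash of it, so a copy of either side's storage does
# not yield a long-lived credential. This is the "improper session handling"
# item on slide 22 done properly.
def remember_user_safe(store, server_sessions, username):
    token = secrets.token_urlsafe(32)
    server_sessions[_digest(token)] = username
    store["username"] = username
    store["session_token"] = token
    return token


def resume_session(store, server_sessions):
    """Server-side check when the app restarts: returns the user or None."""
    token = store.get("session_token")
    if token is None:
        return None
    return server_sessions.get(_digest(token))


def revoke_session(server_sessions, token):
    """Log-out or compromise response: the token stops working everywhere."""
    server_sessions.pop(_digest(token), None)


def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    conn = make_db()
    crafted = "east' OR '1'='1"  # quote characters arriving from an untrusted client
    print("unsafe:", get_sales_unsafe(conn, crafted))  # every row, not just east
    print("safe:  ", get_sales_safe(conn, crafted))    # no such region: []
    store, sessions = {}, {}
    token = remember_user_safe(store, sessions, "alice")
    print("password on device?", "password" in store)
    print("resumes as:", resume_session(store, sessions))
    revoke_session(sessions, token)
    print("after revoke:", resume_session(store, sessions))
```

Run as a script it prints both views side by side: the concatenated query returns the whole table for a region value containing a quote, the parameterised one returns nothing, and the hardened "remember me" leaves no password on the device while still resuming the session until the server revokes it. The dictionary `store` stands in for whatever preference file or keystore the real app would use; the point is what goes into it, not where it lives.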

Slide 23: Get over yourself. You are responsible for security.

Slide 24: Test, test some more and then test again.

Slide 25: Testing solution
1. Proactive: test early and often; repeatable and automated
2. Breadth: support for multiple platforms
3. Depth: research; secure the entire stack (client, server and network); quality analysis
4. Compliance: enforce internal and external standards
5. Scalability: 10, 100, 1,000
6. Cost effective

Slide 26: HP Fortify on Demand
Simple:
- Launch your application security initiative in <1 day
- No hardware or software investments
- No security experts to hire, train and retain
Fast:
- Scale to test all applications in your organization
- 1 day turn-around on application security results
- Support 1000s of applications for the desktop, mobile or cloud
Flexible:
- Test any application from anywhere
- Secure commercial, open source and 3rd party applications
- Test applications on-premise or on demand, or both

Slide 27: HP Fortify on Demand at a glance. Themes: Secure; Comprehensive and accurate; Broad support; Fast and scalable; Breadth of testing; Powerful remediation.
- Engines: HP Fortify SCA, HP WebInspect, manual review
- Insightful Analysis and Reports; Collaboration Module
- Broad support: ABAP, C/C++, Cold Fusion, Java, Objective C, Python, ASP.NET, Classic ASP, Flex, JavaScript/AJAX, PHP, T-SQL, C#, COBOL, JSP, PL/SQL, VB.NET, XML
- 1 Day Static Turnaround; Virtual Scan Farm
- Datacenter; Encryption; Third Party Reviews
- 10,000+ applications; 16 different industries represented; 5 continents; civilian and defense agencies across US Government; vendor management and internal management; development teams from 1 to 10,000s

Slide 28: Powerful remediation and guidance. Areas: Insightful Dashboard; Collaboration; Detailed Reports.
- Executive Summary
- Most prevalent vulnerabilities
- Top 5 applications
- Heat Map
- Line of code details (web based IDE, IDE plug-in)
- Assign issues to developers
- Star Rating
- Remediation roadmap
- Detailed vulnerability data
- Recommendations

Slide 29: Questions

