Presentation is loading. Please wait.

Presentation is loading. Please wait.

OWASP Mobile Top 10 Why They Matter and What We Can Do

Published byLaurel Randall Modified over 9 years ago

Similar presentations

Presentation on theme: "OWASP Mobile Top 10 Why They Matter and What We Can Do"— Presentation transcript:

1 OWASP Mobile Top 10 Why They Matter and What We Can Do
BSides Columbus January 19th, 2015

2 Who Am I? Husband and Father Over 20 years in technology
New to the information security field. This is my first conference talk ever

3 Changes

4 M1: Weak Server Side Controls
What it is: Attack vectors typically leading to the traditional OWASP Top 10 as well as the OWASP Cloud Top 10 Anything that a mobile application can do wrong that is not on the phone itself. SQL Injection, CSRF, XSS, etc.. Insecure Coding Practices How to prevent: Satisfy the requirements for the OWASP Top 10 and OWASP Cloud Top 10. Implement secure coding practices across your organization. Don’t think that holes in your web application or cloud services are limited to just those areas.

5 M2: Insecure Data Storage
What It Is: Securing critical information insecurely on the device Most commonly seen in these places: SQLite Databases Log Files Binary Data Stores SD Cards Cloud Synced How to Prevent: The primary rule of mobile apps is not to store data unless absolutely necessary. If you must store data on the phone, it is your responsibility to know what is stored and protect it accordingly. OWASP maintains Best Practices for both iOS and Android in terms of data storage.

6 M3: Insufficient Transport Layer Protection
What It Is: Anything related to the transport of information from the client to the server, whether over a mobile network or a Wi-Fi Network. Lack of Certificate Inspection Weak Handshake Negotiation Confidential Information Leakage How to Prevent: We must assume the network layer is not secure. Apply SSL/TLS to all transport channel the mobile apple will use. Good Certificate practices DO NOT send sensitive information over alternate methods (SMS, MMS, notifications)

7 M4: Unintended Data Leakage
What It Is: Vulnerabilities in the operating system, frameworks, etc. that occur without a developer’s knowledge. The way an operating system or frameworks might cache data, images, key presses, images, etc.. How to Prevent: Understand the tools, frameworks, and operating systems that you use for mobile development. Threat model your operating system. Once you identify weakness you can you put in controls to offset this and avoid data lea

8 M5: Poor Authorization and Authentication
What It Is: This is primarily a lack of or mishandling of the authentication or authorization within the application. This can be storing information on the client side or not requiring server side authentication. How to Prevent: Assume any and all client side authorization/authentication controls can be exploited. Re-enforce server side controls where possible. If the app has offline usage requirements, implement local integrity checks.

9 M6: Broken Cryptography
What It Is: Insecure use of cryptography presents as having a flawed process behind the encryption that can be exploited or using an method of encryption/decryption that is weak by default. How to Prevent: Always use modern encryption methods and also consider white box encryption. Do not use weak or insufficient algorithms: RC2 MD4 MD5 SHA1

10 M7: Client Side Injection
What it Its: Allowing input without input validation and no prevention against code injection. This can be related to the data on the device itself, the mobile browser, application interfaces or the binary code itself. How to Prevent: Look at all areas your application can receive data from and apply some sort of data validation. For injection attacks on the mobile side, follow best practices for your OS of choice in terms of secure development against injections. M10 will discuss more in terms of binary attacks.

11 M8: Security Decisions Via Untrusted Inputs
What it Is: This is related specifically a mishandling or a misunderstanding about how to handle input via Inter Process Communications (IPC) within the operating system. How to Prevent: If IPC is needed, restrict access to a white list of trusted apps. Sensitive actions should require user interaction. Input validation must be strict for all IPC entries. Do not pass sensitive information over IPC.

12 M9: Improper Session Handling
What It Is: This primarily centers around not invalidating sessions on the back end, have no time out protection or inadequate time outs, not rotating cookies, and insecure token creation. How to Prevent: Invalidate sessions both on the mobile app and on the server side. Set good time out protections, with high security apps having the shortest window before timing out. Destroy cookies on the server side and insure cookies from prior sessions no longer accepted. Like cryptography, use well established and industry standard methods of creating tokens.

13 M10: Lack of Binary Protections
What It Is: The primary risk and attack vector is a code base that is hosted in an untrusted environment. This is an environment where the organization does not have physical control. Mobile clients, firmware in appliances, cloud spaces or data centers in certain countries. How to Prevent: Follow secure coding techniques for mobile apps. Build the app to prevent an adversary from analyzing and reverse engineering the app. Build the app to react appropriately to code integrity violation.

14 In Closing: As we continue to move towards more and more mobile apps, it is important for developers, QA, support, and security personnel to understand the weaknesses in the tools we are use and put in mitigation strategies to account for these. Security must be an end to end process in development. Always assume insecurity and work to address it. Never assume security is present or that someone else is handling it. Threat model everything from top to bottom. This will prevent surprises. Never compromise security in an application, mobile or otherwise.

15 Additional Information
OWASP Mobile Security Project: OWASP Traditional Top 10: OWASP Cloud Project: OWASP Reverse Engineering and Code Modification Prevention Project: _Project Android Secure Developer Practices: iOS Secure Developer Practices: urityDevelopmentChecklists/SecurityDevelopmentChecklists.html Microsoft Security Development LifeCycle: BlackBerry Security Best Practices: ecurity_overview.html

16 QUESTIONS?

17 THANK YOU!!!! @rrickardjr

Download ppt "OWASP Mobile Top 10 Why They Matter and What We Can Do"

Similar presentations

Innovation Towards a next generation secure internet Private Application Ecosystems Sanjay Deshpande CEO and Chief Innovation Officer Center.

Innovation Towards a next generation secure internet Private Application Ecosystems Sanjay Deshpande CEO and Chief Innovation Officer Center.
OWASP Mobile Top 10 Beau Woods

OWASP Mobile Top 10 Beau Woods
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.

Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN121051 Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.

BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Metro (down the Tube) Security Testing Windows Store Apps Marion McCune – ScotSTS Ltd.

Metro (down the Tube) Security Testing Windows Store Apps Marion McCune – ScotSTS Ltd.
Telenet for Business Mobile & Security? Brice Mees Security Services Operations Manager.

Telenet for Business Mobile & Security? Brice Mees Security Services Operations Manager.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
OWASP Zed Attack Proxy Project Lead

OWASP Zed Attack Proxy Project Lead
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
 Computer security policy ◦ Defines the goals and elements of an organization's computer systems  Definition can be ◦ Highly formal ◦ Informal  Security.

 Computer security policy ◦ Defines the goals and elements of an organization's computer systems  Definition can be ◦ Highly formal ◦ Informal  Security.
Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.

Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.

Similar presentations

Ads by Google