RISKS HIDING IN PLAIN SIGHT: MOBILE APP CYBER THREAT & VULNERABILITY BENCHMARKS. BRIAN LAWRENCE SENIOR SECURITY ENGINEER
|
|
- Miles Moody
- 5 years ago
- Views:
Transcription
1 RISKS HIDING IN PLAIN SIGHT: MOBILE APP CYBER THREAT & VULNERABILITY BENCHMARKS BRIAN LAWRENCE SENIOR SECURITY ENGINEER Copyright 2018 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. te.
2 NOWSECURE DELIVERING SECURE MOBILE APPS FASTER Books & Speaking MOBILE THREAT RESEARCH IS IN OUR DNA Dream team of security researchers Every waking moment spent: Discovering critical vulns Identifying novel attack vectors Creating/maintaining renowned open-source mobile security tools/projects Open source THE NOWSECURE MISSION Save the world from unsafe mobile apps Educate enterprises on the latest mobile threats 2
3 TRAFFIC IS MOVING FROM WEB TO MOBILE APPS 3
4 85% of Mobile Apps In AppStores Have Security Vulnerabilities 49% of Mobile Apps In AppStores Leak Data to Violate GDPR 4
5 INSIDE THE MOBILE ATTACK SURFACE CODE FUNCTIONALITY ios APPS TEST APP ios FRAMEWORKS GPS spoofing URL schemes Buffer overflow GPS Leaking allowbackup Flag Integrity/tampering/repacking allowdebug Flag Side channel attacks Code Obfuscation App signing key unprotected Configuration manipulation JSON-RPC Escalated privileges Automatic Reference Counting WEB + SAST VENDORS Android rooting/ios jailbreak User-initiated code Confused deputy attack Media/file format parsers Insecure 3rd party libraries World Writable Files World Writable Executables Dynamic runtime injection Unintended permissions UI overlay/pin stealing Intent hijacking Zip directory traversal Clipboard data World Readable Files ios NATIVE LIBRARIES DATA AT REST DATA IN MOTION ios HAL ios Mach/XNU KERNEL HARDWARE Data caching Data stored in application directory Decryption of keychain Data stored in log files Data cached in memory/ram Data stored in SD card OS data caching Passwords & data accessible No/Weak encryption TEE/Secure Enclave Processor Side channel leak SQLite database Emulator variance Wi-Fi (no/weak encryption) Rogue access point Packet sniffing Man-in-the-middle Session hijacking DNS poisoning TLS Downgrade Fake TLS certificate Improper TLS validation HTTP Proxies VPNs Weak/No Local authentication App transport security Transmitted to insecure server Zip files in transit Cookie httponly flag Cookie secure flag Network & Cloud Services Data Center & App Backend 5
6 NOWSECURE BROADEST COVERAGE, HIGHEST ACCURACY ios APPS TEST APP AUTOMATED MOBILE APP SECURITY TESTING PLATFORM ios FRAMEWORKS ios NATIVE LIBRARIES ios HAL STATIC TESTING analyzes the binary postcompilation to discover vulnerabilities including those in third-party libraries DYNAMIC TESTING observes the binary at runtime to discover vulnerabilities within the app BEHAVIORAL TESTING attacks the binary & network environment to discover vulnerabilities within the app with near zero false positives ios Mach/XNU KERNEL HARDWARE Network & Cloud Services Data Center & App Backend 6
7 ENABLING DIGITAL BUSINESS VALUE - SAFELY AUTOMATION + INTEGRATION SECURITY COVERAGE LOW HIGH LEGACY APPROACHES TARGET...Is the only way to get from here to there SPEED COVERAGE ACCURACY CONSISTENCY SLOW FAST PREDICTABILITY EFFICIENCIES BUSINESS VELOCITY 7
8 ANALYSIS OF MOBILE APP STORE APPS BY INDUSTRY VIA CVSS SCORED FINDINGS Copyright Copyright 2018 NowSecure, 2017 NowSecure, Inc. All Rights Inc. Reserved. All Rights Proprietary Reserved. information. Proprietary Do information. not distribute.
9 BENCHMARKING 45,000 APPSTORE APPS Analysis of Mobile App Risk in Apple App Store and the Google Play store via OWASP Mobile Top 10 Comprehensive Risk Analysis Security vulnerabilities Compliance violations Privacy leakage Rich Results Industry Standard CVSS Scores High Accuracy Detailed Results & Recommendations 9
10 INSIDE NOWSECURE MOBILE APP RISK SCORING 10
11 INSIDE NOWSECURE MOBILE APP RISK SCORING 11
12 NOWSECURE BENCHMARKS: BANKING & FINANCE TOP 50 NowSecure Score Risk Range Hgh Risk Caution Low Risk *Scoring algorithm based on Industry Standard CVSS Scored findings A significant 10 of 100 Apps (10%) fail w/ critical & high risks Identified Failures: Man in Middle Attack, Invalid Certificate, Known Vulnerable 3rd Party Libraries, Unencrypted credentials/pii in local files or over HTTP
13 NOWSECURE BENCHMARKS: HEALTHCARE TOP 35 NowSecure Score Risk Range Hgh Risk Caution Low Risk *Scoring algorithm based on Industry Standard CVSS Scored findings A significant 7 of 70 Apps (10%) fail w/ critical & high risks Identified Failures: Man in Middle Attack, Invalid Certificate, Known Vulnerable 3rd Party Libraries, Unencrypted credentials/pii in local files or over HTTP
14 NOWSECURE BENCHMARKS: RETAIL TOP 40 NowSecure Score Risk Range Hgh Risk Caution Low Risk *Scoring algorithm based on Industry Standard CVSS Scored findings A shocking 27 of 80 Apps (38%) fail w/ critical & high risks Identified Failures: Man in Middle Attack, Invalid Certificate, Known Vulnerable 3rd Party Libraries, Unencrypted credentials/pii in local files or over HTTP
15 NOWSECURE BENCHMARKS: FANTASY SPORTS TOP 30 NowSecure Score Risk Range Hgh Risk Caution Low Risk *Scoring algorithm based on Industry Standard CVSS Scored findings A significant 23 of 60 Apps (38%)fail w/ critical & high risks Identified Failures: Man in Middle Attack, Invalid Certificate, Known Vulnerable 3rd Party Libraries, Unencrypted credentials/pii in local files or over HTTP
16 APPSTORE SCORES INDUSTRY COMPARATIVE RESULTS Analysis of Top 10 downloads in 11 Major Categories of apps used by employees ios Best Performing Scores Finance General Navigation Android Best Performing Scores Finance Medical Business ios 8 of 11 categories are range Android none are in range, but 8 of 11 categories are range
17 YOU ARE MOST LIKELY USING THESE POPULAR BUSINESS POPULAR BUSINESS CRM POPULAR BUSINESS NOTE TAKING POPULAR ERP WORKFORCE MGMT POPULAR BUSINESS CHAT APP POPULAR BUSINESS TRAVEL APP POPULAR BUSINESS INTELLIGENCE POPULAR ERP FINANCIALS 17
18 ANALYSIS OF MOBILE APP STORE APPS ALL INDUSTRIES VIA OWASP MOBILE TOP 10 Copyright Copyright 2018 NowSecure, 2017 NowSecure, Inc. All Rights Inc. Reserved. All Rights Proprietary Reserved. information. Proprietary Do information. not distribute.
19 OWASP MOBILE TOP 10 [2016] OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. OWASP initiated MOBILE TOP 10 in 2011 Recognized Mobile OS Platforms vary widely Unique from web app model Must consider more than the Apps Remote web services Platform integration (icloud, GCM) Device (in)security considerations Intended to be platform-agnostic Focused on areas of risk rather than individual vulnerabilities Weighted utilizing the OWASP Risk Rating Methodology
20 OWASP MOBILE TOP 10 M1 - Improper Platform Usage M2 - Insecure Data Storage M3 - Insecure Communication M4 - Insecure Authentication M5 - Insufficient Cryptography M6 - Insecure Authorization M7 - Client Code Quality M8 - Code Tampering M9 - Reverse Engineering M10 - Extraneous Functionality Misuse of features like Touch ID, permissions, Keychain Data Leakage, client-side injection, weak server-side controls Poor handshake, SSL/TLS/Cert issues, transfer in clear text Improper identity mgmt, weak session mgmt Lack of crypto, improper crypto use Improper local auth, forced browsing Code mistakes eg. Buffer overflows, format string vulns Binary patching, method hooking/swizzling, memory mods Exposure to attacker reversing tools Dev/QA inadvertent disabling security, hidden backdoors
21 OWASP MOBILE TOP 10-3rd PARTY ANALYSIS M1 - Improper Platform Usage Misuse of features like Touch ID, permissions, Keychain M2 - Insecure Data Storage Data Leakage, client-side injection, weak server-side controls 50% Fail
22 TESTING FOR RISK -- DATA AT REST Android ios Total M2-Insecure Data Storage 85% 16% 50% Local log/file data Account Credentials PII Geolocation IMEI/Serial Number WiFi World Writable Executables 52% of Android Apps
23 OWASP MOBILE TOP 10-3rd PARTY ANALYSIS M1 - Improper Platform Usage Misuse of features like Touch ID, permissions, Keychain M2 - Insecure Data Storage Data Leakage, client-side injection, weak server-side controls 50% Fail M3 - Insecure Communication Poor handshake, SSL/TLS/Cert issues, transfer in clear text 48% Fail
24 TESTING FOR RISK -- DATA IN TRANSIT Android ios Total M3-Insecure Communication 20% 76% 48% Assume that the network layer is not secure and is susceptible to intercept Frequent lack of proper ios ATS and crossplatform SSL implementations Unencrypted data OTA Account Credentials PII Geolocation IMEI/Serial Number 30% of ios apps use HTTP (not HTTPS) 24
25 OWASP MOBILE TOP 10-3rd PARTY ANALYSIS M1 - Improper Platform Usage Misuse of features like Touch ID, permissions, Keychain M2 - Insecure Data Storage Data Leakage, client-side injection, weak server-side controls 50% Fail M3 - Insecure Communication Poor handshake, SSL/TLS/Cert issues, transfer in clear text 48% Fail M4 - Insecure Authentication Improper identity mgmt, weak session mgmt 5% Fail M5 - Insufficient Cryptography Lack of crypto, improper crypto use M6 - Insecure Authorization Improper local auth, forced browsing 2% Fail M7 - Client Code Quality Code mistakes eg. Buffer overflows, format string vulns, 3rd Party 32% Fail
26 TESTING FOR RISK -- CODE & 3rd PARTY Android ios Total M7-Client Code Quality 59% 4% 32% ios enforces stronger code quality practices Nearly all apps have 3rd party/oss libraries Open source often unvetted Inconsistent upgrading to latest patched library versions Android app challenges 1465 arbitrary code injection 1133 SQL injection 112 Debug flag on
27 OWASP MOBILE TOP 10-3rd PARTY ANALYSIS M1 - Improper Platform Usage Misuse of features like Touch ID, permissions, Keychain M2 - Insecure Data Storage Data Leakage, client-side injection, weak server-side controls 50% Fail M3 - Insecure Communication Poor handshake, SSL/TLS/Cert issues, transfer in clear text 48% Fail M4 - Insecure Authentication Improper identity mgmt, weak session mgmt 5% Fail M5 - Insufficient Cryptography Lack of crypto, mproper crypto use M6 - Insecure Authorization Improper local auth, forced browsing 2% Fail M7 - Client Code Quality Code mistakes eg. Buffer overflows, format string vulns 32% Fail M8 - Code Tampering Binary patching, method hooking/swizzling, memory mods M9 - Reverse Engineering Exposure to attacker reversing tools 32% Fail M10 - Extraneous Functionality Dev/QA inadvertent disabling security, hidden backdoors 47% Fail
28 TESTING FOR RISK -- TAMPERING Android ios Total M9-Reverse Engineering 64% 0% 32% M10- Extraneous Functionality 92% 2% 47% Obfuscation insufficiently used by Android developers 90% of Android apps allow backup of data 1465 Android apps allow arbitrary code execution
29 TESTING FOR RISK -- PERMISSIONS & ENTITLEMENTS Risk Dependent on your corporate policies Sample potentially risky permissions Contact list access Write external storage Calendar Send SMS NFC
30 TESTING FOR RISK -- IP ADDRESSES Risk Dependent on your corporate policies 3rd party libraries, SDKs are common culprits Ad networks frequently uniquely identify users and geo-locate them insecurely Apps frequently have hundreds of connections (this one had 250)
31 BEST PRACTICES RECOMMENDATIONS FOR SECURITY TEAMS 1. Recognize the risks of 3rd party apps on all mobile devices Assume all are untrusted until validated, no matter who the developer 2. Put controls and processes in place to analyze and monitor 3rd party app risk Inventory & analyze your existing mobile apps leveraging EMM/MDM Adapt processes to review and approve all new mobile apps before introduction Leverage automated tools for in depth testing and continuous monitoring FOR APP DEVELOPERS 1. Train developers on secure coding best practices & fully vet 3rd party libraries Leverage the NowSecure Guide to Secure Mobile App Development Best Practices 2. Ensure all mobile app releases are properly security tested Leverage automated mobile appsec testing tools in SDLC lifecycle Leverage 3rd party expert mobile app pen testing 3. Find reputable sources to stay up to date on the latest mobile threats and vulnerabilities Nowsecure #MobSec5 at and blog THN, ThreatPost, Krebs, bankinfosecurity, etc.
32 GET A FREE MOBILE APP SECURITY REPORT Free for All Attendees Delivered by NowSecure Mobile App Security Experts Choose a 3rd Party Mobile app used in your business Surf to request: BRIAN LAWRENCE SENIOR SECURITY ENGINEER blawrence@nowsecure.com
33 RISKS HIDING IN PLAIN SIGHT: MOBILE APP CYBER THREAT & VULNERABILITY BENCHMARKS BRIAN LAWRENCE SENIOR SECURITY ENGINEER Copyright 2018 NowSecure, Inc. All Rights Reserved. Proprietary riet information. Do not distribute. te.
The Attacker s POV Hacking Mobile Apps. in Your Enterprise to Reveal Real Vulns and Protect the Business. Tony Ramirez
The Attacker s POV Hacking Mobile Apps in Your Enterprise to Reveal Real Vulns and Protect the Business Tony Ramirez AGENDA & SPEAKERS Introduction Attacks on Mobile Live Demo Recommendations Q&A Tony
More informationMobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing
Mobile Malfeasance Exploring Dangerous Mobile Code Jason Haddix, Director of Penetration Testing Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to
More informationC1: Define Security Requirements
OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security
More informationOWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati
OWASP TOP 10 2017 Release Andy Willingham June 12, 2018 OWASP Cincinnati Agenda A quick history lesson The Top 10(s) Web Mobile Privacy Protective Controls Why have a Top 10? Software runs the world (infrastructure,
More informationMobile Payment Application Security. Security steps to take while developing Mobile Application s. SISA Webinar.
Mobile Payment Application Security Security steps to take while developing Mobile Application s About SISA Payment Security Specialists PCI Certification Body (PCI Qualified Security Assessor) Payment
More informationBank Infrastructure - Video - 1
Bank Infrastructure - 1 05/09/2017 Threats Threat Source Risk Status Date Created Account Footprinting Web Browser Targeted Malware Web Browser Man in the browser Web Browser Identity Spoofing - Impersonation
More informationCSWAE Certified Secure Web Application Engineer
CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized
More informationCopyright
1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?
More informationWeak Spots Enterprise Mobility Management. Dr. Johannes Hoffmann
Weak Spots Enterprise Mobility Management Dr. Johannes Hoffmann Personal details TÜV Informationstechnik GmbH TÜV NORD GROUP Dr. Johannes Hoffmann IT Security Business Security & Privacy Main focus: Mobile
More informationCertified Secure Web Application Engineer
Certified Secure Web Application Engineer ACCREDITATIONS EXAM INFORMATION The Certified Secure Web Application Engineer exam is taken online through Mile2 s Assessment and Certification System ( MACS ),
More informationThe Android security jungle: pitfalls, threats and survival tips. Scott
The Android security jungle: pitfalls, threats and survival tips Scott Alexander-Bown @scottyab The Jungle Ecosystem Google s protection Threats Risks Survival Network Data protection (encryption) App/device
More informationEndpoint Security - what-if analysis 1
Endpoint Security - what-if analysis 1 07/23/2017 Threat Model Threats Threat Source Risk Status Date Created File Manipulation File System Medium Accessing, Modifying or Executing Executable Files File
More informationTopics. Ensuring Security on Mobile Devices
Ensuring Security on Mobile Devices It is possible right? Topics About viaforensics Why mobile security matters Types of security breaches and fraud Anticipated evolution of attacks Common mistakes that
More informationMOBILE SECURITY OVERVIEW. Tim LeMaster
MOBILE SECURITY OVERVIEW Tim LeMaster tim.lemaster@lookout.com Your data center is in the cloud. Your users and customers have gone mobile. Starbucks is your fall-back Network. Your mobile device is a
More informationTale of a mobile application ruining the security of global solution because of a broken API design. SIGS Geneva 21/09/2016 Jérémy MATOS
Tale of a mobile application ruining the security of global solution because of a broken API design SIGS Geneva 21/09/2016 Jérémy MATOS whois securingapps Developer background Spent last 10 years working
More informationOWASP Top 10 The Ten Most Critical Web Application Security Risks
OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain
More informationDrone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created
Drone - 2 04/12/2018 Threat Model Description Threats Threat Source Risk Status Date Created Mobile Phone: Sensitive Data Leakage Smart Devices Mobile Phone: Session Hijacking Smart Devices Mobile Phone:
More informationHP 2012 Cyber Security Risk Report Overview
HP 2012 Cyber Security Risk Report Overview September 2013 Paras Shah Software Security Assurance - Canada Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject
More informationIBM Future of Work Forum
IBM Cognitive IBM Future of Work Forum The Engaged Enterprise Comes Alive Improving Organizational Collaboration and Efficiency While Enhancing Security on Mobile and Cloud Apps Chris Hockings IBM Master
More informationEthical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities
Ethical Hacking and Countermeasures: Web Chapter 3 Web Application Vulnerabilities Objectives After completing this chapter, you should be able to: Understand the architecture of Web applications Understand
More informationMBFuzzer - MITM Fuzzing for Mobile Applications
MBFuzzer - MITM Fuzzing for Mobile Applications Fatih Özavcı Mentor of MBFuzer @ yakindanegitim.org fatih.ozavci at gamasec.net gamasec.net/fozavci Scope Yakindan Egitim Project Security Vulnerabilities
More informationTIBCO Cloud Integration Security Overview
TIBCO Cloud Integration Security Overview TIBCO Cloud Integration is secure, best-in-class Integration Platform as a Service (ipaas) software offered in a multi-tenant SaaS environment with centralized
More informationFrequently Asked Questions WPA2 Vulnerability (KRACK)
Frequently Asked Questions WPA2 Vulnerability (KRACK) Release Date: October 20, 2017 Document version: 1.0 What is the issue? A research paper disclosed serious vulnerabilities in the WPA and WPA2 key
More informationRiskSense Attack Surface Validation for Web Applications
RiskSense Attack Surface Validation for Web Applications 2018 RiskSense, Inc. Keeping Pace with Digital Business No Excuses for Not Finding Risk Exposure We needed a faster way of getting a risk assessment
More informationSAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0
Welcome BIZEC Roundtable @ IT Defense, Berlin SAP Security BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0 February 1, 2013 Andreas Wiegenstein CTO, Virtual Forge 2 SAP Security SAP security is a complex
More information1 About Web Security. What is application security? So what can happen? see [?]
1 About Web Security What is application security? see [?] So what can happen? 1 taken from [?] first half of 2013 Let s focus on application security risks Risk = vulnerability + impact New App: http://www-03.ibm.com/security/xforce/xfisi
More informationMobile hacking. Marit Iren Rognli Tokle
Mobile hacking Marit Iren Rognli Tokle 14.11.2018 «Hacker boss Marit» Software Engineer at Sopra Steria Leading TG:Hack, Norways largest hacking competition Leading UiO-CTF with Laszlo Shared 1st place
More informationCh 1: The Mobile Risk Ecosystem. CNIT 128: Hacking Mobile Devices. Updated
Ch 1: The Mobile Risk Ecosystem CNIT 128: Hacking Mobile Devices Updated 1-12-16 The Mobile Ecosystem Popularity of Mobile Devices Insecurity of Mobile Devices The Mobile Risk Model Mobile Network Architecture
More informationEvaluating the Security Risks of Static vs. Dynamic Websites
Evaluating the Security Risks of Static vs. Dynamic Websites Ballard Blair Comp 116: Introduction to Computer Security Professor Ming Chow December 13, 2017 Abstract This research paper aims to outline
More information"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary
Course Summary Description Securing.Net Web Applications - Lifecycle is a lab-intensive, hands-on.net security training course, essential for experienced enterprise developers who need to produce secure.net-based
More informationEffective Strategies for Managing Cybersecurity Risks
October 6, 2015 Effective Strategies for Managing Cybersecurity Risks Larry Hessney, CISA, PCI QSA, CIA 1 Everybody s Doing It! 2 Top 10 Cybersecurity Risks Storing, Processing or Transmitting Sensitive
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More information01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED
01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED Contents 1. Introduction 3 2. Security Testing Methodologies 3 2.1 Internet Footprint Assessment 4 2.2 Infrastructure Assessments
More informationMaaS360 Secure Productivity Suite
MaaS360 Secure Productivity Suite Frequently Asked Questions (FAQs) What is MaaS360 Secure Productivity Suite? MaaS360 Secure Productivity Suite integrates a set of comprehensive mobile security and productivity
More informationSOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications
Enabling and Securing Digital Business in Economy Protect s Serving Business Critical Applications 40 percent of the world s web applications will use an interface Most enterprises today rely on customers
More informationSecure Coding, some simple steps help. OWASP EU Tour 2013
Secure Coding, some simple steps help. OWASP EU Tour 2013 About Me Steven van der Baan - Dutch - 7Safe, part of PA Consulting Group - Developer - Pentester - Consultant - CISSP, OSCP It's amazing how
More informationEngineering Your Software For Attack
Engineering Your Software For Attack Robert A. Martin Senior Principal Engineer Cyber Security Center Center for National Security The MITRE Corporation 2013 The MITRE Corporation. All rights reserved.
More informationManaged Application Security trends and best practices in application security
Managed Application Security trends and best practices in application security Adrian Locusteanu, B2B Delivery Director, Telekom Romania adrian.locusteanu@telekom.ro About Me Adrian Locusteanu is the B2B
More informationDeliver Strong Mobile App Security and the Ultimate User Experience
Deliver Strong Mobile App Security and the Ultimate User Experience The Presenters Will LaSala, Director of Services @ VASCO Will has been with VASCO since 2001 and over the years has been involved in
More informationWeb Application Penetration Testing
Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate
More informationPrecisionAccess Trusted Access Control
Data Sheet PrecisionAccess Trusted Access Control Defeats Cyber Attacks Credential Theft: Integrated MFA defeats credential theft. Server Exploitation: Server isolation defeats server exploitation. Compromised
More informationME?
ME? VULNEX: Blog: Twitter: www.vulnex.com www.simonroses.com @simonroses TALK OBJECTIVES Apps are the new Web Peek into current state of Apps security on Markets Bugs will be revealed but not the victims
More informationProtecting Against Online Fraud. F5 EMEA Webinar August 2014
Protecting Against Online Fraud F5 EMEA Webinar August 2014 Agenda Fraud threat trends and business challenges Web fraud protection Mobile fraud protection Security operations center Example architecture
More informationOWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13
Airlock and the OWASP TOP 10-2017 Version 2.1 11.24.2017 OWASP Top 10 A1 Injection... 3 A2 Broken Authentication... 5 A3 Sensitive Data Exposure... 6 A4 XML External Entities (XXE)... 7 A5 Broken Access
More informationGetting Into Mobile Without Getting Into Trouble
Getting Into Mobile Without Getting Into Trouble Greg Kliewer Senior Solutions Strategist October, 2014 The good old days Network separation No programmatic access from the Public Internet Safety through
More informationSecurity Specification
Security Specification Security Specification Table of contents 1. Overview 2. Zero-knowledge cryptosystem a. The master password b. Secure user authentication c. Host-proof hosting d. Two-factor authentication
More informationHacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK
Hacker Academy Ltd COURSES CATALOGUE Hacker Academy Ltd. LONDON UK TABLE OF CONTENTS Basic Level Courses... 3 1. Information Security Awareness for End Users... 3 2. Information Security Awareness for
More informationAdvanced Diploma on Information Security
Course Name: Course Duration: Prerequisites: Course Fee: Advanced Diploma on Information Security 300 Hours; 12 Months (10 Months Training + 2 Months Project Work) Candidate should be HSC Pass & Basic
More informationCurso: Ethical Hacking and Countermeasures
Curso: Ethical Hacking and Countermeasures Module 1: Introduction to Ethical Hacking Who is a Hacker? Essential Terminologies Effects of Hacking Effects of Hacking on Business Elements of Information Security
More informationSecurity Best Practices. For DNN Websites
Security Best Practices For DNN Websites Mitchel Sellers Who am I? Microsoft MVP, ASPInsider, DNN MVP Microsoft Certified Professional CEO IowaComputerGurus, Inc. Contact Information msellers@iowacomputergurus.com
More informationCISSP CEH PKI SECURITY + CEHv9: Certified Ethical Hacker. Upcoming Dates. Course Description. Course Outline
CISSP CEH PKI SECURITY + CEHv9: Certified Ethical Hacker Learn to find security vulnerabilities before the bad guys do! The Certified Ethical Hacker (CEH) class immerses students in an interactive environment
More informationApplication Security Introduction. Tara Gu IBM Product Security Incident Response Team
Application Security Introduction Tara Gu IBM Product Security Incident Response Team About Me - Tara Gu - tara.weiqing@gmail.com - Duke B.S.E Biomedical Engineering - Duke M.Eng Computer Engineering -
More informationLET S TALK MONEY. Fahad Pervaiz. Sam Castle, Galen Weld, Franziska Roesner, Richard Anderson
LET S TALK MONEY Fahad Pervaiz Sam Castle, Galen Weld, Franziska Roesner, Richard Anderson Unbanked Population Branchless Banking Bank/Financial Institute Bank of America, Standard Chartered Bank Telecommunication
More informationINFORMATION SUPPLEMENT. Use of SSL/Early TLS for POS POI Terminal Connections. Date: June 2018 Author: PCI Security Standards Council
Use of SSL/Early TLS for POS POI Terminal Connections Date: Author: PCI Security Standards Council Table of Contents Introduction...1 Executive Summary...1 What is the risk?...1 What is meant by Early
More informationMobile Devices prioritize User Experience
Mobile Security 1 Uniqueness of Mobile Mobile Devices are Shared More Often Mobile Devices are Used in More Locations Mobile Devices prioritize User Experience Mobile Devices have multiple personas Mobile
More informationWayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk
Wayward Wi-Fi How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk 288 MILLION There are more than 288 million unique Wi-Fi networks worldwide. Source: Wireless Geographic Logging
More informationApplication Security through a Hacker s Eyes James Walden Northern Kentucky University
Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways
More informationSECURITY ON PUBLIC WI-FI New Zealand. A guide to help you stay safe online while using public Wi-Fi
SECURITY ON PUBLIC WI-FI New Zealand A guide to help you stay safe online while using public Wi-Fi WHAT S YOUR WI-FI PASSWORD? Enter password for the COFFEE_TIME Wi-Fi network An all too common question
More informationmacos Security Checklist:
WHITE PAPER macos Security Checklist: implementing the Center for Internet Security Benchmark for macos Recommendations for securing macos The Center for Internet Security (CIS) benchmark for macos is
More informationConsolidated Edition. 5th Annual State of Application Security Report Perception vs. Reality
Consolidated Edition 5th Annual State of Application Security Report Perception vs. Reality January 2016 State of Application Security Report Consolidated Edition 2 Table of Contents Executive Summary...
More informationWHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution
WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution Tervela helps companies move large volumes of sensitive data safely and securely over network distances great and small. We have been
More information10 FOCUS AREAS FOR BREACH PREVENTION
10 FOCUS AREAS FOR BREACH PREVENTION Keith Turpin Chief Information Security Officer Universal Weather and Aviation Why It Matters Loss of Personally Identifiable Information (PII) Loss of Intellectual
More informationEthical Hacking and Countermeasures: Secure Network Operating Systems and Infrastructures, Second Edition
Ethical Hacking and Countermeasures: Secure Network Operating Systems and Infrastructures, Second Edition Chapter 7 Hacking Mobile Phones, PDAs, and Handheld Devices Objectives After completing this chapter,
More informationShiftLeft. Real-World Runtime Protection Benchmarking
ShiftLeft Real-World Runtime Protection Benchmarking Table of Contents Executive Summary... 02 Testing Approach... 02 ShiftLeft Technology... 04 Test Application... 06 Results... 07 SQL injection exploits
More informationOWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example
Proxy Caches and Web Application Security Using the Recent Google Docs 0-Day as an Example Tim Bass, CISSP Chapter Leader, Thailand +66832975101, tim@unix.com AppSec Asia October 21, 2008 Thailand Worldwide
More informationApplication security : going quicker
Application security : going quicker The web application firewall example Agenda Agenda o Intro o Application security o The dev team approach o The infra team approach o Impact of the agility o The WAF
More informationVulnerabilities in online banking applications
Vulnerabilities in online banking applications 2019 Contents Introduction... 2 Executive summary... 2 Trends... 2 Overall statistics... 3 Comparison of in-house and off-the-shelf applications... 6 Comparison
More informationC and C++ Secure Coding 4-day course. Syllabus
C and C++ Secure Coding 4-day course Syllabus C and C++ Secure Coding 4-Day Course Course description Secure Programming is the last line of defense against attacks targeted toward our systems. This course
More informationSHA-1 to SHA-2. Migration Guide
SHA-1 to SHA-2 Migration Guide Web-application attacks represented 40 percent of breaches in 2015. Cryptographic and server-side vulnerabilities provide opportunities for cyber criminals to carry out ransomware
More informationmacos Security Checklist:
WHITE PAPER macos Security Checklist: implementing the Center for Internet Security Benchmark for macos Recommendations for securing macos The Center for Internet Security (CIS) benchmark for macos is
More informationZimperium Global Threat Data
Zimperium Global Threat Report Q2-2017 700 CVEs per Year for Mobile OS 500 300 100 07 08 09 10 11 12 13 14 15 16 17 Outdated ios Outdated ANDROID 1 of 4 Devices Introduces Unnecessary Risk 1 out of 50
More informationF5 Application Security. Radovan Gibala Field Systems Engineer
1 F5 Application Security Radovan Gibala Field Systems Engineer r.gibala@f5.com +420 731 137 223 2007 2 Agenda Challenge Websecurity What are the problems? Building blocks of Web Applications Vulnerabilities
More informationSurvey of Cyber Moving Targets. Presented By Sharani Sankaran
Survey of Cyber Moving Targets Presented By Sharani Sankaran Moving Target Defense A cyber moving target technique refers to any technique that attempts to defend a system and increase the complexity of
More informationKaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services. #truecybersecurity
Kaspersky Enterprise Cybersecurity Kaspersky Security Assessment Services www.kaspersky.com #truecybersecurity Security Assessment Services Security Assessment Services from Kaspersky Lab. the services
More informationPracticeDump. Free Practice Dumps - Unlimited Free Access of practice exam
PracticeDump http://www.practicedump.com Free Practice Dumps - Unlimited Free Access of practice exam Exam : SY0-501 Title : CompTIA Security+ Certification Exam Vendor : CompTIA Version : DEMO Get Latest
More informationWireless LAN Security (RM12/2002)
Information Technology in Education Project Reference Materials Wireless LAN Security (RM12/2002) Infrastructure Division Education Department The Government of HKSAR www.ited.ed.gov.hk December 2002 For
More informationWeb Security 2 https://www.xkcd.com/177/ http://xkcd.com/1323/ Encryption basics Plaintext message key secret Encryp)on Func)on Ciphertext Insecure network Decryp)on Func)on Curses! Foiled again! key Plaintext
More informationHow Secured2 Uses Beyond Encryption Security to Protect Your Data
Secured2 Beyond Encryption How Secured2 Uses Beyond Encryption Security to Protect Your Data Secured2 Beyond Encryption Whitepaper Document Date: 06.21.2017 Document Classification: Website Location: Document
More informationMan-In-The-Browser Attacks. Daniel Tomescu
Man-In-The-Browser Attacks Daniel Tomescu 1 About me Work and education: Pentester @ KPMG Romania Moderator @ Romanian Security Team MSc. Eng. @ University Politehnica of Bucharest OSCP, CREST CRT Interests:
More informationPenetration testing.
Penetration testing Penetration testing is a globally recognized security measure that can help provide assurances that a company s critical business infrastructure is protected from internal or external
More informationAbout DPI-SSL. About DPI-SSL. Functionality. Deployment Scenarios
DPI-SSL About DPI-SSL Configuring Client DPI-SSL Settings Configuring Server DPI-SSL Settings About DPI-SSL About DPI-SSL Functionality Deployment Scenarios Customizing DPI-SSL Connections per Appliance
More informationDon t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel
Don t blink or how to create secure software Bozhidar Bozhanov, CEO @ LogSentinel About me Senior software engineer and architect Founder & CEO @ LogSentinel Former IT and e-gov advisor to the deputy prime
More informationWeb insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.
Web Security Web Programming Uta Priss ZELL, Ostfalia University 2013 Web Programming Web Security Slide 1/25 Outline Web insecurity Security strategies General security Listing of server-side risks Language
More informationWhen providing a native mobile app ruins the security of your existing web solution. CyberSec Conference /11/2015 Jérémy MATOS
When providing a native mobile app ruins the security of your existing web solution CyberSec Conference 2015 05/11/2015 Jérémy MATOS whois securingapps Developer background Spent last 10 years working
More informationSolutions Business Manager Web Application Security Assessment
White Paper Solutions Business Manager Solutions Business Manager 11.3.1 Web Application Security Assessment Table of Contents Micro Focus Takes Security Seriously... 1 Solutions Business Manager Security
More informationOWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP
OWASP Top 10 Risks Dean.Bushmiller@ExpandingSecurity.com Many thanks to Dave Wichers & OWASP My Mom I got on the email and did a google on my boy My boy works in this Internet thing He makes cyber cafes
More informationMitigating Security Breaches in Retail Applications WHITE PAPER
Mitigating Security Breaches in Retail Applications WHITE PAPER Executive Summary Retail security breaches have always been a concern in the past, present and will continue to be in the future. They have
More informationComputer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks
Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition Chapter 3 Investigating Web Attacks Objectives After completing this chapter, you should be able to: Recognize the indications
More informationMOBILE THREAT PREVENTION
MOBILE THREAT PREVENTION BEHAVIORAL RISK ANALYSIS AN ADVANCED APPROACH TO COMPREHENSIVE MOBILE SECURITY Accurate threat detection and efficient response are critical components of preventing advanced attacks
More informationThe SANS Institute Top 20 Critical Security Controls. Compliance Guide
The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise
More informationEn partenariat avec CA Technologies. Genève, Hôtel Warwick,
SIGS Afterwork Event in Geneva API Security as Part of Digital Transformation Projects The role of API security in digital transformation Nagib Aouini, Head of Cyber Security Services Defense & Cyber Security
More informationSOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management
SOLUTION BRIEF CA API MANAGEMENT Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management 2 SOLUTION BRIEF ENABLE AND PROTECT YOUR WEB APPLICATIONS WITH CA API MANAGEMENT ca.com
More informationMOBILE THREAT LANDSCAPE. February 2018
MOBILE THREAT LANDSCAPE February 2018 WHERE DO MOBILE THREATS COME FROM? In 2017, mobile applications have been a target of choice for hackers to access and steal data, with 86% of mobile threats coming
More informationEthical Hacking and Prevention
Ethical Hacking and Prevention This course is mapped to the popular Ethical Hacking and Prevention Certification Exam from US-Council. This course is meant for those professionals who are looking for comprehensive
More informationWhat someone said about junk hacking
What someone said about junk hacking Yes, we get it. Cars, boats, buses, and those singing fish plaques are all hackable and have no security. Most conferences these days have a! whole track called "Junk
More informationGUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.
Report on IRONWASP Software Product: IronWASP Description of the Product: IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing.
More informationCertified Secure Web Application Security Test Checklist
www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands Certified Secure Checklist About Certified Secure exists to encourage and fulfill
More informationStudents should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:
Secure Java Web Application Development Lifecycle - SDL (TT8325-J) Day(s): 5 Course Code: GK1107 Overview Secure Java Web Application Development Lifecycle (SDL) is a lab-intensive, hands-on Java / JEE
More informationWhy bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?
Jeroen van Beek 1 Why bother? Causes of data breaches OWASP Top ten attacks Now what? Do it yourself Questions? 2 In many cases the web application stores: Credit card details Personal information Passwords
More informationWho Am I? Mobile Security chess board - Attacks & Defense. Mobile Top 10 - OWASP. Enterprise Mobile Cases
Who Am I? hemil@espheresecurity.net http://www.espheresecurity.com Tweet - @espheresecurity Mobile Security chess board - Attacks & Defense Hemil Shah hemil@espheresecurity.net Past experience HBO, KPMG,
More information