Keeping Secrets
In the vast Internet of Things
Zisher Mob::Web::Sec
Ipsilon Group
Kelly Robertson
Agenda
M-Days
Part One
• What are the stakes today?
• We are vulnerable and dependent
• Current InfoSec cannot reach the New Reality
• Motivations for mis-trust
• As the world turns…
Part Two
• Software Development – Secure by Design
Part Three
• Solutions for organizations and end users
The sun rises and sets the same on the Good and the Bad
• Brightest Flashlight Free
• Jekyll on iOS
• Pinskimmer
• FireSheep and Faceniff
The Heartbleed Bug
• SSL/TLS is used for email, banking, e-commerce and privacy throughout the Internet
• Attackers could eavesdrop on communications, steal identities and data
• Leave-no-trace, long exposure, ease-of-exploit
SnapChat
• 4.6 Million usernames and phone numbers
• Anonymous posted this information and said:
“You are downloading 4.6 million users’ phone number
information, along with their usernames. People tend to use the
same username around the web so you can use this information
to find phone number information associated with Facebook and
Twitter accounts, or simply to figure out the phone numbers of
people you wish to get in touch with.”
PlaceRaider
• Very Scary Smartphone Malware
• US Naval Surface Warfare Center and University of Indiana
• An Android app that secretly records and reconstructs a user’s environment as a 3D virtual model
The Mask
• 380+ Targets in 31 countries over 7 years
• One of the most sophisticated attacks ever
• Intercepts network traffic, Skype, PGP Keys, Wi-Fi traffic, keystrokes, screen captures, encryption keys, and more
• Three separate backdoors in Win 32/64 + Mac OS using sophisticated Malware, a bootkit and a rootkit
• The iPad and Android versions are very difficult to trace:
Date: Wed, 15 May 2013 23:34:01 +0000
Remote IP Address: 200.x.x.x
** User Agent
Browser User Agent String:
Browser Name: iPad
Information Security Today
• Encryption
• Authentication
• DNSsec
• VPN
• SoftToken
• Anti-virus
• Anti-Malware
• Biometrics
• NG Firewalls
• Intrusion Detection
• Threat Feeds
• Manned SOCs
• Forensics
• And so forth…
Mobile Web Apps
• Porous trust boundaries
– Inherit trust/data from other components
• App store curator, Operating Systems and APIs
• Physically vulnerable to booted-rooted attack
• Lots of sensors and sensitive user data
• User’s unwarranted trust
• Client server paradigm – no control from server
• Bluetooth, Baseband, Wi-Fi, RF “always on”
• Jailbroken or rooted phones subvert controls
Mobile Web Apps
Platform Details
• iOS apps run on Objective C
– Hybrid C++ and a message parser
– Introduces data leakage vulnerability
– Special ‘extractors’ can harvest logic and class declarations – details that hackers exploit
– The end user can decompile an app for symmetric keys – a component of secure transactions
– Anti-tamper measures, using C++ wherever possible, and generic declarations can mitigate much of this
Mobile Web Apps
Platform Details
• Android runs on Java and Dalvik
• Susceptible to ‘repackaging’ exploit
• Vulnerable to web proxy spoofing
• Allows SD cards
• But, Java is a type-safe language
• Class library is well-established
• Secure mobile abstraction when coded right
– Automotive
• 100 million lines of code per car now
• 100 + ECUs
– Body-borne computing
• Health monitoring
• Behavior monitoring
• Vision
• Fashion
– Eyeglasses
– Nanorobotics – molecular scale
Science Fiction
is now…
Thank you…
kelly@zisher.com
This presentation has been brought to you by
Zisher Mob::Web::Sec
In collaboration with the
Ipsilon Group
Keeping Secrets
In the vast Internet of Things
Zisher Mob::Web::Sec
Ipsilon Group
Kelly Robertson
Secure Software Development LifeCycle
“Enemies may face off for years, only to have the outcome decided in a single day.”
Sun Tzu
The Art of War
Secure Software Development LifeCycle
“The totally awakened warrior can freely utilize all of the elements contained in Heaven and Earth…with enlightened wisdom and deep calm.”
Morihei Ueshiba
The Art of Peace
Vibrant and Joyful
Secure
Software Development LifeCycle
Design
Model Threats
Develop
Test
Deploy
Validate
Upgrade
Patch
Education at every step of the way…
• Teach
• Coach
• Validate
• Iterate
Developing Developers
Align with your business goals
From the Book of Five Rings:
• Empty as space
• Hard as a diamond
• Flexible as a willow in the wind
• Smooth flowing like water
Be organized, but take it easy
Two stages: Document, then Prioritize
The Seven Pernicious Kingdoms
Taxonomy of SW Security Errors
OWASP
• Input validation and response
• API Abuse
• Security Features
• Time and State
• Error Handling
• Code Quality
• Encapsulation
Threat Modeling Techniques
Scoping attack surfaces and trust boundaries
Secure software does only its job
Top down and bottom up
Threat priority = Severity + Probability
• Movie Plotting
• Attack Trees
• S.T.R.I.D.E.
– Spoofing, Tampering, Repudiation, Information Disclosure (InfoLeak), Denial of Service and Elevation of Privilege
Spoofing
Impersonation:
• Sites
• Applications
• Users or Roles
• Components
• Machines
Tampering
Manipulation
• Configuration
• Files
• Databases
• Memory
• Networks or protocols
Repudiation
Deception and Denial
• Business logic
• Logs and forensics
• Payment methods
Information Disclosure
Leaks can happen at every layer
• Error codes
• Obscure files or descriptive file names
• Data flow
Denial of Service
Difficult to monetize, easier to defend than ever
• Brute force (amplified)
• Persistent (under the radar)
• Logic tripwires can alert
Elevation of Privilege
Always a top goal
• Bugs
• Configurations
• Authentication
• Corrupted process
• Memory
• Session hijacking
The Four Pillars of Priority
Quantified, now qualified
• Resolve it - Mitigate
• Get rid of it - Eliminate
• Deflect it - Transfer
• Live with it - Accept the risk and move on…
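The deck's threat-modeling recipe carried through in code, as an added worked example that is not part of the presentation: S.T.R.I.D.E. for classification, an attack tree to estimate probability, the deck's "Threat priority = Severity + Probability" formula, and one of the Four Pillars assigned to every threat in the "Document, then Prioritize" order. The 1..5 scales, the pillar decision rule and the sample threats and figures are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
from math import prod
from typing import List, Optional, Sequence, Set


class Stride(Enum):  # the S.T.R.I.D.E. categories as the deck lists them
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFO_LEAK = "Information Disclosure"
    DOS = "Denial of Service"
    EOP = "Elevation of Privilege"


class Pillar(Enum):  # the Four Pillars of Priority: what to do with a scored threat
    MITIGATE = "Resolve it - Mitigate"
    ELIMINATE = "Get rid of it - Eliminate"
    TRANSFER = "Deflect it - Transfer"
    ACCEPT = "Live with it - Accept the risk"


@dataclass
class AttackTree:
    """Attack-tree node: a LEAF carries an estimated probability, an AND node
    needs every child step to succeed, an OR node needs any one of them."""
    goal: str
    kind: str = "LEAF"
    probability: float = 0.0                 # used only by leaves
    children: Sequence[AttackTree] = ()

    def likelihood(self) -> float:
        if self.kind == "LEAF":
            return self.probability
        ps = [c.likelihood() for c in self.children]
        if self.kind == "AND":
            return prod(ps)
        if self.kind == "OR":                # goal fails only if every branch fails
            return 1.0 - prod(1.0 - p for p in ps)
        raise ValueError(f"unknown node kind {self.kind!r}")


def probability_score(likelihood: float) -> int:
    """Map a 0..1 likelihood onto the 1..5 probability scale (constructed scale)."""
    return max(1, min(5, int(likelihood * 5) + 1))


@dataclass
class Threat:
    title: str
    category: Stride
    severity: int                            # 1 (nuisance) .. 5 (catastrophic), constructed
    probability: int                         # 1 (unlikely) .. 5 (expected), constructed
    pillar: Optional[Pillar] = None

    @property
    def priority(self) -> int:
        # The deck's formula: Threat priority = Severity + Probability
        return self.severity + self.probability


def document(entries: Sequence[tuple]) -> List[Threat]:
    """Stage one, 'Document': record every threat before judging any of them."""
    return [Threat(*e) for e in entries]


def prioritize(threats: List[Threat], removable: Set[str] = frozenset(),
               insurable: Set[str] = frozenset(), accept_below: int = 5) -> List[Threat]:
    """Stage two, 'Prioritize': rank by priority and assign one pillar each.
    Constructed rule, not the deck's: a droppable feature is ELIMINATED, an insurable
    loss is TRANSFERRED, a score under accept_below is ACCEPTED, the rest MITIGATED."""
    for t in threats:
        if t.title in removable:
            t.pillar = Pillar.ELIMINATE
        elif t.title in insurable:
            t.pillar = Pillar.TRANSFER
        elif t.priority < accept_below:
            t.pillar = Pillar.ACCEPT
        else:
            t.pillar = Pillar.MITIGATE
    return sorted(threats, key=lambda t: (-t.priority, t.title))


# Constructed sample for a mobile web app; every figure below is illustrative.
SESSION_THEFT = AttackTree("steal a user session", "OR", children=[
    AttackTree("sniff the token on open Wi-Fi", probability=0.3),
    AttackTree("read the token from a rooted device", "AND", children=[
        AttackTree("user has rooted the phone", probability=0.2),
        AttackTree("token stored unencrypted", probability=0.9),
    ]),
])

SAMPLE = [
    ("session hijacking", Stride.EOP, 5, probability_score(SESSION_THEFT.likelihood())),
    ("error pages leak stack traces", Stride.INFO_LEAK, 2, 4),
    ("config file on SD card can be edited", Stride.TAMPERING, 4, 3),
    ("amplified brute-force DoS", Stride.DOS, 3, 2),
    ("no audit log for payments", Stride.REPUDIATION, 3, 1),
]


def run_model() -> List[Threat]:
    return prioritize(document(SAMPLE),
                      removable={"config file on SD card can be edited"},
                      insurable={"amplified brute-force DoS"})
```

`run_model()` returns the register ranked by priority with a pillar on each entry; the attack tree feeds the probability term for the session-hijacking threat (OR of an open-Wi-Fi sniff and a rooted-device AND branch).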
Education
Computer based training – SCORM compliant
On-line resources – OWASP and SlideShare
Universities – more and more, but still light
Security and other Vendors
Conferences
Boutique Educators, Specialists and Authors
Elevation of Privilege
M-Days
The Game:
• Awareness
• Education
• Conversation
• Strategy
• Play once a week!
Static Code Analysis
The process of assessing code without executing it.
“No single technique is a Silver Bullet. The best that a code review can uncover is about 50% of the security problems”
Gary McGraw, Ph.D
Cigital
SAST
The Good, The Bad and The Ugly
• Thorough, consistent analysis
• Finds root cause much of the time
• Can catch security flaws early
• Great for checking lots of lines of code and branches
But…
• Signal to noise ratio can dull the effectiveness
• Can interrupt creativity and workflow
• Can’t analyze architectural problems
And…
• Algorithms cannot completely analyze algorithms
• Writing for language parsers is hard – dialects make it worse
Static Code Analysis
What to look for. . .
• Alignment with workflow, creativity, culture
• Ultimate cost savings and revenue generation
• Source code versus compiled code
• Simultaneous analysis, multi-branch, languages
• Dependency injection
• Configuration files
• Service-oriented architecture (SOA)
• Trade off between speed and depth/accuracy
• Can code be developed while under analysis?
Static Code Analysis
What to do with the output…
• Must be vetted by a human analyst
– Bug filing, reporting, taint analysis, training
• Compliance officer can be very helpful
• Most effective and least costly during development
• Should drive education, training and coaching
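What "assessing code without executing it" looks like in practice, as an added example that is not from the deck or from any SAST product: a small intraprocedural taint checker built on Python's ast module, which follows assignments in source order and reports a sink fed by data that came from an untrusted source without passing a sanitizer. The source, sink and sanitizer lists and the program it reviews are constructed assumptions.

```python
import ast
from typing import List, Set, Tuple

# Constructed taint policy (an assumption, not from the deck): where untrusted
# data enters, where it must never arrive unchecked, and what cleans it.
SOURCES = {"request.args.get", "request.form.get", "input"}
SINKS = {"os.system", "subprocess.call", "cursor.execute", "eval"}
SANITIZERS = {"shlex.quote", "int", "html.escape"}


def dotted_name(node: ast.AST) -> str:
    """Render a call target such as os.system or request.args.get as text."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


class TaintChecker(ast.NodeVisitor):
    """Path-insensitive, intraprocedural taint tracker: it follows assignments
    in source order (no branch reasoning) and flags sinks fed by tainted data."""

    def __init__(self) -> None:
        self.tainted: Set[str] = set()             # names holding untrusted data
        self.findings: List[Tuple[int, str]] = []  # (line number, message)

    def is_tainted(self, expr: ast.AST) -> bool:
        """Taint propagates through names, calls, f-strings and concatenation."""
        if isinstance(expr, ast.Name):
            return expr.id in self.tainted
        if isinstance(expr, ast.Call):
            target = dotted_name(expr.func)
            if target in SOURCES:
                return True
            if target in SANITIZERS:
                return False                       # a sanitizer cleans its argument
            return any(self.is_tainted(a) for a in expr.args)
        if isinstance(expr, ast.JoinedStr):        # f-string
            return any(self.is_tainted(v.value) for v in expr.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(expr, ast.BinOp):            # "..." + user_input
            return self.is_tainted(expr.left) or self.is_tainted(expr.right)
        return False

    def visit_Assign(self, node: ast.Assign) -> None:
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)  # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        target = dotted_name(node.func)
        if target in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append((node.lineno, f"untrusted data reaches {target}"))
        self.generic_visit(node)


def analyze(source: str) -> List[Tuple[int, str]]:
    """Run the checker over one module's source text; nothing is executed."""
    checker = TaintChecker()
    checker.visit(ast.parse(source))
    return checker.findings


# Constructed sample under review. Lines 5 and 9 should be reported; lines 7
# and 11 go through a sanitizer first and line 12 never touches user input.
SAMPLE_PROGRAM = '''
import os, shlex, subprocess
def handler(request, cursor):
    host = request.args.get("host")
    os.system("ping -c 1 " + host)
    safe = shlex.quote(host)
    os.system("ping -c 1 " + safe)
    uid = request.args.get("id")
    cursor.execute(f"SELECT * FROM users WHERE id={uid}")
    uid = int(uid)
    cursor.execute(f"SELECT * FROM users WHERE id={uid}")
    subprocess.call(["ls", "-l"])
'''
```

`analyze(SAMPLE_PROGRAM)` returns the two hits; they still have to be vetted by a human analyst, and the branch-blind tracking is exactly the kind of simplification behind the signal-to-noise problem the slides warn about.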
Call-to-Action
Institutional
Integrate a Web Application Firewall into the SDLC
• WAF in this case is a network-based proxy
• Usually an appliance but can be Cloud or SW
• PCI standards considered WAF as an acceptable alternative to securing the code
• Often run by network engineers or network security practitioners, not developers
WAF
The Good, The Bad and The Ugly
• Web apps are accessed by legitimate traffic only
• Reconnaissance, application behavior and forensics
• Excellent for compliance and information assurance
But…
• Legitimate traffic can be malicious
• Susceptible to protocol-level evasions of many types and classes
• Automated vulnerability scanning alone is not enough
• Manual analysis is required to ensure accuracy
• APT and Business Logic often require human intervention
And…
• Continuous & accurate tuning is hard
Call-to-Action
Institutional
Employ Mobile Device Management
• Data containers
• Black listing
• Remote wipe
• Find a device
• Secure provisioning
• Corporate app store
• Compliance reporting
• Jailbreak detection
• Patch management
• Crypto libraries
• Authentication
• CA integration
• Firewall
• Anti-virus
MDM
The Good, The Bad and The Ugly
• MDM evolved from mobile network operators
• Agent-based with a control server
• Audit for compliance
• Provisioning is key, including bricking, wiping
But…
• BYOD means anything goes
• Users are a very big problem
And…
• Variances between vendors are wildly different
• User behavior is usually tracked
Call-to-Action
Personally, what can you do for yourself?
Choose the source of your application carefully
Question the app’s need to share location/contact
Why does this app want to login with FB, et al.?
Don’t: Keep me logged in OR remember me
Don’t save passwords
Do: use a secure browser – WhiteHat Aviator
Don’t click on the dancing pig…
Click on the
Dancing Pig!
“The applet DANCING PIGS could contain malicious code that might do permanent damage to your computer, steal your life's savings, and impair your ability to have children.”
Thank you…
kelly@zisher.com
This presentation has been brought to you by
Zisher Mob::Web::Sec
In collaboration with the
Ipsilon Group
Bibliography
• Secure Programming with Static Analysis – Chess and West
• The Tangled Web – A guide to securing modern web applications – Michal Zalewski
• Threat Modeling – Designing for Security – Adam Shostack
• Mobile Hacking Exposed – Bergman, Stanfield, Rouse, Scambray
• Application Security for the Android Platform – Jeff Six
• Hacking and Securing iOS Applications – Jonathan Zdziarski
• Mobile Application Security – Dwivedi, Clark, Thiel
• The Art of War – Sun Tzu
• The Art of Peace – Morihei Ueshiba
• The Book of Five Rings – Miyamoto Musashi
• Chinese Industrial Espionage: Technology Acquisition and Military Modernisation – Hannas, Mulvenon, Puglisi
Bibliography – Web page 1
• http://users.ece.cmu.edu taint-analysis-overview.pdf
• http://blogs.wsj.com 5-ways-hackers-exploit-our-bad-byod-habits
• http://www.gartner.com/technology/reprints.do?id=1-1FRVS5W&ct=130524&st=sb
• http://www.pcmag.com/article2/0,2817,2455172,00.asp
• Hpenterprisesecurity.com
Bibliography – Web page 2
• http://techcrunch.com/2014/02/19/facebooks-whatsapp-acquisition-snapchat/
• http://www.kaspersky.com/about/news/virus/2014/Kaspersky-Lab-Uncovers-The-Mask-One-of-the-Most-Advanced-Global-Cyber-espionage-Operations-to-Date-Due-to-the-Complexity-of-the-Toolset-Used-by-the-Attackers
• https://sites.google.com/site/droidful/android-and-java
• https://sites.google.com/site/droidful/developm/android-sdk
• http://androidforums.com/nexus-7-2013/831394-art-vs-dalvik.html
• https://www.google.com/search?client=safari&rls=en&q=android+repackaging+hacks&ie=UTF-8&oe=UTF-8
Bibliography – Web page 3
• http://www.slideshare.net/DefCamp/defcamp-2013-android-hacking-techniques
• http://www.xyu.io/2013/07/proxies-ip-spoofing/
• http://www.bbc.com/news/technology-27703318 – ransomware article for SD cards on Android
• http://stackoverflow.com/questions/260626/what-is-type-safe
• http://en.wikipedia.org/wiki/Java_Class_Library
• http://docs.oracle.com/javase/7/docs/api/java/security/package-summary.html
• http://en.softonic.com/s/mobile-security-software:java
• http://www.amazon.com/Oracle-Secure-Standard-Software-Engineering/dp/0321803957
Bibliography – Web page 4
• http://www.sans.org/course/secure-coding-java-jee-developing-defensible-applications#results
• http://www.sans.org/top25-software-errors/
• http://spectrum.ieee.org/transportation/systems/this-car-runs-on-code
• http://link.springer.com/article/10.1023/A:1021152023349 – cool articles on nano technology
• https://cwe.mitre.org/documents/sources/SevenPerniciousKingdoms.pdf
• http://en.wikipedia.org/wiki/Movie_plot_threat
• http://msdn.microsoft.com/en-us/magazine/cc163519.aspx
• http://stackoverflow.com/questions/3334578/what-is-dependency-injection
• http://www.amazon.com/Service-Oriented-Architecture-Dummies-Edition/dp/0470376848/
Bibliography – Web page 5
• http://www.se-radio.net – outstanding codecasts
• http://stackoverflow.com/questions/2026523/what-is-soa-in-plain-english
• http://searchsoa.techtarget.com/definition/service-oriented-architecture
• http://en.wikipedia.org/wiki/Taint_checking
• http://krebsonsecurity.com/2014/05/complexity-as-the-enemy-of-security/comment-page-1/
• http://www.bankinfosecurity.com/disagreement-on-target-breach-cause-a-6491/op-1
• https://corporate.target.com/about/shopping-experience/payment-card-issue-FAQ.aspx#q5874
• http://www.nytimes.com/2014/02/27/business/target-reports-on-fourth-quarter-earnings.html?_r=0

Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...Shane Coughlan
 

Kürzlich hochgeladen (20)

W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
BUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptxBUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptx
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
 
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verifiedSector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 

Keeping Secrets on the Internet of Things - Mobile Web Application Security

  • 8. Information Security Today
    • Encryption
    • Authentication
    • DNSsec
    • VPN
    • SoftToken
    • Anti-virus
    • Anti-Malware
    • Biometrics
    • NG Firewalls
    • Intrusion Detection
    • Threat Feeds
    • Manned SOCs
    • Forensics
    • And so forth…
  • 9. Information Security Today
    • Encryption
    • Authentication
    • DNSsec
    • VPN
    • SoftToken
    • Anti-virus
    • Anti-Malware
    • Biometrics
    • NG Firewalls
    • Intrusion Detection
    • Threat Feeds
    • Manned SOCs
    • Forensics
    • And so forth…
  • 10. Mobile Web Apps
    • Porous trust boundaries – inherit trust/data from other components
    • App store curator, Operating Systems and APIs
    • Physically vulnerable to booted-rooted attack
    • Lots of sensors and sensitive user data
    • User’s unwarranted trust
    • Client server paradigm – no control from server
    • Bluetooth, Baseband, Wi-Fi, RF “always on”
    • Jailbroken or rooted phones subvert controls
  • 11. Mobile Web Apps Platform Details
    • iOS apps run on Objective C
      – Hybrid C++ and a message parser
      – Introduces data leakage vulnerability
      – Special ‘extractors’ can harvest logic and class declarations – details that hackers exploit
      – The end user can decompile an app for symmetric keys – a component of secure transactions
      – Anti-tamper, use C++ wherever possible and generic declarations can mitigate much
  • 12. Mobile Web Apps Platform Details
    • Android runs on Java and Dalvik
    • Susceptible to ‘repackaging’ exploit
    • Vulnerable to web proxy spoofing
    • Allows SD cards
    • But, Java is a type-safe language
    • Class library is well-established
    • Secure mobile abstraction when coded right
  • 13. Science Fiction is now…
    – Automotive
      • 100 million lines of code per car now
      • 100 + ECUs
    – Body-borne computing
      • Health monitoring
      • Behavior monitoring
      • Vision
      • Fashion – Eyeglasses
    – Nanorobotics – molecular scale
  • 14. Thank you… kelly@zisher.com This presentation has been brought to you by Zisher Mob::Web::Sec In collaboration with the Ipsilon Group
  • 15. Keeping Secrets In the vast Internet of Things Zisher Mob::Web::Sec Ipsilon Group Kelly Robertson
  • 16. Secure Software Development LifeCycle “Enemies may face off for years, only to have the outcome decided in a single day.” Sun Tzu The Art of War
  • 17. Secure Software Development LifeCycle “The totally awakened warrior can freely utilize all of the elements contained in Heaven and Earth…with enlightened wisdom and deep calm.” Morihei Ueshiba, The Art of Peace. Vibrant and Joyful
  • 18. Secure Software Development LifeCycle
    Design → Model Threats → Develop → Test → Deploy → Validate → Upgrade → Patch
    Education at every step of the way…
    • Teach
    • Coach
    • Validate
    • Iterate
  • 19. Developing Developers
    Align with your business goals
    From the Book of Five Rings:
    • Empty as space
    • Hard as a diamond
    • Flexible as a willow in the wind
    • Smooth flowing like water
    Be organized, but take it easy
    Two stages: Document, then Prioritize
  • 20. The Seven Pernicious Kingdoms – Taxonomy of SW Security Errors (OWASP)
    • Input validation and response
    • API Abuse
    • Security Features
    • Time and State
    • Error Handling
    • Code Quality
    • Encapsulation
  • 21. Threat Modeling Techniques
    Secure software does only its job
    Top down and bottom up
    Scoping attack surfaces and trust
    Threat priority = Severity + Probability
    Movie Plotting
  • 22.
  • 23. Threat Modeling Techniques
    Scoping attack surfaces and trust boundaries
    Secure software does only its job
    Top down and bottom up
    Threat + Severity + Probability
    • Movie Plotting
    • Attack Trees
  • 24.
  • 25. Threat Modeling Techniques
    Scoping attack surfaces and trust boundaries
    Secure software does only its job
    Top down and bottom up
    Threat + Severity + Probability
    • Movie Plotting
    • Attack Trees
    • S.T.R.I.D.E. – Spoofing, Tampering, Repudiation, InfoLeak, Denial of Service and Elevation of Privilege
  • 26. Spoofing – Impersonation:
    • Sites
    • Applications
    • Users or Roles
    • Components
    • Machines
  • 27. Tampering – Manipulation:
    • Configuration
    • Files
    • Databases
    • Memory
    • Networks or protocols
  • 28. Repudiation – Deception and Denial:
    • Business logic
    • Logs and forensics
    • Payment methods
  • 29. Information Disclosure – Leaks can happen at every layer:
    • Error codes
    • Obscure files or descriptive file names
    • Data flow
  • 30. Denial of Service – Difficult to monetize, easier to defend than ever:
    • Brute force (amplified)
    • Persistent (under the radar)
    • Logic tripwires can alert
  • 31. Elevation of Privilege – Always a top goal:
    • Bugs
    • Configurations
    • Authentication
    • Corrupted process
    • Memory
    • Session hijacking
  • 32. The Four Pillars of Priority – Quantified, now qualified:
    • Resolve it – Mitigate
    • Get rid of it – Eliminate
    • Deflect it – Transfer
    • Live with it – Accept the risk and move on…
  • 33. Education
    Computer based training – SCORM compliant
    On-line resources – OWASP and SlideShare
    Universities – more and more, but still light
    Security and other Vendors
    Conferences
    Boutique Educators, Specialists and Authors
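The STRIDE categories, attack-tree scoping and the "Threat priority = Severity + Probability" rule from the threat-modeling slides above, carried through in working code as an added example (not code from the deck). The attack-tree combination rules (OR: any branch succeeds, AND: every step is needed), the 1..5 scoring scale and the sample mobile-app threats are assumptions made for this example.

```python
"""Threat-model bookkeeping: STRIDE threats, an attack tree, and priority.

Added example, not code from the deck. It applies the deck's own rule
(priority = severity + probability) and its four dispositions; the attack-tree
combination rules and the 1..5 scale are assumptions made for the example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Stride(Enum):
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFO_DISCLOSURE = "Information Disclosure"
    DENIAL_OF_SERVICE = "Denial of Service"
    ELEVATION = "Elevation of Privilege"


class Disposition(Enum):  # the deck's "Four Pillars of Priority"
    MITIGATE = "Resolve it"
    ELIMINATE = "Get rid of it"
    TRANSFER = "Deflect it"
    ACCEPT = "Live with it"


@dataclass
class AttackNode:
    """One node of an attack tree. Leaves carry the estimated chance that the
    attacker completes that step; inner nodes combine their children."""
    name: str
    probability: float = 0.0                 # used only by leaves
    children: List["AttackNode"] = field(default_factory=list)
    all_required: bool = False               # True = AND node, False = OR node

    def likelihood(self) -> float:
        if not self.children:
            return self.probability
        probs = [child.likelihood() for child in self.children]
        if self.all_required:                # AND: every step must succeed
            result = 1.0
            for p in probs:
                result *= p
            return result
        fail_all = 1.0                       # OR: fails only if every branch fails
        for p in probs:
            fail_all *= 1.0 - p
        return 1.0 - fail_all


def to_score(likelihood: float) -> int:
    """Map a 0..1 likelihood onto the assumed 1..5 probability scale."""
    return max(1, min(5, int(likelihood * 5) + 1))


@dataclass
class Threat:
    category: Stride
    description: str
    severity: int                            # 1 (nuisance) .. 5 (catastrophic)
    probability: int                         # 1 (unlikely) .. 5 (near certain)
    disposition: Optional[Disposition] = None

    @property
    def priority(self) -> int:
        # The deck's rule: Threat priority = Severity + Probability
        return self.severity + self.probability


def rank_threats(threats: List[Threat]) -> List[Threat]:
    """Highest priority first; ties broken by severity, then description."""
    return sorted(threats, key=lambda t: (-t.priority, -t.severity, t.description))


def needs_decision(threats: List[Threat]) -> List[Threat]:
    """Threats that still lack one of the four dispositions."""
    return [t for t in threats if t.disposition is None]


def build_example_model():
    """Constructed sample: a mobile app that caches a session token on the
    device (the deck's booted-rooted and session-hijacking concerns)."""
    steal_token = AttackNode("read cached session token", all_required=True, children=[
        AttackNode("device is rooted or jailbroken", probability=0.3),
        AttackNode("token stored readable in app storage", probability=0.8),
    ])                                       # AND: 0.3 * 0.8 = 0.24
    sniff_token = AttackNode("observe token on open Wi-Fi", all_required=True, children=[
        AttackNode("app sends token without TLS", probability=0.1),
        AttackNode("victim uses an untrusted Wi-Fi network", probability=0.5),
    ])                                       # AND: 0.1 * 0.5 = 0.05
    hijack = AttackNode("hijack user session", children=[steal_token, sniff_token])
    # OR: 1 - (1 - 0.24) * (1 - 0.05) = 0.278 -> probability score 2
    threats = [
        Threat(Stride.ELEVATION, "session hijacking via cached token",
               severity=4, probability=to_score(hijack.likelihood())),
        Threat(Stride.INFO_DISCLOSURE, "error pages reveal component versions",
               severity=2, probability=4, disposition=Disposition.MITIGATE),
        Threat(Stride.DENIAL_OF_SERVICE, "amplified brute force against login",
               severity=3, probability=2, disposition=Disposition.TRANSFER),
        Threat(Stride.REPUDIATION, "payment reversal without an audit trail",
               severity=3, probability=1, disposition=Disposition.ACCEPT),
    ]
    return hijack, threats
```

Calling `rank_threats` on the sample puts the two priority-6 threats first, and `needs_decision` flags the session-hijacking threat as the one still awaiting a disposition.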
  • 34. Elevation of Privilege – M-Days
    The Game:
    • Awareness
    • Education
    • Conversation
    • Strategy
    • Play once a week!
  • 35. Static Code Analysis
    The process of assessing code without executing it.
    “No single technique is a Silver Bullet. The best that a code review can uncover is about 50% of the security problems” – Gary McGraw, Ph.D., Cigital
  • 36. SAST – The Good, The Bad and The Ugly
    • Thorough, consistent analysis
    • Finds root cause much of the time
    • Can catch security flaws early
    • Great for checking lots of lines of code and branches
    But..
    • Signal to noise ratio can dull the effectiveness
    • Can interrupt creativity and workflow
    • Can’t analyze architectural problems
    And…
    • Algorithms cannot completely analyze algorithms
    • Writing for language parsers is hard – dialects make it worse
  • 37. Static Code Analysis – What to look for. . .
    • Alignment with workflow, creativity, culture
    • Ultimate cost savings and revenue generation
    • Source code versus compiled code
    • Simultaneous analysis, multi-branch, languages
    • Dependency injection
    • Configuration files
    • Service-oriented architecture (SOA)
    • Trade off between speed and depth/accuracy
    • Can code be developed while under analysis?
  • 38. Static Code Analysis – What to do with the output…
    • Must be vetted by a human analyst – bug filing, reporting, taint analysis, training
    • Compliance officer can be very helpful
    • Most effective and least costly during development
    • Should drive education, training and coaching
  • 39. Call-to-Action – Institutional
    Integrate a Web Application Firewall into the SDLC
    • WAF in this case is a network-based proxy
    • Usually an appliance but can be Cloud or SW
    • PCI standards considered WAF as an acceptable alternative to securing the code
    • Often run by network engineers or network security practitioners, not developers
  • 40. WAF – The Good, The Bad and The Ugly
    • Web apps are accessed by legitimate traffic only
    • Reconnaissance, application behavior and forensics
    • Excellent for compliance and information assurance
    But..
    • Legitimate traffic can be malicious
    • Susceptible to protocol-level evasions of many types and classes
    • Automated vulnerability scanning alone is not enough
    • Manual analysis is required to ensure accuracy
    • APT and Business Logic often require human intervention
    And…
    • Continuous & accurate tuning is hard
  • 41. Call-to-Action – Institutional
    Employ Mobile Device Management
    • Data containers
    • Black listing
    • Remote wipe
    • Find a device
    • Secure provisioning
    • Corporate app store
    • Compliance reporting
    • Jailbreak detection
    • Patch management
    • Crypto libraries
    • Authentication
    • CA integration
    • Firewall
    • Anti-virus
  • 42. MDM – The Good, The Bad and The Ugly
    • MDM evolved from mobile network operators
    • Agent-based with a control server
    • Audit for compliance
    • Provisioning is key, including bricking, wiping
    But..
    • BYOD means anything goes
    • Users are a very big problem
    And…
    • Variances between vendors are wildly different
    • User behavior is usually tracked
  • 43. Call-to-Action – Personally, what can you do for yourself?
    • Choose the source of your application carefully
    • Question the app’s need to share location/contact
    • Why does this app want to login with FB, et al.?
    • Don’t: Keep me logged in OR remember me
    • Don’t save passwords
    • Do: use a secure browser – WhiteHat Aviator
    • Don’t click on the dancing pig…
  • 44. Click on the Dancing Pig! "The applet DANCING PIGS could contain malicious code that might do permanent damage to your computer, steal your life's savings, and impair your ability to have children.”
  • 45. Thank you… kelly@zisher.com This presentation has been brought to you by Zisher Mob::Web::Sec In collaboration with the Ipsilon Group
  • 46. Bibliography
    • Secure Programming with Static Analysis – Chess and West
    • The Tangled Web – A guide to securing modern web applications – Michael Zalewski
    • Threat Modeling – Designing for Security – Adam Shostack
    • Mobile Hacking Exposed – Bergman, Stanfield, Rouse, Scambray
    • Application Security for the Android Platform – Jeff Six
    • Hacking and Securing iOS Applications – Jonathan Zdziarski
    • Mobile Application Security – Dwivedi, Clark, Thiel
    • The Art of War – Sun Tzu
    • The Art of Peace – Morihei Ueshiba
    • The Book of Five Rings – Miyamoto Musashi
    • Chinese Industrial Espionage: Technology Acquisition and Military Modernisation – Hannas, Mulvenon, Puglisi
  • 47. Bibliography – Web page 1
    • http://users.ece.cmu.edu taint-analysis-overview.pdf
    • http://blogs.wsj.com 5-ways-hackers-exploit-our-bad-byod-habits
    • http://www.gartner.com/technology/reprints.do?id=1-1FRVS5W&ct=130524&st=sb
    • http://www.pcmag.com/article2/0,2817,2455172,00.asp
    • Hpenterprisesecurity.com
  • 48. Bibliography – Web page 2
    • http://techcrunch.com/2014/02/19/facebooks-whatsapp-acquisition-snapchat/
    • http://www.kaspersky.com/about/news/virus/2014/Kaspersky-Lab-Uncovers-The-Mask-One-of-the-Most-Advanced-Global-Cyber-espionage-Operations-to-Date-Due-to-the-Complexity-of-the-Toolset-Used-by-the-Attackers
    • https://sites.google.com/site/droidful/android-and-java
    • https://sites.google.com/site/droidful/developm/android-sdk
    • http://androidforums.com/nexus-7-2013/831394-art-vs-dalvik.html
    • https://www.google.com/search?client=safari&rls=en&q=android+repackaging+hacks&ie=UTF-8&oe=UTF-8
  • 49. Bibliography – Web page 3
    • http://www.slideshare.net/DefCamp/defcamp-2013-android-hacking-techniques
    • http://www.xyu.io/2013/07/proxies-ip-spoofing/
    • http://www.bbc.com/news/technology-27703318 – ransomware article for SD cards on Android
    • http://stackoverflow.com/questions/260626/what-is-type-safe
    • http://en.wikipedia.org/wiki/Java_Class_Library
    • http://docs.oracle.com/javase/7/docs/api/java/security/package-summary.html
    • http://en.softonic.com/s/mobile-security-software:java
    • http://www.amazon.com/Oracle-Secure-Standard-Software-Engineering/dp/0321803957
  • 50. Bibliography – Web page 4
    • http://www.sans.org/course/secure-coding-java-jee-developing-defensible-applications#results
    • http://www.sans.org/top25-software-errors/
    • http://spectrum.ieee.org/transportation/systems/this-car-runs-on-code
    • http://link.springer.com/article/10.1023/A:1021152023349 – cool articles on nano technology
    • https://cwe.mitre.org/documents/sources/SevenPerniciousKingdoms.pdf
    • http://en.wikipedia.org/wiki/Movie_plot_threat
    • http://msdn.microsoft.com/en-us/magazine/cc163519.aspx
    • http://stackoverflow.com/questions/3334578/what-is-dependency-injection
    • http://www.amazon.com/Service-Oriented-Architecture-Dummies-Edition/dp/0470376848/
  • 51. Bibliography – Web page 5
    • http://www.se-radio.net – outstanding codecasts
    • http://stackoverflow.com/questions/2026523/what-is-soa-in-plain-english
    • http://searchsoa.techtarget.com/definition/service-oriented-architecture
    • http://en.wikipedia.org/wiki/Taint_checking
    • http://krebsonsecurity.com/2014/05/complexity-as-the-enemy-of-security/comment-page-1/
    • http://www.bankinfosecurity.com/disagreement-on-target-breach-cause-a-6491/op-1
    • https://corporate.target.com/about/shopping-experience/payment-card-issue-FAQ.aspx#q5874
    • http://www.nytimes.com/2014/02/27/business/target-reports-on-fourth-quarter-earnings.html?_r=0

Editor's notes

  1. Welcome to today’s broadcast: Keeping Secrets in the vast Internet of Things. I’m Kelly Robertson with Zisher Mob:Web:Sec in the Silicon Valley and this presentation is brought to you in collaboration with the Ipsilon Group in Frankfurt, Germany. In part one, we will be discussing security issues relative to the Mobile Revolution that is sweeping the planet. In part two, we will explore end-to-end countermeasures from the Software Development LifeCycle to Application Firewalls and Mobile Device Management tools.
  2. In the first place, we’ll take a look at the landscape today in terms of research, theory and actual exploits. We’ll then take a look at a novel approach to developing applications for mobile platforms more securely. Finally, we’ll briefly talk about solutions that organizations are using today, and some of the considerations that are important when choosing your tactics for defending information assets.
  3. Brightest Flashlight Free: December 2013. Goldenshores Technology, creator of an app with tens of millions of downloads, collected private information and passed it off to third parties, and deceived the customer about it; the Federal Trade Commission stepped in. Jekyll on iOS: a Georgia Tech attack that evaded the mandatory app signing and code signing mechanisms in the AppStore by rearranging the signed code. Successful. PinsKimmer: two guys from the University of Cambridge created a side-channel attack that makes use of the video camera and microphone to infer PINs entered on a number-only soft keyboard on a smartphone. The microphone is used to detect touch events, while the camera is used to estimate the smartphone’s orientation and correlate it to the position of the digit tapped by the user. It is undetectable by the end user and had both a mobile app and a server component. Firesheep and Faceniff: a packet surfing extension to Mozilla Firefox that wasn’t blacklisted because it was intended to be used for good, to illustrate security risks in encryption during login, but had nothing to do with cookies. When used with a tool such as Ettercap, Firesheep was used to compromise a wi-fi environment, like an Internet cafe, and harvest sensitive information all day long…examples were unencrypted cookies from Twitter and FaceBook, who have since addressed the issue.
  4. Heartbleed bug, so called because it relates to the heartbeat extension of the SSL/TLS protocol, is an implementation problem that has left large numbers of secrets on the Internet exposed…it actually leaks the secret keys that are used to secure transactions. The Heartbleed Bug is a serious, leave-no-trace vulnerability in the popular OpenSSL cryptographic software library that ships with over 14 popular operating systems and is very widely used across the Internet to provide privacy for financial transactions. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). How bad is it? You are likely affected somehow…governments, banks, entertainment and social sites often use encryption to keep your secrets. The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. Fixed OpenSSL has been released and now it has to be deployed, which is not trivial, as one can imagine.
  5. 1/1/14. Snapchat, the disappearing message service… Twice last year, Gibson Security advised Snapchat that usernames and sensitive information were vulnerable to leakage…eek! On January 1st of this year, Anonymous hackers posted a file on Snapchatdb.info with 4.6 million SnapChat usernames and phone numbers. Instructions on the pages say, “You are downloading 4.6 million users’ phone number information, along with their usernames. People tend to use the same username around the web so you can use this information to find phone number information associated with Facebook and Twitter accounts, or simply to figure out the phone numbers of people you wish to get in touch with.” It is clear that the hackers are trying to prod Snapchat to acknowledge the severity of their security holes and make the needed patches. They claim that the database “contains username and phone number pairs of a vast majority of the Snapchat users.” They used the security exploits documented last week by Gibson Security that Snapchat “dismissed.” SnapchatDB claims that this information “is being shared with the public to raise awareness on the issue. The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it.” Facebook, which had made an offer on SnapChat previously, turned around and bought Whatsapp – for $19B. SnapChat has no source of revenue so acquisition was the likely exit strategy.
  6. The very scary PlaceRaider smartphone malware. The Naval Surface Warfare Center in Crane, Indiana, and a few pals at Indiana University reveal an entirely new class of ‘visual malware’ capable of recording and reconstructing a user’s environment in 3D by running in the background of just about any smartphone. This then allows the theft of virtual objects such as financial information, data on computer screens and identity-related information. In theory, it goes something like this: the user downloads an app which grants the malware access to the camera, and the malware suppresses the sound of the shutter while it takes random pictures and records the position of the phone and the time and location. Pictures are filtered and stitched together to give a 3D model of the user’s environment. The theory was tested on 20 unsuspecting people and then other random people were asked to harvest data from the images: checks, calendars, QR codes and personal information were among the booty. Today Robert Templeman at the Naval Surface Warfare Center in Crane, Indiana, and a few pals at Indiana University reveal an entirely new class of ‘visual malware’ capable of recording and reconstructing a user’s environment in 3D. This then allows the theft of virtual objects such as financial information, data on computer screens and identity-related information. Templeman and co call their visual malware PlaceRaider and have created it as an app capable of running in the background of any smartphone using the Android 2.3 operating system. Their idea is that the malware would be embedded in a camera app that the user would download and run, a process that would give the malware the permissions it needs to take photos and send them. PlaceRaider then runs in the background taking photos at random while recording the time, location and orientation of the phone. (The malware mutes the phone as the photos are taken to hide the shutter sound, which would otherwise alert the user.)
The malware then performs some simple image filtering to get rid of blurred or dark images taken inside a pocket, for example, and sends the rest to a central server. Here they are reconstructed into a 3D model of the user’s space, using additional details such as the orientation and location of the camera. A malicious user can then browse this space looking for objects worth stealing and sensitive data such as credit card details, identity data or calendar details that reveal when the user might be away. Templeman and co have carried out detailed tests of the app to see how well it works in realistic situations. They gave their infected phone to 20 individuals who were unaware of the malware and asked them to use it for various ordinary purposes in an office environment. They then evaluated the resulting photos by asking a group of other users to see how much information they could glean from them. Some of these users studied the raw images while the others studied the 3D models, both groups looking for basic information such as the number of walls in the room as well as more detailed info such as QR codes and personal checks lying around. Templeman and co say the tests went well. They were able to build detailed models of the room from all the data sets. What’s more, the 3D models made it vastly easier for malicious users to steal information from the personal office space than from the raw photos alone. That’s an impressive piece of work that reveals some of the vulnerabilities of these powerful devices. And although the current version of the malware runs only on the Android platform, there is no reason why it couldn’t be adapted for other systems. “We implemented on Android for practical reasons, but we expect such malware to generalize to other platforms such as iOS and Windows Phone,” say Templeman and co. They go on to point out various ways that the operating systems could be made more secure.
Perhaps the simplest would be to ensure that the shutter sound cannot be muted, so that the user is always aware when the camera is taking a picture. However, that wouldn’t prevent the use of video to record data in silence. Templeman and co avoid this because of the huge amount of data it would produce, but it’s not hard to imagine that this would be less of a problem in the near future. Another option would be a kind of antivirus app for smartphones which actively looks for potential malware and alerts the user. The message is clear: this kind of malware is a clear and present danger. It’s only a matter of time before this game of cat and mouse becomes more serious.
  7. Careto, the ugly mask, is a really, really interesting Advanced Persistent Threat for a number of reasons. It is really sophisticated, long-term cyber-espionage with outstanding tools. It was caught by Kaspersky researchers as they observed five-year-old evasion techniques being used that they had already mitigated. It is a Spanish-language assault: 380+ targets in 31 countries over 7 years; one of the most sophisticated attacks ever; it intercepts network traffic, Skype, PGP keys, Wi-Fi traffic, keystrokes, screen captures, encryption keys, and more; three separate backdoors in Win 32/64 + Mac OS using sophisticated malware, a bootkit and a rootkit. The impact on mobility platforms is yet unknown…
  8. What do legacy infosec tools provide to combat the mobility threats?
  9. Well, next-generation firewalls do put unknown applications into a sandbox and analyze them. Intrusion detection can pick up some anomalous behaviors, but usually just known problems as compared to zero-day attacks. Threat feeds are services that provide tsunami warnings from the larger Internet community (think security data warehouse and big data analytics) to predict problems. The top-tier security vendors all have threat research centers with some type of incident response and early warning for customers. And, after the fact, improvements in the ease of use of forensics tools help to determine if advanced persistent threats or insider-driven attacks are present. All are necessary, but not sufficient. So, let’s take a look at mobile web applications and see how they are fundamentally different even from web applications, and discuss what can be done about securing the Mobility Revolution.
  10. Information disclosure – leaking data can come from any layer, but it can be error codes that tell the attacker the versions of components, file names that can be guessed, or data flow that reveals trust boundaries. Data flow is particularly vulnerable over radio networks.
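The "error codes that tell the attacker versions of components" point above, as an added example that is not part of the talk. The two handlers below are hypothetical: the first echoes the exception, the traceback and a (constructed) server banner to the client, the second returns only a generic message plus a random correlation id and keeps the details in the server-side log, where the operator can look them up. The `leaks` helper shows which sensitive markers survive into each response.

```python
"""Added example (not from the talk): an error handler that leaks
version and file-system details beside a hardened one that returns
only an opaque correlation id and logs the details server-side."""
import logging
import secrets
import traceback

# Constructed values standing in for a real component stack.
FRAMEWORK_BANNER = "ExampleWeb/2.3.1 (hypothetical)"
DATA_DIR = "/srv/app/data"

log = logging.getLogger("app")


def load_record(record_id: str) -> str:
    """Hypothetical data access that always fails with a path in the message."""
    raise FileNotFoundError(f"{DATA_DIR}/records/{record_id}.json")


def handle_verbose(record_id: str) -> tuple[int, dict]:
    """Leaky handler: the client sees the exception text, the traceback
    (internal paths, line numbers) and the framework version banner."""
    try:
        return 200, {"record": load_record(record_id)}
    except Exception as exc:
        return 500, {
            "error": str(exc),
            "trace": traceback.format_exc(),
            "server": FRAMEWORK_BANNER,
        }


def handle_hardened(record_id: str) -> tuple[int, dict]:
    """Hardened handler: a generic message and a random correlation id
    go to the client; the traceback goes only to the server log, keyed
    by that id so support staff can still find it."""
    try:
        return 200, {"record": load_record(record_id)}
    except Exception:
        correlation_id = secrets.token_hex(8)
        log.error("request %s failed", correlation_id, exc_info=True)
        return 500, {"error": "internal error", "ref": correlation_id}


# Markers an attacker would harvest: version banner, internal path,
# traceback text and the storage format revealed by the file suffix.
SENSITIVE_MARKERS = (FRAMEWORK_BANNER, DATA_DIR, "Traceback", ".json")


def leaks(body: dict) -> list[str]:
    """Return the sensitive markers that appear anywhere in a response body."""
    text = repr(body)
    return [marker for marker in SENSITIVE_MARKERS if marker in text]


if __name__ == "__main__":
    print("verbose leaks: ", leaks(handle_verbose("42")[1]))
    print("hardened leaks:", leaks(handle_hardened("42")[1]))
```

The same pattern applies to the "file names that can be guessed" point: identifiers exposed to clients should come from `secrets` (as the correlation id does here) rather than from sequential counters or predictable naming, so that one known name does not let an attacker enumerate the rest.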
  11. DoS is a threat to availability.
  12. EoP (elevation of privilege) is literally the keys to the kingdom. Containers, buffers,
  13. Mitigate, Eliminate, Transfer, Accept
  14. How do we learn this stuff? CBTs are good; try to get one that works with SCORM, which is a spec for distributed learning – it helps to keep track of progress across lots of people and may help with compliance requirements. There’s lots of self-help, but that takes discipline, and it’s hard to maintain cohesion unless the team attends them together. Of course, a team may train a trainer. Unis are lighter than one would think, still. Vendors and organizations such as SANS have very specific training. Conferences are usually expensive in that there is travel and expense, time out of office (and usually not convenient to the development cycle) and a pretty hefty fee…but go through the syllabus, and if it’s right up your alley, it’s probably invaluable. Smaller specialists are more likely to come to you, develop a curriculum for your environment, coach you through labs that really make it all stick, and tend to be cost effective – you are paying one person’s T&E and at your convenience. Quality may vary. Sharable Content Object Reference Model. Southern New Hampshire University but not Southern Utah, Saint Louis U, Stanford. McAfee, Akamai, RSA Security, Infosec, SANS. Denim Group, Manico.
  15. How can you keep the dialog going and make it stick? Building a culture of communication for secure coding can definitely be helped along by having the team play a game of EoP once a week. This tricks-and-trumps card game is available as a free download and was developed by Adam Shostack and his team at Microsoft. EoP illuminates, inspires and builds an organization’s skills…and it aligns directly with STRIDE.
  16. Let’s talk about solutions for analyzing the code. Static code analysis, also known as SAST, is an automated software program that analyzes source code or object code, usually after the code has been compiled. Code review is the same process done by humans. In either case, as Dr. McGraw states here, a program can only catch so much. We’ll examine just why that is in a moment, but for now let’s just say that we want to develop the best process that we can that aligns with our business goals and our culture. Prone to false positives – the developers or independent analysts are the only thing that really works here. The Turing halting problem and Rice’s theorem – static analysis cannot be perfect.
  17. In the first place, we need to consider how the team works together and make a decision based in part on how much overhead SAST may involve. Alignment with workflow, creativity, culture. Ultimate cost savings and revenue generation – SAST should be less expensive than the alternative. For example, an open-source SAST set on default may be way too noisy to be useful, as developers may begin to ignore results after a short time. A commercial offering with professional services or a manned NOC may cost more up front yet save money due to risk. Source code versus compiled code. Compiled code may need to be sent off-site, and this may not be acceptable for some development teams. If just snippets of the source code are sent off-site, then reverse engineering by someone trying to steal intellectual property is unrealistic. Simultaneous analysis, multi-branch, languages. A boutique or in-house SAST service may not be able to analyze more than a single application at a time, which may not be in the best interests of the team. Also, some SAST offerings charge by the branch, which can become a bit pricey. And some SASTs are limited in their language coverage. Remember, too, that dialects can be difficult and time consuming if a language has been forked. Dependency injection is a method of making a service part of an object’s state, which can make testing easier and makes the code a bit more modular and easier to work with. It also allows multiple teams to work in parallel. DI also helps with configuration management using external config files, but sometimes it also makes tracing behavior a little more complicated. Not all application frameworks support DI, but the SAST should. Configuration files – the SAST may need to trace the dependency back to the external configuration files, and the question should be brought up with the SAST vendor.
Service-oriented architecture – SOA broadly defines how two programs can communicate so that one program can perform operations for another. Think SOAP. Because there is a lot of flexibility in how SOA is implemented, a SAST data sheet won’t likely have a check box stating that SOA is supported, but SOA is sufficiently popular to be something to ask about from a SAST, and especially a SAST service. The question of how deep to go into security analytics really should be answered by the threat modeling exercises, but there is a fair amount of common sense involved as well. It’s best that business pressures don’t unduly affect this decision, just as the hard cost of analysis should be justified with regard to the risk. Can code be developed while under analysis? If the code has to be compiled and development halted while the analysis is undertaken, it will likely disrupt the creative flow and, if coders are idle, may cost a fair amount of money. Sure, the coders can study or work on other projects, but when the results of the scan come back, they will likely need to go back to the analyzed code to fix security-related flaws, so the disruption happens twice. Fortunately, many SAST vendors will analyze while the product is under development; think of spell checkers advising you along the way of potential mistakes that you may be making. Another very important consideration has to do with the dependencies of code as it is built. If code from three weeks ago needs to have a fundamental flaw fixed, it may require re-engineering many other parts of the code that have been built since, based on the assumption that the flawed code was, in fact, not flawed. So it’s wise to insist on a SAST tool that allows analysis while code is being built. SAST solutions are good and getting better all the time. SAST will quickly go through all of the lines of code and usually make tracing problems back to the cause in the tree quick work.
Patterns that come up are usually propagated on several branches, and much can be learned by the development team by seeing the results. But false positives abound in any automatic scanner at default settings, and tuning is a black art. Also, SAST generally does not deal with architectural issues or business logic flaws. These need to be addressed by human analysts. Let’s look at some suggestions of what to look for in a SAST product or service. Configuration files really help to perform behavior modeling. Source code is more clear and can be faster, but may lack reality like an emulator does. System-oriented – binding between URI and code will help to determine which input parameters are associated with each vuln. Speed and depth could be the difference between professional service/research and automation, so be very clear on your ideals. Binary analysis has to be mapped into useful code for developers to work with it. Very difficult to decode once you’ve built on top of vulns.
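To make the "false positives abound" and "static analysis cannot be perfect" points from notes 16 and 17 concrete, here is an added example that is not part of the talk: a toy static analyzer built on Python's standard `ast` module. It flags calls to a small list of dangerous sinks whenever the first argument is not a string literal. The analyzed source is a constructed sample containing a true positive, a true negative and a false positive; the `follow_assignments` switch is a one-step "tuning" that resolves names assigned exactly once to a constant, which removes that false positive but, as the notes say, cannot be extended to decide every case.

```python
"""Added example (not from the talk): a toy SAST pass over Python source
using the standard-library ast module. It shows why default settings are
noisy and why tuning can only narrow, never eliminate, the uncertainty."""
import ast

# Constructed sink list; a real tool ships hundreds of such signatures.
SINKS = {"eval", "exec", "os.system", "subprocess.call"}


def _call_name(node: ast.Call) -> str:
    """Render the callee as 'eval' or 'os.system'; '' for anything more complex."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def _literal_names(func: ast.FunctionDef) -> set[str]:
    """Names assigned exactly once inside the function, and only to a constant.
    This is the whole of our data-flow tracking: a single hop, no branches,
    no calls, no parameters, which is exactly where the theory says a
    general solution does not exist."""
    count: dict[str, int] = {}
    literal: set[str] = set()
    for node in ast.walk(func):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    count[target.id] = count.get(target.id, 0) + 1
                    if isinstance(node.value, ast.Constant):
                        literal.add(target.id)
                    else:
                        literal.discard(target.id)
    return {name for name in literal if count[name] == 1}


def find_sinks(source: str, follow_assignments: bool = False) -> list[tuple[int, str]]:
    """Return sorted (line, sink) pairs for sink calls whose first argument
    is not a literal. Only function bodies are scanned in this toy."""
    tree = ast.parse(source)
    findings: set[tuple[int, str]] = set()
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        safe_names = _literal_names(func) if follow_assignments else set()
        for node in ast.walk(func):
            if not isinstance(node, ast.Call) or not node.args:
                continue
            name = _call_name(node)
            if name not in SINKS:
                continue
            arg = node.args[0]
            if isinstance(arg, ast.Constant):
                continue  # literal command: true negative
            if isinstance(arg, ast.Name) and arg.id in safe_names:
                continue  # resolved to a literal after tuning
            findings.add((node.lineno, name))
    return sorted(findings)


# Constructed sample program under analysis (not real project code).
SAMPLE = """\
import os

def list_dir(user_input):
    os.system("ls " + user_input)   # line 4: true positive, untrusted concatenation

def list_home():
    os.system("ls /home")           # line 7: literal argument, never flagged

def list_fixed():
    cmd = "ls /home"
    os.system(cmd)                  # line 11: false positive until assignments are followed
"""

if __name__ == "__main__":
    print("default settings:", find_sinks(SAMPLE))
    print("with tuning:     ", find_sinks(SAMPLE, follow_assignments=True))
```

Run on the sample, the default pass reports lines 4 and 11; following single constant assignments drops line 11 and leaves only the real finding on line 4. Every further step a vendor adds (inter-procedural tracking, branch-sensitive analysis, sanitizer recognition) is another such approximation, which is why the notes insist that developers or independent analysts still have to triage the output and that architectural and business-logic flaws stay out of reach of the tool.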