2014 #sitnl Mobile Security Bug Parade
- 2. WhoAmI
frank.koehntopp@sap.com
I work in SAP’s Products & Innovation Group, in the Security Validation Team
– Perform independent security assessments on our products from a customer’s point of view
– Assess product security quality and integration aspects of security under real-world conditions
– Find security vulnerabilities before shipment
© 2014 SAP AG or an SAP affiliate company. All rights reserved. 2
- 3. Mobile Security
Why do we need to talk?
http://media.kaspersky.com/en/IT_Security_Risks_Survey_2014_Global_report.pdf
http://www.net-security.org/secworld.php?id=17358
- 4. Mobile Security
The attack surface
- 5. Old school security
Testing at the end of development
Development of functionality → Static Analysis → Dynamic Analysis → Penetration Testing → Customer Testing
- 6. Automated Security Testing
Helpful, but not enough
Static Analysis
Dynamic Analysis
Architecture Flaws
TOP 10 Software Security Design Flaws
• Earn or give, but never assume, trust
• Use an authentication mechanism that cannot be bypassed or tampered with
• Authorize after you authenticate
• Strictly separate data and control instructions
• Define an approach that ensures all data are explicitly validated
• Use cryptography correctly
• Identify sensitive data and how they should be handled
• Always consider the users
• Understand how integrating external components changes your attack surface
• Be flexible when considering future changes to objects and actors
http://cybersecurity.ieee.org/center-for-secure-design.html
- 7. Old school security
Welcome to 2014
Broken Application
Bad People
- 8. Old school security
Magic Crypto Fairy Dust
• Shamir's Law: Crypto is bypassed, not penetrated
https://www.flickr.com/photos/chelseamcnamara/4058966236
- 9. Open Source
Free != Secure
- 10. Geer's Law
"Any security technology whose effectiveness can't be empirically determined is indistinguishable from blind luck" — Dan Geer
- 11. Bug Parade
Stuff we found in SAP and Partner Products
(Don't worry – it's all fixed now…)
- 12. Connecting to the server
SSL for beginners
- 13. Don’t let the users make security decisions
They’re not particularly good at it…
- 14. Flaws in login mechanisms
30 years in, password handling is still difficult…
OK button can only be pressed if the password is correct, i.e. the check runs on the client == endless retries
Issues we found in several apps:
No password complexity – “qqqqqqqq”
Unlimited retries
No lock on device lock
Password change w/o old password
Hints on logon errors
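The following is an added example, not code from the slides or from SAP: a server-side login service that closes the gaps in the list above. It enforces a complexity rule (so "qqqqqqqq" is rejected), counts failures and locks the account, returns one generic error for unknown user, wrong password and locked account alike (no hints), and requires the old password before a change. The thresholds (5 attempts, 300 seconds), the complexity rule and all names are assumptions made for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass

# Policy values are assumptions for this example, not SAP guidance.
MAX_ATTEMPTS = 5                 # consecutive failures before the account is locked
LOCKOUT_SECONDS = 300            # how long the lock lasts
GENERIC_ERROR = "Login failed"   # one message for unknown user, wrong password and locked account
_DUMMY_SALT = b"\x00" * 16       # used to keep timing similar when the user does not exist


def _hash(password: str, salt: bytes) -> bytes:
    """Salted, slow, one-way digest (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def check_complexity(password: str) -> bool:
    """Reject "qqqqqqqq"-style passwords: minimum length, at least three
    character classes, and more than a handful of distinct characters."""
    if len(password) < 10:
        return False
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"))
    return classes >= 3 and len(set(password)) >= 4


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


class AuthService:
    """Every check happens here, on the server; the client never learns why a login failed."""

    def __init__(self, now=time.time):
        self._users = {}
        self._now = now   # injectable clock so lockout expiry can be exercised offline

    def register(self, user: str, password: str) -> None:
        if not check_complexity(password):
            raise ValueError("password does not meet the complexity policy")
        salt = os.urandom(16)
        self._users[user] = Account(salt, _hash(password, salt))

    def login(self, user: str, password: str) -> tuple[bool, str]:
        acct = self._users.get(user)
        if acct is None:
            _hash(password, _DUMMY_SALT)     # same cost as a real check: no user-enumeration hint
            return False, GENERIC_ERROR
        if acct.locked_until > self._now():
            return False, GENERIC_ERROR      # locked: do not say so, do not count the attempt
        if hmac.compare_digest(_hash(password, acct.salt), acct.digest):
            acct.failures = 0
            return True, "ok"
        acct.failures += 1
        if acct.failures >= MAX_ATTEMPTS:
            acct.locked_until = self._now() + LOCKOUT_SECONDS
        return False, GENERIC_ERROR

    def change_password(self, user: str, old: str, new: str) -> bool:
        """Re-authenticate with the old password before accepting a new one."""
        ok, _ = self.login(user, old)
        if not ok or not check_complexity(new):
            return False
        salt = os.urandom(16)
        self._users[user] = Account(salt, _hash(new, salt))
        return True
```

A per-account lockout alone lets an attacker who knows a username lock the legitimate user out; in production, pair it with per-source rate limiting or a progressive delay, and keep the generic error text identical in wording and timing across all failure paths.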
- 15. Storing the password
Local storage is not the best idea
- 16. Don’t trust the client
They’re all liars!
- 17. Sending the password to the server
- 18. Inventing your own cryptography
Those people thinking cryptography is hard? They’re right, actually…
- 19. Developers *love* log files!
- 20. Too much information
No need to be overly specific
http://www.cvedetails.com/vulnerability-list.php?vendor_id=45&product_id=887&version_id=89269&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=33&sha=f2380b70216e338e4fcf75882a55606c6b46cddc
- 21. Red Flags
Favourite development quotes
"But why would anybody do that…?"
"On the server we store the password encrypted with 2048 bits"
"It's BASE64 encrypted"
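An added example (not from the slides or from SAP) for the storage slides and the last two red flags above: Base64 is an encoding, so a "BASE64 encrypted" credential is recovered with one call and no key, and a server that can decrypt its password store (however many bits the key has) can have it decrypted by anyone who takes the key. The server-side copy should instead be a salted, slow, one-way hash that is only ever verified, never reversed. The iteration count, the storage string format and the `is_reversible` triage heuristic are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumption for this example; tune to your hardware budget


def store_base64(password: str) -> str:
    """The "BASE64 encrypted" red flag: an encoding, reversible by anyone who reads it."""
    return base64.b64encode(password.encode()).decode()


def recover_base64(stored: str) -> str:
    """No key, no secret: one call gives the password back."""
    return base64.b64decode(stored).decode()


def store_hashed(password: str, iterations: int = ITERATIONS) -> str:
    """One-way server-side storage: a random per-user salt and a slow KDF.
    The key size ("2048 bits") is irrelevant because nothing is meant to be decrypted."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record so the parameters can be raised later without a flag day
    return "$".join(("pbkdf2_sha256", str(iterations), salt.hex(), digest.hex()))


def verify_hashed(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def is_reversible(stored: str) -> bool:
    """Triage for a value found in a config file, preference store or log during review:
    does it Base64-decode to printable text? Constructed heuristic, not a proof of safety."""
    try:
        decoded = base64.b64decode(stored, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    return len(decoded) > 0 and decoded.isprintable()
```

Two hashes of the same password differ because each carries its own salt, so a leaked table cannot be attacked with one precomputed list; a credential that must stay on the device cannot be protected this way, since the app has to be able to present it, which is the point of the "local storage" slide.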
- 22. What SAP does
Help developers avoid bugs & flaws
Understand Risk & Threats → Build it securely → Abuse, try to break & verify → React
- 23. How to do security the right way
Consider the full solution
Do Architecture Risk Analysis
Defense in depth != do/buy EVERYTHING
Each activity must add value in the context of the threat model
Let your technology stack guide you, not a checklist
It’s the only thing that works – think continuous delivery
- 24. Thank you
Contact information:
Frank Köhntopp
SAP SE
frank.koehntopp@sap.com