Mobile Security Bug Parade 
Frank Köhntopp 
November 2014
WhoAmI 
frank.koehntopp@sap.com 
I work in SAP’s Products & Innovation Group, in the Security Validation Team 
– Perform independent security assessments on our products from a customer’s point of view 
– Assess product security quality and integration aspects of security under real-world conditions 
– Find security vulnerabilities before shipment 
© 2014 SAP AG or an SAP affiliate company. All rights reserved. 2
Mobile Security 
Why do we need to talk? 
http://media.kaspersky.com/en/IT_Security_Risks_Survey_2014_Global_report.pdf 
http://www.net-security.org/secworld.php?id=17358 
Mobile Security 
The attack surface 
Old school security 
Testing at the end of development 
Development of functionality 
Static Analysis 
Dynamic Analysis 
Penetration Testing 
Customer Testing 
Automated Security Testing 
Helpful, but not enough 
Static Analysis, Dynamic Analysis, Architecture Flaws 
TOP 10 Software Security Design Flaws 
• Earn or give, but never assume, trust 
• Use an authentication mechanism that cannot be bypassed or tampered with 
• Authorize after you authenticate 
• Strictly separate data and control instructions 
• Define an approach that ensures all data are explicitly validated 
• Use cryptography correctly 
• Identify sensitive data and how they should be handled 
• Always consider the users 
• Understand how integrating external components changes your attack surface 
• Be flexible when considering future changes to objects and actors 
http://cybersecurity.ieee.org/center-for-secure-design.html 
Old school security 
Welcome to 2014 
Broken Application 
Bad People 
Old school security 
Magic Crypto Fairy Dust 
• Shamir’s Law: Crypto is bypassed, not penetrated 
https://www.flickr.com/photos/chelseamcnamara/4058966236 
Open Source 
Free != Secure 
Geer’s Law 
Any security technology whose effectiveness can’t be empirically determined is indistinguishable from blind luck — Dan Geer 
Bug Parade 
Stuff we found in SAP and Partner Products 
(Don’t worry – it’s all fixed now…) 
Connecting to the server 
SSL for beginners 
Don’t let the users make security decisions 
They’re not particularly good at it… 
Flaws in login mechanisms 
30 years in, password handling is still difficult… 
OK button can only be pressed if password is correct == endless retries 
Issues we found in several apps: 
• No password complexity – “qqqqqqqq” 
• Unlimited retries 
• No lock on device lock 
• Password change w/o old password 
• Hints on logon errors 
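The five issues on this slide come down to a handful of server-side decisions. What follows is an added example, not code from the deck or from SAP: a small login service that refuses endless retries by locking the account after a fixed number of failures, answers every failure (unknown user, wrong password, locked account) with the same generic message, requires the old password before accepting a new one, and ends the session when the device locks. The policy numbers, the `Account` class and the injectable clock are constructed for illustration; real code would store a salted hash rather than the plaintext password kept here for brevity.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed policy values for this example; the right numbers come from the threat model.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 300
MIN_PASSWORD_LENGTH = 8
GENERIC_LOGIN_ERROR = "Invalid user name or password"   # no hint about which part was wrong


@dataclass
class Account:
    username: str
    password: str            # plaintext only to keep the example short; store a salted hash in real code
    failed_attempts: int = 0
    locked_until: float = 0.0


def _same(a: str, b: str) -> bool:
    """Constant-time comparison so the response time does not leak how much of the value matched."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def password_is_acceptable(password: str) -> bool:
    """Reject the trivial passwords the slide mentions, e.g. 'qqqqqqqq'."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    if len(set(password)) < 4:      # one or two characters repeated over and over
        return False
    return True


class LoginService:
    """Server-side login with retry limits, generic errors and revocable sessions."""

    def __init__(self, accounts, now=time.time):
        self.accounts = {a.username: a for a in accounts}
        self.sessions = {}              # session token -> username
        self.now = now                  # injectable clock so the lockout can be tested offline

    def login(self, username: str, password: str) -> tuple:
        """Return (session_token, message); the token is None on failure."""
        account = self.accounts.get(username)
        if account is None:
            _same("no-such-user", password)           # keep the timing close to a real comparison
            return None, GENERIC_LOGIN_ERROR
        if account.locked_until > self.now():
            return None, GENERIC_LOGIN_ERROR          # same message: do not reveal the lock
        if not _same(account.password, password):
            account.failed_attempts += 1
            if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
                account.locked_until = self.now() + LOCKOUT_SECONDS   # no endless retries
                account.failed_attempts = 0
            return None, GENERIC_LOGIN_ERROR
        account.failed_attempts = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token, "ok"

    def is_authenticated(self, token: str) -> bool:
        return token in self.sessions

    def on_device_lock(self, token: str) -> None:
        """When the device locks, the app session ends too; the next use needs the password again."""
        self.sessions.pop(token, None)

    def change_password(self, token: str, old_password: str, new_password: str) -> tuple:
        """A password change needs a live session *and* the current password."""
        username = self.sessions.get(token)
        if username is None:
            return False, "Not logged in"
        account = self.accounts[username]
        if not _same(account.password, old_password):
            return False, GENERIC_LOGIN_ERROR
        if not password_is_acceptable(new_password):
            return False, "Password does not meet the complexity requirements"
        account.password = new_password
        return True, "ok"
```

The lockout is deliberately silent: a locked account gets the same answer as a wrong password, so an attacker cannot use the error text to tell valid user names from invalid ones. The `on_device_lock` hook is what the "no lock on device lock" finding asks for; the mobile client calls it from its background/lock-screen callback instead of keeping the session alive.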
Storing the password 
Local storage is not the best idea 
Don’t trust the client 
They’re all liars! 
Sending the password to the server 
Inventing your own cryptography 
Those people thinking cryptography is hard? They’re right, actually… 
Developers *love* log files! 
Subtitle 
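Log files are where passwords and session tokens end up when nobody decides otherwise. As an added example (not code from the deck or from SAP), here is a `logging.Filter` that masks secret values before a record reaches any handler, plus a small driver that runs a few constructed log lines through it so the effect can be checked offline. The field names in `_KEY_VALUE` and the sample messages are assumptions for this example; extend the key list to your own parameter names.

```python
import logging
import re

# Constructed patterns for this example: key=value / key: value / "key": "value" pairs
# for common secret names, and the credential part of an Authorization header.
_KEY_VALUE = re.compile(
    r'(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)\b'
    r'(["\']?)(\s*[=:]\s*)(["\']?)([^"\'&\s,;]+)'
)
_AUTH_HEADER = re.compile(r"(?i)(authorization:\s*(?:bearer|basic)\s+)\S+")
MASK = "***"


def redact(text: str) -> str:
    """Mask secret values while keeping the surrounding message readable."""
    text = _KEY_VALUE.sub(r"\g<1>\g<2>\g<3>\g<4>" + MASK, text)
    text = _AUTH_HEADER.sub(r"\g<1>" + MASK, text)
    return text


class RedactingFilter(logging.Filter):
    """Attach to a logger or handler; records are rewritten before they are formatted."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message first so %-arguments are covered too, then drop the raw args.
        record.msg = redact(record.getMessage())
        record.args = None
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines in memory instead of writing a file (test/demo only)."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def demo_lines() -> list:
    """Log four constructed messages through the filter and return what would have been written."""
    logger = logging.getLogger("bugparade.redaction.demo")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.handlers = [handler]

    logger.debug("login attempt user=%s password=%s", "alice", "hunter2")
    logger.debug('request body {"username": "bob", "password": "s3cret!"}')
    logger.debug("Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig")
    logger.debug("GET /login?user=alice&pwd=hunter2&lang=en")
    return list(handler.lines)
```

Masking at the logging layer is a safety net, not a substitute for not logging credentials in the first place; its value is that it also catches the debug statement someone adds in a hurry and forgets to remove.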
Too much information 
No need to be overly specific 
http://www.cvedetails.com/vulnerability-list.php?vendor_id=45&product_id=887&version_id=89269&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=33&sha=f2380b70216e338e4fcf75882a55606c6b46cddc 
Red Flags 
Favourite development quotes 
“But why would anybody do that…?” 
“On the server we store the password encrypted with 2048 bits” 
“It’s BASE64 encrypted” 
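The last two quotes, together with the "storing the password" and "inventing your own cryptography" slides, share one misunderstanding: a password that the server can decrypt (or that is merely encoded) can be recovered by anyone who gets hold of the database. As an added example, not code from the deck or from SAP, the block below puts the "BASE64 encrypted" pattern next to what a server should store instead: a salted, iterated PBKDF2-HMAC verifier from the standard library, checked with a constant-time compare. The iteration count and the verifier layout are constructed for this example.

```python
import base64
import hashlib
import hmac
import os

# Constructed parameters for this example; tune the iteration count to your hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def fake_encrypt(password: str) -> str:
    """What 'it's BASE64 encrypted' actually is: an encoding with no key at all."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def recover_from_fake_encrypt(stored: str) -> str:
    """Anyone holding the stored value gets the password back with one library call."""
    return base64.b64decode(stored).decode("utf-8")


def store_password(password: str) -> str:
    """Return a self-describing verifier: algorithm$iterations$salt$hash (salt and hash in hex).

    A fresh random salt per password means two users with the same password get
    different verifiers, and precomputed tables are useless.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "%s$%d$%s$%s" % (ALGORITHM, PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, verifier: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = verifier.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False                      # malformed verifier: fail closed
    if algorithm != ALGORITHM or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)
```

Storing the iteration count inside the verifier is what lets you raise it later: old records keep verifying with their recorded parameters and can be rehashed on the user's next successful login. Note that nothing here is "encryption with 2048 bits": there is no key, and that is the point, since there is nothing to steal that turns back into the password.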
What SAP does 
Help developers avoid bugs & flaws 
Understand Risk & Threats 
Build it securely 
Abuse, try to break & verify 
React 
How to do security the right way 
• Consider the full solution 
• Do Architecture Risk Analysis 
• Defense in depth != do/buy EVERYTHING 
• Each activity must add value in the context of the threat model 
• Let your technology stack guide you, not a checklist 
• It’s the only thing that works – think continuous delivery 
Thank you 
Contact information: 
Frank Köhntopp 
SAP SE 
frank.koehntopp@sap.com 

2014 #sitnl Mobile Security Bug Parade
