
2014 #sitnl Mobile Security Bug Parade


1. Mobile Security Bug Parade
    Frank Köhntopp, November 2014
2. WhoAmI
    frank.koehntopp@sap.com
    I work in SAP's Products & Innovation Group, in the Security Validation Team:
    – Perform independent security assessments on our products from a customer's point of view
    – Assess product security quality and integration aspects of security under real-world conditions
    – Find security vulnerabilities before shipment
    © 2014 SAP AG or an SAP affiliate company. All rights reserved.
3. Mobile Security: why do we need to talk?
    http://media.kaspersky.com/en/IT_Security_Risks_Survey_2014_Global_report.pdf
    http://www.net-security.org/secworld.php?id=17358
4. Mobile Security: the attack surface
5. Old school security: testing at the end of development
    Development of functionality → Static Analysis → Dynamic Analysis → Penetration Testing → Customer Testing
6. Automated Security Testing: helpful, but not enough
    Static Analysis, Dynamic Analysis, Architecture Flaws
    Top 10 Software Security Design Flaws (IEEE Center for Secure Design, http://cybersecurity.ieee.org/center-for-secure-design.html):
    • Earn or give, but never assume, trust
    • Use an authentication mechanism that cannot be bypassed or tampered with
    • Authorize after you authenticate
    • Strictly separate data and control instructions
    • Define an approach that ensures all data are explicitly validated
    • Use cryptography correctly
    • Identify sensitive data and how they should be handled
    • Always consider the users
    • Understand how integrating external components changes your attack surface
    • Be flexible when considering future changes to objects and actors
7. Old school security: welcome to 2014 (broken application, bad people)
8. Old school security: magic crypto fairy dust
    Shamir's Law: crypto is bypassed, not penetrated
    Photo: https://www.flickr.com/photos/chelseamcnamara/4058966236
9. Open Source: free != secure
10. Geer's Law: "Any security technology whose effectiveness can't be empirically determined is indistinguishable from blind luck" (Dan Geer)
11. Bug Parade: stuff we found in SAP and partner products (don't worry, it's all fixed now...)
12. Connecting to the server: SSL for beginners
13. Don't let the users make security decisions. They're not particularly good at it...
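Slides 12 and 13 in code, as an added example that is not part of the presentation or of any SAP product: a Python client that shows the "SSL for beginners" configuration (verification switched off, so any certificate, a proxy's or an attacker's, is accepted and the user is the only line of defence) next to the fail-closed version, which validates the chain and host name with no "continue anyway" path and additionally pins the server's leaf certificate by SHA-256 fingerprint. The host name, port, pin values and the DER bytes in the test are assumptions made for this example; the function names are mine.

```python
"""Connecting to the server without the 'SSL for beginners' mistakes.

Added example, not code from the presentation or from any SAP product.
insecure_context() is the anti-pattern found in apps: verification off, so
every certificate passes. secure_context() and connect_pinned() fail closed
with no prompt to the user: chain and host-name checks plus a pin on the leaf
certificate's SHA-256 fingerprint. API_HOST, API_PORT and PINNED_FINGERPRINTS
are assumptions made for this example.
"""
import hashlib
import hmac
import socket
import ssl

API_HOST = "api.example.com"   # assumed backend host
API_PORT = 443
# Assumed pins: SHA-256 over the DER-encoded leaf certificate. Ship a current
# and a backup pin, otherwise certificate renewal locks every installed app out.
PINNED_FINGERPRINTS = {
    "0" * 64,   # placeholder for the current certificate's fingerprint
    "1" * 64,   # placeholder for the backup certificate's fingerprint
}


def insecure_context() -> ssl.SSLContext:
    """The anti-pattern: accepts every certificate for every host name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be switched off before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # no chain validation at all
    return ctx


def secure_context() -> ssl.SSLContext:
    """Platform trust store, chain validation, host-name check, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Findings a code review would raise about a context; an empty list means none."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED")
    if not ctx.check_hostname:
        findings.append("check_hostname is disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are allowed")
    return findings


def fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 of the DER certificate, the value that gets pinned."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins) -> bool:
    fp = fingerprint(der_cert)
    return any(hmac.compare_digest(fp, pin) for pin in pins)


def connect_pinned(host: str = API_HOST, port: int = API_PORT,
                   pins=PINNED_FINGERPRINTS) -> ssl.SSLSocket:
    """Open a TLS connection or raise; the user is never asked to decide."""
    ctx = secure_context()
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)   # raises on bad chain or host name
    leaf = tls.getpeercert(binary_form=True)            # DER bytes of the server's leaf certificate
    if not pin_matches(leaf, pins):
        tls.close()
        raise ssl.SSLError("server certificate does not match any pinned fingerprint")
    return tls
```

Pinning the leaf certificate is the simplest form; it means every certificate renewal needs an app update or a backup pin already in the pin set, which is why the set above holds two entries. The audit function is what a reviewer grepping an app for `CERT_NONE` or `check_hostname = False` does by hand.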
14. Flaws in login mechanisms: 30 years in, password handling is still difficult...
    Example: the OK button is only enabled once the password is correct, so the check runs in the app and an attacker gets endless retries.
    Issues we found in several apps:
    • No password complexity ("qqqqqqqq")
    • Unlimited retries
    • No lock on device lock
    • Password change without the old password
    • Hints on logon errors
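The server side of a login that avoids the findings on this slide, as an added example that is not part of the presentation or of any SAP product: a password policy that rejects "qqqqqqqq", a retry counter and lockout kept on the server rather than in the app's OK button, password change only against the old password, and one generic message for every failure so logon errors carry no hints. The class and constant names, the numbers and the sample users in the test are choices made for this example; the lock on device lock is a client-side control and is not shown.

```python
"""Server-side login handling for a mobile backend.

Added example, not code from the presentation or from any SAP product.
AuthService, the constants and the policy rules are choices made for this
example; the iteration count is deliberately modest so the example runs fast.
"""
import hashlib
import hmac
import os
import time

LOCKOUT_AFTER = 5            # failed attempts before the account locks
LOCKOUT_SECONDS = 15 * 60    # length of the lock
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 100_000  # example value; raise it for production hardware
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "welcome1"}  # illustrative denylist
GENERIC_ERROR = "Login failed"   # same text for unknown user, wrong password and locked account


def check_policy(password: str) -> list:
    """Return the policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(set(password)) < 4:          # catches "qqqqqqqq" and "aaaabbbb"
        problems.append("too few distinct characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    return problems


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AuthService:
    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so lockout expiry can be tested
        self._users = {}         # username -> account record

    def register(self, username: str, password: str) -> None:
        problems = check_policy(password)
        if problems:
            raise ValueError("weak password: " + "; ".join(problems))
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "hash": _derive(password, salt),
                                 "failures": 0, "locked_until": 0.0}

    def login(self, username: str, password: str) -> bool:
        """True on success. Every failure path returns False after comparable work."""
        record = self._users.get(username)
        if record is None:
            _derive(password, b"\x00" * 16)   # same cost as a real check: no user enumeration by timing
            return False
        now = self._clock()
        if now < record["locked_until"]:
            return False                      # locked: even the correct password fails
        if hmac.compare_digest(_derive(password, record["salt"]), record["hash"]):
            record["failures"] = 0
            return True
        record["failures"] += 1               # counted here, not in the app
        if record["failures"] >= LOCKOUT_AFTER:
            record["locked_until"] = now + LOCKOUT_SECONDS
            record["failures"] = 0
        return False

    def login_response(self, username: str, password: str) -> dict:
        """What the API returns to the client: one generic message for all failures."""
        if self.login(username, password):
            return {"ok": True}
        return {"ok": False, "error": GENERIC_ERROR}

    def change_password(self, username: str, old_password: str, new_password: str) -> bool:
        # The old password is verified again here, whatever the app claims about
        # the user's session, and the new one has to pass the policy.
        if not self.login(username, old_password):
            return False
        if check_policy(new_password):
            return False
        salt = os.urandom(16)
        self._users[username].update(salt=salt, hash=_derive(new_password, salt))
        return True
```

The retry counter and the lock live in the account record on the server, which is the only place an attacker cannot edit; whether the app greys out its OK button is irrelevant to the limit.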
15. Storing the password: local storage is not the best idea
16. Don't trust the client: they're all liars!
17. Sending the password to the server
18. Inventing your own cryptography: those people thinking cryptography is hard? They're right, actually...
19. Developers *love* log files!
20. Too much information: no need to be overly specific
    http://www.cvedetails.com/vulnerability-list.php?vendor_id=45&product_id=887&version_id=89269&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=33&sha=f2380b70216e338e4fcf75882a55606c6b46cddc
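Slides 19 and 20 together, as an added example that is not part of the presentation or of any SAP product: a logging filter that redacts credential-like values before a record reaches any handler, so a debug log of a login request never holds the password or the bearer token; an error response that gives the client a correlation ID while the full exception goes to the (redacted) server log; and a header filter that drops the version banners an attacker would feed into a CVE search such as the one linked above. The field names, header names and the sample lines are constructed for this example.

```python
"""Keeping secrets out of log files and details out of error responses.

Added example, not code from the presentation or from any SAP product.
SECRET_FIELDS, FINGERPRINT_HEADERS and the logger name are assumptions made
for this example.
"""
import logging
import re
import uuid

SECRET_FIELDS = ("password", "passwd", "pwd", "token", "secret", "api_key", "client_secret")

# key=value and "key": "value" forms, as they appear in query strings, form
# bodies and JSON; the value ends at the next separator or quote.
_KV = re.compile(
    r"""(?i)\b(""" + "|".join(SECRET_FIELDS) + r""")\b(["']?\s*[=:]\s*["']?)([^&\s,;"']+)"""
)
# Whole-line header values that carry credentials.
_HEADER = re.compile(r"(?i)\b(authorization|cookie|set-cookie)(\s*:\s*)([^\r\n]+)")
REDACTED = "[REDACTED]"


def redact(text: str) -> str:
    """Replace every credential-like value in a log line with a marker."""
    text = _KV.sub(lambda m: m.group(1) + m.group(2) + REDACTED, text)
    return _HEADER.sub(lambda m: m.group(1) + m.group(2) + REDACTED, text)


class RedactingFilter(logging.Filter):
    """Rewrites each record's rendered message; attach it to the logger or handler."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()      # message is already formatted; do not format it again
        return True


log = logging.getLogger("api")
log.addFilter(RedactingFilter())


def client_error(exc: Exception, status: int = 500) -> dict:
    """Generic body for the client; the detail stays in the server log under an ID."""
    correlation_id = uuid.uuid4().hex[:12]
    log.error("request failed id=%s: %r", correlation_id, exc)
    return {"status": status, "error": "Request failed", "id": correlation_id}


FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}


def strip_fingerprint_headers(headers: dict) -> dict:
    """Drop response headers that only tell an attacker which version to look up."""
    return {k: v for k, v in headers.items() if k.lower() not in FINGERPRINT_HEADERS}
```

The filter is attached to the logger, so it applies before any handler, including file handlers added later by operations staff. Support can still find the incident: the client reports the correlation ID, and the server log has the stack trace under that ID.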
21. Red Flags: favourite development quotes
    "But why would anybody do that...?"
    "On the server we store the password encrypted with 2048 bits"
    "It's BASE64 encrypted"
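For slides 15, 17, 18 and 21, an added example that is not part of the presentation or of any SAP product: what "BASE64 encrypted" actually is (an encoding that reverses in one call), and the one-way alternative for the server, a random per-user salt and an iterated hash in a self-describing record so the cost can be raised later without locking users out. Encrypting stored passwords with a key the server holds, whatever the key length in the "2048 bits" quote, reverses just as completely for anyone who obtains that key or a backup, which is why no reversible variant appears here. The record format, algorithm label and parameter values are choices made for this example.

```python
"""Password storage that is neither 'encoded' nor 'encrypted'.

Added example, not code from the presentation or from any SAP product. The
record format and ITERATIONS are choices made for this example.
"""
import base64
import hashlib
import hmac
import os


def base64_encrypt(password: str) -> str:
    """What 'BASE64 encrypted' actually is: an encoding with no key at all."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def base64_decrypt(token: str) -> str:
    """Anyone who reads the database reads the password."""
    return base64.b64decode(token).decode("utf-8")


ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000        # example value; tune upward on production hardware


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Self-describing record: algorithm$iterations$salt$digest, all base64 except the label."""
    salt = os.urandom(16)   # unique per password: equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))   # constant-time compare


def needs_rehash(record: str) -> bool:
    """True when a record predates the current parameters; re-hash after the next successful login."""
    algorithm, iterations, _, _ = record.split("$")
    return algorithm != ALGORITHM or int(iterations) < ITERATIONS
```

On the device (slide 15) the app keeps a revocable session token, not the password; the password itself is sent once, in the request body over a verified TLS connection, not in a URL where it ends up in access logs (slide 17). Hashing it in the app before sending does not help: the hash then simply becomes the password.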
22. What SAP does: help developers avoid bugs & flaws
    Understand risk & threats → build it securely → abuse, try to break & verify → react
23. How to do security the right way
    • Consider the full solution
    • Do architecture risk analysis
    • Defense in depth != do/buy EVERYTHING
    • Each activity must add value in the context of the threat model
    • Let your technology stack guide you, not a checklist
    • It's the only thing that works; think continuous delivery
24. Thank you
    Contact information: Frank Köhntopp, SAP SE, frank.koehntopp@sap.com
