Integrating Application Security into the Mobile Software Development Lifecycle. WhiteHat Security Paper



Similar documents
A Strategic Approach to Web Application Security

A Strategic Approach to Web Application Security

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle

Application Security Testing as a Foundation for Secure DevOps

IBM Rational AppScan: Application security and risk management

WhiteHat Security White Paper. Top 11 PCI DSS 3.0 Changes That Will Affect Your Application Security Program

Cenzic Product Guide. Cloud, Mobile and Web Application Security

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP

Application Security Testing How to find software vulnerabilities before you ship or procure code

WhiteHat Security White Paper. Evaluating the Total Cost of Ownership for Protecting Web Applications

Adobe Systems Incorporated

The Web AppSec How-to: The Defenders Toolbox

Moving to the Cloud? Take Your Application Security Solution with You. A WhiteHat Security Whitepaper. September 2010

Application Security Center overview

Interactive Application Security Testing (IAST)

MIS Systems & Infrastructure Lifecycle Management 1. Week 13 April 14, 2016

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Stories From the Front Lines: Deploying an Enterprise Code Scanning Program

HP Application Security Center

Starting your Software Security Assurance Program. May 21, 2015 ITARC, Stockholm, Sweden

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis

WebGoat for testing your Application Security tools

elearning for Secure Application Development

Development Testing for Agile Environments

Practical Approaches for Securing Web Applications across the Software Delivery Lifecycle

Learning objectives for today s session

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Five Steps to Achieve Risk-Based Application Security Management Make application security a strategically managed discipline

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

Application Security 101. A primer on Application Security best practices

WhiteHat Security White Paper Things That Undermine A Web Application Security Program

Getting Started with Web Application Security

G-Cloud IV Framework Service Definition Accenture Web Application Security Scanning as a Service

Detecting Critical Defects on the Developer s Desktop

"Secure insight, anytime, anywhere."

The Prevalence of Flash Vulnerabilities on the Web

Excellence Doesn t Need a Certificate. Be an. Believe in You AMIGOSEC Consulting Private Limited

Network Test Labs (NTL) Software Testing Services for igaming

RUN THE RIGHT RACE. Keep pace with quickening release cycles. Discover automation with the human touch. CHOOSE A TEST TO RUN BELOW

Advanced Service Desk Security

The AppSec How-To: Achieving Security in DevOps

Attack Vector Detail Report Atlassian

Guide to Mobile Testing

SAST, DAST and Vulnerability Assessments, = 4

IBM Innovate AppScan: Introducin g Security, a first. Bobby Walters Consultant, ATSC bwalters@atsc.com Application Security & Compliance

Elevation of Mobile Security Risks in the Enterprise Threat Landscape

Microsoft SDL: Agile Development

Integrating Security Testing into Quality Control

F5 and Microsoft Exchange Security Solutions

Effective Software Security Management

Making your web application. White paper - August secure

Product Roadmap. Sushant Rao Principal Product Manager Fortify Software, a HP company

Rational AppScan & Ounce Products

Total Protection for Compliance: Unified IT Policy Auditing

TEAM Academy Catalog. 187 Ballardvale Street, Wilmington, MA

Symantec Mobile Management 7.2

Contents. -Testing as a Services - TaaS 4. -Staffing Strategies 4. -Testing as a Managed Services - TaaMS 5. -Services 6.

Building a Corporate Application Security Assessment Program

How to Build a Trusted Application. John Dickson, CISSP

Secure Development Lifecycle. Eoin Keary & Jim Manico

Improving your Secure SDLC ( SSDLC ) with Prevoty. How adding real-time application security dramatically decreases vulnerabilities

Centralized Secure Vault with Serena Dimensions CM

Operationalizing Application Security & Compliance

Web application security: automated scanning versus manual penetration testing.

Continuous???? Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

The AppSec How-To: 10 Steps to Secure Agile Development

Building a Mobile App Security Risk Management Program. Copyright 2012, Security Risk Advisors, Inc. All Rights Reserved

1 0 0 V i l l a g e C o u r t H a z l e t, N J , U S A Tel: +1 (732) w w w. p a l i n d r o m e t e c h. c o m.

Your world runs on applications. Secure them with Veracode.

How To Ensure That Your Computer System Is Safe

White Paper. Enhancing Website Security with Algorithm Agility

Asset Discovery with Symantec Control Compliance Suite

CSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office

Benefits of Test Automation for Agile Testing

Agile Security Successful Application Security Testing for Agile Development

Mobile Application Testing

Agile Development for Application Security Managers

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661

Table of contents. Web application security: too costly to ignore. White paper

A white paper analysis from Orasi Software. Enterprise Security. Attacking the problems of application and mobile security

Integrate App. Security in Continuous Integration

Security Testing of Java web applications Using Static Bytecode Analysis of Deployed Applications

Citrix GoToAssist Service Desk Security

Web Application Security Roadmap

LEARNING CURRICULUM SECURITY COMPASS TRAINING 2015 Q3. Copyright Security Compass. 1

SAP NetWeaver Application Server Add-On for Code Vulnerability Analysis

Best Practices - Remediation of Application Vulnerabilities

Symantec Mobile Management 7.1

The Convergence of IT Security and Compliance with a Software as a Service (SaaS) approach

IT Security & Compliance. On Time. On Budget. On Demand.

Symantec Mobile Management for Configuration Manager 7.2

Software Development: The Next Security Frontier

Enterprise Application Security Program

i Network, Inc Technology Solutions, Products & Services Providing the right information, to the right customer, at the right time.

Athena Mobile Device Management from Symantec

Preemptive security solutions for healthcare

White Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security

Is your software secure?

Extreme Networks Security Analytics G2 Vulnerability Manager

Transcription:

Integrating Application Security into the Mobile Software Development Lifecycle WhiteHat Security Paper

Keeping pace with the growth of mobile According to the November 2015 edition of the Ericsson Mobility Report projections, there will be 6.1 billion smartphone users globally by 2020. The exponential growth in smartphone usage has led to a dramatic shift in the way consumers and employees interact with businesses. As a result, businesses must adopt new processes and strategies to ensure that they continue to offer a competitive and comprehensive solution in the market. As with any revolutionary shift, adopting a mobile focused approach is complex and requires buy-in and participation from the company leadership. The widespread proliferation of smartphones has also brought a new set of security challenges that both development and security teams have to be cognizant of. The threat landscape has expanded to mobile applications as they are now used to access sensitive data and perform business critical activities. Traditionally, development teams have been focused on rapid growth, and security teams only came to the table once all development work was complete and the applications were in production. However, in today s agile environments, the increased flexibility of the software development life cycle (SDLC) allows more features to be developed more quickly. This requires security to be embedded into the SDLC to allow for constant assessment of the application code for vulnerabilities and issues as the code is being developed. Mobile software development lifecycle Mobile applications are yet another avenue for attacks on corporate intellectual property. As organizations continue to invest a substantial amount of time and resources developing an application security program, securing mobile applications has become an integral part of a complete application security program in order to improve the organization s overall security posture. The mobile software development life cycle consists of the following steps, which are performed as a part of a repeatable process called the phases of software development: Requirements Design Implementation User Acceptance Testing (UAT) / Quality Assurance Production Historically, security testing has been typically performed during the UAT or QA phase near the end of development cycle. As a result, testing in only one phase of the SDLC provides a limited view of security. Unfortunately, a development team following this paradigm would likely not have identified security defects in the code until late in the development life cycle and after the code was compiled into a functional application. Finding security defects at this late stage of development is highly inefficient and very expensive. 2

Integrating Application Security into the Mobile Software Development Life Cycle WhiteHat Security Paper Best practices in mobile software development lifecycle Typical security activities in each phase of the SDLC are as follows: Requirements veloped if sensitive customer data will be collected and stored, requirements on how the data should be encrypted, both in transit and at rest, should also be established. Everyone involved in web application development should be provided basic security training. Scalability and repeatability are critical aspects of effective security training programs. Traditionally in the past, security training was done live - but as development teams grow, e-learning and computer based training (CBT) are a great way to ensure consistency, reproducibility, and regularity of training across your entire IT workforce. Best practices include: Developer training in secure coding best practices, OWASP Top 10 (at a minimum) delivered via CBT, SME or professional delivery. Recognizing early on that the application will need access, to process and store critical/sensitive data including PII, PCI, HIPPA and SOC, thus including security requirements in addition to function or usability requirements. Design Once the mobile application requirements are captured, an architecture is created that should correspond to these of the application. Best practices include: Designing appropriate security controls for a given type of critical data identified during the "requirements" phase. Incorporating Threat Modeling to identify and address the security risks associated with an application. Implementation After requirements have been determined and an architectural design is in place, constructing the mobile software begins. Ideally, developers should receive security feedback while they are coding. This feedback should be provided as early and often as possible. Because this phase is often the most labor-intensive, continuously running automated security assessments allows a developer to address issues in near-real time. Otherwise, organizations may develop applications built on faulty code, with security as an afterthought, rather than being designed in at the start. Best practices include: Running static source code security assessments (SAST) at least nightly to enable near real time feedback to developers regarding the security of their code. Using static source code analysis as an early indicator of code quality WhiteHat Sentinel Mobile Static Analysis o Supports both ios (Objective C) and Android (Java) o Ensures protection of intellectual property (IP) o Offers integrations with the mobile software development cycle including IDE, bug tracking systems and ALM tools o Provides detailed descriptions of vulnerabilities and offers remediation guidance o Includes software composition analysis to identify third party libraries in the code, including their versions, licensing information and any known vulnerabilities 3

UAT / Quality Assurance New code needs to be tested before it goes into production to ensure that the code behaves as expected. While most organizations currently test for functional requirements, most are also beginning to test for security requirements in this phase as well. Best practices include: Testing pre-production code via dynamic analysis (DAST) to identify vulnerabilities Production In the deployment phase, continuous testing is vital to maintain security assurance and to protect the application where, t should also be subjected to static, QA and production testing. Best practices include: Performing continuous dynamic analysis (DAST) and manual security testing as the new code is introduced or otherwise updated with major revisions or simple bug fixes. WhiteHat Sentinel Mobile Dynamic Analysis o Enables continuous and concurrent assessments o Provides verified, prioritized vulnerability findings o Offers flexible assessment configuration o Provides detailed and custom reporting WhiteHat Sentinel Mobile Manual Assessments o Line-by-line assessment of the mobile source code o One-time white-box testing o Analysis of client, network, and server Static Analysis and Dynamic Analysis SAST and DAST are both critical for mobile application security With the proliferation of mobile applications, it is vital to incorporate security into the mobile SDLC as a strategic initiative. The threat landscape is constantly changing, and with hundreds of millions of mobile apps already it is critical for to utilize static analysis as well as dynamic analysis to get complete coverage of their mobile SDLC. Each type of testing has its own advantages. Performing nightly static application security testing on the mobile source code will greatly assist developers to ensure that they code securely throughout the development process. There are certain vulnerabilities that are best identified through SAST and be eliminated early in the process. However, certain other types of vulnerabilities can only be seen once the mobile app is in production. Therefore dynamic scanning of production applications is equally critical. Issues such as cross-site request forgery,, cross-site scripting are much more easily. Using SAST and DAST technologies at the appropriate stage, along with manual testing, is necessary for a comprehensive mobile application security program. 4

Embedding security right at the beginning is key A comprehensive mobile strategy involves not just strategic planning, but also identifying and mitigating roadblocks on the path to mobile maturity, establishing strategic objectives and KPIs, and choosing the right tools and technology. WhiteHat Security's Sentinel Mobile uses a combination of static analysis, dynamic analysis and manual testing to assess mobile applications for potential vulnerabilities early in the SDLC - where the cost to fix vulnerabilities and impact to resources is minimal. WhiteHat Security Sentinel Mobile Sentinel Mobile provides complete coverage across all aspects of mobile applications. Static analysis of the source code is performed to identify security vulnerabilities before the code goes to production. Sentinel Dynamic emulates mobile browsers and analyzes mobile optimized websites continuously to detect the full array of OWASP Top 10 vulnerabilities. the security experts of our Threat Research Center (TRC) includes a line-by-line assessment of the mobile source code as well as an analysis of client, network and server. Manual Mobile Assessment This includes white-box testing and deep-dive penetration test into the mobile application. Source code analysis, including data flow analysis, and dynamic testing between the client and the server is also performed. Production Mobile Website Assessment Dynamic Analysis Sentinel Dynamic emulates mobile browsers and analyzes mobile optimized websites continuously for the full array of OWASP Top 10 vulnerabilities and more. Automated Mobile Assessment Static Analysis Static code analysis of mobile source code identifies vulnerabilities and provides validated, actionable results. It integrates seamlessly with agile processes and tools including IDEs, ALM tools and Bug tracking systems. STATIC DYNAMIC MANUAL Integrated Assessment CLIENT SIDE APPLICATION Static analysis with Sentinel Source NETWORK Dynamic analysis with Sentinel Dynamic SERVER SIDE Static analysis with Sentinel Source Dynamic analysis with Sentinel Dynamic Supported Vulnerabilities and Concerns We scrutinize for a wide variety of vulnerabilities and privacy concerns including but not limited to the following: Configuration Setting Binary Analysis Anti-Analysis Jailbreak/Root Detection Authentication/Authorization Session Management Cryptography Data Handling Data Storage Handling of Personal Information Secure Coding Server Side Controls Informational Findings WhiteHat Security, Inc. 3970 Freedom Circle Santa Clara, CA 95054 1.408.343.8300 www.whitehatsec.com 2015 WhiteHat Security, Inc. All rights reserved. WhiteHat Security and the WhiteHat Security logo are registered trademarks of WhiteHatSecurity, Inc. All other trademarks are the property of their respective owners. 121615

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information