Mobile Application Security. Helping Organizations Develop a Secure and Effective Mobile Application Security Program



Similar documents
CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS

Elevation of Mobile Security Risks in the Enterprise Threat Landscape

Cyber4sight TM Threat. Anticipatory and Actionable Intelligence to Fight Advanced Cyber Threats

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Assuring Application Security: Deploying Code that Keeps Data Safe

Cybersecurity: Mission integration to protect your assets

BYOD: End-to-End Security

How To Deal With A Converged Threat From A Cloud And Mobile Device To A Business Or A Customer'S Computer Or Network To A Cloud Device

Where every interaction matters.

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Cyber ROI. A practical approach to quantifying the financial benefits of cybersecurity

The Top Web Application Attacks: Are you vulnerable?

Mobile Application Security Study

PCI Security Standards Council

Five Trends to Track in E-Commerce Fraud

If you can't beat them - secure them

Securing the mobile enterprise with IBM Security solutions

Trust Digital Best Practices

Reducing the Cost and Complexity of Web Vulnerability Management

Mobile security and your EMR. Presented by: Shawn Tester & Allen Cornwall

IDENTIFY YOUR CUSTOMERS

Mobile & Security? Brice Mees Security Services Operations Manager

SECURING TODAY S MOBILE WORKFORCE

Mobile Application Security Report 2015

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Booz Allen Cloud Solutions. Our Capability-Based Approach

Workday Mobile Security FAQ

How Security Testing can ensure Your Mobile Application Security. Yohannes, CEHv8, ECSAv8, ISE, OSCP(PWK) Information Security Consultant

OWASP Mobile Top Ten 2014 Meet the New Addition

Enterprise Apps: Bypassing the Gatekeeper

10 Smart Ideas for. Keeping Data Safe. From Hackers

Rational AppScan & Ounce Products

Table of Contents. Page 2/13

Mobile Application Security

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Mobile Application Security Sharing Session May 2013

Application Security in the Software Development Life Cycle (SDLC) White Paper

Table of Contents. Application Vulnerability Trends Report Introduction. 99% of Tested Applications Have Vulnerabilities

A white paper analysis from Orasi Software. Enterprise Security. Attacking the problems of application and mobile security

Utilizing Pervasive Application Monitoring and File Origin Tracking in IT Security

Utilizing and Visualizing Geolocation Data for Powerful Analysis

STRONGER AUTHENTICATION for CA SiteMinder

The Business Case for Security Information Management

Mobile Workforce. Connect, Protect, and Manage Mobile Devices and Users with Junos Pulse and the Junos Pulse Mobile Security Suite.

Certified Secure Computer User

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Cyber Security. An Executive Imperative for Business Owners. 77 Westport Plaza, St. Louis, MO p f

90% of data breaches are caused by software vulnerabilities.

THE HACKERS NEXT TARGET

WHITEPAPER. Combating Cybercrime A Collective Global Response

Technical Testing. Application, Network and Red Team Testing DATA SHEET. Test your security defenses. Expert Testing, Analysis and Assessments

BYPASSING THE ios GATEKEEPER

The State of Mobile Application Insecurity

Internet threats: steps to security for your small business

Data Lake-based Approaches to Regulatory- Driven Technology Challenges

Securing the Cloud Infrastructure

Simplifying the Challenges of Mobile Device Security Three Steps to Reduce Mobile Device Security Risks

Symantec Mobile Management 7.1

Simplifying the Challenges of Mobile Device Security

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Protecting Your Organisation from Targeted Cyber Intrusion

Android Developer Applications

Mobile Banking. Secure Banking on the Go. Matt Hillary, Director of Information Security, MX

Digital Enterprise Unit. White Paper. Securing Patient Information HIPAA and Mobile Healthcare Applications

WEB APPLICATION SECURITY

10 best practice suggestions for common smartphone threats

WHITE PAPER Usher Mobile Identity Platform

Office of Emergency Communications (OEC) Mobile Applications for Public Safety (MAPS)

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

Overview of F5 Networks. Fatih Bilger Senior Systems Engineer, Prolink.

Data Security Best Practices & Reasonable Methods

NATIONAL CYBER SECURITY AWARENESS MONTH

Cyber Exploits: Improving Defenses Against Penetration Attempts

The Key to Secure Online Financial Transactions

THE PERFECT STORM WEATHERING CYBER THREATS IN THE HEALTHCARE INDUSTRY

Reducing the Cost and Complexity of Web Vulnerability Management

WHITE PAPER Fighting Mobile Fraud

Doyourwebsitebot defensesaddressthe changingthreat landscape?

Chapter 1: Your relationship with risk

Passing PCI Compliance How to Address the Application Security Mandates

Selecting the right cybercrime-prevention solution

Evolving Threats and Attacks: A Cloud Service Provider s viewpoint. John Howie Senior Director Online Services Security and Compliance

Solving data residency and privacy compliance challenges Delivering business agility, regulatory compliance and risk reduction

Mobile Security: Controlling Growing Threats with Mobile Device Management

Mobile Security Threats: Get Ready for 2016

Information Security Addressing Your Advanced Threats

Fear and Loathing in BYOD

Cyber Security & Data Privacy. January 22, 2014

Today s Cybersecurity Technology: Is Your Business Getting Full Protection?

Threat landscape how are you getting attacked and what can you do better protect yourself and your e-commerce platform

IBM Security re-defines enterprise endpoint protection against advanced malware

EXECUTIVE STRATEGY BRIEF. Securing the Cloud Infrastructure. Cloud. Resources

Public Cloud Security: Surviving in a Hostile Multitenant Environment

Samsung KNOX: An Overview for Business Customers

Modern two-factor authentication: Easy. Affordable. Secure.

Strategic Information Security. Attacking and Defending Web Services

Before the DEPARTMENT OF COMMERCE Internet Policy Task Force

Transcription:

Mobile Application Security Helping Organizations Develop a Secure and Effective Mobile Application Security Program by James Fox fox_james@bah.com Shahzad Zafar zafar_shahzad@bah.com

Mobile applications are software applications designed to run primarily on smartphones, tablets, Mobile Applications Market Places and pocket PCs. They are distributed by application market places and are specific to the Operating Apple App Store System (OS) of the mobile devices. The four most SM popular mobile application distribution market Google Play places are (1) Apple App Store, (2) Google Play, (3) BlackBerry App World, and (4) Windows Phone BlackBerry App World Store. The Apple App Store provides applications for Apple s IOS-based iphones and ipads, the Microsoft Windows Phone Store Google Play for Android-based OS mobile devices, the BlackBerry App World for the Research In Motion s BlackBerry mobile devices and Windows Phone store for Microsoft s Mobile Phones, tablets, and pocket PCs. Since 2009, thousands of applications that can be installed and used on mobile devices have flooded these application market places. These mobile applications have evolved from their initial use as productivity, entertainment, and utility applications. Now users, customers, and employees are conducting their day-to-day business transactions on mobile devices. Businesses need to develop and provide mobile applications to their employees and customers to keep pace with the changing business and consumer landscape. However, these mobile applications have also introduced major security concerns for businesses and enterprises as hackers and bad actors can exploit them to steal and harm customers and businesses. Mobile application security protects an organization from potential threats, leveraging the customer-facing mobile applications an organization develops as attack vectors. Mobile application security covers mobile applications, communication between mobile applications and backend infrastructure, backend infrastructure, and the associated activities, processes, and work streams used to design, test, develop, deploy, operate, and maintain these technologies. Understanding the Evolving Threat Landscape of Mobile Security Worldwide In the Middle East and North Africa (MENA) region and around the world, an increasing number of businesses, consumers, and employees are using mobile applications to conduct daily business transactions using mobile devices due to availability, ease, and accessibility of mobile ecosystems. A recent survey conducted by Booz Allen Hamilton of consumers in the Kingdom of Saudi Arabia indicates that 83 percent of the population uses smartphones to conduct business or enterprise transactions. In addition, 64 percent of those surveyed use mobile devices to conduct banking. However, the survey also revealed that one in three people have experienced cybercrime in the past 12 months and close to 50 percent of the people surveyed lack a basic understanding of mobile security and proper cyber hygiene. This survey data indicates that the stakes are high when it comes to mobile security and risk levels are only going to elevate as more and more businesses enable mobile application-based transactions to attract a new generation of consumers. While consumer confidence and awareness is a key driver for addressing mobile security, the stakes are even higher for businesses and enterprises. They are the ultimate victims of cybercrime that could occur from breach in mobile application security. This threat is especially high for financial institutions. Regulators and banks are starting to address this quickly evolving threat landscape facing mobile applications. The Open Web Application Security Project (OWASP) is an organization that has focused on improving the security of software in general and recently emphasizing mobile application security. As illustrated in Exhibit 1, OWASP has released the top 10 mobile application vulnerabilities that organizations must address when it comes to providing security for mobile applications. Any one of these vulnerabilities can cause serious damage to a financial institution via loss of data, reputation, and consumer confidence all of which lead directly and indirectly to financial losses.

Exhibit 1 Top 10 Mobile Application Vulnerabilities M1 M2 M3 M4 M5 Insecure Data Storage Weak Server Side Controls Insufficient Transport Layer Protection Client Side Injection Poor Authorization & Authentication M6 M7 M8 M9 M10 Improper Session Handling Security Decisions Via Untrusted Inputs Side Channel Data Leakage Broken Cryptography Sensitive Information Disclosure Source: OWASP.org Identifying Vulnerabilities and Malicious Mobile Exploits Booz Allen Hamilton, a leading strategy and technology consulting firm, focuses on defining the vulnerabilities further and identifying the potential mobile security exploits that could harm or damage a business. Several potential exploits are illustrated in Exhibit 2. Our mobile security experts understand the implications these exploits can have on business and consumer confidence and how organizations can best protect themselves against them. Any one of these exploits can lead to loss of private data; loss of usernames, passwords, and personal identification numbers (PIN); unauthorized access to private, business, and financial data; and theft and fraud. For example, a stolen device that may have unencrypted data stored on the device could easily give a bad actor access to a person s private data. A malware on a mobile device could easily forward username and passwords of a banking mobile application to hackers that could result in loss of financial data. Man-in-themiddle attacks were a major threat to web-based and online transactions, but now, they are increasingly more common on mobile devices. Controls such as two factor authentication across same communication channels are helpless against a stolen device or a device with malicious malware. These sophisticated attacks to mobile applications are well orchestrated and must be defended against through a pragmatic and holistic approach to mobile application security. Exhibit 2 Successful Exploits E2 Malicious Application Functions (Back Doors) E3 Attacks on the Mobile Web Service or APIs E4 Decompiling an Application and Changing It E1 Borrowed or Stolen Device Successful Exploits E5 Abuse of a Device Feature Source: Booz Allen Hamilton

Applying a Pragmatic and Holistic Approach to Mobile Security No single product, process, policy, or quick fix exists that organizations can buy or develop to address mobile application security. Booz Allen Hamilton utilizes a holistic risk-based approach that identifies the risks, threats, and vulnerabilities and their impact on the business. Once initial risk identification is conducted, organizations can then start to address the problem in a pragmatic fashion and focus the efforts and budget on the most important assets based on risk and impact profile. Booz Allen Hamilton s approach to an effective mobile application security program starts with addressing three primary pillars of mobile application security: (1) secure mobile applications, (2) secure mobile data transmission, and (3) secure mobile backend infrastructure (see Exhibit 3). All three must be assessed and addressed across all aspects of people, processes, and technology dimensions. Our mobile application security professionals help organizations Develop an understanding of holistic solution and approaches to providing mobile application security Exhibit 3 Secure Mobile Applications Secure Mobile Applications Secure Mobile Applications Secure Mobile Data Transmission Utilize the same basic principles that apply to web and online security to mobile application security Our approach to assess and develop solutions for organizations across mobile applications, mobile data transmission, and mobile backend infrastructure addresses the following categories across People Process and Technology (PP&T) dimensions: Source: Booz Allen Hamilton Secure Mobile Backend Infrastructure Vulnerabilities. Identify vulnerabilities based on risk profiles across PP&T Relevant Security Controls. Identify and implement security controls across PP&T Best Security Practices. Identify relevant security best practices and institutionalize them Useful Frameworks and Standards. Identify and adapt where relevant the various articles, tools, frameworks, and international standards across PP&T When addressing mobile application security, organizations should take into account the following key points: 1 2 3 4 5 There is no one quick and simple solution to mobile application security; address it in a pragmatic and holistic fashion Use defense in depth with information security controls for each component Follow a stringent systems development life cycle (SDLC) focused on developing secure applications and continually review new development environments (integrated development environment [IDE] and software development kit [SDK]) for easier security Do not directly integrate mobile applications into the enterprise Always conduct third-party code reviews and penetration testing and conduct annual third-party assessments

International Office Locations Principal Headquarters Office Principal Offices OperatingOperating OfficeOffices Global Headquarters About Booz Allen Hamilton Booz Allen Hamilton has been at the forefront of strategy and technology consulting for nearly a century. Today, the firm provides services primarily to US and international governments in defense, security, and civil markets, and to major corporations, institutions, and not-for-profit organizations. Booz Allen Hamilton offers clients deep functional knowledge spanning consulting, mission operations, technology, and engineering which it combines with specialized expertise in clients mission and domain areas to help solve their toughest problems. Booz Allen Hamilton is headquartered in McLean, Virginia, employs more than 23,000 people, and had revenue of $5.76 billion for the 12 months ended March 31, 2013. To learn more, visit www.boozallen.com. (NYSE: BAH) For more information contact James Fox Senior Associate fox_james@bah.com +971-56-688-6043 Shahzad Zafar Senior Associate zafar_shahzad@bah.com +971-56-688-3014 To learn more about the firm and to download digital versions of this article and other Booz Allen Hamilton publications, visit www.boozallen.com. www.boozallen.com/international 2013 Booz Allen Hamilton Inc.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information