Enterprise Security: Attacking the problems of application and mobile security
A white paper analysis from Orasi Software

Introduction: Securing the Mobile Enterprise

The mobile enterprise has created vast opportunities and serious new challenges. IT is increasingly consumerized. Bring Your Own Device (BYOD) is the new byword of today's on-the-move workforce. Hackers, whether seeking profit or Intellectual Property (IP), and often working behind the protection of Nation States, continue to penetrate personal computers and organizational IT environments and have added mobile devices to their targets. Mobile phones, mobile applications, and the network infrastructure are particularly vulnerable to attack and intrusion and can all too often be the weak link in an otherwise secure enterprise infrastructure.

Smartphones and mobile apps are being adopted at a phenomenal rate worldwide, with business users driving uptake in many markets. The burgeoning mobile Internet presents a tempting target for hackers and cybercriminals. So it is not surprising that for many enterprises, perhaps the most pressing security concern is the need to protect mobile phones, applications, networks, and sensitive information in the ongoing age of mobility.

In this Orasi white paper, we examine the current threats and realities affecting mobile enterprise security, and evaluate Best Practices in the areas of mobile testing and security. The authors recommend a comprehensive approach to enterprise security, one that addresses the device, network, servers, and the full secure development lifecycle (SDL) of mobile applications. We also offer a brief summary of Orasi mobile security, offered in partnership with enterprise security solutions from HP.

Trends in Enterprise Security

As businesses adapt to the new anywhere/anytime realities of the always-on environment that comes with mobility, they are presented with real opportunities and significant new challenges. Companies can leverage mobility to expand their market reach, to accelerate innovation, and to forge closer and more rewarding relationships with customers and partners. Mobile storefronts make products and solutions available worldwide at the touch of a keystroke. Mobility also allows a workforce to respond more quickly and productively. Business software is more accessible, and even legacy and in-house applications can be made available via the web, across the cloud, and on mobile devices.

However, enterprise mobility also poses real challenges and difficulties. While websites and ecommerce were once sufficient, today's on-the-move stakeholders expect interactive and engaging mobile experiences that are accessible via smartphones, tablets, and other devices. Without a mobile presence, organizations lose standing and business to more nimble competitors.

As enterprise mobility grows, so does the realization of the serious threats this still-emerging technology can pose to an organization's infrastructure, applications, and information. Because software is now extended far beyond the traditional IT perimeter defenses, those applications and a vast store of highly-sensitive enterprise information are often left surprisingly vulnerable to loss, fraud, and cyber-crime. Threats of many kinds, from hackers and organized crime cartels to competitors and hostile governments, work constantly to exploit vulnerabilities in enterprise software. Those attackers might seek to steal customer identities, account information, or corporate intellectual property. Others might work to disrupt normal business operations, inflict damage to a brand image, or put employees or the general public at risk.

Research from leading security and technology organizations confirms the ongoing threats:

"In almost all of the compiled material referencing mobile computing (also referred to as mobile systems), an exponential increase in threats is being predicted. This trend follows the relevant market trends of mobile devices, consumerization of IT, BYOD and mobile user empowerment." (ENISA, ENISA Threat Landscape: Responding to the Evolving Threat Environment)

[Figure: Mobile Malware Trends (Kaspersky Lab). Values by quarter: Q3 2011: 936; Q4 2011: 3,658; Q1 2012: 5,441; Q2 2012: 14,923]

"Mobile applications are different, but the same. In addition to the broader information leakage problems presented by changing use cases and platforms, mobile applications are designed to leak data." (HP, 2011 Top Cyber Security Risks report)

"The beginning of 2012 was marked by a qualitative change in the botnet ecosystem. Botmasters, who had begun to feel overcrowded in the Windows world, actively targeted the mobile and Mac OS segments. Unfortunately, few users realize that their smartphones are fully-functional computers which contain valuable data that may be of interest to cybercriminals." (Kaspersky Lab, IT Threat Evolution: Q1 2012)

"Cross-site scripting has been one of the most persistent exploits of the Internet. This attack works on any web browsing technology, including mobile devices. The attack is extremely popular and can pose a significant security risk." (IBM, IBM X-Force 2012 Mid-year Trend and Risk Report)

And the problem will only grow:

"By the end of 2012, the number of mobile-connected devices will exceed the number of people on earth, and by 2016 there will be 1.4 mobile devices per capita. There will be over 10 billion mobile-connected devices in 2016, including machine-to-machine (M2M) modules, exceeding the world's population at that time (7.3 billion)." (Cisco Visual Networking Index: Global Mobile Data Traffic Forecast)

With the explosive growth of mobile devices and applications, the need to secure them is critical. BYOD often means one device shared between corporate and personal use and needs. Such devices are designed to be capable, out of the box, of connecting to many sites and services, and it takes an active effort on the part of the user to disable these unneeded connections. It is not only the people within your organization, over whom you can attempt to exert some level of control, who must be considered; threats can also come from anyone those people interact with through social media or other applications on their mobile devices. The screen size of mobile devices further increases exposure and risk: the smaller screen makes it difficult even for trained users to recognize a fake or counterfeit website.

Understanding the Source

The inherent openness of mobility creates a number of security risks. Mobile software vulnerabilities can vary greatly depending on the vector, or source, of the threat. A robust, enterprise-class security program should evaluate and protect against risks that originate from any quarter. Threats against enterprise applications originate from one of three principal sources: devices, servers, and networks.

Devices

Device-oriented attacks often begin when a tablet, smartphone, or other on-the-move asset is lost or stolen. Bad actors may then exploit cached data or unencrypted credentials to connect to an enterprise system to remove or damage sensitive information. Attackers may work to install malware on a system, reconfigure proxy settings, or compromise certificates to allow what are called man-in-the-middle intrusions into mobile transactions. Mobile applications that reside on phones and PDAs may also be vulnerable to the exploitation of text messages, email, and other user inputs.

Mobile applications increase the attack surface for any organization, and BYOD policies accentuate those vulnerabilities. When users access social media via their mobile devices, they may expose enterprise environments to new and dangerous threats.

Networks

Modern enterprises depend heavily on communications networks, but that same network infrastructure can be one of the most common and dangerous sources of security risk to mobile applications. An on-the-go workforce is particularly vulnerable in public places, where easily-available hacking tools allow bad actors to pull information directly from unsecured WiFi signals. Other network-based vulnerabilities include poorly secured TLS/SSL certificates, networks that encrypt only at login and then switch to cleartext, and code that transparently reveals network communication protocols.

Servers

Servers are the crucial touchpoints between mobile devices and an enterprise, and those web-based assets can be vulnerable to a wide range of attacks. Mobile applications typically interact with back-end web sites, and many of those sites use web services that can be exploited by SQL injection, cross-site scripting, and other well-known attack strategies. Because most IT units focus on the security issues relating to devices, applications, and end user behavior, threats to servers may be overlooked. In addition to testing devices and mobile software, a reliable security program will also assess the web infrastructure that hosts the application on the server side.

Given the dynamics and sophistication of the mobile device-oriented threat landscape and extended attack surfaces, organizations are advised to employ robust security protections, including both manual and automated code reviews, dynamic testing techniques, comprehensive testing of all devices under real-world operating conditions, and implementing network and perimeter controls to counter the mobile threats.

Application and Mobile Security

In partnership with HP, Orasi recommends a proactive, holistic approach to application and mobile security in the enterprise environment. This approach is based on the principle of securing applications during the development stage, when it is more effective and less costly to do so. The best of today's security programs offer a comprehensive and disciplined framework designed to eliminate vulnerability and risk in the software organizations use to communicate and work, whether those applications are deployed in traditional enterprise networks, the cloud, or across mobile technologies. Thus, the goals of any reliable application security effort should be not only to identify and remove risks in existing applications, but also to apply secure software development practices. These objectives are met through two primary techniques: testing and development.

Application Security Testing

Application testing is a crucial element in any enterprise security regimen, and a workable testing program should be calibrated to quickly and economically identify exploitable vulnerabilities. Testing should provide an accurate view of threats regardless of the source of an application, whether it was developed in-house, purchased off-the-shelf, or provided by third-party vendors. There are three basic types of application testing:

- Static Analysis: Also known as Static Application Security Testing (SAST). Designed to detect a very broad range of potential vulnerabilities and is ideally suited for detecting security threats during application development. Also identifies vulnerabilities at a line-of-code level of detail, providing very precise information on potential threats to mission-critical software, greatly easing remediation efforts and speeding resolution of the security issue.

- Dynamic Analysis: Also called Dynamic Application Security Testing (DAST). Simulates various attack scenarios to detect vulnerabilities in deployed Web-oriented applications and services. By validating whether a specific vulnerability is indeed exploitable, dynamic analysis allows organizations to recognize and remediate the most serious security threats.

- Hybrid Analysis: Developed by HP and recommended by Orasi, real-time hybrid analysis combines robust vulnerability verification with broad application coverage and code-level insight into current and potential threats. This hybrid approach can greatly improve the scope and accuracy of static and dynamic testing techniques. Hybrid analysis generates highly relevant results, including the exact cause and precise source code location of each threat, thus giving organizations the insights needed to recognize and counter their most significant security threats.

Secure Application Development

To ensure optimum effectiveness, the software testing techniques described previously should be applied as part of a broader program designed to eliminate software risk across the enterprise. A secure development lifecycle must encompass internal and external third-party vendor development teams, and should address the security of software applications that are currently deployed, in development, or being planned. A systematic approach allows organizations to find and fix current threats, while ensuring that security is a fundamental element in all future application deployments. There are five basic elements in a reliable lifecycle approach to software security.
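To make the line-of-code-level reporting that the paper attributes to static analysis concrete, here is a toy SAST-style check added for this write-up (it is not Orasi or HP Fortify code): it parses Python source with the standard library ast module and flags DB-API execute() calls whose SQL text is assembled by concatenation or formatting, the pattern behind the SQL injection attacks named in the Servers section, while leaving parameterized queries alone. The SAMPLE_SOURCE and its line numbers are constructed for the demonstration, and the sink names are assumed from the Python DB-API convention.

```python
"""Toy SAST-style check: flag DB-API execute() calls whose SQL is built at
runtime, and report them at line-of-code level. Added example for this
write-up; not Orasi or HP Fortify code. Standard library only."""
import ast
from dataclasses import dataclass
from typing import Optional

# Method names treated as SQL sinks (assumption: a Python DB-API 2.0 client
# such as sqlite3 or psycopg2, where the first argument is the SQL text).
SQL_SINKS = {"execute", "executemany", "executescript"}


@dataclass(frozen=True)
class Finding:
    line: int
    reason: str


def _taint_reason(node: ast.AST, literal_names: set) -> Optional[str]:
    """Explain why the SQL argument is dynamically assembled, or return None
    if it is a string literal (or a name bound only to one)."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return None
    if isinstance(node, ast.JoinedStr):
        return "f-string used to build SQL"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "string concatenation used to build SQL"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "% formatting used to build SQL"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format() used to build SQL"
    if isinstance(node, ast.Name):
        if node.id in literal_names:
            return None
        return "SQL taken from a variable that is not a single string literal"
    return "SQL expression could not be proven constant"


def scan_source(source: str):
    """Return Findings, sorted by line, for every SQL sink whose query text
    is not a plain literal. Parameter tuples passed as later arguments are
    the safe pattern and are left alone."""
    tree = ast.parse(source)
    # Pass 1: names assigned a string literal and never rebound to anything else.
    literal, rebound = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign):
            is_literal = (isinstance(node.value, ast.Constant)
                          and isinstance(node.value.value, str))
            for tgt in node.targets:
                if isinstance(tgt, ast.Name):
                    (literal if is_literal else rebound).add(tgt.id)
    safe_names = literal - rebound
    # Pass 2: inspect the first argument of each sink call.
    findings = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_SINKS and node.args):
            reason = _taint_reason(node.args[0], safe_names)
            if reason is not None:
                findings.append(Finding(node.lineno, reason))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample: lines 7-9 are injectable, lines 10-11 are parameterized.
SAMPLE_SOURCE = '''\
import sqlite3

LOOKUP = "SELECT id FROM users WHERE name = ?"

def find_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")
    cur.execute(f"SELECT id FROM users WHERE name = '{name}'")
    cur.execute("SELECT id FROM users WHERE name = %s" % name)
    cur.execute(LOOKUP, (name,))
    cur.execute("SELECT id FROM users WHERE name = ?", (name,))
    return cur.fetchall()
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.reason}")
```

Running the module prints one finding per injectable line (7, 8 and 9) with the reason, which is the kind of precise remediation pointer the paper describes; the parameterized queries on lines 10 and 11 produce nothing.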

Threat Intelligence

Because cybercriminals work constantly to find and exploit new software vulnerabilities, organizations must create and maintain a constant, in-depth, proactive approach to application security. Good threat intelligence leverages up-to-date information on current and emerging security issues and risks, as well as ongoing research into vulnerability levels and remediation priorities.

Remediation Management

Once a threat has been identified and understood, the lifecycle approach calls for a rapid response to triage, repair, validate, monitor, and manage each specific vulnerability. Those efforts should be pursued by a coordinated team of software security and development specialists, working in a collaborative environment and leveraging advanced techniques. Today's most effective remediation programs employ automated detection processes, audit toolsets, bug tracking systems, quality assurance tools, integrated development environments, and other technologies to address threats more quickly and at a lower cost.

Proactive Management

An ongoing, forward-looking software security management approach allows organizations to embed security into all application-related activities, processes, and output. A holistic management program provides a centralized place for tools and templates, and allows the automation and orchestration of security efforts. When considering a proactive security management effort, organizations should carefully evaluate appropriate policies and best practices, and then apply those guidelines across the entire application lifecycle.

An Application & Mobile Security Checklist

As noted, the testing of mobile software applications is a crucial aspect of any reliable enterprise security program. HP and Orasi recommend that organizations consider the following checklist to ensure mobile applications are fully tested:

- Bad actors will probe and attack software when it is deployed and running, so to ensure optimum protection, mobile applications should be tested dynamically in their full, operating configurations.

- Since most mobile applications are multi-tiered, complete tests should incorporate all three tiers of the mobile stack: client, network, and server components.

- For best results, perform both dynamic and static tests of mobile applications.

- Both automated and manual testing offer specific advantages, and in many cases manual testing should be used to supplement automated testing for dynamic and static tests.

A Comprehensive Approach

Of course, mobile security testing is just one key element in any successful enterprise strategy. A more comprehensive approach will also address quality assurance (QA), performance validation, application security, business service automation and management, and demand and portfolio management. Key test and quality components may include mobility testing, functional and performance tests, test automation, load testing, application security, and specific QA software technologies.

Orasi and HP: Application and Mobile Security Solutions

Orasi is an Atlanta-based software reseller and professional services company focused on enterprise software quality testing and management. Orasi is an HP Specialist Enhanced Partner and authorized Support partner. Orasi partners with HP to provide solutions for the entire application and security lifecycle. Those solutions are designed to mitigate risk, strengthen compliance, and defend against advanced and emerging threats. The HP Security Intelligence Platform uniquely delivers the robust correlation, application protection, and network defense needed to protect today's mobile IT infrastructure. HP Enterprise Security delivers comprehensive security solutions in the areas of:

- Application Security enables developers, QA teams, and security experts to find and fix vulnerabilities throughout the application development lifecycle. HP Fortify software delivers advanced and proactive security testing to protect mission-critical enterprise software.

- Enterprise Security allows organizations of all sizes to achieve comprehensive security management, compliance, control, and risk mitigation. The HP ArcSight security monitoring and detection suite helps organizations understand who is on their network, what information they are seeing, and which actions they are taking with that information.

- Network Security protects physical, virtual, and cloud infrastructures from network-based threats and intrusions. The HP TippingPoint adaptive network defense solution leverages deep research and intrusion prevention techniques to automatically block attacks.

Conclusion

Application and mobile security presents both promise and problems for today's enterprise. Mobile technologies can open amazing opportunities to extend market reach, drive productivity and innovation, and build closer relationships with customers, suppliers, and partners. Mobility is no longer a luxury: for many organizations it is a competitive requirement. But mobility can be a challenge. On-the-go employees are bringing their own devices to the workplace, and expect anywhere/anytime access to corporate systems and data. Customers and consumers now demand a responsive and interactive mobile experience.

Smartphones, mobile apps, and mobile networks are highly vulnerable to cyber-attacks. In fact, current research indicates that mobile infrastructure is the fastest-growing source of fraud and intrusion. That is why forward-looking organizations are making application and mobile security a key priority. As discussed here, a robust mobile security program must address devices, networks and servers, and the complete lifecycle of applications and mobile assets. By applying Best Practice testing and security management, organizations can protect their operations, their sensitive information, and their stakeholders. Orasi and HP are uniquely positioned to assist organizations in assessing their application and mobile security posture, and in deploying a robust and cost-effective testing and security program.

About Orasi

An HP Software Specialist Enhanced Partner and authorized Support partner, Orasi resells HP's security, test management, and automated testing solutions. Orasi also is a leading provider of software testing services, and offers mobile testing and cloud-based testing and monitoring solutions. For over 10 years, Orasi has consistently helped customers successfully implement and integrate software testing environments to reduce the cost and risk of software failures. Orasi was named HP Software US Solution Partner of the Year in 2011 and 2013, and was Support Partner of the Year for 2009, 2011 and 2012. Orasi offers proven solutions for the installation, implementation, configuration, and use of the HP Security Intelligence Platform.

Learn More: www.orasi.com | sales@orasi.com | 678-819-5300

2013 Orasi Software, Inc. The information contained herein is subject to change without notice. Orasi is a trademark of Orasi Software, Inc. All other product and company names are trademarks or registered trademarks of their respective owners.