Mobile Application Threat Analysis



Similar documents
Threat Modeling. Frank Piessens ) KATHOLIEKE UNIVERSITEIT LEUVEN

Threat modeling. Tuomas Aura T Information security technology. Aalto University, autumn 2011

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center

Security Testing. How security testing is different Types of security attacks Threat modelling

Microsoft STRIDE (six) threat categories

Security and Privacy in Cloud Computing

OWASP NZ Day 2011 Testing Mobile Applications

Threat Modeling/ Security Testing. Tarun Banga, Adobe 1. Agenda

Introduction to Information Security

Common Criteria Web Application Security Scoring CCWAPSS

PCI Security Standards Council

Functional vs. Load Testing

What is Web Security? Motivation

Secure By Design: Security in the Software Development Lifecycle

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Threat Modeling Architecting & Designing with Security in Mind OWASP. The OWASP Foundation Venkatesh Jagannathan

Agile and Secure: OWASP AppSec Seattle Oct The OWASP Foundation

Web Application Security

Software Security Touchpoint: Architectural Risk Analysis

OWASP Cornucopia. Ecommerce Website Edition. The OWASP Foundation. OWASP London 3rd June 2013

Agile and Secure Can We Be Both? Chicago OWASP. June 20 th, 2007

Web Application Security Considerations

Development Processes (Lecture outline)

Threat Modeling: The Art of Identifying, Assessing, and Mitigating security threats

External Supplier Control Requirements

A Methodology for Capturing Software Systems Security Requirements

Security within a development lifecycle. Enhancing product security through development process improvement

Lecture Embedded System Security A. R. Darmstadt, Introduction Mobile Security

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Architectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A.

THREAT MODELLING FOR SQL SERVERS Designing a Secure Database in a Web Application

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

Cloud Computing Governance & Security. Security Risks in the Cloud

Security Threats in Demo Steinkjer

WEB 2.0 AND SECURITY

Threat Modeling Using Fuzzy Logic Paradigm

Workday Mobile Security FAQ

IJMIE Volume 2, Issue 9 ISSN:

SETLabs Briefings ENTERPRISE ARCHITECTURE & BUSINESS COMPETITIVENESS VOL 2 NO 4. Oct Dec Threat Modeling in Enterprise Architecture Integration

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Threat Modeling for Secure Embedded Software

Securing Enterprise Web Applications at the Source: An Application Security Perspective

A Practical Approach to Threat Modeling

white SECURITY TESTING WHITE PAPER

Mobile Application Security. Helping Organizations Develop a Secure and Effective Mobile Application Security Program

Penetration Testing Guidelines For the Financial Industry in Singapore. 31 July 2015

IoT IT Security and Secure Development Life Cycle

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

Security Testing and Vulnerability Management Process. e-governance

Web Application Report

Web Engineering Web Application Security Issues

Web application testing

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

OPC & Security Agenda

Mobile Application Security

APPLICATION THREAT MODELING

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

3 Web Services Threats, Vulnerabilities, and Countermeasures

BYPASSING THE ios GATEKEEPER

Mobile Application Security Study

A Goal- Driven Security Framework for Cloud Storage: A Preliminary Study

Passing PCI Compliance How to Address the Application Security Mandates

Web App Security Audit Services

Secure Programming Lecture 12: Web Application Security III

Getting software security Right

Software Development: The Next Security Frontier

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Taxonomic Modeling of Security Threats in Software Defined Networking

NIST s Guide to Secure Web Services

A Systems Engineering Approach to Developing Cyber Security Professionals

SECURING MOBILE APPLICATIONS

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Network Security Audit. Vulnerability Assessment (VA)

Taxonomic Modeling of Security Threats in Software Defined Networking. Jennia Hizver PhD in Computer Science

Thick Client Application Security

VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui

OWASP AND APPLICATION SECURITY

Transcription:

The OWASP Foundation http://www.owasp.org Mobile Application Threat Analysis Ari Kesäniemi Nixu Copyright The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

Threat Modeling Assets Threat agents Architecture Threats 2

Thought Process for Discovering Threats 1. What do we want to protect and why? 2. Where could the attack happen? 3. What could go wrong? 4. Do we have appropriate protection? 5. What is the risk we accept? 3

1. What do we want to protect and why? What are the assets worth protecting? What would be the business impact if compromised? Data Money, privacy, credentials Transactions and processes IPR, innovations, algorithms Reputation, customer experience Resources 4

Thought Process for Discovering Threats 1. What do we want to protect and why? 2. Where could the attack happen? 3. What could go wrong? 4. Do we have appropriate protection? 5. What is the risk we accept? 5

2. Where could the attack happen? What is the attack surface? Local storage? (Including logs, caches etc) Connection to back end server? Connection to third party services? Malicious user? Web browsing and content handlers? Exposed API or RPC? Third party components part of the application? 6

Thought Process for Discovering Threats 1. What do we want to protect and why? 2. Where could the attack happen? 3. What could go wrong? 4. Do we have appropriate protection? 5. What is the risk we accept? 7

3. What could go wrong? What are the most feasible attack scenarios? How each of the assets (from step 1) could be compromised Considering confidentiality, integrity, availability and nonrepudiation for information assets? Considering STRIDE* for processes and data flows? Considering attack surfaces (from step 2)? Considering the system as a whole? * STRIDE = Spoofing / Tampering / Repudiation / Information disclosure / Denial of service / Elevation of privilege 8

Thought Process for Discovering Threats 1. What do we want to protect and why? 2. Where could the attack happen? 3. What could go wrong? 4. Do we have appropriate protection? 5. What is the risk we accept? 9

4. Do we have appropriate protection? Consider each scenario individually Is there a best practice protection mechanism? Is it implemented in the system? Build an attack tree when necessary Legend Threat Attack Vector Protection phone_call_fraud modification_of_info identity_theft disclosure_of_info malicious_health_tips stealing_auth_cred sync_modification_from_client_to_server modified_phone_nr forged_authz exploiting_internal_interfaces publish_and_refresh_sync unauthorized_use stolen_id mitm api_protection eavesdropping application_pin stolen_session_token guessing_or_stealing_password rerouting_comms modified_app local_storage_access ip_bound_session social_engineering server_side_attack faking_app_in_app_store exploiting_unencrypted_comm secure_session_storage local_data_encryption attack_from_another_app rooting_device ssl_protection physical_access 10

Attack Tree 11

OWASP Top Ten Mobile Risks (DRAFT) 1. Insecure or unnecessary client-side data storage 2. Lack of data protection in transit 3. Personal data leakage 4. Failure to protect resources with strong authentication 5. Failure to implement least privilege authorization policy 6. Client-side injection 7. Client-side DOS 8. Malicious third-party code 9. Client-side buffer overflow 10. Failure to apply server-side controls 12

and: Abuse of client side paid resources Failure to properly handle inbound SMS messages Failure to properly handle outbound SMS messages Malicious / fake applications from app store Ability of one application to view data or communicate with other applications Switching networks during a transaction Failure to protect sensitive data at rest Failure to disable insecure platform features in application (caching of keystrokes, screen data) 13

Thought Process for Discovering Threats 1. What do we want to protect and why? 2. Where could the attack happen? 3. What could go wrong? 4. Do we have appropriate protection? 5. What is the risk we accept? 14

5. What is the risk we accept? What are the residual risks that can be accepted? Not every scenario is worth protecting For scenarios not having good protection, consider DREAD: Damage Reproducibility Exploitability Affected users Discoverability Is there a known threat agent motivated to perform an attack? 15

Attack Tree 16

Summary & Conclusion

1. What do we want to protect and why? 2. Where could the attack happen? 3. What could go wrong? 4. Do we have appropriate protection? 5. What is the risk we accept? Assets Threat agents Architecture Threats 18

Questions? Resources: OWASP Mobile Security Project ENISA: Top Ten Smartphone Risks Microsoft: STRIDE, DREAD 19

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information