How to scale mobile application security testing
Transcript of How to scale mobile application security testing
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
How to Scale Mobile Application Security Testing
Connect with NowSecure
Connect with us on Twitter @NowSecureMobile / #SecureTalks
Learn more at https://nowsecure.com
Katie Strzempka, Services
● Author of iPhone and iOS Forensics
● Master's in Cyber Forensics and Bachelor of Science in Computer Technology from Purdue University
● @kstrzemp
Contents
● 2016 NowSecure Mobile Security Report
● The Challenges Teams Face
● How You Can Scale
2016 NowSecure Mobile Security Report
Released last week
We tested 400K apps
25% of Android apps have at least one high risk security or privacy flaw
Chart: Percentage of Android Apps with Security Issues (sensitive data leak issues, network issues, file system issues)
High risk issues exist within each app category
● Business apps: 3x more likely to leak login credentials
● Gaming apps and social apps: 4x more likely to leak login credentials or email address; 1.5x more likely to include a high risk vulnerability
82% of devices tested by the Vulnerability Test Suite for Android had at least one of 25 vulnerabilities
The Challenges: Teams face a variety of challenges with security in the SDLC
Teams are overwhelmed with security testing
100+: Many enterprises have more than 100 unique, internal apps
Source code analysis has too many false positives
● Testing reports more false positives instead of identifying actual issues
● Static only
● Misses key tests such as insecure data storage or authentication issues
Teams lack a process for mobile
● App testing is repetitive and takes time to manually set up testing environments
● Inconsistent methods and results across team members
Teams are finding vulnerabilities too late in the SDLC
The back-and-forth between developers and analysts wastes time and money
The longer you wait, the more it costs
Chart: cost of fixing vulnerabilities by SDLC phase (Requirements / Architecture; Coding; Integration / Component Testing; System / Acceptance Testing; Production / Post-Release)
Source: National Institute of Standards and Technology
The cost for fixing vulnerabilities is 30x higher after an application has been deployed
How to Scale: You can save time, money, and effort
What needs to be a part of the process for mobile?
● Structure a team that can integrate testing to be efficient
● Emphasize process and similar tools across teams
● Automation (both static and dynamic)
● Test early in the SDLC, with remediation recommendations built in
Lab Workstation: Analyst-driven mobile app security testing kit
Lab Automated: Automated app analysis with continuous integration
● Heading to RSA Conference? Stop by our booth # 3235 for a live demo.
● Set up a demo. Contact us at www.nowsecure.com/contact.
Questions?
[email protected] / +1 312.878.1100
@kstrzemp