OWASP Mobile Top Ten 2015 Data Synthesis and Key Trends Part of the OWASP Mobile Security Group Umbrella Project.

Presentation transcript:

Agenda
1. Strategy of the Project for 2015
2. Marketplace Data – Synthesis Results
3. Call for Data – Synthesis Results
4. "Safe bets" for 2015

STRATEGIC ROADMAP PAST AND PRESENT

Previous 2014 Plan
1. Guide technical audiences around mobile appsec risks
2. Publish a list that prioritizes what organizations should address for mobile app risks
3. Establish the group as an authoritative source for mobile technical guidance that is trustworthy to technical communities
– Follow an evidence-based (rather than purely prescriptive) approach to recommendations
– Generate / gather vulnerability data by January 2014
– Gather feedback from the OWASP community over 90 days

Successes of 2014 Plan
Objective Outcomes for 2014:
– Data was successfully gathered by January 2014
– Data was successfully grouped and presented at AppSec Cali 2014
– List was finalized in August 2014
Strategic Outcomes for 2014:
– Publication of the list was achieved
– An evidence-based approach to data collection was executed
Goal Outcomes for 2014:
– Guiding technical audiences around mobile risk was achieved

Lessons Learned From 2014 Plan
1. Goal of providing clear guidance was a partial success
– Grouping vulnerabilities and attaining consensus is difficult
– Difficulty in understanding who exactly the primary audiences are
2. Goal of establishing legitimacy was a partial success
– Not enough data sources / transparency in data analysis
– Not enough inclusion of other OWASP projects

2015 Strategic / Objective Plan
1. Clarify who is using the list and why:
– Formally analyze the users to help clarify how the list should be organized and presented
2. Improve transparency of data / existing processes in the group:
– Increase the number of data contributors and their diversity
– Provide greater transparency of data / data analysis
3. Increase outreach:
– Engage / promote other OWASP projects within the list
– Promote more feedback opportunities

MARKET ANALYSIS Q: Who is using the list and why? Answering this question helps clarify how to group things and present solutions.

DATA ANALYSIS Q: What does the latest vulnerability data suggest? Answering this question helps clarify what the list can afford to drop or introduce.

Participants

Potential Data Bias from Products
Products used to automate analysis can also skew the results:
– Static code analysis rules (ease with which to report on things found in source code)
– Dynamic analysis rules (ease with which to report on runtime behaviors)

INSIGHTS FROM THE ANALYSIS

Key Observations
1. People believe the MTT is valuable and will serve Software Engineers and Pen Testers the most
– Security awareness / training primarily
– Remediation prioritization secondarily
2. Substantial number of findings that don't currently have a home:
– code-quality / stability issues
3. Some categories are – M1 M7; M2 M4; M8
4. There are many categories that aren't being reported very often:
– M1; M6; M7; M8; M9

Safe Bets…
1. Categories least often used will get axed
2. M2, M3, and M4 are definitely working and will stay, but probably tweaked further
3. M10 will be included but overhauled based on lots of feedback
4. New category will be added to take into account code-quality / stability issues
5. Categories will become less ambiguous
6. Categories will be presented differently for each audience (pen tester; engineer; consumer; etc.)

Next Steps
Analysis is now complete.
The group is currently meeting to debate new groupings / tweaks to existing content.
After a release candidate is formulated, conduct a 90-day review cycle with formal market analysis.
Would you like to join the debate? Join the OWASP Mobile Top Ten mailing list!
Subscribe: