OWASP Mobile Security Project: Top 10 Mobile Security Threats 2014
Neil, 29 Sept 2015
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

Introduction
Previously: in a movie (‘fly me to heaven’, with Cat from Red Dwarf); Platform Team for First Union National Bank; Tombola; Sage
Currently: at Atom Bank in Durham

Tonight's Agenda
- Mobile Security?
- OWASP Mobile Security Project
- A run down of the top ten mobile threats
- Interspersed with some of the other resources available from OWASP
- Go to the pub

OWASP Mobile Security Project
...is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. The OWASP Mobile Security Project was announced in Q3 2010.
- Top 10 Mobile Threats
- Emmy's Tools
- Cheat Sheets

M1 - Weak Server Side Controls
- Basically it's the server team's fault
- Implement an SDLC on the server team
- Start with the OWASP Top 10

M2 - Insecure Data Storage
- Don't store anything on the device
- Use OAuth 2 for authentication

M3 - Insufficient Transport Layer Protection
- Know and trust your certificates
- Don't use insecure channels like SMS
- Certificate pinning

M4 - Unintended Data Leakage
- What are you logging?
- String constants
- Cryptography keys

Tools Part 1
- iMAS
- MobiSec
- Slaughtered Goats

MobiSec

iMAS - iOS Mobile Application Security

Slaughtered Goats

M5 - Poor Authorisation and Authentication
- No local authentication
- Use a device-specific token
- Avoid spoof-able metrics

M6 - Broken Cryptography
- You didn't make up your own, did you?
- Hard-coded keys
- Deprecated algorithms

M7 - Client Side Injection
- WebViews are still vulnerable
- Data read from SQLite or other local databases
- Classic ‘C’ code overruns

M8 - Security Decisions by Untrusted Inputs
- Inter-process communication vulnerabilities
- Workflow resources
- Serialization

Tools Part 2
- NowSecure Lab: Community Edition
- OWASP SeraphimDroid Project
- Cheat Sheets

NowSecure Lab: Community Edition

OWASP SeraphimDroid Project

Cheat Sheets
Cheat sheets provide the information most relevant to a developer or security engineer with minimal "fluff".
- Device-specific mitigations

M9 - Improper Session Handling
- Failure to invalidate sessions
- Timeout and background handling
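The two M9 failure modes above, handled server-side, as an added example that is not code from the talk or the OWASP project: an idle timeout, an absolute lifetime, a short grace period after the app reports going to the background, and explicit invalidation on logout or for every session of a user. The timeout values and the `note_backgrounded` call are assumptions for the example.

```python
import secrets
import time

# Policy values are assumptions for this example, not figures from the talk.
IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime, even if the user keeps tapping
BACKGROUND_GRACE = 60         # seconds the app may sit backgrounded before re-auth

class SessionStore:
    """Server-side session table; the client only ever holds the opaque token."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so tests can move time forward
        self._sessions = {}   # token -> {"user", "created", "seen", "bg"}

    def create(self, user):
        token = secrets.token_urlsafe(32)   # 256 bits from the CSPRNG, never a counter
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "seen": now, "bg": None}
        return token

    def validate(self, token):
        """Return the user for a live session, or None; dead sessions are purged."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if (now - s["seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT
                or (s["bg"] is not None and now - s["bg"] > BACKGROUND_GRACE)):
            self.invalidate(token)
            return None
        s["seen"], s["bg"] = now, None   # resumed inside the grace period
        return s["user"]

    def note_backgrounded(self, token):
        """The app reports it went to the background: start the re-auth countdown."""
        s = self._sessions.get(token)
        if s is not None:
            s["bg"] = self._clock()

    def invalidate(self, token):
        """Logout: drop the server-side record so a replayed token is useless."""
        return self._sessions.pop(token, None) is not None

    def invalidate_user(self, user):
        """Password change or lost device: kill every session for this user."""
        dead = [t for t, s in self._sessions.items() if s["user"] == user]
        for t in dead:
            del self._sessions[t]
        return len(dead)
```

Because every check happens against the server-side record, a token copied off the device stops working the moment the session is invalidated, regardless of what the client still holds.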

M10 - Lack of Binary Protections
- Obfuscation is difficult
- OWASP RECMPP

Get Involved!
- Join the mailing lists
- Submit to the mailing lists
- Write open source code
- Present at an OWASP Chapter

Conclusion
I only do this for the free beer.