Standards and methodology for application security assessment
Agenda
• ISO 27034
• National Information Assurance Partnership (NIAP)
• NIST SP 800-163
• E-Com Security
• OWASP MASVS
• Statistics
ISO/IEC 27034 – Information technology – Application security
ISO/IEC 27034 offers guidance on information security to
those specifying, designing and programming or procuring,
implementing and using application systems, in other
words business and IT managers, developers and auditors,
and ultimately the end-users of ICT. The aim is to ensure
that computer applications deliver the desired or
necessary level of security in support of the organization’s
Information Security Management System, adequately
addressing many ICT security risks.
This multi-part standard provides guidance on specifying, designing or selecting, and
implementing information security controls through a set of processes integrated
throughout an organization's systems development life cycle(s) (SDLC). It is
process-oriented: it governs how application security activities are planned and
evidenced, not which specific weaknesses an application must be tested for.
National Information Assurance Partnership (NIAP)
NIAP's Requirements for Vetting Mobile Apps from the Protection Profile for Application
Software presents the functional and assurance requirements of that Protection Profile
which are appropriate for vetting mobile application software ("apps") outside formal
Common Criteria (ISO/IEC 15408) evaluations. Common Criteria evaluation, facilitated in
the U.S. by NIAP, is required for information assurance (IA) and IA-enabled products in
National Security Systems under CNSS Policy #11, and such evaluations, including those
for mobile apps, must use the complete Protection Profile. However, even apps without IA
functionality can introduce security risk, and concern about that risk has motivated the
vetting of such apps in government and industry.
The requirement areas covered by that document are:
1.3.1. Random Bit Generation Services.
1.3.2. Storage of Credentials.
1.3.3. Access to Platform Resources.
1.3.4. Network Communications.
1.3.5. Encryption of Sensitive Application Data.
1.3.6. Supported Configuration Mechanism.
1.3.7. Secure by Default Configuration.
1.3.8. Specification of Management Functions.
1.3.9. User Consent for Transmission of Personally Identifiable Information.
1.3.10. Use of Supported Services and APIs.
1.3.11. Anti-Exploitation Capabilities.
1.3.12. Integrity for Installation and Update.
1.3.13. Use of Third-Party Libraries.
1.3.14. Protection of Data in Transit.
NIST SP 800-163
NIST SP 800-163 (Vetting the Security of Mobile Applications) defines an app vetting
process and provides guidance on planning and implementing it, developing security
requirements for mobile apps, identifying appropriate tools for testing mobile apps, and
determining whether a mobile app is acceptable for deployment on an organization's
mobile devices. It also gives an overview of techniques commonly used by software
assurance professionals, including methods of testing for discrete software
vulnerabilities and misconfigurations in mobile app software.
The SP 800-163 appendix lists the following Android app vulnerability types:
• 1.2.1 Incorrect Permissions. Permissions allow access to controlled functionality such
as the camera or Global Positioning System (GPS) and are requested by the program.
Permissions can be implicitly granted to an app without the user's consent.
• 1.2.2 Exposed Communications. Internal communications protocols are the means by
which an app passes messages within the device, either to itself or to other apps.
External communications allow information to leave the device.
• 1.2.3 Exposed Data Storage. Files created by apps on Android can be stored in Internal
Storage, External Storage, or the Keystore. Files stored in External Storage may be read
and modified by every other app holding the External Storage permission.
• 1.2.4 Potentially Dangerous Functionality. Controlled functionality that accesses
system-critical resources or the user's personal information. It can be invoked through
API calls or hard-coded into an app.
• 1.2.5 App Collusion. Two or more apps passing information to each other in order to
extend the capabilities of one or both apps beyond their declared scope.
• 1.2.6 Obfuscation. Functionality or control flows that are hidden or obscured from the
user. For the purposes of that appendix, obfuscation is defined by three criteria:
external library calls, reflection, and native code usage.
• 1.2.7 Excessive Power Consumption. Excessive functions or unintended apps running on a
device which intentionally or unintentionally drain the battery.
• 1.2.8 Traditional Software Vulnerabilities. All vulnerabilities associated with
traditional Java code, including: Authentication and Access Control, Buffer Handling,
Control Flow Management, Encryption and Randomness, Error Handling, File Handling,
Information Leaks, Initialization and Shutdown, Injection, Malicious Logic, Number
Handling, and Pointer and Reference Handling.
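As an added worked example (not part of the slides, nor code from NIST or NIAP), the following Python script applies several of the checks above to a decoded AndroidManifest.xml and network_security_config.xml, the kind of input apktool produces. It covers 1.2.1 (dangerous permissions), 1.2.2 (components exported to other apps, cleartext traffic), 1.2.3 (allowBackup, which lets app-private files be pulled with adb backup) and, from the NIAP list, 1.3.14 protection of data in transit (certificate pinning and trust in user-installed CAs). Both XML inputs are constructed, deliberately weak samples; the package com.example.wallet, its components and api.example.com are invented names.

```python
"""Static checks over a decoded AndroidManifest.xml and network_security_config.xml
(as produced by apktool). Both inputs are constructed, deliberately weak samples."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android attribute namespace

# Runtime ("dangerous") permissions that unlock controlled functionality.
DANGEROUS_PERMISSIONS = {
    "android.permission.CAMERA", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.WRITE_EXTERNAL_STORAGE",
}
COMPONENTS = ("activity", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"


def check_manifest(manifest_xml):
    """Return (category, detail) pairs; categories use the SP 800-163 appendix names."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for perm in root.iter("uses-permission"):  # 1.2.1 Incorrect Permissions
        name = perm.get(A + "name", "")
        if name in DANGEROUS_PERMISSIONS:
            findings.append(("Incorrect Permissions", f"requests {name}"))
    app = root.find("application")
    if app is None:
        return findings
    # 1.2.3 Exposed Data Storage: allowBackup defaults to true, so `adb backup` pulls private files.
    if app.get(A + "allowBackup", "true") == "true":
        findings.append(("Exposed Data Storage", "android:allowBackup is enabled"))
    if app.get(A + "debuggable") == "true":
        findings.append(("Potentially Dangerous Functionality", "android:debuggable is true"))
    if app.get(A + "usesCleartextTraffic") == "true":
        findings.append(("Exposed Communications", "usesCleartextTraffic allows plain HTTP"))
    # 1.2.2 Exposed Communications: a component with an intent-filter is exported unless stated otherwise.
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        exported = comp.get(A + "exported")
        implicit = exported is None and comp.find("intent-filter") is not None
        launcher = any(c.get(A + "name") == LAUNCHER for c in comp.iter("category"))
        if (exported == "true" or implicit) and not launcher and comp.get(A + "permission") is None:
            findings.append(("Exposed Communications",
                             f"{comp.tag} {comp.get(A + 'name')} is exported without a permission"))
    return findings


def check_network_config(nsc_xml):
    """Checks mapped to NIAP 1.3.14 (data in transit) and to the pinning findings above."""
    root = ET.fromstring(nsc_xml)
    findings = []
    base = root.find("base-config")
    if base is not None and base.get("cleartextTrafficPermitted") == "true":
        findings.append(("Exposed Communications", "base-config permits cleartext traffic"))
    if any(c.get("src") == "user" for c in root.iter("certificates")):  # an interception proxy's CA would pass
        findings.append(("Protection of Data in Transit", "user-installed CA certificates trusted"))
    domain_configs = list(root.iter("domain-config"))
    for dc in domain_configs:
        domains = [d.text for d in dc.iter("domain")]
        if dc.get("cleartextTrafficPermitted") == "true":
            findings.append(("Exposed Communications", f"cleartext permitted for {domains}"))
        if dc.find("pin-set") is None:
            findings.append(("Protection of Data in Transit", f"no certificate pinning for {domains}"))
    if not domain_configs:
        findings.append(("Protection of Data in Transit", "no domain-config, so nothing is pinned"))
    return findings


# Constructed sample inputs; package and component names are invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:allowBackup="true" android:debuggable="true"
      android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <receiver android:name=".OtpReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <provider android:name=".WalletProvider" android:exported="true"
        android:authorities="com.example.wallet.provider"/>
  </application>
</manifest>"""

SAMPLE_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors><certificates src="system"/><certificates src="user"/></trust-anchors>
  </base-config>
  <domain-config><domain includeSubdomains="true">api.example.com</domain></domain-config>
</network-security-config>"""

if __name__ == "__main__":
    for category, detail in check_manifest(SAMPLE_MANIFEST) + check_network_config(SAMPLE_NSC):
        print(f"[{category}] {detail}")
```

The launcher activity is deliberately skipped: it has to be exported for the app to start, so flagging it only adds noise. The OtpReceiver carries no android:exported attribute at all, yet it is reported, because the intent-filter makes it exported by default on the targets where that rule applies; that implicit case is the one a manual review most often misses.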
E-Com Security
Application Security Assessments provide assurance that your mobile
applications, web applications and APIs are secure. Leveraging our
deep knowledge of the Tactics, Techniques and Procedures (TTP)
threat actors use, our security consultants assess and test the state of
your applications and provide actionable recommendations to
enhance their security. A software “vulnerability” is an unintended
flaw or weakness in the software that leads it to process critical data
in an insecure way. By exploiting these “holes” in applications,
cybercriminals can gain entry into an organization’s systems and steal
confidential data.
OWASP MASVS
The MASVS is a community effort to establish a framework
of security requirements needed to design, develop and
test secure mobile apps on iOS and Android.
MASVS contains three parts:
The Mobile Application Security Verification Standard (MASVS): This standard document
defines a mobile app security model and lists generic security requirements for mobile apps.
It can be used by architects, developers, testers, security professionals, and consumers to
define what a secure mobile application is.
Verification requirement groups (MASVS 1.x):
• V1: Architecture, Design and Threat Modeling Requirements
• V2: Data Storage and Privacy Requirements
• V3: Cryptography Requirements
• V4: Authentication and Session Management Requirements
• V5: Network Communication Requirements
• V6: Platform Interaction Requirements
• V7: Code Quality and Build Setting Requirements
• V8: Resilience Requirements
The Mobile Security Testing Guide (MSTG): The MSTG is a manual for testing the security
of mobile apps. It provides verification instructions for the requirements in the MASVS
along with operating-system-specific best practices (currently for Android and iOS). The
MSTG helps ensure completeness and consistency of mobile app security tests. It is also
useful as a standalone learning resource and reference guide for mobile application
security testers.
The Mobile App Security Checklist: the third part, a checklist that maps each MASVS
requirement to the corresponding MSTG test cases and is used to record the verification
result for a given app.
Statistics
Digital Security compiled the following statistics over 16 mobile applications it assessed:
• Application runs on a rooted device – 1/16.
• Password stored after the session ends – 1/16.
• No 2FA – 3/16.
• Disclosure of information about the test environment – 4/16.
• Disclosure of the user's geolocation – 4/16.
• Possible data disclosure through backups – 5/16.
• Password retained in memory after the session ends – 5/16.
• No warning that the application is running on a rooted device – 12/16.
Statistics: Cryptocurrency exchanger 1
Findings (the slide groups them into High, Medium, Low and Informational severity columns):
• Sensitive data in logs
• SMS spam
• Session fixation
• Application uses an old library
• Password brute force
• Mobile phone number enumeration
• SSL certificate potentially vulnerable
• Cross-origin resource sharing (CORS)
• OTP returned in response
• No certificate and public key pinning
• Vulnerability in old version of WebView
• Absence of source code obfuscation
• Application data can be backed up
Statistics: Cryptocurrency exchanger 2
Findings (the slide groups them into High, Medium, Low and Informational severity columns):
• No certificate and public key pinning
• Application can run on a rooted device
• SSL certificate potentially vulnerable
• Application data can be backed up
Statistics: Cryptocurrency wallet 1
Findings (the slide groups them into High, Medium, Low and Informational severity columns):
• Sensitive data in logs
• Absence of source code obfuscation
• Backup private key explicitly visible
• Application uses an old library
• Sensitive data saved in local files
• Insecure communication: application uses HTTP
• No certificate and public key pinning
Statistics: Cryptocurrency wallet 2
Findings (the slide groups them into High, Medium, Low and Informational severity columns):
• Root and developer mode bypass
• Absence of source code obfuscation
• Application data can be backed up
• Vulnerability in old version of WebView
• Critical bug in money transfer
• Check for modified source code
• No certificate and public key pinning
• Personal data in logs
• User enumeration
Statistics: Mobile marketplace
Findings (the slide groups them into High, Medium, Low and Informational severity columns):
• Two vulnerabilities: OTP value returned in response
• Absence of source code obfuscation
• Unrestricted user creation
• Four vulnerabilities: insecure direct object reference
• Cleartext password submission
• No certificate and public key pinning
• User info enumeration
• Password change attack
Conclusions
Based on the research results it can be concluded that ISO/IEC 27034 requires
vulnerability testing to be carried out but does not specify how or what should be
tested. NIST SP 800-163 and the NIAP requirements both refer to OWASP MASVS and contain
controls against which a mobile application is tested, focusing mainly on vulnerabilities
in data storage and authorization. This is confirmed by the Digital Security statistics.
MASVS is the most widely recognised of the standards; its companion MSTG describes what
to test and how.
It should be noted that all of the standards assess vulnerabilities in the interaction
with the API rather weakly. As the tests described in Section 2.2 show, the most critical
vulnerabilities are those associated with the interaction between the application and
its server.
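The server-side findings that recur in the tables above (OTP returned in the response, user enumeration on login, session fixation, cleartext credential submission, permissive CORS) are all visible in captured traffic rather than in the APK. As an added example that is not part of the original slides or of Digital Security's assessments, the following Python script runs rule checks of that kind over a list of request/response exchanges, as one would export them from an interception proxy. The exchanges, the hosts api.example.com, legacy.example.com and evil.example, and the OTP value are constructed samples.

```python
"""Rule-based review of captured API exchanges for the server-side issues reported
above. Every exchange below is a constructed sample, not traffic from a real app."""
import re
from dataclasses import dataclass, field


@dataclass
class Exchange:
    method: str
    url: str
    status: int
    req_headers: dict = field(default_factory=dict)
    req_body: str = ""
    resp_headers: dict = field(default_factory=dict)
    resp_body: str = ""


def cookie_value(header, name):
    """Value of `name` in a Cookie or Set-Cookie header, or None."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


OTP_ENDPOINT = re.compile(r"/(otp|sms|verify|2fa)\b", re.I)
OTP_FIELD = re.compile(r'"(otp|code|pin)"\s*:\s*"?(\d{4,8})"?', re.I)
CREDENTIAL_FIELD = re.compile(r'"(password|pin|otp)"', re.I)


def find_otp_in_response(exchanges):
    for e in exchanges:
        m = OTP_FIELD.search(e.resp_body)
        if OTP_ENDPOINT.search(e.url) and e.status < 400 and m:
            yield ("OTP_IN_RESPONSE", f"{e.method} {e.url} returns {m.group(1)}={m.group(2)}")


def find_user_enumeration(exchanges):
    # Failed logins to one endpoint must be indistinguishable; distinct
    # status/body pairs tell an attacker which usernames exist.
    failures = {}
    for e in exchanges:
        if e.method == "POST" and "/login" in e.url and e.status >= 400:
            failures.setdefault(e.url, set()).add((e.status, e.resp_body.strip()))
    for url, variants in failures.items():
        if len(variants) > 1:
            yield ("USER_ENUMERATION", f"{url}: {len(variants)} distinct failure responses")


def find_session_fixation(exchanges):
    # A successful login must issue a fresh session identifier.
    for e in exchanges:
        if e.method == "POST" and "/login" in e.url and e.status < 400:
            before = cookie_value(e.req_headers.get("Cookie", ""), "session")
            after = cookie_value(e.resp_headers.get("Set-Cookie", ""), "session")
            if before and (after is None or after == before):
                yield ("SESSION_FIXATION", f"{e.url}: pre-auth session {before} kept after login")


def find_cleartext_credentials(exchanges):
    for e in exchanges:
        if e.url.lower().startswith("http://") and CREDENTIAL_FIELD.search(e.req_body):
            yield ("CLEARTEXT_CREDENTIALS", f"{e.method} {e.url} sends credentials over HTTP")


def find_reflected_cors(exchanges):
    # Reflecting an arbitrary Origin while allowing credentials lets any site read
    # authenticated responses; browsers reject "*" with credentials, so reflection is the exploitable form.
    for e in exchanges:
        origin = e.req_headers.get("Origin")
        resp = {k.lower(): v for k, v in e.resp_headers.items()}
        if (origin and resp.get("access-control-allow-origin") == origin
                and resp.get("access-control-allow-credentials", "").lower() == "true"):
            yield ("CORS_REFLECTED_ORIGIN", f"{e.url} reflects {origin} with credentials")


RULES = (find_otp_in_response, find_user_enumeration, find_session_fixation,
         find_cleartext_credentials, find_reflected_cors)


def analyze(exchanges):
    """Run every rule and return the list of (code, detail) findings."""
    return [finding for rule in RULES for finding in rule(exchanges)]


API = "https://api.example.com"  # constructed sample traffic; hosts and values are invented
SAMPLE_EXCHANGES = [
    Exchange("GET", f"{API}/", 200, resp_headers={"Set-Cookie": "session=fixed123; Path=/; HttpOnly"}),
    Exchange("POST", f"{API}/login", 401, {"Cookie": "session=fixed123"},
             '{"user":"alice","password":"wrong"}', {}, '{"error":"Invalid password"}'),
    Exchange("POST", f"{API}/login", 404, {"Cookie": "session=fixed123"},
             '{"user":"nobody","password":"x"}', {}, '{"error":"User not found"}'),
    Exchange("POST", f"{API}/login", 200, {"Cookie": "session=fixed123"},
             '{"user":"alice","password":"correct"}', {}, '{"ok":true}'),
    Exchange("POST", f"{API}/otp/send", 200, {}, '{"phone":"+10000000000"}', {},
             '{"status":"sent","code":"482913"}'),
    Exchange("POST", "http://legacy.example.com/api/login", 200, {},
             '{"user":"alice","password":"hunter2"}', {}, '{"ok":true}'),
    Exchange("GET", f"{API}/account", 200, {"Origin": "https://evil.example"}, "",
             {"Access-Control-Allow-Origin": "https://evil.example",
              "Access-Control-Allow-Credentials": "true"}, '{"balance":"1.5 BTC"}'),
]

if __name__ == "__main__":
    for code, detail in analyze(SAMPLE_EXCHANGES):
        print(f"{code:24} {detail}")
```

The enumeration rule compares whole failure responses rather than only status codes, because the leak is just as often a different error string or response length with the same 401. The session rule needs the pre-authentication cookie in the login request, which is why the sample starts with the unauthenticated GET that sets it.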
Any questions???
Ad

More Related Content

What's hot (20)

Content Analysis System and Advanced Threat Protection
Content Analysis System and Advanced Threat ProtectionContent Analysis System and Advanced Threat Protection
Content Analysis System and Advanced Threat Protection
Blue Coat
 
Secure Coding 2013
Secure Coding 2013 Secure Coding 2013
Secure Coding 2013
The eCore Group
 
DeepContentInspection Lato
DeepContentInspection LatoDeepContentInspection Lato
DeepContentInspection Lato
Brian Stoner
 
CAS MAA Infographic
CAS MAA InfographicCAS MAA Infographic
CAS MAA Infographic
Blue Coat
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentesting
Minali Arora
 
Preventing Today's Malware
Preventing Today's MalwarePreventing Today's Malware
Preventing Today's Malware
David Perkins
 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020
OWASP
 
Fortify dev ops (002)
Fortify   dev ops (002)Fortify   dev ops (002)
Fortify dev ops (002)
Madhavan Marimuthu
 
Advanced Threat Protection
Advanced Threat ProtectionAdvanced Threat Protection
Advanced Threat Protection
Lan & Wan Solutions
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing
RomSoft SRL
 
Forti web
Forti webForti web
Forti web
Lan & Wan Solutions
 
Security Testing
Security TestingSecurity Testing
Security Testing
Qualitest
 
Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]
Prathan Phongthiproek
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Cybersecurity Education and Research Centre
 
Advanced Threat Protection Lifecycle Infographic
Advanced Threat Protection Lifecycle InfographicAdvanced Threat Protection Lifecycle Infographic
Advanced Threat Protection Lifecycle Infographic
Blue Coat
 
[OPD 2019] Life after pentest
[OPD 2019] Life after pentest[OPD 2019] Life after pentest
[OPD 2019] Life after pentest
OWASP
 
we45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Studywe45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Study
we45
 
Web application Security tools
Web application Security toolsWeb application Security tools
Web application Security tools
Nico Penaredondo
 
"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman
Rinaldi Rampen
 
Хакеро-машинный интерфейс
Хакеро-машинный интерфейсХакеро-машинный интерфейс
Хакеро-машинный интерфейс
Positive Hack Days
 
Content Analysis System and Advanced Threat Protection
Content Analysis System and Advanced Threat ProtectionContent Analysis System and Advanced Threat Protection
Content Analysis System and Advanced Threat Protection
Blue Coat
 
DeepContentInspection Lato
DeepContentInspection LatoDeepContentInspection Lato
DeepContentInspection Lato
Brian Stoner
 
CAS MAA Infographic
CAS MAA InfographicCAS MAA Infographic
CAS MAA Infographic
Blue Coat
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentesting
Minali Arora
 
Preventing Today's Malware
Preventing Today's MalwarePreventing Today's Malware
Preventing Today's Malware
David Perkins
 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020
OWASP
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing
RomSoft SRL
 
Security Testing
Security TestingSecurity Testing
Security Testing
Qualitest
 
Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]
Prathan Phongthiproek
 
Advanced Threat Protection Lifecycle Infographic
Advanced Threat Protection Lifecycle InfographicAdvanced Threat Protection Lifecycle Infographic
Advanced Threat Protection Lifecycle Infographic
Blue Coat
 
[OPD 2019] Life after pentest
[OPD 2019] Life after pentest[OPD 2019] Life after pentest
[OPD 2019] Life after pentest
OWASP
 
we45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Studywe45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Study
we45
 
Web application Security tools
Web application Security toolsWeb application Security tools
Web application Security tools
Nico Penaredondo
 
"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman
Rinaldi Rampen
 
Хакеро-машинный интерфейс
Хакеро-машинный интерфейсХакеро-машинный интерфейс
Хакеро-машинный интерфейс
Positive Hack Days
 

Similar to Standards and methodology for application security assessment (20)

Best Practices for Secure Web Application Development by Site Invention.pdf
Best Practices for Secure Web Application Development by Site Invention.pdfBest Practices for Secure Web Application Development by Site Invention.pdf
Best Practices for Secure Web Application Development by Site Invention.pdf
siteseo
 
Mobile Apps Security Testing -1
Mobile Apps Security Testing -1Mobile Apps Security Testing -1
Mobile Apps Security Testing -1
Krisshhna Daasaarii
 
Application security testing an integrated approach
Application security testing   an integrated approachApplication security testing   an integrated approach
Application security testing an integrated approach
Idexcel Technologies
 
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN ITWHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
TekRevol LLC
 
Mobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, SolutionsMobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, Solutions
Cognizant
 
C01461422
C01461422C01461422
C01461422
IOSR Journals
 
Application Security 101_ Protecting Software from Cyber Threats.pdf
Application Security 101_ Protecting Software from Cyber Threats.pdfApplication Security 101_ Protecting Software from Cyber Threats.pdf
Application Security 101_ Protecting Software from Cyber Threats.pdf
aashinn15
 
Penetration Testing Services_ Comprehensive Guide 2024.pdf
Penetration Testing Services_ Comprehensive Guide 2024.pdfPenetration Testing Services_ Comprehensive Guide 2024.pdf
Penetration Testing Services_ Comprehensive Guide 2024.pdf
qualysectechnology98
 
Mobile App Security: Best Practices for Protecting User Data
Mobile App Security: Best Practices for Protecting User DataMobile App Security: Best Practices for Protecting User Data
Mobile App Security: Best Practices for Protecting User Data
JohnParker598570
 
Introduction to security testing raj
Introduction to security testing rajIntroduction to security testing raj
Introduction to security testing raj
Rajakrishnan S, MCA,MBA,MA Phil,PMP,CSM,ISTQB-Test Mgr,ITIL
 
AKS IT Corporate Presentation
AKS IT Corporate PresentationAKS IT Corporate Presentation
AKS IT Corporate Presentation
aksit_services
 
Aksit profile final
Aksit profile finalAksit profile final
Aksit profile final
Saurabh Kumar
 
Untitled 1
Untitled 1Untitled 1
Untitled 1
Sergey Kochergan
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life Cycle
Maurice Dawson
 
Web Application Hacking tools .pptx
Web Application Hacking tools      .pptxWeb Application Hacking tools      .pptx
Web Application Hacking tools .pptx
Guna Dhondwad
 
Thick Client Penetration Testing Modern Approaches and Techniques.pdf
Thick Client Penetration Testing Modern Approaches and Techniques.pdfThick Client Penetration Testing Modern Approaches and Techniques.pdf
Thick Client Penetration Testing Modern Approaches and Techniques.pdf
ElanusTechnologies
 
ByteCode pentest report example
ByteCode pentest report exampleByteCode pentest report example
ByteCode pentest report example
Ihor Uzhvenko
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applications
GTestClub
 
Mobile App Security How Bahrain Development Companies Ensure Protection.edite...
Mobile App Security How Bahrain Development Companies Ensure Protection.edite...Mobile App Security How Bahrain Development Companies Ensure Protection.edite...
Mobile App Security How Bahrain Development Companies Ensure Protection.edite...
madhuri871014
 
Protecting Windows Networks From Malware
Protecting Windows Networks From MalwareProtecting Windows Networks From Malware
Protecting Windows Networks From Malware
Rishu Mehra
 
Best Practices for Secure Web Application Development by Site Invention.pdf
Best Practices for Secure Web Application Development by Site Invention.pdfBest Practices for Secure Web Application Development by Site Invention.pdf
Best Practices for Secure Web Application Development by Site Invention.pdf
siteseo
 
Application security testing an integrated approach
Application security testing   an integrated approachApplication security testing   an integrated approach
Application security testing an integrated approach
Idexcel Technologies
 
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN ITWHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
TekRevol LLC
 
Mobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, SolutionsMobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, Solutions
Cognizant
 
Application Security 101_ Protecting Software from Cyber Threats.pdf
Application Security 101_ Protecting Software from Cyber Threats.pdfApplication Security 101_ Protecting Software from Cyber Threats.pdf
Application Security 101_ Protecting Software from Cyber Threats.pdf
aashinn15
 
Penetration Testing Services_ Comprehensive Guide 2024.pdf
Penetration Testing Services_ Comprehensive Guide 2024.pdfPenetration Testing Services_ Comprehensive Guide 2024.pdf
Penetration Testing Services_ Comprehensive Guide 2024.pdf
qualysectechnology98
 
Mobile App Security: Best Practices for Protecting User Data
Mobile App Security: Best Practices for Protecting User DataMobile App Security: Best Practices for Protecting User Data
Mobile App Security: Best Practices for Protecting User Data
JohnParker598570
 
AKS IT Corporate Presentation
AKS IT Corporate PresentationAKS IT Corporate Presentation
AKS IT Corporate Presentation
aksit_services
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life Cycle
Maurice Dawson
 
Web Application Hacking tools .pptx
Web Application Hacking tools      .pptxWeb Application Hacking tools      .pptx
Web Application Hacking tools .pptx
Guna Dhondwad
 
Thick Client Penetration Testing Modern Approaches and Techniques.pdf
Thick Client Penetration Testing Modern Approaches and Techniques.pdfThick Client Penetration Testing Modern Approaches and Techniques.pdf
Thick Client Penetration Testing Modern Approaches and Techniques.pdf
ElanusTechnologies
 
ByteCode pentest report example
ByteCode pentest report exampleByteCode pentest report example
ByteCode pentest report example
Ihor Uzhvenko
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applications
GTestClub
 
Mobile App Security How Bahrain Development Companies Ensure Protection.edite...
Mobile App Security How Bahrain Development Companies Ensure Protection.edite...Mobile App Security How Bahrain Development Companies Ensure Protection.edite...
Mobile App Security How Bahrain Development Companies Ensure Protection.edite...
madhuri871014
 
Protecting Windows Networks From Malware
Protecting Windows Networks From MalwareProtecting Windows Networks From Malware
Protecting Windows Networks From Malware
Rishu Mehra
 
Ad

More from Mykhailo Antonishyn (7)

Arcantos - web applications pentest tools
Arcantos - web applications pentest toolsArcantos - web applications pentest tools
Arcantos - web applications pentest tools
Mykhailo Antonishyn
 
Правила_кибер_гигиены_при_работе_с_криптовалютами.pdf
Правила_кибер_гигиены_при_работе_с_криптовалютами.pdfПравила_кибер_гигиены_при_работе_с_криптовалютами.pdf
Правила_кибер_гигиены_при_работе_с_криптовалютами.pdf
Mykhailo Antonishyn
 
Правила_кибер_гигиены.pdf
Правила_кибер_гигиены.pdfПравила_кибер_гигиены.pdf
Правила_кибер_гигиены.pdf
Mykhailo Antonishyn
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
Mykhailo Antonishyn
 
Masters of transformation part 2
Masters of transformation  part 2Masters of transformation  part 2
Masters of transformation part 2
Mykhailo Antonishyn
 
Masterstvo transformacii part 1
Masterstvo transformacii  part 1Masterstvo transformacii  part 1
Masterstvo transformacii part 1
Mykhailo Antonishyn
 
Android application security assessment
Android application security assessmentAndroid application security assessment
Android application security assessment
Mykhailo Antonishyn
 
Arcantos - web applications pentest tools
Arcantos - web applications pentest toolsArcantos - web applications pentest tools
Arcantos - web applications pentest tools
Mykhailo Antonishyn
 
Правила_кибер_гигиены_при_работе_с_криптовалютами.pdf
Правила_кибер_гигиены_при_работе_с_криптовалютами.pdfПравила_кибер_гигиены_при_работе_с_криптовалютами.pdf
Правила_кибер_гигиены_при_работе_с_криптовалютами.pdf
Mykhailo Antonishyn
 
Правила_кибер_гигиены.pdf
Правила_кибер_гигиены.pdfПравила_кибер_гигиены.pdf
Правила_кибер_гигиены.pdf
Mykhailo Antonishyn
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
Mykhailo Antonishyn
 
Masters of transformation part 2
Masters of transformation  part 2Masters of transformation  part 2
Masters of transformation part 2
Mykhailo Antonishyn
 
Android application security assessment
Android application security assessmentAndroid application security assessment
Android application security assessment
Mykhailo Antonishyn
 
Ad

Standards and methodology for application security assessment

  • 1. Standards and methodology for application security assessment
  • 2. Agenda  ISO 27034  National Information Assurance Partnership (NIAP)  NIST SP 800-163  E-Com Security  OWASP MASVS  Statistics
  • 3. ISO 27034 – Information technology – Application security ISO/IEC 27034 offers guidance on information security to those specifying, designing and programming or procuring, implementing and using application systems, in other words business and IT managers, developers and auditors, and ultimately the end-users of ICT. The aim is to ensure that computer applications deliver the desired or necessary level of security in support of the organization’s Information Security Management System, adequately addressing many ICT security risks. This multi-part standard provides guidance on specifying, designing/selecting and implementing information security controls through a set of processes integrated throughout an organization’s Systems Development Life Cycle/s (SDLC). It is process oriented.
  • 4. National Information Assurance Partnership (NIAP) This document presents functional and assurance requirements found in the Protection Profile for Application Software which are appropriate for vetting mobile application software ("apps") outside formal Common Criteria (ISO/IEC 15408) evaluations. Common Criteria evaluation, facilitated in the U.S. by the National Information Assurance Partnership (NIAP), is required for IA and IA-enabled products in National Security Systems according to CNSS Policy #11. Such evaluations, including those for mobile apps, must use the complete Protection Profile. However, even apps without IA functionality may impose some security risks, and concern about these risks has motivated the vetting of such apps in government and industry.
  • 5. National Information Assurance Partnership (NIAP) 1.3.1. Random Bit Generation Services. 1.3.2. Storage of Credentials. 1.3.3. Access to Platform Resources. 1.3.4. Network Communications. 1.3.5. Encryption of Sensitive Application Data. 1.3.6. Supported Configuration Mechanism 1.3.7. Secure by Default Configuration. 1.3.8. Specification of Management Functions. 1.3.9. User Consent for Transmission of Personally Identifiable Information. 1.3.10. Use of Supported Services and APIs. 1.3.11. Anti-Exploitation Capabilities. 1.3.12. Integrity for Installation and Update. 1.3.13. Use of Third-Party Libraries. 1.3.14. Protection of Data in Transit.
  • 6. NIST SP 800-163 This document defines an app vetting process and provides guidance on planning and implementing an app vetting process, developing security requirements for mobile apps, identifying appropriate tools for testing mobile apps and determining if a mobile app is acceptable for deployment on an organization’s mobile devices. An overview of techniques commonly used by software assurance professionals is provided, including methods of testing for discrete software vulnerabilities and misconfigurations related to mobile app software.
  • 7. NIST SP 800-163  1.2.1 Incorrect Permissions. Permissions allow accessing controlled functionality such as the camera or Global Positioning System (GPS) and are requested in the program. Permissions can be implicitly granted to an app without the user’s consent.  1.2.2 Exposed Communications. Internal communications protocols are the means by which an app passes messages internally within the device, either to itself or to other apps. External communications allow information to leave the device.  1.2.3 Exposed Data Storage. Files created by apps on Android can be stored in Internal Storage, External Storage, or the Keystore. Files stored in External Storage may be read and modified by all other apps with the External Storage permission.  1.2.4 Potentially Dangerous Functionality. Controlled functionality that accesses system-critical resources or the user’s personal information. This functionality can be invoked through API calls or hard coded into an app.
  • 8. NIST SP 800-163  1.2.5 App Collusion. Two or more apps passing information to each other in order to increase the capabilities of one or both apps beyond their declared scope.  1.2.6. Obfuscation. Functionality or control flows that are hidden or obscured from the user. For the purposes of this appendix, obfuscation was defined as three criteria: external library calls, reflection, and native code usage.  1.2.7. Excessive Power Consumption. Excessive functions or unintended apps running on a device which intentionally or unintentionally drain the battery.  1.2.8. Traditional Software Vulnerabilities. All vulnerabilities associated with traditional Java code including: Authentication and Access Control, Buffer Handling, Control Flow Management, Encryption and Randomness, Error Handling, File Handling, Information Leaks, Initialization and Shutdown, Injection, Malicious Logic, Number Handling, and Pointer and Reference Handling.
  • 9. E-Com Security Application Security Assessments provide assurance that your mobile applications, web applications and APIs are secure. Leveraging our deep knowledge of the Tactics, Techniques and Procedures (TTP) threat actors use, our security consultants assess and test the state of your applications and provide actionable recommendations to enhance their security. A software “vulnerability” is an unintended flaw or weakness in the software that leads it to process critical data in an insecure way. By exploiting these “holes” in applications, cybercriminals can gain entry into an organization’s systems and steal confidential data.
  • 11. OWASP MASVS The MASVS is a community effort to establish a framework of security requirements needed to design, develop and test secure mobile apps on iOS and Android. MASVS contains three parts:
  • 12. OWASP MASVS The Mobile Application Security Verification Standard (MASVS): This standard document defines a mobile app security model and lists generic security requirements for mobile apps. It can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. Check controls:  V1: Architecture, Design and Threat Modeling Requirements  V2: Data Storage and Privacy Requirements  V3: Cryptography Requirements  V4: Authentication and Session Management Requirements  V5: Network Communication Requirements  V6: Platform Interaction Requirements  V7: Code Quality and Build Setting Requirements  V8: Resilience Requirements
• 13. OWASP MASVS The Mobile Security Testing Guide (MSTG): The MSTG is a manual for testing the security of mobile apps. It provides verification instructions for the requirements in the MASVS along with operating-system-specific best practices (currently for Android and iOS). The MSTG helps ensure completeness and consistency of mobile app security tests. It is also useful as a standalone learning resource and reference guide for mobile application security testers.
• 14. Statistics Digital Security compiled the following statistics on mobile applications:
 Application runs on a rooted device – 1/16.
 Password stored after the session ends – 1/16.
 Absence of 2FA – 3/16.
 Disclosure of information about the test environment – 4/16.
 Disclosure of the user's geolocation – 4/16.
 Possible data disclosure via backup – 5/16.
 Password retained in memory after the session ends – 5/16.
 No notification that the application is running on a rooted device – 12/16.
• 15. Statistics Cryptocurrency exchanger 1. Severity columns: High level vulnerabilities, Medium level vulnerabilities, Low level vulnerabilities, Information level vulnerabilities. Findings (in slide order):
 Sensitive data in logs
 SMS spam
 Session fixation
 Application uses old library
 Password brute force
 Mobile phone number enumeration
 SSL certificate potentially vulnerable
 Cross-origin resource sharing
 OTP returned in response
 No certificate and public key pinning
 Vulnerability in old version of WebView
 Absence of source code obfuscation
 Application data can be backed up
• 16. Statistics Cryptocurrency exchanger 2. Severity columns: High level vulnerabilities, Medium level vulnerabilities, Low level vulnerabilities, Information level vulnerabilities. Findings (in slide order):
 No certificate and public key pinning
 Application can run on a rooted device
 SSL certificate potentially vulnerable
 Application can be backed up
• 17. Statistics Cryptocurrency wallet 1. Severity columns: High level vulnerabilities, Medium level vulnerabilities, Low level vulnerabilities, Information level vulnerabilities. Findings (in slide order):
 Sensitive data in logs
 Absence of source code obfuscation
 Backup private key explicitly visible
 Application uses old library
 Sensitive data saved in local files
 Insecure communication – application uses HTTP
 No certificate and public key pinning
• 18. Statistics Cryptocurrency wallet 2. Severity columns: High level vulnerabilities, Medium level vulnerabilities, Low level vulnerabilities, Information level vulnerabilities. Findings (in slide order):
 Root and developer mode bypass
 Absence of source code obfuscation
 Application data can be backed up
 Vulnerability in old version of WebView
 Critical bug in money transfer
 Source code modification check
 No certificate and public key pinning
 Personal data in logs
 User enumeration
• 19. Statistics Mobile marketplace. Severity columns: High level vulnerabilities, Medium level vulnerabilities, Low level vulnerabilities, Information level vulnerabilities. Findings (in slide order):
 Two vulnerabilities – OTP value returned in response
 Absence of source code obfuscation
 Unrestricted user creation
 Four vulnerabilities – insecure direct object reference
 Cleartext password submission
 No certificate and public key pinning
 User info enumeration
 Password change attack
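Several findings that recur across the statistics slides (application data can be backed up, application uses HTTP, no certificate pinning declared) and the MASVS control groups V2, V5, V6 and V7 listed on slide 12 can be checked directly against an app's AndroidManifest.xml before any dynamic testing starts. The following is an added example written for this page, not OWASP's own tooling or a check from the MSTG; both manifests are constructed samples, and the assignment of each check to a MASVS control group is the example's reading of the V1–V8 headings, not an official mapping.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed weak manifest (not from the page or any real app): every
# attribute here is set the way the statistics slides report it being found.
WEAK_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallet">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:allowBackup="true"
               android:debuggable="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
  </application>
</manifest>
"""

# The same manifest with the weak settings corrected (also constructed).
HARDENED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallet">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:allowBackup="false"
               android:networkSecurityConfig="@xml/network_security_config">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="false"/>
  </application>
</manifest>
"""


def _attr(element, name, default=None):
    """Read an attribute from the android: namespace."""
    return element.get("{%s}%s" % (ANDROID_NS, name), default)


def manifest_findings(xml_text):
    """Return (MASVS control group, message) pairs for weak manifest settings.

    The control-group mapping is this example's own reading of the V1-V8
    headings, not OWASP's mapping.
    """
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []

    # V2 data storage: allowBackup defaults to true when absent, so app data
    # ends up in device/cloud backups unless it is explicitly disabled.
    if _attr(app, "allowBackup", "true") == "true":
        findings.append(("V2", "allowBackup is not disabled: application data can be backed up"))

    # V5 network: cleartext HTTP explicitly permitted. (When the attribute is
    # absent the platform default depends on targetSdkVersion, which this
    # check does not inspect; a network_security_config should set the policy.)
    if _attr(app, "usesCleartextTraffic", "false") == "true":
        findings.append(("V5", "usesCleartextTraffic=true: HTTP traffic is allowed"))
    if _attr(app, "networkSecurityConfig") is None:
        findings.append(("V5", "no networkSecurityConfig: pinning, if any, is not declared here; verify it in code"))

    # V6 platform interaction: an exported activity with no intent-filter is
    # reachable by any other app on the device, usually unintentionally.
    for activity in app.iter("activity"):
        if _attr(activity, "exported") == "true" and activity.find("intent-filter") is None:
            findings.append(("V6", "%s is exported without an intent-filter" % _attr(activity, "name")))

    # V7 build settings: a debuggable build lets a debugger attach to the process.
    if _attr(app, "debuggable", "false") == "true":
        findings.append(("V7", "android:debuggable=true in a release manifest"))

    return findings


if __name__ == "__main__":
    for control, message in manifest_findings(WEAK_MANIFEST):
        print(control, message)
    print("hardened manifest findings:", manifest_findings(HARDENED_MANIFEST))
```

Run it against the manifest pulled from an APK (after decoding the binary XML) to get the V2/V5/V6/V7 items that need no device at all; the remaining findings on the slides (sensitive data in logs, OTP returned in a response, enumeration) still require dynamic testing against the running app and its API.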
• 20. References Based on the research results, it can be concluded that the ISO/IEC 27034 standard requires that vulnerability testing be carried out, but it does not specify what should be tested for vulnerabilities or how. NIST and NIAP both refer to OWASP MASVS and contain controls against which a mobile application is tested, mainly focusing on vulnerabilities in data storage and authorization. This is confirmed by the statistics provided by Digital Security. The most widely recognized standard is MASVS; one of its parts describes what to test and how. It should be noted that all of the standards assess vulnerabilities related to interaction with the API rather weakly. As can be seen from the tests described in Section 2.2, the most critical vulnerabilities are those associated with interaction with the application server.