Tag Archives: security

Software testing lifecycle: Dealing with security

Addressing security is an essential step in the software testing lifecycle. Yet many QA professionals remain reluctant to assume some responsibility for it. Although security testing can be complex, it is important for software testers to understand the security risks of the applications they test and acquire skills to develop test cases that will expose security vulnerabilities. In this tip, we will look at ways the software test professional can get started with risk-based security testing.

Risk-based thinking
As technology has evolved, security has become an increasingly large concern in the software testing lifecycle. With increased connectivity using the Internet, smartphones, refrigerators, cars and devices of every sort, the risk of security breaches increases, too. At the same time, the growing complexity and extensibility of systems adds to security testing challenges.

As SearchSoftwareQuality site editor Jennifer Lent writes in "Security testing basics: QA professionals take the lead," test professionals are being asked to assume some responsibility for security testing basics. Testers need to use risk-based thinking to assess areas of the code that are at highest risk for security breaches. Start by understanding the probability that a breach might occur, as well as the potential impact of a breach. Areas at highest risk are those with the greatest impact and greatest probability of occurring.

In order to address security concerns most effectively, testers need to work closely with developers, and that involves some exposure to the code. The entire team should be thinking about security early in the development cycle. Requirements and design need to take security into account, and unit testing must be expanded to include security tests.

The first step is to understand the business risks that might be exposed by the application. Is there a possibility of a financial loss? Is there a security exposure that might result in a liability? Tie technical risks to the business. What business losses could potentially result from a technical failure?

Understanding common attacks
Software developers often use patterns to group areas of commonality. There are design patterns, code patterns and also attack patterns. CAPEC (Common Attack Pattern Enumeration and Classification), which is international in scope, provides a community-developed taxonomy of common methods used to exploit software. As technologies evolve, so do the attack patterns, so the list is constantly changing. However, it is useful for software testers to become familiar with the top attack patterns and understand the circumstances in which they occur.

Understanding attack patterns will help you see where your code is most vulnerable and who is most likely to attack. Once you understand this, you will be able to put the proper defense mechanisms in place.

Web-based applications are easy targets for security breaches, so those who test Web-based applications should understand the most common types of attacks, such as SQL injection and cross-site scripting (XSS).
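As an added example (not code from the original article), here is how a tester can turn the two attack types just named into repeatable test cases: a login lookup and a comment renderer are hypothetical functions written here in a vulnerable and a hardened form, and each probe is expected to fail against the hardened one.

```python
"""Security test cases for SQL injection and XSS probes.

Added example, not from the original article. The login lookup, the comment
renderer and the sample database are hypothetical and constructed here so
the tests have something to run against.
"""
import html
import sqlite3


def make_db():
    """Constructed in-memory sample database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query by string concatenation: user input becomes SQL."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn, name, password):
    """Same lookup with bound parameters; input is never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def render_comment_vulnerable(text):
    """Inserts user text into HTML verbatim."""
    return "<p>" + text + "</p>"


def render_comment_hardened(text):
    """Encodes <, >, &, quotes before the text reaches the page."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


# Probes a tester would feed each function. The expected result for every
# probe is: no login without valid credentials, no raw markup in the output.
SQLI_PROBES = [
    ("alice", "' OR '1'='1"),
    ("alice' --", "anything"),
    ("' OR 1=1 --", ""),
]
XSS_PROBES = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
]


def sqli_findings(login):
    """Return the probes for which `login` returned a user although no valid
    password was supplied. An empty list means the function passed."""
    conn = make_db()
    findings = []
    for name, password in SQLI_PROBES:
        try:
            rows = login(conn, name, password)
        except sqlite3.Error:
            rows = []  # a SQL syntax error is a failed probe, not a bypass
        if rows:
            findings.append((name, password, rows))
    return findings


def xss_findings(render):
    """Return the probes whose raw markup survived unencoded in the output."""
    return [probe for probe in XSS_PROBES if probe in render(probe)]
```

Run the two finding functions against both forms: the vulnerable versions report every probe, the hardened versions report none.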

Checklists, tools and other resources
Another technique for uncovering security risks is a checklist that helps evaluate the security of your application. For example, the Security At a Glance checklist covers items such as financial loss, number of users, security policies, use of logins, security training and so on. This checklist is included in the book Secure Coding: Principles and Practices.

Of course, there are a variety of tools that will help with detecting security vulnerabilities as well. Static code analysis tools scan an application and highlight possible vulnerabilities in the code. Other resources include OWASP, the Open Web Application Security Project, which provides the global community with insights into security risks. The OWASP website offers a wealth of information for the security tester and includes many educational resources to help software professionals stay informed, including a Getting Started page, which will help those who are new to the field.

Source: http://searchsoftwarequality.techtarget.com/tip/Software-testing-lifecycle-Dealing-with-security

Where Does Security Stand On Mobile Cloud Computing?

Arguably, security is still one of the most significant concerns of Cloud customers. As more and more businesses move their mainstream Cloud-based IT operations onto Mobile-ready applications, new security vulnerabilities are being opened up in organizations.

Although the adoption of Cloud and Mobile computing keeps growing, with the majority of organizations and enterprises following this trend, it is still vitally important for the general public to understand the consequences of a cyber-attack and to plan ahead to counter such incidents.

The Verdict

Although organizations seem quite concerned about the impending security threats that come with Mobile Cloud Computing, they fear such incidents will arise mainly via Mobile apps that have not been sanctioned by their IT departments. But there are other factors besides the role that IT can play here. Reckless actions by employees, as well as decisions by a Cloud Service Provider that are outside the organization's control, can also damage an organization's reputation, in spite of the many security control points in place. The Cloud and the Mobile can seriously affect organizations if not handled with caution.

In the U.K. alone, financial losses from cyber-attacks have been estimated at £27bn a year. With figures that high, corporate brands, business leaders and entrepreneurs need to address this issue with extreme urgency and put measures in place so that they can respond quickly.

While the facts paint a frightening picture of the Mobile Cloud Computing environment, there have been many happily-ever-afters too. By nature, the Cloud is no Oliver Twist. The Cloud is easy to adopt, and with Mobile First strategies gaining ground, the two had to offer something beyond independent solutions; the close relationship between the Cloud and the Mobile is a testament to that idea. The ease with which Mobile can adopt the Cloud makes it an appealing prospect for organizations, and many are now planning to increase their use of Mobile-ready Cloud applications. Still, seventy percent of such businesses admit that they use applications that are sanctioned by their own IT departments. This was found in a survey of two hundred IT business professionals on the adoption of Mobile-ready Cloud applications and the security issues that come with them, conducted by OneLogic and FlyingPenguin.

The Present Era

We all take part in Cloud Computing today in one way or another, often without realizing it. Email, messaging, online gaming and social networking, even online tax forms, transactions and credit card payments: all of this has been a revolution that has made "Mobility" a synonym for "Cloud". However, this is only the beginning.

It is also known that Cloud applications are used from nearly 80 percent of smartphones, 71 percent of tablets and, again, 80 percent of non-organizational computers. Apart from hacks and data interception, it is high time for these users to raise concerns about identity theft, governance and complexity.

Various companies admit that their employees share credentials with co-workers for various Cloud-ready apps through smartphones, and that employees are still able to log in even after leaving the premises.

We know that the future will be held by virtual reins, all accessible through smart handheld devices. It is essential for organizations to curb the use of unsanctioned apps and to restrict the sharing of valuable credentials via smartphones, and to do so quickly.

It is no secret that organizations need to improve the security of their Cloud apps (not to mention eliminating the use of Cloud apps without their consent) and find solutions that are flexible and allow the on-premise addition of more Cloud apps.

The Solution

With new security threats constantly emerging, some companies have also evolved their methodology for dealing with these risks. Now it is all about "digital hygiene", and according to research most companies now employ full-time security teams. In the past, only 43% of businesses had adequate security measures. Now more companies are re-examining Cloud security in a more systematic way. However, many organizations still implement such security policies only after an incident or because of a new regulation.

These days, many smart organizations are pursuing a three-dimensional approach to securing their Cloud architecture against breaches. Previously, businesses felt that installing technical devices alone would meet their security needs, only to see them bypassed all at once. Now the key to security is split three ways: 25% technical aspects, 50% internal organizational aspects and the rest regulatory and legal. VPN services may also shine here in securing your Cloud architecture when it is accessed via mobiles, tablets and so on; the strong encryption that a VPN provides is well suited to safeguarding data in transit from mobile phones. This three-dimensional security approach is what businesses need to rely on.

Businesses also need to encourage training sessions for their employees to make them aware of the underlying security threats and vulnerabilities. Organizations also need to establish strict IT security rules, setting parameters that cannot be bypassed by staff. Security management also needs to be in complete coordination with general management, and must remember to update existing security procedures consistently.

Conclusion

There is no doubt that Mobile Cloud computing is not without risks. However, with scrutiny and effort from the companies involved in this profitable prospect, these risks are addressable and manageable. Once such issues are solved and companies adopt the three-legged security methodology, their IT processes are sure to run smoothly, providing numerous benefits to the company.

Source: http://www.cloudtweaks.com/2013/04/where-does-security-stand-on-mobile-cloud-computing/

The New Normal: Security Metrics and Cloud Computing

Just a few short years ago, cloud seemed like a far-away thought for businesses, a “nice to have” rather than a “need to have.” Now, cloud is becoming the new normal. Organizations of all sizes are seeing the benefits of cloud. However, as businesses move to the cloud, they must do so safely, and with a well thought-out plan in place. To achieve a safe cloud environment, however, the IT industry needs to enforce rigorous cloud strategies around the protection of policy, information, people and infrastructures. This includes implementing security metrics.

According to the Symantec 2013 Hidden Costs of Cloud survey, rogue cloud deployments are one of the pitfalls of the cloud. It is a surprisingly common problem, found in more than 77 percent of businesses within the last year. It also seems to be an issue experienced more by enterprises (83 percent) than SMBs (70 percent).

Among organizations who reported rogue cloud issues, 40 percent experienced the exposure of confidential information, and more than a quarter faced account takeover issues, defacement of Web properties, or stolen goods or services. And yet the most commonly cited reasons for rogue cloud projects were to save time and money.

This is where implementing security metrics in the organization relating to cloud can help measure, analyze and manage risk. In addition to an organization managing data, customers and business requirements, they now need to keep an eye on their cloud vendors’ security. The organization needs to know all the layers of security and exactly which assets they own in the cloud, and what is accessed both locally and remotely.

So what can cloud security metrics provide?

+ Cloud metrics provide visibility for the company, both into the cloud provider and into itself.

+ Cloud metrics educate and provide a common language for understanding the information security program as applicable to the cloud vendor and to the company.

+ Cloud metrics motivate both the cloud provider and the company to improve.

From a security metrics point of view, while cloud computing may be the new normal, with shared responsibilities as the new cloud security model, some things haven’t changed.

+ Both an organization and its vendor will measure security. Organizations need to define who is doing what.

+ Both an organization and its vendor will manage functional components of an information security program.

+ Security work is never finished. Cloud computing should motivate both an organization and its cloud vendor to assess the threat landscape and what new or different security threats exist in the cloud.

+ In order to correctly assess responsibility, three service models for cloud computing (SaaS, PaaS, IaaS) can be viewed as a stack, with platform building on infrastructure and software building on both infrastructure and platform.

The need for security metrics in the cloud is not much different from the need for security metrics in general. Everyone in the cloud, vendor and purchaser alike, will need to measure the effectiveness of security controls and show their accountability to each other and to regulatory bodies. In the past, there was little benefit for companies to share security metrics, as there were risks in doing so. With cloud computing and a world of shared accountabilities across virtual, physical and geographic boundaries, we need to find ways to share information between vendor and tenant across the industry in responsible ways. This implies we need to remove some of the roadblocks to success and work on areas such as common definitions for terms, common metrics deployed in a consistent manner, and a consistent reporting framework. Industry bodies such as the Cloud Security Alliance, of which Symantec is a member, are helping to achieve these goals, and many security practitioners are volunteering their time and talent.

In addition, solutions to protect cloud data keep getting stronger. Symantec O3 enables its partners and customers to embrace the business agility and cost advantages of the cloud. O3 offers a single point of identity and access control, and related policies, for cloud apps on all endpoints. O3 is also easily integrated with existing identity stores and various cloud app authentication schemes, and offers simple cloud single sign-on for users.

For information security practitioners, an important first step is to establish a baseline that is appropriate for the business to determine what is the new normal for security in cloud computing. Businesses will need to make decisions based on concrete data, and a comprehensive security metrics program can support important planning and decision making, and drive beneficial changes in an organization.

Source: http://www.indefenseofdata.com/2013/02/the-new-normal-security-metrics-and-cloud-computing/

Cloud Computing And Banking Security

Those who still worry about cloud security are largely the ones that fall under the financial institution category: banks, brokers, lenders and the like. They do not trust third-party cloud computing providers and vendors, at least not with their most sensitive information and data. They might use cloud computing for things like websites and applications where they think they can risk some security exposure, but they would never consider parting with direct control of their financial and other similar data.

The biggest reason behind this is simpler than most would imagine: it has to do with numbers and probability, though they probably would not admit it is something that basic and would rather cite a technical issue such as migration or data integrity. Those are valid points, but they are not really problems. With the ease and security of data migration through cloning and inter-server data transfers with services like Cloud Velocity, migration is a no-pain, no-worry process. The real reason, as I have said, is the probability of a successful attack. Government systems and financial data systems are under attack multiple times a day, and a sizeable majority of these attacks fail at the first lines of defense. The probability of a successful attack is always real, and it increases as the number of attempts increases.

When data systems reside behind closed and secret doors, very few people can access them, let alone know about them. The moment that data resides in the cloud, however, a sign bearing the words "Step right up! Take your chance to earn millions of dollars!" goes up as well; it is inherently an invitation to attackers of all skill levels to at least try, and inevitably some unscrupulous individual will succeed. A basic analogy is keeping a jar of cookies on a high table when there are a lot of kids around, as opposed to keeping it out of reach and out of sight inside the cupboard.

In this case, it's not a matter of technology but a matter of probability. No matter how advanced your security measures are, locks made by people can be opened by other people, so it is best to keep the number of those who try to a minimum.

Source: http://www.cloudtweaks.com/2013/02/cloud-computing-and-banking-security/

9 top threats to cloud computing security

Cloud computing has grabbed the spotlight at this year's RSA Conference 2013 in San Francisco, with vendors aplenty hawking products and services that equip IT with controls to bring order to cloud chaos. But the first step is for organizations to identify precisely where the greatest cloud-related threats lie.

To that end, the CSA (Cloud Security Alliance) has identified "The Notorious Nine," the top nine cloud computing threats for 2013. The report reflects the current consensus among industry experts surveyed by CSA, focusing on threats specifically related to the shared, on-demand nature of cloud computing.

First on the list is data breaches. To illustrate the potential magnitude of this threat, CSA pointed to a research paper from last November describing how a virtual machine could use side-channel timing information to extract private cryptographic keys in use by other VMs on the same server. A malicious hacker wouldn't necessarily need to go to such lengths to pull off that sort of feat, though. If a multitenant cloud service database isn't designed properly, a single flaw in one client's application could allow an attacker to get at not just that client's data, but every other client's data as well.
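The multitenant scenario above as an added test case (not from the CSA report or the article): a hypothetical document lookup in an unscoped and a tenant-scoped form, with a check that no caller can read another tenant's row simply by supplying its id.

```python
"""Tenant-isolation test for a shared multitenant table.

Added example, not from the CSA report or the article. The table layout,
the sample rows and the two lookup functions are hypothetical and
constructed here.
"""
import sqlite3

# Constructed sample rows: two tenants sharing one database.
ROWS = [
    (1, "tenant-a", "A's quarterly report"),
    (2, "tenant-b", "B's customer list"),
    (3, "tenant-a", "A's invoice"),
]


def make_db():
    """In-memory database populated with ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER, tenant TEXT, body TEXT)")
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", ROWS)
    return conn


def get_document_unscoped(conn, caller_tenant, doc_id):
    """Looks the row up by id alone. The caller's tenant is ignored, so any
    client bug that passes another client's id returns that client's row."""
    return conn.execute(
        "SELECT tenant, body FROM documents WHERE id = ?",
        (doc_id,)).fetchone()


def get_document_scoped(conn, caller_tenant, doc_id):
    """The tenant from the authenticated session is part of every WHERE
    clause, so a foreign id matches nothing regardless of the app's bugs."""
    return conn.execute(
        "SELECT tenant, body FROM documents WHERE id = ? AND tenant = ?",
        (doc_id, caller_tenant)).fetchone()


def cross_tenant_leaks(fetch):
    """Test case: for every (caller, document) pair where the document belongs
    to a different tenant, `fetch` must return None. Returns the leaks found."""
    conn = make_db()
    tenants = sorted({owner for _, owner, _ in ROWS})
    leaks = []
    for caller in tenants:
        for doc_id, owner, _ in ROWS:
            if owner == caller:
                continue
            if fetch(conn, caller, doc_id) is not None:
                leaks.append((caller, doc_id, owner))
    return leaks


def own_documents_readable(fetch):
    """Companion check so a lookup cannot pass by returning nothing at all."""
    conn = make_db()
    return all(fetch(conn, owner, doc_id) is not None
               for doc_id, owner, _ in ROWS)
```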

The challenge in addressing these threats of data loss and data leakage is that "the measures you put in place to mitigate one can exacerbate the other," according to the report. You could encrypt your data to reduce the impact of a breach, but if you lose your encryption key, you'll lose your data. However, if you opt to keep offline backups of your data to reduce data loss, you increase your exposure to data breaches.

The second-greatest threat in a cloud computing environment, according to CSA, is data loss: the prospect of seeing your valuable data disappear into the ether without a trace. A malicious hacker might delete a target’s data out of spite — but then, you could lose your data to a careless cloud service provider or a disaster, such as a fire, flood, or earthquake. Compounding the challenge, encrypting your data to ward off theft can backfire if you lose your encryption key.

Data loss isn’t only problematic in terms of impacting relationships with customers, the report notes. You could also get into hot water with the feds if you’re legally required to store particular data to remain in compliance with certain laws, such as HIPAA.

The third-greatest cloud computing security risk is account or service traffic hijacking. Cloud computing adds a new threat to this landscape, according to CSA. If an attacker gains access to your credentials, he or she can eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites. "Your account or services instances may become a new base for the attacker. From here, they may leverage the power of your reputation to launch subsequent attacks," according to the report. As an example, CSA pointed to an XSS attack on Amazon in 2010 that let attackers hijack credentials to the site.

Source: http://www.infoworld.com/t/cloud-security/9-top-threats-cloud-computing-security-213428

IBM Dives Head First Into Mobile

IBM last week unveiled an expansive new strategy to deliver mobile business solutions under MobileFirst, its new brand of software and services for delivering apps on smartphones and tablets. With MobileFirst, IBM seeks to bring together all of the elements required by an enterprise to successfully roll out mobile solutions, including development, deployment, device management, and security tools. And, IBM being IBM, it also includes a healthy dose of professional services, but no apparent IBM i hooks at this time.

MobileFirst is an umbrella brand that brings together many pieces of software that already existed in IBM’s portfolio, but it introduces some new software as well. There are literally dozens of products parked under the new MobileFirst banner, including products from familiar IBM brands like WebSphere, Rational, Domino, Tivoli, and Cognos. Recent IBM acquisitions, like Q1 Labs (security), Emptoris (expense and expenditure management), and Tealeaf (customer experience management) also play a part.

IBM breaks MobileFirst products down into four main categories, including MobileFirst Platform, MobileFirst Security, MobileFirst Management, and MobileFirst Analytics. Within these four, there are no less than 28 individually named products and services sitting under Big Blue’s new mobile umbrella. Simplicity has never been IBM’s strong suit, and apparently it’s not going to start now.

The key product under the new MobileFirst Platform is Mobile Foundation, a pre-existing suite that previously combined three tools but now appears to sport only two: Worklight, an HTML 5 mobile application development and runtime environment that includes a Java-based server component and an Eclipse-based studio; and WebSphere Cast Iron, an integration framework for connecting on-premise and cloud applications and systems.

Worklight, you will remember, is on the short list of IBM apps that several prominent IBM i experts, including Roxanne Reynolds-Lair, the Power Systems champion and CIO of the Fashion Institute of Design and Merchandising, want running and supported on IBM i. The work done by Reynolds-Lair and another Power Systems champion, Steve Pitcher, was instrumental in getting other new IBM offerings supported on the platform, including Notes Traveler and IBM Connections, both of which IBM has committed to supporting on IBM i.

And lo! What do we have here but an IBM announcement letter on February 19 for Worklight version 5.0.6. Could it, would it, include a statement of direction in support of IBM i? As diligent readers scroll down, they read:

"IBM intends to provide additional platform support for the IBM Worklight product offerings in response to customer feedback and market demand…IBM anticipates extending support to IBM System z hardware and the IBM z/OS operating system in the future." Actually, IBM committed to supporting z/OS with Worklight back in September, so this isn’t news. What is disheartening is that Worklight apps can be served up from z/OS, Windows, AIX, Solaris, Linux, and Mac OS–every "major" business OS but IBM i (and HP-UX).

Worklight isn’t the only component of MobileFirst Foundation. IBM CLM [collaborative lifecycle management] suite, which in turn is composed of Rational Requirements Composer, Team Concert, and Quality Manager, is also a part of MobileFirst Foundation. Others include Rational Test Workbench; Web Experience Solutions; Lotus Domino Designer; and WebSphere MQ.

MobileFirst Management is based largely on IBM Endpoint Manager for Mobile Devices, which previously was called just Endpoint Manager when it was part of the Mobile Foundation. Endpoint Manager is a Windows/SQL Server-based app that enables businesses to adopt "bring your own device" (BYOD) strategies, and supports all popular mobile platforms, including iOS, Android, Blackberry, Windows Mobile, Windows Phone, and Symbian. MobileFirst Management also includes Tivoli Netcool/OMNIbus, WebSphere Datapower, and Emptoris Rivermine Telecom Expense Management.

MobileFirst Security includes a new release of Security AppScan that has been gussied up to spot potential vulnerabilities in iOS apps; it previously supported Android. The Security Access Manager for Cloud and Mobile component delivers single sign-on (SSO) capability for mobile apps–definitely a nice thing to have in enterprise environments. Integration with the security information and event management (SIEM) product QRadar is also part of MobileFirst Security, turning tablets and smartphones into listening posts to detect the activities of hackers and cybercriminals, while Mobile Connect establishes a virtual private network (VPN) connection between a mobile device and a server.

On the analytics front, IBM has crammed several apps into the MobileFirst Analytics boat, including: Tealeaf CX Mobile, for detecting potential problems in the mobile user's experience; Mobile Commerce, for mobile e-commerce; and Cognos Mobile, for accessing Cognos reports, dashboards, and metrics from mobile devices.

Bringing all these tools to bear on customers’ mobile strategies may be difficult, but never fear: IBM Global Services is here! MobileFirst has a wide array of services components, including: mobile application development; integration with back-office systems; infrastructure and planning; network integration; running mobile apps from the cloud; and embedding unified communications and collaboration (UCC) capabilities into mobile apps.

IBM also unveiled a new partnership with AT&T to integrate Worklight apps with AT&T’s cloud APIs. There’s also a new program called "Ready for IBM MobileFirst" to get ISVs going with the new brand, and new initiatives with colleges, too. IBM financing also got into the MobileFirst act.

It is almost as if every department in IBM gets to play a part in MobileFirst, which is undoubtedly what led IBM to call MobileFirst the first "true end-to-end mobile solution" that businesses can use to "transform their entire business model." Considering that most of the tools already existed in IBM’s portfolio, that claim is a stretch. (It is even more of a stretch unless IBM has done the hard work to integrate the tools, not only from a functional aspect, but from a licensing aspect, too). Every organization will have specific needs as it relates to mobile, so there will never be a one-size-fits-all solution, despite whatever messaging IBM’s marketing committees agree on.

With so many components in MobileFirst, it is likely that any given organization will find something that addresses at least some of its mobile needs. And customers can even look outside of the MobileFirst family, to tools such as Rational Application Developer and Rational Business Developer, which gained Dojo X Mobile support in 2011, but which missed the first departure of the MobileFirst train.

It is clear that MobileFirst represents the product branding that IBM is using for its smartphone and tablet computing solutions, and it will undoubtedly evolve in the future. Now all that IBM needs to do is support IBM i with Worklight–the foundational element of MobileFirst–and it will have piqued the attention of 150,000 of its best customers.

Source: http://www.itjungle.com/tfh/tfh022513-story05.html

IBM brings iPhone mobile security to the enterprise

IBM has launched new software to help developers secure code and data in iPhone and iPad apps.

AppScan Source 8.7 for iOS searches through app code and alerts developers when it finds flaws.

The software also analyses apps that employees may want to use on Apple devices for vulnerabilities and alerts IT security staff to potential threats.

Big Blue said the software would improve security without sacrificing time to market for mobile apps.

Citing Gartner figures, IBM said more than 45.6 billion mobile apps were downloaded in 2012, which is why securing smartphones and other endpoint devices should be a top priority for organisations.

IBM developed AppScan Source by looking at over 40,000 mobile APIs for iOS apps using Apple’s iOS Software Development Kit.

These API profiles have been added to the IBM AppScan Source Security Knowledgebase and tied to the analysis engine.

The software also features complete language support for Objective-C, JavaScript and Java and includes the ability to do call and data flow analysis that will generate trace information. This new capability enables organisations to build secure enterprise mobile apps, regardless of technology choice, for employees and partners.

One of the companies that has been trying out AppScan Source for iOS is mobile technology firm KiwiTech.

Rakesh Gupta, chief executive of KiwiTech, said his firm had developed hundreds of apps for iOS and Android and as the risk from mobile malware and data leakage grows, “our customers are looking for ways to secure their iOS and Android apps and protect corporate data.”

Gupta said the software would help his company “proactively secure mobile apps and automate security testing to ensure our customers can keep pace with constant updates."

Caleb Barlow, director of Application, Data and Mobile Security at IBM, said the new capability would help clients incorporate “security into their infrastructure and solutions from the design, development and testing phases rather than leaving security to become an afterthought.”

AppScan Source for iOS will be available from 25 March. IBM launched its AppScan range of products in 2008, following the $2.1 billion acquisition of Rational Software. It has previously launched a version of the software that scans Android apps.

Source: http://www.itpro.co.uk/smartphones/19276/ibm-brings-iphone-mobile-security-enterprise

iPhone lock screen hack prompts another Apple patch

Apple is once again promising to patch iOS 6.1 – this time to address a serious security flaw that allows thieves to bypass the iPhone’s lock screen.

Earlier this week Apple released iOS 6.1.1 to address a flaw that left iPhone 4S users struggling to connect to 3G networks after the upgrade to iOS 6.1. Apple has also promised a further iOS 6.1 patch to fix a problem that sees the phone repeatedly pinging Exchange servers, draining the device’s battery.

Now another more serious bug has emerged, which allows phone thieves to bypass the lock screen on the iPhone 5 without entering the correct PIN code. The rather convoluted method involves making, and then quickly terminating, an emergency phone call, before holding down the power button twice. The hack could give thieves access to a user’s contacts, voicemail and phone call history.

A YouTube video demonstrating the attack (captioned "iphone lock screen") was embedded at this point in the original article.

An Apple spokesperson told All Things Digital that the company "takes user security very seriously" and that it "will deliver a fix in a future software update".

Source: http://www.pcpro.co.uk/news/security/379981/iphone-lock-screen-hack-prompts-another-apple-patch


Mobile app security: Always keep the back door locked

In the 1990s, client-server was king. The processing power of PCs and the increasing speed of networks led to more and more desktop applications, often plugging into backend middleware and corporate data sources. But those applications, and the PCs they ran on, were vulnerable to viruses and other attacks. When applications were poorly designed, they could leave sensitive data exposed.

Today, the mobile app is king. The processing power of smartphones and mobile devices based on Android, iOS, and other mobile operating systems combined with the speed of broadband cellular networks have led to more mobile applications with an old-school plan: plug into backend middleware and corporate data sources.

But these apps and the devices they run on are vulnerable… well, you get the picture. It’s déjà vu with one major difference: while most client-server applications ran within the confines of a LAN or corporate WAN, mobile apps are running outside of the confines of corporate networks and are accessing services across the public Internet. That makes mobile applications potentially huge security vulnerabilities—especially if they aren’t architected properly and configured with proper security and access controls.

Speed (to market) kills

Today we have tools like PhoneGap and Appcelerator's Titanium platform, as well as a host of other development tools for mobile platforms, that resemble in many ways the integrated development tools of the client-server era (such as Visual Basic and PowerBuilder). So individual developers and small development teams can quickly crank out new mobile apps that tie to Web services, hooking them to backend systems spun up on Amazon's cloud at high speed.

But unfortunately, they all too often do so without considering security up front, creating the potential for exploitation. While a lot of attention has been paid to security on the device itself, the backend connection is just as, if not more, vulnerable.

If companies are lucky, like Montreal-based SkyTech Communications, those holes merely produce public embarrassment. When a computer science student at a vocational college used a freely downloaded security scanner on SkyTech’s mobile app (which allows students to access their records and register for classes), he found major security flaws in the application. These flaws allowed anyone to gain access to students’ personal information.

Small developers aren’t the only ones who can get caught by their mobile app backends. Take, for example, General Motors’ sudden leap forward with its OnStar Web API. The company was forced to accelerate a public API effort when it discovered an enterprising Chevy Volt owner had reverse-engineered its mobile application API for retrieving vehicle statistics from OnStar’s data centers for personal use. Fortunately, he wasn’t malicious. But he did build a website for other drivers to do the same—which potentially exposed personal data in the process by using those drivers’ OnStar account logins, in violation of GM’s privacy rules. The site now runs on a new, more secure API.

Keeping the client (mostly) dumb

"This sort of thing has been a problem since computers started talking to each other," said Kevin Nickels, the president and CEO of "backend as a service" provider FatFractal. To prevent these sorts of problems—or worse—developers need to address issues like security and access control early on. "Too often, developers try to address these after the fact, and not from the very beginning," Nickels explained.

One of the key elements of security design in mobile applications is making sure that the client—the phone app itself, or the browser app—does very little processing. "The general best practice is to let the code on the device do as little as possible," said Danny Boice, the co-founder and CTO of Speek, a cloud-based conference call service that works through native mobile clients and Web browsers. (Boice is also a former executive in charge of Web and mobile development for the SAT testing company, The College Board.) "There are things on a person’s phone that you can’t control. We put most of the heavy lifting off of the client, because you can control what the application sends and receives."

It’s especially important to handle all data integration with other services on the backend and not on the mobile device, says Nickels. "Ads exposed in an app, for example, could have malicious code. We recommend people do that sort of integration via the backend. That way, things coming from outside the app won’t have any access to any system resources at all."

Dan Kuykendall, Co-CEO and chief technology officer of security testing firm NT Objectives, said the less mobile apps store and process data on the client device, the better. "A lot of developers think, ‘The only traffic that’s going to come in is from my mobile app’," Kuykendall explained. "And they build logic into the mobile client"—building queries to be sent to the backend systems and processing raw data sent back. But requests from the app can easily be "sniffed" by someone who has the application on a device of their own, by malicious software on the device that might monitor outbound traffic, or by someone maliciously monitoring what comes off mobile devices. "You don’t want the app passing SQL statements back to the backend," Kuykendall said. "That’s crazy." But as he says, that’s also all too common.
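The two designs Kuykendall contrasts, side by side, as an added example that is not code from the article or from any of the companies it quotes. The "fat client" handler executes whatever SQL the phone sends; the thin-client handler accepts only a named action, owns the SQL itself, binds parameters, and takes the caller's identity from a server-side session rather than from the request. The users and session tables, the token `tok-alice` and the `my_profile` action are constructed sample data for the demonstration.

```python
import json
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed sample data: two users and one valid session token."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, ssn TEXT);
        INSERT INTO users VALUES (1, 'alice@example.com', '111-11-1111');
        INSERT INTO users VALUES (2, 'bob@example.com',   '222-22-2222');
        CREATE TABLE sessions (token TEXT PRIMARY KEY, user_id INTEGER);
        INSERT INTO sessions VALUES ('tok-alice', 1);
    """)
    return db


def fat_client_handler(db: sqlite3.Connection, request_json: str):
    """Anti-pattern: the phone assembles the query and the backend runs whatever
    arrives. Anyone who sniffs the traffic or reverse-engineers the app can
    replay the request with their own SQL."""
    req = json.loads(request_json)
    return db.execute(req["sql"]).fetchall()


# Thin-client design: the phone may only name an action. The backend owns the
# SQL, binds parameters, and derives the subject from the session token.
ACTIONS = {
    "my_profile": "SELECT id, email FROM users WHERE id = ?",
}


def thin_client_handler(db: sqlite3.Connection, request_json: str):
    req = json.loads(request_json)
    row = db.execute("SELECT user_id FROM sessions WHERE token = ?",
                     (req.get("token"),)).fetchone()
    if row is None:
        raise PermissionError("invalid or missing session token")
    sql = ACTIONS.get(req.get("action"))
    if sql is None:
        # Raw SQL, or any action not on the allow-list, never reaches the database.
        raise ValueError("unknown action")
    # Identity comes from the session row, so a client-supplied user_id is ignored.
    return db.execute(sql, (row[0],)).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    honest = json.dumps({"sql": "SELECT id, email FROM users WHERE id = 1"})
    print(fat_client_handler(db, honest))
    # The same request after editing the sniffed SQL: every user's SSN comes back.
    tampered = json.dumps({"sql": "SELECT email, ssn FROM users"})
    print(fat_client_handler(db, tampered))
    print(thin_client_handler(db, json.dumps({"token": "tok-alice", "action": "my_profile"})))
```

The thin-client handler still needs the usual server-side authorization on each action; the point here is that neither the query text nor the identity it runs under is something the device gets to choose.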

The most basic hardening for mobile applications is to encrypt traffic to the backend, at a minimum with SSL/TLS. But TLS by itself isn't enough, because of how mobile devices connect. Many smartphones automatically rejoin open Wi-Fi networks they remember, which makes it relatively easy to get them to attach to a rogue access point acting as a TLS proxy, decrypting and re-encrypting traffic while recording everything that passes through. TLS usually protects browser sessions on PCs, but some mobile apps are vulnerable because they rely on WebKit to handle TLS and then override its verdict. WebKit does not abort by default on a bad certificate, such as the one a man-in-the-middle (MITM) proxy presents; it reports the error to the app and lets the app's code decide what to do. Code written to make those errors go away during development sometimes ships configured to accept any certificate, and such apps are wide open to MITM attacks. The fix is to fail closed on any certificate validation error and, for sensitive backends, to pin the server's certificate or public key, so that a certificate the proxy obtained from a trusted CA, or one a user was tricked into installing, is rejected as well.
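The "accept any certificate" configuration next to a fail-closed, pinned one, as an added example that is not code from the article or from any product it names. The pin is the SHA-256 of the leaf certificate's SubjectPublicKeyInfo (the "sha256/..." form used by HPKP and OkHttp), extracted with a minimal DER walker so the block runs with the standard library only. The certificate built by `build_demo_cert` is a constructed, unsigned X.509 skeleton with dummy key bytes, used only so the pin computation can be exercised offline; `pinned_connect` is the live-network variant and is not called in the demonstration.

```python
import base64
import hashlib
import socket
import ssl


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (definite-length form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read(buf: bytes, pos: int):
    """Decode the TLV header at pos; return (tag, content_start, content_end)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        start = pos + 2 + nbytes
    return tag, start, start + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, pos, _ = der_read(cert_der, 0)           # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = der_read(cert_der, pos)         # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed tbsCertificate")
    tag, _, end = der_read(cert_der, pos)
    if tag == 0xA0:                               # skip explicit [0] version if present
        pos = end
    for _ in range(5):                            # serial, sigAlg, issuer, validity, subject
        _, _, pos = der_read(cert_der, pos)
    tag, _, end = der_read(cert_der, pos)
    if tag != 0x30:
        raise ValueError("malformed subjectPublicKeyInfo")
    return cert_der[pos:end]


def spki_pin(cert_der: bytes) -> str:
    """SHA-256 over the SPKI, base64 encoded. Pinning the key rather than the
    whole certificate survives routine certificate renewal with the same key."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def accept_anything_context() -> ssl.SSLContext:
    """The 'make the errors go away' configuration: no chain or hostname checks.
    A rogue access point with a self-signed certificate is accepted silently."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def pinned_connect(host: str, port: int, pins: set) -> ssl.SSLSocket:
    """Fail-closed alternative: full chain and hostname validation (the default
    context raises on any error), then reject a leaf whose SPKI pin is not in
    the app's pin set, so even a CA-issued or user-installed certificate cannot
    sit in the middle."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port))
    tls = ctx.wrap_socket(raw, server_hostname=host)
    if spki_pin(tls.getpeercert(binary_form=True)) not in pins:
        tls.close()
        raise ssl.SSLCertVerificationError("SPKI pin mismatch for %s" % host)
    return tls


# Constructed, structurally valid but unsigned certificate for the offline demo.
RSA_OID = der(0x06, bytes.fromhex("2a864886f70d010101"))          # rsaEncryption
SHA256_RSA_OID = der(0x06, bytes.fromhex("2a864886f70d01010b"))   # sha256WithRSAEncryption
DEMO_SPKI = der(0x30, der(0x30, RSA_OID + der(0x05, b"")) + der(0x03, b"\x00\x01\x02\x03\x04"))


def build_demo_cert(spki: bytes) -> bytes:
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                   # version v3
              + der(0x02, b"\x01")                            # serialNumber
              + der(0x30, SHA256_RSA_OID + der(0x05, b""))    # signature algorithm
              + der(0x30, b"")                                # issuer (empty Name)
              + der(0x30, der(0x17, b"230101000000Z") + der(0x17, b"240101000000Z"))
              + der(0x30, b"")                                # subject (empty Name)
              + spki)
    return der(0x30, tbs + der(0x30, SHA256_RSA_OID + der(0x05, b"")) + der(0x03, b"\x00" * 9))


if __name__ == "__main__":
    print(spki_pin(build_demo_cert(DEMO_SPKI)))
```

Ship at least two pins (current key plus a backup) so a key rotation does not brick installed clients, and keep the pin check after the standard validation rather than instead of it.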

"I can sit in a public place, like the mall, with a Wi-Fi Pineapple and my laptop," Kuykendall said, "and deliver real Internet access with me as a ‘man in middle’, and see the traffic coming from people’s smartphones without them knowing their smartphone is connected to me. And when apps fetch updates, I see that." Since many mobile apps fetch updates without user interaction, "the users aren’t instigating the connection—it just happens." If data pulled from a man-in-the-middle attack doesn’t have additional sorts of controls and protection, it could then be used to attack the backend systems.

Another vulnerability caused by putting too much reliance on the client is that it requires more data to be stored on the client—data that could be exploited. Even ephemeral data (information stored locally to be processed for display or to be sent to the backend and then be disposed of) is vulnerable. "It’s not so easy to get into a running app and steal stuff," Nickels said. "It’s more of an issue with a data cache or on-phone storage, using databases like SQLite. You need to obfuscate that data as best as you can, encrypt it at rest, and store things that are not easy to associate with each other."

Source: http://arstechnica.com/security/2013/02/mobile-app-security-always-keep-the-back-door-locked/


Code signing: Stamp of approval for Android and iOS apps

An application security technique known as code signing is gaining importance as Apple's App Store and Google Play require developers to provide the apps they submit with a stamp of approval.

Code signing indicates that "you know where the code came from and it hasn’t been corrupted," said August Detlefsen, a security consultant for AppSec Consulting, in San Jose CA.

"The purpose is to basically guarantee that when you get some code, you know who it’s from," said Frank Kim, principal of security consultancy ThinkSec and curriculum lead for application security, SANS. "It’s to give you some level of trust."

Mobile application distributors use code signatures to help prevent malicious code from being distributed among mobile devices. "Both iOS and Android enforce the fact that your code must be signed in order to distribute it through the App Store or Google Play Store, so in order to get your software out there, you must sign it so that at least the identity of the person who created the code is verified," Detlefsen said.

Apple goes a step further and adds its signature to the applications distributed via its App Store. Before any code runs on an iOS device — assuming it hasn’t been jailbroken — the device verifies the signatures. This helps ensure the code has not been modified.

Developers who submit code for distribution via Apple’s App Store don’t have to be concerned with the details of code signing. "When I register for the iOS development program, it’s pretty straightforward," Kim said. "Apple makes the process as seamless as possible."

In other scenarios, the process of code signing is a bit more involved. "If you’re developing other types of software, server-side apps, or those distributed to enterprise customers in a different way, then it’s more cumbersome because the infrastructure is not there," Kim said.

Code is signed using public-key cryptography. The process begins with the generation of a cryptographic hash: the source code or compiled executable is run through a one-way function that computes a fixed-size digest from the bits of the code, Detlefsen explained. The hash is collision resistant, so in practice it is unique to that exact input, and it cannot be reversed to recover the code. The hash is then passed through a signing function together with a private key known only to the signer, producing the signature, a short byte string (usually shown base64 or hex encoded) that is distributed alongside the code. A public key, mathematically tied to the private key but freely sharable, lets anyone verify the signature: the verifier recomputes the hash of the code it received and runs that hash, the signature and the public key through a signature verification function, which succeeds only if the code is unchanged and was signed with the matching private key.

Public and private keys can be generated at no cost using one of the many key generator tools that can be found online, Detlefsen said. However, these keys do not offer verification that you are who you say you are. After all, Detlefsen pointed out, "Just because the code is signed doesn’t mean that the [developer of that code] knows what they’re doing."

An alternative is to purchase a code-signing certificate from a certificate authority such as VeriSign or DigiCert. The CA validates the identity of its customer before issuing the certificate, which binds the signer's public key to information such as the signer's name and organization. That information travels with the code signature and can be checked against the CA's chain of trust.

The signing operation itself introduces little risk; the risk lies in custody of the private key, which must stay private. An attacker who obtains it can modify the code and sign the result with the stolen key, so the altered code verifies and appears to come from the trusted source when in fact it does not, which is why a compromised signing key has to be revoked and replaced.

While developers benefit from signing their own code, they also benefit from the signatures on the code they use. "A lot of developers use third-party code and open source libraries. If you’re building significant apps that require security, you should also check the authenticity of the code you’re using," Detlefsen said. An attacker could insert malicious code into an open source library. "Code signing provides one way of knowing that the code you’re downloading is verified to be the original and hasn’t been tainted in some way," he said. "Before you run it, verify the signature."

But not all code is signed in the first place. "Code signing is becoming more well-known and practiced because these distribution centers are requiring it. But as far as code you download over the Internet, or let's say there's an applet in your website or a Flash app on a website, you might not know where it came from or whether it was something the original developers put there," Detlefsen said.

Source: http://searchsoftwarequality.techtarget.com/news/2240176128/Code-signing-Stamp-of-approval-for-Android-and-iOS-apps
