Developer-centric Application Security Scans Ray Kelly, Practice - PowerPoint PPT Presentation



  1. Developer-centric Application Security Scans. Ray Kelly, Practice Principal - Fortify; Sherman Monroe, Senior Security Consultant; Thomas Ryan, Fortify Solutions Architect. #MicroFocusCyberSummit

  2. Session Agenda
     - Mobile Apps – The Bad, The Worse And The Ugly
     - Attacking Web Services using Web Inspect
     - Developer-centric Application Security Scans with Fortify

  3. Mobile Apps – The Bad, The Worse And The Ugly. Ray Kelly, Practice Principal - Fortify. #MicroFocusCyberSummit

  4. Agenda
     - Overview of the mobile landscape
     - The mobile threat surface
     - Real world mobile app vulnerabilities
     - Q&A

  5. About Me: Ray Kelly
     - Developer for 20 years
     - Internet Security for 15 years
     - Lead Developer of WebInspect with SPI Dynamics
     - Mobile Pen Test Manager

  6. Considerations
     - All vulnerabilities discussed in this presentation are either already publicly disclosed or have been anonymized/scrubbed
     - These are developer mistakes that potentially leave users at risk
     - Apps are made by developers with the best of intentions

  7. The Mobile Landscape [chart: forecast of mobile phone users worldwide] Source: https://www.statista.com/statistics/274774/forecast-of-mobile-phone-users-worldwide/

  8. The Mobile Landscape
     - Mobile development is the hottest type of development right now, but users may be at risk.
     - The pressure to release new features on mobile devices may mean that security is not prioritized.
     - Mobile devices are more vulnerable to threats, so building devices with adequate security, and giving mobile developers security training, are both valuable.

  9. Mobile Threat Surface (grouped on the slide under Client, Server and Network)
     - Credentials in memory
     - Clear text credentials
     - Injection flaws
     - Credentials on file system
     - Clear text data
     - Authentication
     - Data stored on file system
     - Backdoor data
     - Session management
     - Poor certificate management
     - Data leakage
     - Access control
     - Logic flaws

  10. Mobile Threat Surface: two key differences compared to traditional apps
     - Magnified network vulnerability: your network traffic is more likely to be visible to others when you are on a mobile device than local traffic at work or home
     - Magnified physical vulnerability: as with most other types of hardware, once the attacker has physical access, it's over

  11. Mobile Threat Surface [chart: mobile applications which have at least one critical or high vulnerability; values shown on the chart: 11 and 89] Source: Micro Focus 2018 Application Security Research Update Report

  12. Vulnerabilities: Server Side
     - Vulnerable to all traditional web app vulnerabilities: SQLi, WebDAV, XSS etc.
     - Developers assume APIs are invisible

  13. Vulnerabilities: Server Side – Account enumeration

  14. Vulnerabilities: Network/Privacy
     - Privacy/data leakage, clear text data
     - 3rd party data leakage

  15. Vulnerabilities: Network/Privacy

  16. Vulnerabilities: Network/Privacy

  17. Vulnerabilities: Client Side/Logging – Starbucks Mobile App. The crash-reporting log at /Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog contained the login form with the username and password values in clear text (shown here as CLEARTEXT):

```html
<input class="field text medium" id="Account_UserName" maxlength="200" name="Account.UserName" tabindex="0" type="text" value="CLEARTEXT" />
<label for="Account_PassWord" class="">Password <span class='req'>*</span></label>
<input class="field text medium" id="Account_PassWord" maxlength="200" name="Account.PassWord" tabindex="0" type="password" value="CLEARTEXT" />
```

     "When reached Wednesday, Crashlytics, a Boston-based firm that specializes in crash reporting solutions, couldn't comment on specific customers but did reiterate that the firm doesn't recommend developers log sensitive information." Source: https://threatpost.com/starbucks-app-stores-user-information-passwords-in-clear-text/103649/2/
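An added example (not from the presentation, Crashlytics or Starbucks) of the mitigation the quote points at: scrub credential values out of form markup before it is handed to a crash reporter or written to a log. The sample markup is constructed from the log excerpt above with placeholder values; the field-name pattern and the regex-based tag handling (quoted attribute values only) are assumptions.

```python
import re

INPUT_TAG = re.compile(r"<input\b[^>]*>", re.I)
ATTR = re.compile(r"""([\w.:-]+)\s*=\s*("[^"]*"|'[^']*')""")   # quoted attributes only
VALUE_ATTR = re.compile(r"""(\bvalue\s*=\s*)(?:"[^"]*"|'[^']*')""", re.I)
# Field names or ids whose value must never reach a log (assumed pattern).
SENSITIVE_NAME = re.compile(r"pass(word)?|pwd|user(name)?|token|secret", re.I)


def is_sensitive(attrs):
    """A field is sensitive by type (password) or by name/id pattern."""
    if attrs.get("type", "").lower() == "password":
        return True
    return any(SENSITIVE_NAME.search(attrs.get(k, "")) for k in ("name", "id"))


def redact_html(markup):
    """Blank the value of sensitive <input> tags; return (scrubbed markup, count)."""
    redacted = 0

    def scrub(match):
        nonlocal redacted
        tag = match.group(0)
        attrs = {k.lower(): v[1:-1] for k, v in ATTR.findall(tag)}
        if attrs.get("value") and is_sensitive(attrs):
            redacted += 1
            return VALUE_ATTR.sub(r'\1"[REDACTED]"', tag, count=1)
        return tag

    return INPUT_TAG.sub(scrub, markup), redacted


# Constructed from the Starbucks crash-log excerpt; placeholder credentials.
SAMPLE_LOG = (
    '<input class="field text medium" id="Account_UserName" maxlength="200" '
    'name="Account.UserName" tabindex="0" type="text" value="alice@example.com" /> '
    '<label for="Account_PassWord" class="">Password <span class=\'req\'>*</span></label> '
    '<input class="field text medium" id="Account_PassWord" maxlength="200" '
    'name="Account.PassWord" tabindex="0" type="password" value="hunter2" />'
)
```

Both the username and the password field are blanked; a field such as a CSRF hidden input is left untouched.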

  18. Vulnerabilities: Client Side/Logging

  19. Vulnerabilities: Client Side/Storage

  20. Vulnerabilities: Client Side/Debug Screens

  21. Vulnerabilities: Client Side

  22. Fortify on Demand provides Application Security as a Service (for Web, Mobile and Thick-client applications)
     - Discover: understanding your application portfolio is the first step to securing it
     - Assess: comprehensive static, dynamic/interactive web and mobile testing delivered at the speed of development
     - Remediate: integrated workflows to fix vulnerabilities faster and accelerate a mature AppSec program
     - Monitor & Protect: continuously monitors and protects software running in production
     - Educate: leading-edge developer training for secure coding best practices to prevent vulnerabilities before check-in
     - Integrate tools: securing DevOps through broad Fortify Ecosystem integrations and automation

  23. Fortify On Demand MAST
     Mobile Assessments include (diagram labels: Client, Network, Services):
     - Vulnerability analysis of mobile binary
     - Endpoint reputation analysis
     - Security expert review of prioritized results
     Mobile+ Assessments include:
     - Manual testing of binary, network and services
     - WebInspect analysis of backend services
     Why Fortify on Demand MAST?
     - iOS applications
     - Android applications
     - 50+ unique vulnerability categories
     - Designed for mobile app developers
     - Manual testing performed on-device

  24. Visit Fortify On Demand at http://microfocus.com/fod. Thank You. Follow us on Twitter: @MicroFocusSec. Ray Kelly, follow me on Twitter: @vbisbest. #MicroFocusCyberSummit

  25. Attacking Web Services using Web Inspect. Sherman Monroe. #MicroFocusCyberSummit

  26. Overview
     - Overview of Web Service Scanning
     - SOAP scan setup
     - Manual RESTful Scan setup
     - Automated RESTful Scan setup

  27. How does Automated Scanning work?
     Crawl: determining attack surface
     - Historically only link-based
     - Today employ JavaScript emulation to get dynamic requests
     Audit: sending known attack vectors
     - Fuzzing
     - Session-based parameters

  28. What to look for in a scanner?
     - Understanding request generation (i.e. links)
     - Understanding session management
     - Understanding parameters

  29. Discoverability
     - Endpoints not always explicit in dynamic code
     - Complex payloads not exposed
     - URL parameters (e.g. empl/38482/profile)

  30. Demo – Proxies & Web Macros

  31. Identifying Parameters
     Non-standard parameter specs
     - As part of URL (e.g. path parameters)
     - Headers
     - Request body
     - Upload file content (Content-Type: multipart/form-data)
     Patterns in URL segments
     - Highly random path nodes
     - Numerical values, dates, etc.
     Component Values
     - Look for structure in parameter values
     - Look for delimiters

  32. Identifying Parameters: Component Values. The slide highlights the `location` value and the `name=` component inside `feature_area_id` in this captured request and response:

```http
POST /acme/geo/get_feature?uid=68e4cf6a8077912a02b250b230b8abe73265753b HTTP/1.1
Host: acme.com
Connection: keep-alive
X-CUST-SESSIONID: h57768d18hfr883xc36b53100jeew99sb2b320eb
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: ja,en-US;q=0.8,en;q=0.6

{"location":"48.854325","feature_area_id":"tag=3hks83n3j;name=sector_north"}
```

```http
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Date: Mon, 05 May 2017 03:03:56 GMT
Content-Length: 138
Connection: keep-alive

{"feature_id":"\u30a4\u30d9\u30f3\u30c8\u3000\u5341\u4e00","sz":532,"wght":0.32,"last_photo":"","resp_code":0}
```

     [architecture diagram: Desktop / Web client sends a REST Request and receives a JSON Response from the Web Server; the Web Server issues a SOAP Request to the Feature Manager, which uses GML with a Spatial Service backed by a DBMS; an Image Service returns JPEG]

  33. Identifying Parameters: Component Values. Same request and response as the previous slide, this time highlighting the `uid` query value and the `feature_id` and `last_photo` fields of the response.

  34. Identifying Parameters
     - Refer to documentation or use heuristics to determine the parameter data types
     - Hex strings are typically used as tokens or userids
     - Tokens and other sensitive data in URL, e.g. /acme/profile/set_photo/2015/11/20?token=fa423b369272e7e19b2a5fa4eeba560e74c0d457
     - Look for high variance in URL paths of proxied traffic
     - Examine response codes of parent paths to find start of parameters
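An added example, not WebInspect's code, applying the heuristics from slides 31 to 34 to the two acme.com requests shown there: long hex strings are treated as tokens or user ids, numeric values and yyyy/mm/dd runs in the path as parameters, and delimiters inside a value as a composite (component) value. The hex-length threshold, the delimiter set and the handling of the JSON body under a form-urlencoded Content-Type (as the slide shows it) are assumptions.

```python
import json
import re
from datetime import date
from urllib.parse import parse_qsl, urlsplit

HEX_TOKEN = re.compile(r"^[0-9a-f]{20,}$", re.I)  # long hex string: token or user id
NUMERIC = re.compile(r"^\d+(\.\d+)?$")             # ids, counters, coordinates
DELIMS = re.compile(r"[;|,]")                      # structure inside a single value

def _is_date(segs):
    try:  # three numeric path nodes that form a valid yyyy/mm/dd date
        return bool(date(*map(int, segs)))
    except ValueError:
        return False

def classify_path(path):
    """Label each path node; a yyyy/mm/dd run is merged into one 'date' node."""
    segs = [s for s in path.split("/") if s]
    out, i = [], 0
    while i < len(segs):
        trio = segs[i:i + 3]
        if len(trio) == 3 and all(NUMERIC.match(s) for s in trio) and _is_date(trio):
            out.append(("/".join(trio), "date"))
            i += 3
        else:
            seg = segs[i]
            out.append((seg, "token" if HEX_TOKEN.match(seg) else
                        "numeric" if NUMERIC.match(seg) else "static"))
            i += 1
    return out

def classify_value(value):
    """Return (kind, components); delimiters mean the value is itself a parameter list."""
    value = str(value)
    if HEX_TOKEN.match(value):
        return "token", []
    if NUMERIC.match(value):
        return "numeric", []
    if DELIMS.search(value):
        parts = [p.split("=", 1) for p in DELIMS.split(value) if p]
        return "composite", [tuple(p) if len(p) == 2 else (None, p[0]) for p in parts]
    return "plain", []

def analyze_request(url, body=""):
    """Map one proxied request: path nodes, query parameters and body fields."""
    parts = urlsplit(url)
    fields = json.loads(body).items() if body.lstrip().startswith("{") else parse_qsl(body)
    return {"path": classify_path(parts.path),
            "query": [(k, *classify_value(v)) for k, v in parse_qsl(parts.query)],
            "body": [(k, *classify_value(v)) for k, v in fields]}
```

Run against the get_feature request it flags `uid` as a token and splits `feature_area_id` into its `tag` and `name` components; against the set_photo URL it merges 2015/11/20 into one date node and flags the `token` query value.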

  35. Demo – Custom Parameters

  36. Automation: Importing Data
     - Proxy:
       - Undocumented APIs (e.g. RESTful)
       - Non-web applications (e.g. mobile applications)
       - Dynamically generated requests (e.g. Web 2.0, AJAX)
     - Automated (WSDL, WADL, Swagger): WISwag.exe

  37. Importing Data

  38. Importing Data

  39. Demo – Service Definition Import
