developer centric application
play

Developer-centric Application Security Scans Ray Kelly, Practice - PowerPoint PPT Presentation

May 20, 2023 •237 likes •694 views

Developer-centric Application Security Scans Ray Kelly, Practice Principal - Fortify Sherman Monroe, Senior Security Consultant Thomas Ryan, Fortify Solutions Architect #MicroFocusCyberSummit Session Agenda Mobile Apps The Bad, The Worse

  1. Developer-centric Application Security Scans Ray Kelly, Practice Principal - Fortify Sherman Monroe, Senior Security Consultant Thomas Ryan, Fortify Solutions Architect #MicroFocusCyberSummit

  2. Session Agenda Mobile Apps – The Bad, The Worse And The Ugly Attacking Web Services using Web Inspect Developer-centric Application Security Scans with Fortify 3

  3. Mobile Apps – The Bad, The Worse And The Ugly Ray Kelly Practice Principal - Fortify #MicroFocusCyberSummit

  4. Agenda Overview of the mobile landscape The mobile threat surface Real world mobile app vulnerabilities Q&A 5

  5. About Me Ray Kelly  Developer for 20 years  Internet Security for 15 years  Lead Developer of WebInspect with SPI Dynamics  Mobile Pen Test Manager 6

  6. Considerations All vulnerabilities discussed in this presentation are either already publicly disclosed or have been anonymized/scrubbed These are developer mistakes that potentially leave users at risk Apps are made by developers with the best of intentions 7

  7. The Mobile Landscape Source: https:// www.statista.com/statistics/274774/forecast-of-mobile-phone-users-worldwide / 8

  8. The Mobile Landscape  Mobile development is the hottest type of development right now. But users may be at risk.  The pressure to release new features on mobile devices may mean that security is not prioritized.  Mobile devices are more vulnerable to threats, so building devices with adequate security and mobile device developers with security training are valuable. 9

  9. Mobile Threat Surface Client Server Network  Credentials in memory  Clear text credentials  Injection flaws  Credentials on file system  Clear text data  Authentication  Data stored on file system  Backdoor data  Session management  Poor certificate management  Data leakage  Access control  Logic flaws 10

  10. Mobile Threat Surface Two key differences: (Compared to traditional apps) Magnified network vulnerability  Your network traffic is more likely to be visible to others with a mobile device than local traffic at work or home Magnified physical vulnerability  As with most other types of hardware, once the attacker has physical access, it’s over 11

  11. Mobile Threat Surface Mobile applications which have at least one critical or high vulnerability 11 89 Source: Micro Focus 2018 Application Security Research Update Report 12

  12. Vulnerabilities Server Side  Vulnerable to all traditional web app vulnerabilities  SQLi, WebDav, XSS etc.  Developers assume APIs are invisible 13

  13. Vulnerabilities Server Side Account enumeration 14

  14. Vulnerabilities Network/Privacy  Privacy/data leakage, clear text data  3 rd party data leakage 15

  15. Vulnerabilities Network/Privacy 16

  16. Vulnerabilities Network/Privacy 17

  17. Vulnerabilities Client Side/Logging Starbucks Mobile App /Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog <input class="field text medium" id="Account_UserName" maxlength="200" name="Account.UserName" tabindex="0" type="text" value="CLEARTEXT" /> <label for="Account_PassWord" class="">Password <span class='req'>*</span></label> <input class="field text medium" id="Account_PassWord" maxlength="200" name="Account.PassWord" tabindex="0" type="password" value="CLEARTEXT" /> “When reached Wednesday, Crashlytics, a Boston-based firm that specializes in crash reporting solutions, couldn’t comment on specific customers but did reiterate that the firm doesn’t recommend developers log sensitive information.” 18 Source: https://threatpost.com/starbucks-app-stores-user-information-passwords-in-clear-text/103649/2/

  18. Vulnerabilities Client Side/Logging 19

  19. Vulnerabilities Client Side/Storage 20

  20. Vulnerabilities Client Side/Debug Screens 21

  21. Vulnerabilities Client Side 22

  22. Fortify on Demand Provides Application Security as a Service Understanding your Comprehensive static, application portfolio is the dynamic/interactive web and mobile first step to securing it testing delivered at the speed of Discover Assess development Integrated workflows to fix Web Continuously monitors vulnerabilities faster and and protects software accelerate a mature AppSec Monitor running in production Remediate program & Protect Mobile Thick-client Leading-edge developer training for Securing DevOps through secure coding best practices and broad Fortify Ecosystem prevent vulnerabilities before integrations and automation check-in Educate Integrate tools 23

  23. Fortify On Demand Mobile Assessments include : Vulnerability analysis of mobile binary Network Endpoint reputation analysis Client Services Security expert review of prioritized results Why Fortify on Demand MAST?  iOS applications Mobile + Assessments include :  Android applications  50+ unique vulnerability categories Manual testing of binary, network and services  Designed for mobile app developers WebInspect analysis of backend services  Manual testing performed on-device 24

  24. #MicroFocusCyberSummit Visit Fortify On Demand at http://microfocus.com/fod Thank You. Follow us on Twitter @MicroFocusSec Ray Kelly Follow me on Twitter: @vbisbest

  25. Attacking Web Services using Web Inspect Sherman Monroe #MicroFocusCyberSummit

  26. Overview Overview of Web Service Scanning SOAP scan setup Manual RESTful Scan setup Automated RESTful Scan setup 27

  27. How does Automated Scanning work? Today employ Crawl Determining Historically only JavaScript attack surface link-based emulation to get dynamic requests Audit Sending known Fuzzing Session-based attack vectors parameters 28

  28. What to look for in a scanner? Understanding Understanding request session generation management (i.e. links) Understanding parameters 29

  29. Discoverability  Endpoints not always explicit in dynamic code  Complex payloads not exposed  URL parameters (e.g. empl/ 38482 /profile)

  30. Demo – Proxies & Web Macros

  31. Identifying Parameters Non-standard parameter specs Patterns in URL segments  As part of URL (e.g. path parameters)  Highly random path nodes  Headers  Numerical values, dates, etc.  Request body Component Values  Upload file content (Content-Type:  Look for structure in parameter values multipart/form-data)  Look for delimiters

  32. Identifying Parameters: Component Values POST /acme/geo/get_feature?uid=68e4cf6a8077912a02b250b230b8abe73265753b HTTP/1.1 Host: acme.com Connection: keep-alive X-CUST-SESSIONID: h57768d18hfr883xc36b53100jeew99sb2b320eb User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36 Content-Type: application/x-www-form-urlencoded Accept: */* Accept-Encoding: gzip, deflate, sdch Accept-Language: ja,en-US;q=0.8,en;q=0.6 {“location":" 48.854325 ",“feature_area_id":”tag=3hks83n3j;name= sector_north ”} HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Date: Mon, 05 May 2017 03:03:56 GMT Content-Length: 138 Connection: keep-alive {“ feature_id":"\u30a4\u30d9\u30f3\u30c8\u3000\u5341\ u4e00",“sz":532,“wght":0.32,"last_photo":"",“resp_code":0} GML Feature Spatial JSON Response Service DBMS Desktop Web SOAP Request Manager Server REST Request Image JPEG Service JPEG

  33. Identifying Parameters: Component Values POST /acme/geo/get_feature?uid= 68e4cf6a8077912a02b250b230b8abe73265753b HTTP/1.1 Host: acme.com Connection: keep-alive X-CUST-SESSIONID: h57768d18hfr883xc36b53100jeew99sb2b320eb User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36 Content-Type: application/x-www-form-urlencoded Accept: */* Accept-Encoding: gzip, deflate, sdch Accept-Language: ja,en-US;q=0.8,en;q=0.6 {“location":" 48.854325 ",“feature_area_id":”tag=3hks83n3j;name= sector_north ”} HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Date: Mon, 05 May 2017 03:03:56 GMT Content-Length: 138 Connection: keep-alive {“ feature_id ":"\u30a4\u30d9\u30f3\u30c8\u3000\u5341\ u4e00",“sz":532,“wght":0.32," last_photo ":"",“resp_code":0} GML Feature Spatial JSON Response Service DBMS Desktop Web SOAP Request Manager Server REST Request Image JPEG Service JPEG

  34. Identifying Parameters  Refer to documentation or use heuristics to determine the parameter data types  Hex strings are typically used as tokens or userids  Tokens and other sensitive data in URL  /acme/profile/set_photo/ 2015/11/20 ?token= fa423b369272e7e19b2a5fa4eeba560e74c0d457  Look for high variance in URL paths of proxied traffic  Examine response codes of parent paths to find start of parameters

  35. Demo – Custom Parameters

  36. Automation: Importing Data  Proxy –  undocumented APIs (e.g. RESTful)  Non web applications (e.g. mobile applications)  Dynamically generated requests (e.g. Web 2.0, AJAX)  Automated (WSDL, WADL, Swagger)  WISwag.exe

  37. Importing Data 38

  38. Importing Data 39

  39. Demo – Service Definition Import

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Application Centric Infrastructure (ACI) The Cisco Application Centric Infrastructure (ACI) allows

Application Centric Infrastructure (ACI) The Cisco Application Centric Infrastructure (ACI) allows

Application Centric Infrastructure (ACI) The Cisco Application Centric Infrastructure (ACI) allows application requirements to dene the network. This architecture simplies, optimizes, and accelerates the entire application deployment life

1.48k views • 130 slides
GeoWEPP ArcGIS 10.1 Development Team Haoyi Xiong Application leading developer

GeoWEPP ArcGIS 10.1 Development Team Haoyi Xiong Application leading developer

GeoWEPP ArcGIS 10.1 Development Team Haoyi Xiong Application leading developer (haoyixio@buffalo.edu) Jonathan Goergen - Application co-lead developer Misa Yasumiishi - Webpage developer Martin Minkowski - GeoWEPP ArcGIS 9.x developer

1.46k views • 24 slides
Creating an API Centric Enterprise Lakmal Kodithuwakku Solutions Engineer 2 Presentation Agenda

Creating an API Centric Enterprise Lakmal Kodithuwakku Solutions Engineer 2 Presentation Agenda

Creating an API Centric Enterprise Lakmal Kodithuwakku Solutions Engineer 2 Presentation Agenda API Management Vision Solution Architecture Product Features and Capabilities API Store / Developer Portal Publishing Application

605 views • 19 slides
erosion project Development Team Haoyi Xiong Application leading developer Jonathan Goergen

erosion project Development Team Haoyi Xiong Application leading developer Jonathan Goergen

GeoWEPP ArcGIS 10.1 for soil erosion project Development Team Haoyi Xiong Application leading developer Jonathan Goergen - Application co-lead developer Misa Yasumiishi - Webpage developer Martin Minkowski - GeoWEPP ArcGIS 9.x developer

440 views • 6 slides
What queries can the Domain mediator answer for me? Developer CLIDE Schema Schema

What queries can the Domain mediator answer for me? Developer CLIDE Schema Schema

Large-Scale Data Integration Systems Exporting and Interactively Querying Application Domain CNET Computer Developer Web Service-Accessed Sources: PCWorld Portals Application Application The CLIDE System

320 views • 9 slides
Public/Private Partnerships 226 Contents Application Selection of a Developer and/or

Public/Private Partnerships 226 Contents Application Selection of a Developer and/or

16 CHAPTER Public/Private Partnerships 226 Contents Application Selection of a Developer and/or Development Partner Procurement Requirements of the Selected Developer Procurement by Parties Other Than the PHA or the Developer

335 views • 14 slides
From Foes to Friends Briefly About Me Trainer, Data Coach, Developer, Project Manager

From Foes to Friends Briefly About Me Trainer, Data Coach, Developer, Project Manager

SQL and NAV: From Foes to Friends Briefly About Me Trainer, Data Coach, Developer, Project Manager Favorites: SQL and PowerShell (and getting into Python) I am data centric not necessarily NAV centric. Accounting and financial

807 views • 47 slides
PerfGuard: Binary-Centric Application Performance Monitoring in Production Environments + *

PerfGuard: Binary-Centric Application Performance Monitoring in Production Environments + *

PerfGuard: Binary-Centric Application Performance Monitoring in Production Environments + * Chung Hwan Kim , Junghwan Rhee , Kyu Hyung Lee , Xiangyu Zhang, Dongyan Xu + * Performance Problems Performance Diagnosis During Development

218 views • 20 slides
Rails Girls Galway Designing Your App @gerryk who am i? * Application Developer * Linux System

Rails Girls Galway Designing Your App @gerryk who am i? * Application Developer * Linux System

Rails Girls Galway Designing Your App @gerryk who am i? * Application Developer * Linux System Administrator * Web &amp; WebApp Developer * Free Open Source Advocate * Telecoms Consultant * Information Security Analyst * Telecoms Platform

402 views • 24 slides
Semantic Centric Solutions for Application and Data Portability in Cloud Computing Ajith H.

Semantic Centric Solutions for Application and Data Portability in Cloud Computing Ajith H.

Semantic Centric Solutions for Application and Data Portability in Cloud Computing Ajith H. Ranabahu , Amit Sheth Kno.e.sis Center Wright State University 2 nd IEEE International Conference on Cloud Computing and Technology Indianapolis IN

575 views • 39 slides
Karl-Johan Dahlstrm Head of Developer Relations developer world sonymobile.com/developer

Karl-Johan Dahlstrm Head of Developer Relations developer world sonymobile.com/developer

Karl-Johan Dahlstrm Head of Developer Relations developer world sonymobile.com/developer @sonyxperiadev 2 2013-02-21 PA1 Confidential Developers Custom ROM Developers Application and Game Developers Tools Tools Support

982 views • 34 slides
Application-Specific Secure Gathering of Consumer Preferences and Feedback in Information-Centric

Application-Specific Secure Gathering of Consumer Preferences and Feedback in Information-Centric

Application-Specific Secure Gathering of Consumer Preferences and Feedback in Information-Centric Networks Reza Tourani, Satyajayant (Jay) Misra, Travis Mick Computer Science Department New Mexico State University New Mexico State University,

601 views • 27 slides
Kristin Van Deusen IT Co-Op Presentation IT Services Application Developer Enterprise Data

Kristin Van Deusen IT Co-Op Presentation IT Services Application Developer Enterprise Data

Kristin Van Deusen IT Co-Op Presentation IT Services Application Developer Enterprise Data Management April 29th 2016 About Me n Born and Raised in California n From Cleveland Area (Hudson) n First Co/Op and First Co/Op with Marathon n IT

548 views • 25 slides
The Worlds First LED Human Centric Fluorescent Tube by Human Centric Optics Inc. 333,

The Worlds First LED Human Centric Fluorescent Tube by Human Centric Optics Inc. 333,

The Worlds First LED Human Centric Fluorescent Tube by Human Centric Optics Inc. 333, 10654-82 Ave NW Edmonton, Alberta info@hcolab.com www.hcolab.com Human Centric LED Medical science discovers a third receptor in our eyes This

714 views • 13 slides
Oracle Developer Day Sponsored by: Sponsored by: Sponsored by: Sponsored by: J2EE Application

Oracle Developer Day Sponsored by: Sponsored by: Sponsored by: Sponsored by: J2EE Application

Oracle Developer Day Sponsored by: Sponsored by: Sponsored by: Sponsored by: J2EE Application Development for Forms and Designer Customers Speaker Speaker Title Page 1 1 Todays Agenda - Morning 09:00 09:45 Session 1: The

252 views • 22 slides
GSMaP - Integrated application with developer and user collaboration - Takuji Kubota and Moeka

GSMaP - Integrated application with developer and user collaboration - Takuji Kubota and Moeka

WIGOS WORKSHOP 2019 Session 2.2 GSMaP - Integrated application with developer and user collaboration - Takuji Kubota and Moeka Yamaji Earth Observation Research Center (EORC) Japan Aerospace Exploration Agency (JAXA) Q2.2-1 Does your

236 views • 23 slides
Profiling Data-Dependence to Assist Parallelization: Framework, Scope, and Optimization Alain

Profiling Data-Dependence to Assist Parallelization: Framework, Scope, and Optimization Alain

Profiling Data-Dependence to Assist Parallelization: Framework, Scope, and Optimization Alain Ketterlin Philippe Clauss Motivation Data dependence is central for: parallelization locality optimization ... Compilers have

249 views • 23 slides
Modeling Discourse Cohesion for Discourse Parsing via Memory Network Yanyan Jia, Yuan Ye, Yansong

Modeling Discourse Cohesion for Discourse Parsing via Memory Network Yanyan Jia, Yuan Ye, Yansong

Modeling Discourse Cohesion for Discourse Parsing via Memory Network Yanyan Jia, Yuan Ye, Yansong Feng, Yuxuan Lai, Rui Yan and Dongyan Zhao Institute of Computer Science and Technology, Peking University Discourse Dependency Parsing EDU means

459 views • 44 slides
TIME MATTERS: Short-Time-Span Petrophysical and Formation Properties Variatione-Span

TIME MATTERS: Short-Time-Span Petrophysical and Formation Properties Variatione-Span

Advancing Reservoir Performance TIME MATTERS: Short-Time-Span Petrophysical and Formation Properties Variatione-Span Petrophysical and Formation Properties Variation Presentation prepared for the Denver DWLS by John Priest, Elton Frost,

563 views • 25 slides
Rambus Investor Presentation Q4 2019 Safe Harbor for Forward-Looking Statements; Other

Rambus Investor Presentation Q4 2019 Safe Harbor for Forward-Looking Statements; Other

Rambus Investor Presentation Q4 2019 Safe Harbor for Forward-Looking Statements; Other Disclosures This presentation contains forward-looking statements under the Private Securities Litigation Reform Act of 1995 including Rambus financial

645 views • 35 slides
AstroAccelerate GPU accelerated signal processing on the path to the Square Kilometre Array Wes

AstroAccelerate GPU accelerated signal processing on the path to the Square Kilometre Array Wes

AstroAccelerate GPU accelerated signal processing on the path to the Square Kilometre Array Wes Armour, Karel Adamek , Sofia Dimoudi, Jan Novotny, Nassim Ouannough, Cees Carels Oxford e-Research Centre, Department of Engineering Science

940 views • 50 slides
Leftmost Longest Regular Expression Matching in Reconfigurable Logic Kubilay Atasu IBM Research

Leftmost Longest Regular Expression Matching in Reconfigurable Logic Kubilay Atasu IBM Research

Leftmost Longest Regular Expression Matching in Reconfigurable Logic Kubilay Atasu IBM Research - Zurich kat@zurich.ibm.com Abstract Regular expression (regex) matching is an essential part of text analytics and network intrusion detection

189 views • 7 slides
xBGAS: Toward a RISC-V Extension for Global, Scalable Shared Memory John Leidel 1 , David

xBGAS: Toward a RISC-V Extension for Global, Scalable Shared Memory John Leidel 1 , David

xBGAS: Toward a RISC-V Extension for Global, Scalable Shared Memory John Leidel 1 , David Donofrio 2 , Farzad Fatollahi-Fard 2 , Kurt Keville 3 , Xi Wang 4 , Frank Conlon 4 , Yong Chen 4 1 Tactical Computing Labs; 2 Lawrence Berkeley National Lab

493 views • 22 slides
Software Design for Persistent Memory Systems Howard Chu CTO, Symas Corp. hyc@symas.com

Software Design for Persistent Memory Systems Howard Chu CTO, Symas Corp. hyc@symas.com

Software Design for Persistent Memory Systems Howard Chu CTO, Symas Corp. hyc@symas.com 2018-03-07 Personal Intro Howard Chu Founder and CTO Symas Corp. Developing Free/Open Source software since 1980s GNU compiler toolchain,

684 views • 37 slides

More recommend