LogoSquare

Denim Group Website

About

My Photo
Powered by TypePad
Subscribe to this blog's feed

Recent Posts

Categories

Archives

Add me to your TypePad People list


Programming Blogs - Blog Catalog Blog Directory

Denim Group

March 26, 2013

BSides Austin Recap: Developing Secure Mobile Applications

By Dan Cornell

BSides Austin 2013 was at the end of last week and one of the things I did while I was there was give a short, two hour training session titled "Developing Secure Mobile Applications" This is a (very) cut down version of some of the instructor-led training classes we give on developing secure mobile applications and testing the security of mobile applications. Slides are online:

The abstract for the training was:

This course provides an introduction to security for mobile applications. It walks through a basic threat model for a mobile application. This threat model is then used as a framework for making good decisions about designing and building applications as well as for testing the security of existing applications. Examples are provided for both iOS (iPhone and iPad) and Android platforms and sample code is provided to demonstrate mobile security assessment techniques.

Contact us for help building secure mobile applications and testing the security of mobile applications.

--Dan

dan _at_ denimgroup.com

@danielcornell

March 26, 2013 in Dan Cornell, Denim Group, Information Security, iPhone, Mobile, Security, Speaking Events, ThreadStrong e-Learning, Training, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , , ,

March 13, 2013

Denim Group at InnoTech San Antonio 2013: Smart Phones Dumb Apps

By Dan Cornell

SA-Header
Folks headed to InnoTech San Antonio on Wednesday April 17th, 2013 should stop by the Denim Group booth and say howdy. Also, I'll be giving an updated version of my Smart Phones Dumb Apps talk at 1:00pm. The abstract for that talk is:

Enterprises are targeting both internal users and customers with smartphone applications for platforms such as Apple iPhone and Google Android.  Many of these applications are constructed without fully considering the associated security implications of their deployment.  Breaches can impact both users as well as the enterprise distributing the application as attackers take advantage of expanded access to sensitive data and network services.  This talk discusses emerging threats associated with deploying  smartphone applications  and provides an overview of the threat modeling process.  The presentation then walks example applications from an attacker’s perspective demonstrating the sort of information they are able to extract allowing for more advanced attacks.

So if your organization is building - or using - mobile applications on platforms like Android and iOS (iPhone/iPad) you probably want to drop by. This is a fun, interactive presentation with a lot of examples that helps demonstrate why mobile security isn't just about MDM and dealing with BYOD. You also need to pay attention to the applications getting deployed on these mobile operating systems if you want to protect both your organization's and your customers' data.

Also if you want a FREE admission to InnoTech San Antonio 2013, head to www.innotechsan.com and use the code SPK13C to register.

 Contact us if you want to meet up at InnoTech San Antonio 2013 and talk about mobile application security.

--Dan

dan _at_ denimgroup.com

@danielcornell

Related articles
Denim Group at BSides Austin 2013: Building Secure Mobile Apps and Software Security Implementation Patterns
Search Software Quality: Understanding Mobile, Web and Cloud Apps and System Architecture
Smart Phones Dumb Apps Scripts Updated

March 13, 2013 in Conferences, Dan Cornell, Denim Group, Information Security, iPhone, Mobile, Security, Speaking Events, Threat Modeling, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

March 10, 2013

Denim Group at BSides Austin 2013: Building Secure Mobile Apps and Software Security Implementation Patterns

By Dan Cornell

 

BSides Texas Logo w color hat
I will be up at BSides Austin 2013 in a couple of weeks. Thursday March 21st I will be giving a short training class from 4:00pm through 6:00pm titled "Developing Secure Mobile Applications." The brief abstract is:

This course provides an introduction to security for mobile applications. It walks through a basic threat model for a mobile application. This threat model is then used as a framework for making good decisions about designing and building applications as well as for testing the security of existing applications. Examples are provided for both iOS (iPhone and iPad) and Android platforms and sample code is provided to demonstrate mobile security assessment techniques.

We've only got two hours so I can't teach you everything about building and testing secure mobile apps (assuming I even knew everything about the subject...) but I can help make you smarter. Should be a good time.

Also on Friday March 22nd from 1:00pm to 2:00pm I will be giving a talk titled "Implementation Patterns for Software Security Programs" The abstract for this talk is:

Every organization’s software security program implementation is different, but patterns exist providing guidance to those looking to plan for their program rollouts. This presentation covers several aspects of this process including the “ownership” of the software security program as well as implementation of static code analysis, dynamic application testing and developer security education.

This should be a fun one because we talk through war stories of things we've seen be successful as well as things we've seen go horribly wrong.

Contact us if you want to meet up at BSides Austin 2013. The last time I checked there were still tickets available.

--Dan

dan _at_ denimgroup.com

@danielcornell

March 10, 2013 in Application Security Remediation, Application Security Tools, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, Mobile, Remediation, Scanners, Security, Software Security Remediation, Speaking Events, Static Analysis, Threat Modeling, Training, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

February 19, 2013

Smart Phones Dumb Apps Scripts Updated

By Dan Cornell

Mobile_phone

Last week I pushed some updates to the mobile application assessment scripts we released with my Smart Phones Dumb Apps presentation a while back. These scripts do some light static analysis on Android and (unencrypted) iOS binaries - mainly setting up a list of things to manually examine during a more thorough analysis. Most of these updates are courtesy of Abraham Aranguren ([name] . [surname] @owasp.org, @7a_ on Twitter) who updated a couple of packaged external tools those scripts relied on such as FindBugs and dex2jar (thanks!). You can also check out a great blog post Abraham put up listing a number of really valuable Android application security resources.

Mobile application security continues to be an area organizations struggle with. Everyone feels huge schedule pressures to get new applications and new functionality released. Developers dive into development projects without understanding how to design and build secure mobile applications. The result is pretty predictable - vulnerable mobile apps and, even scarier in most cases, vulnerable web services supporting those mobile apps.

Keep an eye on this space - at Denim Group we've been doing a lot of work both assessing the security of mobile applications as well as helping firms design and build secure mobile apps. In the next couple of months we're looking at making more of what we've been doing publicly available and hopefully organizations will be able to use that to step up their mobile security skills.

Contact us for help building secure mobile applications and setting up security assessment program for your organization's mobile strategy.

--Dan

dan _at_ denimgroup.com

@danielcornell

February 19, 2013 in Application Security Tools, Dan Cornell, Denim Group, Information Security, iPhone, Mobile, Open Source, OWASP, Scanners, Security, Static Analysis, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

February 13, 2013

Search Software Quality: Understanding Mobile, Web and Cloud Apps and System Architecture

By Dan Cornell

Search_software_quality_logo

Search Software Quality published another of my answers to reader questions:

Can you explain the differences between mobile apps, cloud apps and web apps?

You can see my full answer online where I talk about the importance of understanding how these apps often work together (sorry - registration required). For those looking for a quick preview, I try to move beyond the obvious "mobile apps run on mobile devices" answer and look into the complexity of many modern applications - how they combine aspects of mobile, web and cloud to produce the ultimate user experience. The end result is that system designers - and system testers - need to understand the overall application architecture if they want to have better insight into what parts of their apps are mobile, web-based or cloudy.

Contact us for help building mobile, web and cloud applications.

--Dan

dan _at_ denimgroup.com

@danielcornell

February 13, 2013 in AJAX, Cloud, Dan Cornell, Denim Group, Information Security, Mobile, Security, Threat Modeling, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

August 10, 2012

Denim Group in the Media: Cloud Migration, Mobile App Security and App Logging

By Lauren Madrid

It’s been a busy few weeks around here, and Denim Group has been quoted in a few articles recently.

Over at TechTarget, Dan Cornell is participating in the Ask the Expert series, answering questions about security. A recent question deal with migrating applications or hardware to the cloud. Check out “Migrating legacy applications to a cloud environment” (registration required) to know what to consider before moving to cloud servers.

And also on TechTarget Dan is talking about mobile application security, and how it’s connected to web services and the cloud.

                Building security requirements into software: Mobile apps, Web services and the cloud

Organizations are more concerned about application security than ever and have a growing awareness of security concerns. SearchSoftwareQuality.com’s newest expert, Dan Cornell, principal of software consulting company Denim Group, discusses mobile security, what organizations can do to build security requirements into software and security challenges in cloud ALM. He views the most serious concerns with mobile software security as falling into two major areas: 1) how organizations expose their users to risk, and 2) how applications expose the companies themselves to risk.

John Dickson gave his two cents about San Antonio as a cybersecurity hub in Global Corporate Xpansion magazine. 

The Security Economy Soars

“There's a critical mass of companies and talent here that realistically make it the No. 2 cybersecurity node outside of the D.C. area — certainly on the services side,” says John Dickson, principal, Denim Group Ltd. “We've got the strong foundation of a good business climate and a very reasonable cost of living, but what's interesting is how in the last few years we've stepped up information sharing that didn't used to happen. Today this cross-pollination between the local commercial sector, UTSA and the military is having a big impact, especially on our workforce. We suspect there will be even more companies that will want to relocate or organically grow here.”

John also recently gave a cool webinar on BrightTALK on better logging for security.

                Top Strategies to Capture Security Intelligence for Applications

Security professionals have years of experience logging and tracking network security events to identify unauthorized or malicious activity on a corporate network. Unfortunately, many of today's attacks are focused on the application layer, where the fidelity of logging for security events is less robust. Most application logs are typically used to see errors and failures and the internal state of the system, not events that might be interesting from a security perspective. Security practitioners are concerned with understanding patterns of user behavior and, in the event of an attack, being able to see an entire user’s session. How are application events different from network events? What type of information should security practitioners ensure software developers log for event analysis? What are the types of technologies that enable application-level logging and analysis? In this presentation, John Dickson will discuss what should be present in application logs to help understand threats and attacks, and better guard against them.

Contact us if you need help with  your mobile application security or software security program.

--Lauren

lmadrid_at_denimgroup.com

August 10, 2012 in Mobile | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , ,

February 13, 2012

New Webinar: Key Security Questions to Ask Before Building a Mobile Application

By Dan Cornell

Next week, John B. Dickson, Denim Group Principal, is giving a great webinar on things you should think about before you or your organization builds a mobile application. Although there's more awareness these days about mobile security, there's more that can be done. The webinar is on Thursday, February 23 at 1pm CST. See below for details and registration info.

Key Security Questions to Ask Before Building a Mobile Application with John B. Dickson, CISSP
Thursday, February 23
1 p.m. CST
Register now

JohnDickson_portrait_smallThe demand for mobile applications is breathtaking, but the number of experienced mobile developers who understand secure development is incredibly small. Many organizations are relying on internal resources to build mobile applications, and as a result, executives and security leaders are overlooking some key considerations when building a mobile application. In this webinar, John Dickson, CISSP, will discuss they key questions all organizations should ask before building a mobile application, from responsibility for security to data breach processes. Find out what you need to consider, internally and externally, before launching a mobile application.

Contact us for help building your mobile applications.

--Dan

dan _at_ denimgroup.com

@danielcornell

February 13, 2012 in John Dickson, Mobile | | Comments (1) | TrackBack (0)

Technorati Tags: , , , , , ,

February 09, 2012

Making Security Decisions About File Storage for Android Apps

By Dan Cornell

A while back I posted about some static analysis techniques for analyzing file usage in Android applications and this post looks at the same topic but from the standpoint of an application developer making decisions about file storage for their apps.

If you are building applications for Android, you should always create files with the default permissions (Context.MODE_PRIVATE)  This will make it so that only your app should be able to read the file and write to the file.  Other malicious applications – even if they know the file’s location – should not be able to modify it.  If you have to create a file that is readable by other applications (Context.MODE_WORLD_READABLE) you should probably have a good reason and you should assume that any data stored in that file might be read by any other application installed on the device.  If you have to create a file that is writable by other applications (Context.MODE_WORLD_WRITEABLE) you should have an even better reason and you should assume that malicious apps will corrupt the contents of this file.  This means that any time data from this file is used it must be positively validated to make sure that any changes made to the file by other apps do not cause unexpected behavior.

PLEASE NOTE: If a device with your application falls into the hands of a malicious user, or if another application is able to execute an attack that elevates its privileges then they will still have access to the files so you should plan accordingly and never store truly sensitive information on mobile devices.It is much safer to store sensitive data server-side and retrieve it to the device only when needed.

Contact us for help building secure mobile applications.

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous

February 09, 2012 in Mobile | | Comments (1) | TrackBack (0)

Technorati Tags: , , , , ,

October 05, 2011

Slides from Rochester Security Summit Keynote Online: The Need For Open Software Security Standards In A Mobile And Cloudy World

By Dan Cornell

Slides from my keynote at the Rochester Security Summit are now online here:

The Need For Open Software Security Standards In A Mobile And Cloudy World

View more presentations from Denim Group

 

The title of the talk was “The Need For Open Software Security Standards In A Mobile And Cloudy World” and the abstract was:

The security landscape is changing and the security industry must adapt to stay relevant.  The economic and scale benefits of the cloud are causing organizations to move sensitive business processes and data outside of the safety of the corporate environment.  New business models and other opportunities to create value through innovation are moving sensitive data and code onto untrusted mobile devices.  Organizations are going to adopt these new cloud and mobile technologies and information security practitioners will be forced to evolve current models for risk management and mitigation.  This presentation discusses the need for open software security standards to support this evolution.  Being required to trust cloud service providers leads to a need for increased visibility into the software security practices of those providers.  In addition, reliance on these providers’ software as well as the requirement to place software in untrusted environments such as mobile devices creates a demand for better standards for evaluating the security state of complicated systems.  Many previous efforts have been focused on proprietary models that failed to provide sufficient insight or on models that lacked a level of technical rigor required to provide assurance.  The solutions to these issues are open standards that are based on the real risks organizations encounter when adopting cloud and mobile technologies and the presentation outlines potential paths forward that can provide risk managers with the assurances they need while also freeing up businesses to intelligently consume emerging technologies.

I had a great time at the conference and really appreciate the hospitality of the Rochester crew.

Contact us for help crafting your software assurance program.

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous

October 05, 2011 in Conferences, Mobile | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , ,

August 16, 2011

Mobile Application Security Code Reviews: BSides Las Vegas Materials Online

By Dan Cornell

David Rook (@securityninja) and I gave a training class at 2011 Security BSides Las Vegas on mobile application security code reviews. We used his Agnitio code review tool to analyze a flawed application and identify potential issues.

The slides are online here:

The code for the intentionally-flawed sample Pandemobium Stock Trader application can be found online here. The code online includes both Android and iOS versions of a vulnerable application as well as the backing web services that support the apps.

Contact us for more information on application security training programs including instructor-led training for and eLearning.

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous

August 16, 2011 in Mobile | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , ,

Next »