I’m teaching a 1-day class on June 8th: “Designing, Building and Testing Secure Application on Mobile Devices.” This course provides an introduction to security for mobile and smartphone applications. It walks through a basic threat model for a smartphone application. This threat model is then used as a framework for making good decisions about designing and building applications as well as for testing the security of existing applications. Examples are provided for both iOS (iPhone and iPad) and Android platforms, and sample code is provided to demonstrate mobile security assessment techniques. Particular emphasis will be on the unique security challenges that developing software for mobile devices represents, comparing mobile software security concepts to those in the web application world. You can click here to register for OWASP AppSec EU 2011 Training.
Then John Dickson will be giving his presentation “Software Security: Is OK Good Enough” on June 10th. The abstract is:
Widely publicized breaches regularly occur involving insecure software. This is due to the fact that the vast majority of software in use today was not designed to withstand attacks encountered when deployed on hostile networks such as the Internet. What limited vulnerability statistics exist confirm that most modern software includes coding flaws and design errors that put sensitive customer data at risk. Unfortunately, security officers and software project owners still struggle to justify investment to build secure software. Initial efforts to build justification models have not been embraced beyond the most security conscious organizations. Concepts like “Rugged Software” are gaining traction, but have yet to make a deep impact. How does an organization – short of a breach – justify expending critical resources to build more secure software? Is it realistic to believe that an industry-driven solution such as the Payment Card Industry’s Data Security Standard (PCI-DSS) can drive secure software investment before headlines prompt government to demand top-down regulation to “fix” the security of software?
This presentation will attempt to characterize the current landscape of software security from the perspective of a practitioner who regularly works with Fortune 500 chief security officers to build business cases for software security initiatives. Given the current status of software security efforts, and the struggles for business justification, industry would be well-served to look further afield to other competing models to identify future justification efforts. There is still much that can be learned from models outside the security and information technology fields. For example, the history of food safety provides lessons that the software security industry can draw from when developing justification models. We can also learn from building code adoption by earthquake-prone communities and draw comparisons to communities that have less rigorous building codes. Finally, we can learn much from certain financial regulations that have or have not improved confidence in our financial system.
I will be following that up with my presentation “Putting the Smart into Smartphones: Security Testing Mobile Applications” later that day:
Security testing techniques for web applications are fairly well-understood and documented. However, mobile applications have different threat models than web applications and also rely on different technologies; therefore the goals of mobile application security testing are different as are the techniques. This presentation outlines a basic threat model for a mobile application and walks through concerns an application developer might have when deploying the application. Different testing techniques that can be used to gain insight into the security properties of the application are discussed and comparisons are made to the testing of web applications and other software to demonstrate the similarities and differences when dealing with mobile applications. Examples are given for both iPhone and Android platforms but the general techniques apply to any mobile application platform.
The OWASP Ireland 1-day conference last year was great and I’m looking forward to heading back over for the full AppSec conference this year. Contact us if you want to meet up at OWASP AppSec EU 2011.
dan _at_ denimgroup.com