Abstract image of a woman sitting on books and studying on a laptop

2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design

NCC Group, profile picture
NCC Group

This document discusses developing mobile apps with security in mind from the start. It notes that considering security early in the design process is cheaper, easier and less likely to result in fundamental flaws compared to addressing security as an afterthought. While building security into apps from the beginning requires more initial effort, it can improve user experience and privacy, lead to more integrated and upgradable security, and provide better ROI long term compared to last minute approaches. When using commercial off-the-shelf apps, gaining security assurances can be challenging and often relies on black box assessments rather than code access. Proper response planning is also important in case issues arise.

Technology
1 of 18
Downloaded 12 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Mobile apps and security by design Ollie Whitehouse, Associate Director - NCC Group
Agenda •Challenges •Benefits • Features • Privacy • Product security •Assurance and COTS •Response planning
Problem Statement “How to develop or purchase COTS mobile apps for my enterprise while ensuring security.”
Real-world challenges •Cost •Timelines •Available security skill-set •Trust in underlying technologies •COTS, the big black box
Reality •Last minute security can lead to •Poor user experience •Risk of fundamental flaws •Implementation issues •Higher expense and wasted effort •…. Band-Aid solutions
How do we know this? •Secure Development Life-cycles! •Security earlier is •Cheaper •Easier •More integrated •Less likely to be wrong
How do we know this? •Issues found during final testing •Back to development •Re-testing (functional) •Issues found after release •All of the above •Customer support costs •Regulatory, press / brand etc. •…
Put another way.. “Those practicing SDL specifically reported visibly better ROI results than the overall population.“ - Forester research
But it’s not without cost… ~14% extra effort
What do we care about? •Functionality •Security has a bad reputation •Security is seen as impeding •Privacy •Users and customers •Security •Risk and regulator •Integrity and data protection
Feature benefits •Meet your risk appetite •User friendly (UX etc.) •Measured •Integrated •Lower risk of fundamental issues
Privacy benefits •Regulatory compliance •Publically acceptable •Consumer versus employee •Internet versus VPN •… concepts like do not track etc … •Consideration around •What we send, how we send, what we store and how we store
Security benefits •Baked in (intrinsic to the fabric) •Defence in depth •Easy (automatic?) to upgrade •Auditing / logging •Authentication / authorisation •Transport security •Data at rest security
Mobile security by design •User experience •Authentication •Authorisation •Storage •Logging •Transport •Upgradability •Device / user identification
The COTS challenge •Marketing buzzword bingo •3rd party development practices •Gaining assurance … in code and processes … ideally via code access (rare!) … likely black-box security assessments … we don’t want to outsource risk
If it all goes wrong •Security response processes •Internally developed •Escalation points? •Vendor relationships •Who would you call? •Legal agreements? •Security SLAs? •Short term mitigations?
Summary •Consider security & risk early •Design security in from the start •Test security early, test often •Bigger locks != better security •Consider user base •Consider underlying technologies •Consider tech/user case constraints •Coax COTS vendors to improve
UK Offices Manchester - Head Office Cheltenham Edinburgh Leatherhead London Thame North American Offices San Francisco Atlanta New York Seattle Australian Offices Sydney European Offices Amsterdam - Netherlands Munich - Germany Zurich - Switzerland Ollie Whitehouse ollie.whitehouse@nccgroup.com Thanks! Questions?

More Related Content

PDF
2012 12-04 --ncc_group_-_mobile_threat_war_room
NCC Group
 
PDF
Current & Emerging Cyber Security Threats
NCC Group
 
PPTX
Practical SME Security on a Shoestring
NCC Group
 
PPTX
The Mobile Internet of Things and Cyber Security
NCC Group
 
PPTX
Valerie Thomas - All Your Door Belong to Me - Attacking Physical Access Systems
centralohioissa
 
PPTX
Understanding passwordless technologies
David Strom
 
PDF
Locking down server and workstation operating systems
Ben Rothke
 
PDF
10 Security issues facing NZ Enterprises
Nigel Hanson
 
2012 12-04 --ncc_group_-_mobile_threat_war_room
NCC Group
 
Current & Emerging Cyber Security Threats
NCC Group
 
Practical SME Security on a Shoestring
NCC Group
 
The Mobile Internet of Things and Cyber Security
NCC Group
 
Valerie Thomas - All Your Door Belong to Me - Attacking Physical Access Systems
centralohioissa
 
Understanding passwordless technologies
David Strom
 
Locking down server and workstation operating systems
Ben Rothke
 
10 Security issues facing NZ Enterprises
Nigel Hanson
 

What's hot (20)

PPTX
Essential Layers of IBM i Security: System-Access Security
Precisely
 
PPTX
Erik Nachbahr "Dealership Technology"
Sean Bradley
 
PPTX
Threat Modeling - Locking the Door to Vulnerabilities
Security Innovation
 
PDF
Securing your presence at the perimeter
Ben Rothke
 
PDF
Zero Trust Model Presentation
Gowdhaman Jothilingam
 
PPT
Qualys user group presentation - vulnerability management - November 2009 v1 3
Tom King
 
PPTX
Cyber Security Overview for Small Businesses
Charles Cline
 
PPTX
2015 Endpoint and Mobile Security Buyers Guide
Lumension
 
PPTX
Security Testing for IoT Systems
Security Innovation
 
PPT
Competitive Cyber Security
Coastal Pet Products, Inc.
 
PDF
Hijacking a Pizza Delivery Robot (using SQL injection)
Priyanka Aash
 
PPTX
How to create a secure IoT device
Abhijeet Rane
 
PDF
Ransomware ly
Lisa Young
 
PDF
New VIPRE_DS_EndpointSecurity_2016
Cyd Isaak Francisco
 
PDF
Controlling Access to IBM i Systems and Data
Precisely
 
PDF
Expand Your Control of Access to IBM i Systems and Data
Precisely
 
PDF
Cybersecurity for modern industrial systems
Itex Solutions
 
PPTX
Cyber Security # Lec 2
Kabul Education University
 
PDF
FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal
Black Duck by Synopsys
 
PDF
NIST Zero Trust Explained
rtp2009
 
Essential Layers of IBM i Security: System-Access Security
Precisely
 
Erik Nachbahr "Dealership Technology"
Sean Bradley
 
Threat Modeling - Locking the Door to Vulnerabilities
Security Innovation
 
Securing your presence at the perimeter
Ben Rothke
 
Zero Trust Model Presentation
Gowdhaman Jothilingam
 
Qualys user group presentation - vulnerability management - November 2009 v1 3
Tom King
 
Cyber Security Overview for Small Businesses
Charles Cline
 
2015 Endpoint and Mobile Security Buyers Guide
Lumension
 
Security Testing for IoT Systems
Security Innovation
 
Competitive Cyber Security
Coastal Pet Products, Inc.
 
Hijacking a Pizza Delivery Robot (using SQL injection)
Priyanka Aash
 
How to create a secure IoT device
Abhijeet Rane
 
Ransomware ly
Lisa Young
 
New VIPRE_DS_EndpointSecurity_2016
Cyd Isaak Francisco
 
Controlling Access to IBM i Systems and Data
Precisely
 
Expand Your Control of Access to IBM i Systems and Data
Precisely
 
Cybersecurity for modern industrial systems
Itex Solutions
 
Cyber Security # Lec 2
Kabul Education University
 
FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal
Black Duck by Synopsys
 
NIST Zero Trust Explained
rtp2009
 
Ad

Viewers also liked (14)

PPTX
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
NCC Group
 
PDF
How we breach small and medium enterprises (SMEs)
NCC Group
 
PDF
Pki 202 Architechture Models and CRLs
NCC Group
 
PPTX
Mobile App Security: Enterprise Checklist
Jignesh Solanki
 
PPTX
Exploiting appliances presentation v1.1-vids-removed
NCC Group
 
PDF
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group
 
PDF
Cryptography101
NCC Group
 
PDF
07182013 Hacking Appliances: Ironic exploits in security products
NCC Group
 
PPTX
Cryptography - 101
n|u - The Open Security Community
 
PDF
USB: Undermining Security Barriers
NCC Group
 
PDF
Pki 201 Key Management
NCC Group
 
PDF
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
NCC Group
 
PDF
Docking stations andy_davis_ncc_group_slides
NCC Group
 
PDF
Real World Application Threat Modelling By Example
NCC Group
 
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
NCC Group
 
How we breach small and medium enterprises (SMEs)
NCC Group
 
Pki 202 Architechture Models and CRLs
NCC Group
 
Mobile App Security: Enterprise Checklist
Jignesh Solanki
 
Exploiting appliances presentation v1.1-vids-removed
NCC Group
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group
 
Cryptography101
NCC Group
 
07182013 Hacking Appliances: Ironic exploits in security products
NCC Group
 
Cryptography - 101
n|u - The Open Security Community
 
USB: Undermining Security Barriers
NCC Group
 
Pki 201 Key Management
NCC Group
 
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
NCC Group
 
Docking stations andy_davis_ncc_group_slides
NCC Group
 
Real World Application Threat Modelling By Example
NCC Group
 
Ad

Similar to 2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design (20)

PPTX
Security Imeprative for iOS and Android Apps
Symosis Security (Previously C-Level Security)
 
PPT
Mobile application security and threat modeling
Shantanu Mitra
 
PPT
Sql securitytesting
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
PDF
Application Security in an Agile World - Agile Singapore 2016
Stefan Streichsbier
 
PPT
Security Testing for Mobile and Web Apps
DrKaramHatim
 
PDF
CNIT 128 8: Mobile development security
Sam Bowne
 
PDF
Mobile Application Security by Design
DMI
 
PPTX
Hacker vs Tools: Which to Choose?
Security Innovation
 
PPTX
Hacker vs tools
Geoffrey Vaughan
 
PPTX
Keeping Secrets on the Internet of Things - Mobile Web Application Security
Kelly Robertson
 
PDF
24 031030davidtillemanssecuresdlcpub-110325054740-phpapp02
Smals
 
PDF
Mobile SSO: Give App Users a Break from Typing Passwords
CA API Management
 
PPTX
Owasp summit slides day 2
Dinis Cruz
 
PPT
Embracing the IT Consumerization Imperative NG Security
Barry Caplin
 
PPTX
SOC: Use cases and are we asking the right questions?
Jonathan Sinclair
 
PDF
Threat modelling & apps testing
Adrian Munteanu
 
PDF
Application Security - Your Success Depends on it
WSO2
 
PPSX
You built a security castle and forgot the bridge…now users are climbing your...
Security BSides London
 
PDF
TRUSTe Online Security Guidelines v2.0
TRUSTe
 
PPTX
Agile software security assurance
Ollie Whitehouse
 
Security Imeprative for iOS and Android Apps
Symosis Security (Previously C-Level Security)
 
Mobile application security and threat modeling
Shantanu Mitra
 
Sql securitytesting
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
Application Security in an Agile World - Agile Singapore 2016
Stefan Streichsbier
 
Security Testing for Mobile and Web Apps
DrKaramHatim
 
CNIT 128 8: Mobile development security
Sam Bowne
 
Mobile Application Security by Design
DMI
 
Hacker vs Tools: Which to Choose?
Security Innovation
 
Hacker vs tools
Geoffrey Vaughan
 
Keeping Secrets on the Internet of Things - Mobile Web Application Security
Kelly Robertson
 
24 031030davidtillemanssecuresdlcpub-110325054740-phpapp02
Smals
 
Mobile SSO: Give App Users a Break from Typing Passwords
CA API Management
 
Owasp summit slides day 2
Dinis Cruz
 
Embracing the IT Consumerization Imperative NG Security
Barry Caplin
 
SOC: Use cases and are we asking the right questions?
Jonathan Sinclair
 
Threat modelling & apps testing
Adrian Munteanu
 
Application Security - Your Success Depends on it
WSO2
 
You built a security castle and forgot the bridge…now users are climbing your...
Security BSides London
 
TRUSTe Online Security Guidelines v2.0
TRUSTe
 
Agile software security assurance
Ollie Whitehouse
 

Recently uploaded (20)

PPTX
Microsoft User Copilot Training Slide Deck
zohoron1
 
PDF
giants, standing on the shoulders of - by Daniel Stenberg
Daniel Stenberg
 
PDF
A hybrid framework for wild animal classification using fine-tuned DenseNet12...
IAESIJAI
 
PDF
Transform-Your-Supply-Chain-with-AI-Driven-Quality-Engineering.pdf
Kalilur Rahman
 
PPTX
Internet of Everything -Basic concepts details
sendilkumar66
 
PPTX
MuleSoft-Compete-Deck for midddleware integrations
zupittejas
 
PDF
Dell Pro Micro: Speed customer interactions, patient processing, and learning...
Principled Technologies
 
PDF
The-Future-of-Automotive-Quality-is-Here-AI-Driven-Engineering.pdf
Kalilur Rahman
 
PDF
4 layer Arch & Reference Arch of IoT.pdf
sendilkumar66
 
PDF
The AI Revolution in Customer Service - 2025
Body of Knowledge
 
PDF
IT-ITes Industry bjjbnkmkhkhknbmhkhmjhjkhj
yatharthjutt100311
 
PDF
Human Computer Interaction Miterm Lesson
JasperGarcia9
 
PPTX
SGT Report The Beast Plan and Cyberphysical Systems of Control
hopegirl587
 
PDF
Advancing precision in air quality forecasting through machine learning integ...
IAESIJAI
 
PDF
Lung cancer patients survival prediction using outlier detection and optimize...
IAESIJAI
 
PDF
Transform-Your-Streaming-Platform-with-AI-Driven-Quality-Engineering.pdf
Kalilur Rahman
 
PDF
Auditboard EB SOX Playbook 2023 edition.
DROK2
 
PDF
A symptom-driven medical diagnosis support model based on machine learning te...
IAESIJAI
 
PDF
CXOs-Are-you-still-doing-manual-DevOps-in-the-age-of-AI.pdf
Kalilur Rahman
 
PDF
Transform-Your-Factory-with-AI-Driven-Quality-Engineering.pdf
Kalilur Rahman
 
Microsoft User Copilot Training Slide Deck
zohoron1
 
giants, standing on the shoulders of - by Daniel Stenberg
Daniel Stenberg
 
A hybrid framework for wild animal classification using fine-tuned DenseNet12...
IAESIJAI
 
Transform-Your-Supply-Chain-with-AI-Driven-Quality-Engineering.pdf
Kalilur Rahman
 
Internet of Everything -Basic concepts details
sendilkumar66
 
MuleSoft-Compete-Deck for midddleware integrations
zupittejas
 
Dell Pro Micro: Speed customer interactions, patient processing, and learning...
Principled Technologies
 
The-Future-of-Automotive-Quality-is-Here-AI-Driven-Engineering.pdf
Kalilur Rahman
 
4 layer Arch & Reference Arch of IoT.pdf
sendilkumar66
 
The AI Revolution in Customer Service - 2025
Body of Knowledge
 
IT-ITes Industry bjjbnkmkhkhknbmhkhmjhjkhj
yatharthjutt100311
 
Human Computer Interaction Miterm Lesson
JasperGarcia9
 
SGT Report The Beast Plan and Cyberphysical Systems of Control
hopegirl587
 
Advancing precision in air quality forecasting through machine learning integ...
IAESIJAI
 
Lung cancer patients survival prediction using outlier detection and optimize...
IAESIJAI
 
Transform-Your-Streaming-Platform-with-AI-Driven-Quality-Engineering.pdf
Kalilur Rahman
 
Auditboard EB SOX Playbook 2023 edition.
DROK2
 
A symptom-driven medical diagnosis support model based on machine learning te...
IAESIJAI
 
CXOs-Are-you-still-doing-manual-DevOps-in-the-age-of-AI.pdf
Kalilur Rahman
 
Transform-Your-Factory-with-AI-Driven-Quality-Engineering.pdf
Kalilur Rahman
 

2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design

  • 1. Mobile apps and security by design Ollie Whitehouse, Associate Director - NCC Group
  • 2. Agenda •Challenges •Benefits • Features • Privacy • Product security •Assurance and COTS •Response planning
  • 3. Problem Statement “How to develop or purchase COTS mobile apps for my enterprise while ensuring security.”
  • 4. Real-world challenges •Cost •Timelines •Available security skill-set •Trust in underlying technologies •COTS, the big black box
  • 5. Reality •Last minute security can lead to •Poor user experience •Risk of fundamental flaws •Implementation issues •Higher expense and wasted effort •…. Band-Aid solutions
  • 6. How do we know this? •Secure Development Life-cycles! •Security earlier is •Cheaper •Easier •More integrated •Less likely to be wrong
  • 7. How do we know this? •Issues found during final testing •Back to development •Re-testing (functional) •Issues found after release •All of the above •Customer support costs •Regulatory, press / brand etc. •…
  • 8. Put another way.. “Those practicing SDL specifically reported visibly better ROI results than the overall population.“ - Forester research
  • 9. But it’s not without cost… ~14% extra effort
  • 10. What do we care about? •Functionality •Security has a bad reputation •Security is seen as impeding •Privacy •Users and customers •Security •Risk and regulator •Integrity and data protection
  • 11. Feature benefits •Meet your risk appetite •User friendly (UX etc.) •Measured •Integrated •Lower risk of fundamental issues
  • 12. Privacy benefits •Regulatory compliance •Publically acceptable •Consumer versus employee •Internet versus VPN •… concepts like do not track etc … •Consideration around •What we send, how we send, what we store and how we store
  • 13. Security benefits •Baked in (intrinsic to the fabric) •Defence in depth •Easy (automatic?) to upgrade •Auditing / logging •Authentication / authorisation •Transport security •Data at rest security
  • 14. Mobile security by design •User experience •Authentication •Authorisation •Storage •Logging •Transport •Upgradability •Device / user identification
  • 15. The COTS challenge •Marketing buzzword bingo •3rd party development practices •Gaining assurance … in code and processes … ideally via code access (rare!) … likely black-box security assessments … we don’t want to outsource risk
  • 16. If it all goes wrong •Security response processes •Internally developed •Escalation points? •Vendor relationships •Who would you call? •Legal agreements? •Security SLAs? •Short term mitigations?
  • 17. Summary •Consider security & risk early •Design security in from the start •Test security early, test often •Bigger locks != better security •Consider user base •Consider underlying technologies •Consider tech/user case constraints •Coax COTS vendors to improve
  • 18. UK Offices Manchester - Head Office Cheltenham Edinburgh Leatherhead London Thame North American Offices San Francisco Atlanta New York Seattle Australian Offices Sydney European Offices Amsterdam - Netherlands Munich - Germany Zurich - Switzerland Ollie Whitehouse [email protected] Thanks! Questions?