Securing Mobile Apps - Threat Modeling, Whitebox, Blackbox testing presented at OWASP BASC 2012

by Greg Wolford

Tags: Security

Summary: Securing mobile applications is a multi-dimensional problem that combines elements of desktop security, web application security, and network security. The large attack surface is compounded by the relative immaturity of the platforms: because mobile application development is still an emerging technology, its threat space is still being defined. This large, continuously growing, and rapidly changing threat space represents a significant risk to the enterprise. Developers can reduce that risk by introducing a number of secure development practices into the SDLC.
Because the technologies behind mobile application development are changing rapidly, secure development tools are not yet comprehensive. However, good processes that combine these tools with design, development, and testing methodologies can bridge the security gap while the tools mature and become more effective. An effective security program applies the available tools across the whole SDLC. At a minimum, secure mobile application development should include threat modeling, static analysis/whitebox testing, and blackbox testing. That testing should cover attacks against all three components: the network, the server, and the client.
The presentation will focus on implementing secure development methodologies with an emphasis on:

Threat Modeling
  Threat modeling methodologies for mobile application development
  Threat modeling third-party applications
  Protecting PII on the device

Whitebox Testing
  Static analysis availability, strengths, and limitations
  Whitebox testing tools
  Whitebox client-side testing
  PII storage issues
  Client-side attack vectors

Blackbox Testing
  Blackbox testing tools
  Blackbox proxy issues
  Blackbox server issues
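As an added example (not part of the original presentation or the presenter's material), the following Python script shows the kind of check the outline's "whitebox client-side testing" and "PII storage issues" items refer to, and at the same time illustrates the "strengths and limitations" of static analysis: a small pattern-based scan over mobile client source that flags PII written to world-readable files, plain SharedPreferences, NSUserDefaults, external storage, or device logs. The rules, the PII term list, the severities and the three source snippets are all constructed for this example; the EncryptedSharedPreferences API named in the hardened snippet is assumed from the androidx.security library and appears only as text being scanned.

```python
"""Pattern-based whitebox check for PII storage and leakage in mobile client source.

Added example: rules, PII terms and sample snippets are constructed for
illustration, not taken from any real project.
"""
import re
from dataclasses import dataclass

# Identifiers that usually denote personally identifiable or sensitive data (constructed list).
PII_TERMS = r"(?:password|passwd|pwd|ssn|social|credit|card|cvv|dob|birth|token|secret|email|phone)"

# (rule id, pattern, severity, description); every rule is checked on each line.
RULES = [
    ("ANDROID_WORLD_READABLE",
     re.compile(r"MODE_WORLD_(?:READABLE|WRITEABLE)"),
     "high", "file or preferences created world-readable/writeable"),
    ("ANDROID_PLAINTEXT_PREFS",
     re.compile(r"\.put(?:String|Int|Long)\s*\(\s*\"[^\"]*" + PII_TERMS, re.I),
     "high", "sensitive value written to SharedPreferences"),
    ("ANDROID_LOG_PII",
     re.compile(r"Log\.[dviwe]\s*\([^;]*" + PII_TERMS, re.I),
     "medium", "sensitive data written to logcat"),
    ("IOS_USERDEFAULTS_PII",
     re.compile(r"NSUserDefaults[^;]*?(?:setObject|setValue)[^;]*" + PII_TERMS, re.I),
     "high", "sensitive value stored in NSUserDefaults (unencrypted plist)"),
    ("IOS_NSLOG_PII",
     re.compile(r"NSLog\s*\([^;]*" + PII_TERMS, re.I),
     "medium", "sensitive data written to the device log"),
    ("EXTERNAL_STORAGE",
     re.compile(r"getExternalStorage(?:Public)?Directory"),
     "medium", "data written to external storage readable by other apps"),
]


@dataclass(frozen=True)
class Finding:
    source: str
    line: int
    rule: str
    severity: str
    snippet: str


def scan_source(name, text):
    """Return findings for one source file, ordered by line and then by rule.

    Limitation of text matching: a putString() on an EncryptedSharedPreferences
    instance looks identical to one on plain preferences. If the file mentions
    the encrypted wrapper, those hits are downgraded to 'info' for manual review.
    """
    uses_encrypted_prefs = "EncryptedSharedPreferences" in text
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule_id, pattern, severity, _desc in RULES:
            if pattern.search(line):
                if rule_id == "ANDROID_PLAINTEXT_PREFS" and uses_encrypted_prefs:
                    severity = "info"
                findings.append(Finding(name, lineno, rule_id, severity, line.strip()))
    return findings


def severity_counts(findings):
    """Count findings by severity, e.g. {'high': 2, 'medium': 2}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample sources (not real app code).
VULNERABLE_ANDROID = """\
// Constructed sample: insecure handling of PII on the client
SharedPreferences prefs = getSharedPreferences("user", MODE_WORLD_READABLE);
prefs.edit().putString("password", password).commit();
Log.d(TAG, "login ssn=" + ssn);
File f = new File(Environment.getExternalStorageDirectory(), "export.csv");
"""

VULNERABLE_IOS = """\
// Constructed sample: PII in NSUserDefaults and the device log
[[NSUserDefaults standardUserDefaults] setObject:password forKey:@"password"];
NSLog(@"card=%@ cvv=%@", cardNumber, cvv);
"""

HARDENED_ANDROID = """\
// Constructed sample: same feature with PII kept out of logs and in encrypted storage
SharedPreferences prefs = EncryptedSharedPreferences.create(context, "user", masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
prefs.edit().putString("session_token", token).apply();
Log.d(TAG, "login completed for user id " + userId);
"""

if __name__ == "__main__":
    for name, text in [("Login.java", VULNERABLE_ANDROID), ("Login.m", VULNERABLE_IOS),
                       ("LoginHardened.java", HARDENED_ANDROID)]:
        for f in scan_source(name, text):
            print(f"{f.source}:{f.line} [{f.severity}] {f.rule}: {f.snippet}")
```

The hardened snippet still produces one "info" finding, which is the point of the limitation noted in the outline: line-oriented pattern matching cannot see the type of `prefs`, so a reviewer has to confirm that the wrapper really is the encrypted one. A real whitebox pass would rely on a dedicated analyzer with many more rules and some type awareness, and would treat output like this as a worklist for manual review rather than as a verdict.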