App Development in a legal and IT environment | Sherpany @ Security Zone 2014
DESCRIPTION
In spring 2014, Sherpany decided to release a mobile version for iOS & Android of its already established web solution Investor Webservice for electronic remote voting. In the tension between IT and law, besides general security, the confidentiality and integrity of the data on the end device play a decisive role. Mathias Brenner describes the course of the project and walks, from a business perspective, through the high requirements of customers such as Swiss Re, Nestlé, Novartis and other well-known companies from the SPI / SMI.
TRANSCRIPT
App Development in a legal and IT environment

Speaker: Mathias Brenner
Company: Sherpany / Agilentia AG
Position: Chief Operations Officer, Entrepreneur
Main facts:
- B.Sc. in Business Administration
- Advanced Federal Certificate in IT
- Scrum Master

Speaker: Sven Vetsch
Company: Redguard AG
Position: Partner, Chief Technology Officer
Main facts:
- 10 years of experience in information security
- B.Sc. Computer Science (specialization IT security)
- Leader OWASP Switzerland Chapter
Mobile eBanking - a secure payment method?
We don't receive the votes as cast by the shareholders.
… what if some of the votes were manipulated during transmission?
Technical risks…
… most mobile applications use HTTP as a communication protocol - like your web browser
… HTTP is a clear-text protocol - all of your traffic from / to the server is unencrypted
… but there is HTTPS (HTTP over SSL/TLS)?
Do you trust the following institutions with all of your communication?
- China Internet Network Information Center
- Secrétariat Général de la Défense Nationale
- Hongkong Post (Government of Hong Kong)
- Bundesamt für Informatik und Telekom. (BIT)
…
DEMO
The solution is…
… use HSTS headers
… directly connect over HTTPS, never send a single unencrypted HTTP request
… only accept trusted certificates
… certificate pinning
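The three transport-level countermeasures above (HTTPS only, trusted certificates only, certificate pinning) plus HSTS handling, shown as an added Python example on the client side of a mobile API. This is illustration code, not Sherpany's or Redguard's; the hostname `api.example-vote.test`, the pin values and the sample certificate bytes are constructed placeholders.

```python
"""HTTPS-only client policy with certificate pinning and HSTS parsing.

Added illustration, not the talk's own code. The host, the pins and the
sample certificate bytes are constructed placeholders.
"""
import hashlib
import hmac
import socket
import ssl
from urllib.parse import urlparse

# Constructed stand-in for a DER-encoded server certificate (placeholder bytes).
SAMPLE_CERT_DER = b"constructed-placeholder-certificate-bytes"

# Pinned SHA-256 fingerprints of the DER certificate, keyed by host. Keep a
# backup pin so a planned certificate rotation does not lock out the app.
PINS = {
    "api.example-vote.test": {
        hashlib.sha256(SAMPLE_CERT_DER).hexdigest(),
        "backup-pin-placeholder",  # constructed placeholder, not a real fingerprint
    }
}


def url_is_allowed(url: str) -> bool:
    """Only https:// URLs may leave the app; never a single plain HTTP request."""
    return urlparse(url).scheme == "https"


def enforce_https(url: str) -> str:
    """Return the hostname of an https:// URL, or raise for anything else."""
    if not url_is_allowed(url):
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    return urlparse(url).hostname


def cert_matches_pin(host: str, cert_der: bytes) -> bool:
    """Compare the leaf certificate's fingerprint against the pin set for host.

    hmac.compare_digest keeps the comparison constant-time.
    """
    fingerprint = hashlib.sha256(cert_der).hexdigest()
    return any(hmac.compare_digest(fingerprint, pin) for pin in PINS.get(host, set()))


def parse_hsts(header_value: str):
    """Parse a Strict-Transport-Security header into (max_age, include_subdomains).

    A client that honours HSTS remembers max_age seconds during which it must
    rewrite any http:// reference for the host to https://.
    """
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_subdomains = True
    return max_age, include_subdomains


def connect_pinned(url: str, timeout: float = 5.0) -> str:
    """Open a TLS connection: chain and hostname are verified by the default
    context, then the leaf certificate must additionally match a pin."""
    host = enforce_https(url)
    context = ssl.create_default_context()  # CA validation + hostname check on
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if not cert_matches_pin(host, leaf):
                raise ssl.SSLError(f"certificate pin mismatch for {host}")
            return tls.version()
```

The pin check runs after, not instead of, the normal chain validation: pinning narrows the set of accepted certificates for one host, it does not replace trust verification. Pinning the DER fingerprint of the whole certificate is the simplest form; pinning the public key (SPKI) instead survives certificate renewals with the same key.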
But never do this…
Manipulating votes from a major shareholder
… or can someone impersonate a shareholder to vote in his/her name?
Technical risks…
… classic web applications use session cookies to keep their users authenticated for a predefined time
… depending on the sensitivity of your application, you want a user to be logged out even after a few minutes of inactivity
… when did you have to re-enter your login credentials when using a mobile application?
… that is why we use API tokens / keys
Technical risks…
… most of the time API keys / tokens have a very long lifespan of several days, weeks, months, or they never expire
The solution is…
… for sensitive actions ask the user to re-enter the password
… only allow users to have a limited amount of API keys / tokens
… change the API keys / tokens often
… from time to time force your users to log in again
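The four token rules above (step-up password for sensitive actions, a cap on tokens per user, rotation, periodic forced re-login) implemented as an added Python example of a server-side token store. This is illustration code, not Sherpany's; the lifetimes, the per-user cap and the in-memory store are assumed policy values chosen for the example.

```python
"""API token policy for a mobile client: expiry, per-user cap, rotation and
step-up re-authentication for sensitive actions.

Added illustration, not the talk's own code. Policy constants and the
in-memory store are assumptions for the example.
"""
import secrets
import time
from dataclasses import dataclass

TOKEN_LIFETIME = 24 * 3600   # assumed: a token is dead after one day, no exceptions
MAX_TOKENS_PER_USER = 3      # assumed: phone, tablet, one spare
FRESH_AUTH_WINDOW = 5 * 60   # assumed: sensitive action needs a password entered in the last 5 min
ROTATE_AFTER = 6 * 3600      # assumed: swap a token that has been in use this long


@dataclass
class Token:
    user: str
    value: str
    issued_at: float
    expires_at: float
    last_password_at: float


class TokenStore:
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable clock so the policy can be tested
        self._tokens = {}        # token value -> Token

    def _live(self, value):
        tok = self._tokens.get(value)
        if tok is None or tok.expires_at <= self._clock():
            self._tokens.pop(value, None)   # purge expired tokens on sight
            return None
        return tok

    def issue(self, user: str, password_ok: bool) -> str:
        """Issue a token after a password check; evict the oldest at the cap."""
        if not password_ok:
            raise PermissionError("password check failed")
        now = self._clock()
        active = sorted((t for t in self._tokens.values()
                         if t.user == user and t.expires_at > now),
                        key=lambda t: t.issued_at)
        while len(active) >= MAX_TOKENS_PER_USER:
            del self._tokens[active.pop(0).value]
        tok = Token(user, secrets.token_urlsafe(32), now, now + TOKEN_LIFETIME, now)
        self._tokens[tok.value] = tok
        return tok.value

    def authenticate(self, value: str):
        """Return the user for a live token, None otherwise."""
        tok = self._live(value)
        return tok.user if tok else None

    def rotate_if_stale(self, value: str):
        """Replace a token older than ROTATE_AFTER; the old value stops working."""
        tok = self._live(value)
        if tok is None:
            return None
        now = self._clock()
        if now - tok.issued_at < ROTATE_AFTER:
            return value
        del self._tokens[value]
        fresh = Token(tok.user, secrets.token_urlsafe(32), now,
                      now + TOKEN_LIFETIME, tok.last_password_at)
        self._tokens[fresh.value] = fresh
        return fresh.value

    def sensitive_action(self, value: str, password_ok: bool = False) -> bool:
        """Step-up: allow only if a password was entered within FRESH_AUTH_WINDOW."""
        tok = self._live(value)
        if tok is None:
            return False
        now = self._clock()
        if now - tok.last_password_at <= FRESH_AUTH_WINDOW:
            return True
        if password_ok:                 # user just re-entered the password
            tok.last_password_at = now
            return True
        return False

    def force_relogin(self, user: str) -> int:
        """Revoke every token of a user (periodic forced re-login); returns count."""
        doomed = [v for v, t in self._tokens.items() if t.user == user]
        for v in doomed:
            del self._tokens[v]
        return len(doomed)
```

The store keeps the password freshness timestamp on the token rather than on the user, so re-authenticating on one device does not unlock sensitive actions on another device holding a different token.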
Theft of the mobile device and manipulating existing votes
… or can an attacker take over the mobile application itself and gather and/or modify data?
Technical risks…
… SQL injection, Cross-Site Scripting (XSS)
DEMO
The solution is…
… input / output validation, encoding, …
… prepared statements
… you have to secure the communication channels
… user input is always dangerous - treat it like that
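The SQL injection and XSS risks from the demo next to the fixes listed above (prepared statements, input validation, output encoding), as an added Python example against an in-memory SQLite table. This is illustration code, not Sherpany's; the `votes` table and its rows are constructed for the example.

```python
"""SQL injection and XSS: the vulnerable form beside the hardened form.

Added illustration, not the talk's own code. The votes table and the sample
rows are constructed for the example.
"""
import html
import sqlite3

ALLOWED_CHOICES = {"yes", "no", "abstain"}


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three shareholders, two motions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE votes (shareholder TEXT, motion TEXT, choice TEXT)")
    conn.executemany("INSERT INTO votes VALUES (?, ?, ?)", [
        ("alice", "M1", "yes"),
        ("bob", "M1", "no"),
        ("carol", "M2", "abstain"),
    ])
    return conn


def votes_for_vulnerable(conn, shareholder: str):
    """DON'T: the parameter is glued into the SQL text, so it can rewrite the
    query and leak every shareholder's votes."""
    sql = "SELECT motion, choice FROM votes WHERE shareholder = '" + shareholder + "'"
    return conn.execute(sql).fetchall()


def votes_for(conn, shareholder: str):
    """Prepared statement: the value is bound as data and never parsed as SQL."""
    return conn.execute(
        "SELECT motion, choice FROM votes WHERE shareholder = ?", (shareholder,)
    ).fetchall()


def validate_choice(choice: str) -> str:
    """Input validation: accept only values from a fixed allow-list."""
    if choice not in ALLOWED_CHOICES:
        raise ValueError(f"invalid vote choice: {choice!r}")
    return choice


def cast_vote(conn, shareholder: str, motion: str, choice: str) -> int:
    """Validated input plus a bound statement; returns the rows stored."""
    conn.execute("INSERT INTO votes VALUES (?, ?, ?)",
                 (shareholder, motion, validate_choice(choice)))
    return conn.execute("SELECT COUNT(*) FROM votes WHERE shareholder = ?",
                        (shareholder,)).fetchone()[0]


def render_comment_vulnerable(text: str) -> str:
    """DON'T: raw user text in HTML is a stored/reflected XSS."""
    return f"<p>{text}</p>"


def render_comment(text: str) -> str:
    """Output encoding: every HTML-significant character becomes an entity."""
    return f"<p>{html.escape(text, quote=True)}</p>"
```

The two vulnerable functions are kept only to show the contrast: the same shareholder parameter returns one user's rows through the bound query and the whole table through the concatenated one.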
Security Development Lifecycle

IT Security Management Phase 0 / 1
Phase 0 - Before the project
- Developer training
Phase 1 - Planning / Design
- Design / architecture review from a security point of view
- Brainstorming and / or challenging security controls

IT Security Management Phase 2 / 3
Phase 2 - Implementation
- Regular security reviews
- Security contact where developers can get answers to their questions
Phase 3 - Evaluate / Test
- Penetration testing
- Source code review (of critical components)

IT Security Management Phase 4
Phase 4 - Release / Maintenance
- Recurring security tests for new threats and newly added features
- Keep your documentation updated
Lessons learned…
… there are real threats to your application and your users
… security as a part of the development process is cheaper and more efficient in the long run
… mobile applications aren't immune to vulnerabilities
… get an external partner for security consulting and verification
… learn from your past mistakes
Q & A