app development in a legal and it environment | sherpany @security zone 2014

App Development in a legal and IT environment

Speaker Mathias Brenner Company Sherpany

Agilen;a AG Posi;on Chief Opera;ons Officer

Entrepreneur Mainfacts -‐ B.SC. in Business Administra;on

-‐ Advanced Federal Cer;ficate in IT -‐ Scrum Master

Speaker Sven Vetsch Company Redguard AG Posi;on Partner

Chief Technology Officer Main facts -‐ 10 years of experience

in informa;on security

-‐ B. Sc. Computer Sience (specializa;on IT security)

-‐ Leader OWASP Switzerland Chapter

Mobile eBanking -‐ a secure payment method?

We don‘t receive the votes as casted by the shareholders.

…what if some of the votes where manipulated during transmission?

Technical risks…

… most mobile applica;ons use HTTP as a communica;on protocol -‐ like your web browser

… HTTP is a clear-‐text-‐protocol – all of your traffic from / to the server is unencrypted

… but there is HTTPS (HTTP over SSL/TLS) ?

China Internet Network Informa;on Center

Sécrétariat Général de la Défense Na;onale

Honkong Post (Government of Hong Kong)

Bundesamt für Informa;k und Telekom. (BIT)

Do you trust the following ins;tu;ons with all of your communica;on?

…

… use HSTS Headers

The solu;on is…

… directly connect over HTTPS, never send a single unencrypted HTTP request

… only accept trusted cer;ficates

… Cer;ficate Pinning

But never do this…

Manipula;ng votes from a major shareholder

… or can someone impersonate a shareholder to vote in his/her name?

Technical risks…

… classic web applica;ons use session cookies to keep their users authen;cated for a predefined ;me

… depending on the sensi;vity of your applica;on, you want a user to be logged out even aaer a few minutes of inac;vity

… when did you have to re-‐enter your login creden;als when using a mobile applica;on?

… that is why we use API tokens / keys

Technical risks…

… most of the ;me API keys / tokens have a very long lifespan of several days, weeks, months or they never expire

The solu;on is…

… for sensi;ve ac;ons ask the user to re-‐enter the password

… only allow users to have a limited amount of API keys / tokens

… change the API keys / tokens oaen

… from ;me to ;me force your users to log in again

Thea of the mobile device and manipula;ng exis;ng votes

… or can an abacker overtake the mobile applica;on itself and gather and/or modify

data?

Technical risks…

… SQL injec;on, Cross-‐Site Scrip;ng (XSS)

The solu;on is…

… input / output valida;on, encoding, …

… prepared statements

… you have to secure the communica;on channels

… user input is always dangerous – treat it like that

Security Development Lifecycle

IT Security Management Phase 0 / 1

Phase 1 -‐ Planning / Design

Phase 0 -‐ Before the project Developer Training

Design / Architecture review from a security point of view

Brainstorming and / or challenging security controls

IT Security Management Phase 2 / 3

Phase 2 -‐ Implementa;on Regular security reviews

Security contact where developers can get answers to their ques;ons

Phase 3 -‐ Evaluate / Test Penetra;on tes;ng

Source code review (of cri;cal components)

IT Security Management Phase 4

Phase 4 – Release / Maintenance Reoccurring security tests for the new threats and newly added features

Keep your documenta;on updated

Lessons learned…

… there are real threats to your applica;on and your users

… security as a part of the development process is cheaper and more efficient in the long run

… mobile applica;ons aren’t immune to vulnerabili;es

… get an external partner for security consul;ng and verifica;on

… learn from your past mistakes