TRANSCRIPT
Developing Secure Software: From Mobile Apps to ERP Systems
Achim D. Brucker, achim.brucker@sap.com, http://www.brucker.ch
SAP SE, Vincenz-Priessnitz-Str. 1, 76131 Karlsruhe, Germany
ZertApps Abschlussveranstaltung (closing event) "Sichere und datenschutzgerechte Entwicklung von mobilen Apps" ("Secure and Privacy-Compliant Development of Mobile Apps")
TeleTrusT, Bremen, November 17, 2015
Abstract
Developing secure software is in general challenging and requires an end-to-end secure software development lifecycle. It is particularly challenging if the secure software development lifecycle needs to fit the whole range of software products, from small mobile apps to large-scale enterprise systems, and needs to be applicable to a wide range of software development methodologies. In this presentation we will present SAP's approach to developing secure software in general and in particular highlight the challenges of developing mobile applications securely.
© 2015 SAP SE. All Rights Reserved.
Agenda
1. Background
2. Motivation
3. Risk-based Security Testing as Part of SAP's S2DL
4. Lessons Learned
5. How Does This Apply to Mobile Development?
6. Conclusion
SAP SE
• Leader in business software: cloud, mobile, on premise
• Many different technologies and platforms, e.g.:
  • In-memory database and application server (HANA)
  • NetWeaver for ABAP and Java
• More than 25 industries
• 63% of the world's transaction revenue touches an SAP system
• Over 68,000 employees worldwide, over 25,000 software developers
• Headquarters: Walldorf, Germany (close to Heidelberg)
Personal Background
• I wear two hats:
  • (Global) Security Testing Strategist
  • Research Expert/Architect
  Working for the central software security team
• Background: Security, Formal Methods, Software Engineering
• Current work areas:
  • Static code analysis
  • (Dynamic) security testing
  • Mobile security
  • Security Development Lifecycle
  • Secure Software Development Lifecycle
http://www.brucker.ch
SAP Uses a De-centralised Secure Development Approach
• Central security expert team (S2DL owner)
  • Organizes security trainings
  • Defines product standard "Security"
  • Defines risk and threat assessment methods
  • Defines security testing strategy
  • Selects and provides security testing tools
  • Validates products
  • Defines and executes response process
• Local security experts
  • Embedded into development teams
  • Organize local security activities
  • Support developers and architects
  • Support product owners (responsibles)
• Development teams
  • Select technologies
  • Select development model
  • Design and execute security testing plan
Vulnerability Distribution
[Chart: number of reported vulnerabilities per year, 1999 to 2014 (y-axis 0 to 3000), by category: Code Execution, DoS, Overflow, Memory Corruption, SQL Injection, XSS, Directory Traversal, Bypass something, Gain Privileges, CSRF]
When Do We Fix Bugs?
Microsoft's SDL
Our Start: SAST as a Baseline
[Chart with segments labelled ABAP, Java, C, JavaScript, Others]
SAST tools used at SAP:
Language     Tool                 Vendor
ABAP         CVA (SLIN_SEC)       SAP
JavaScript   Checkmarx CxSAST     Checkmarx
C/C++        Coverity             Coverity
Others       Fortify              HP
• Since 2010 mandatory for all SAP products
• Multiple billions of lines analyzed
• Constant improvement of tool configuration
• Further details: Deploying Static Application Security Testing on a Large Scale. In: GI Sicherheit 2014, Lecture Notes in Informatics 228, pages 91-101, GI, 2014
Combining Multiple Security Testing Methods and Tools
[Diagram: software stack with the layers Client Application, Web Browser, Server Application, Runtime Container, Backend Systems. SAST tools are annotated per layer: Checkmarx (JavaScript), Fortify (Java), Coverity (C/C++). Dynamic tools spanning the stack: DOMinator, HP WebInspect, IBM AppScan.]
• Risks of using only SAST:
  • Wasting effort that could be used more wisely elsewhere
  • Shipping insecure software
• Examples of SAST limitations:
  • Not all programming languages supported
  • Does not cover all layers of the software stack
A Risk-based Test Plan
[Diagram: inputs to the Security Test Plan: a selection from a list of predefined application types; implementation details, e.g. programming languages, frameworks; the priority of SAP Security Requirements; and a Risk Assessment (e.g. SECURIM, Threat Modelling, OWASP ASVS)]
• Combines multiple security testing methods, e.g. code scans, dynamic analysis, manual penetration testing or fuzzing
• Selects the most efficient test tools and test cases based on the risks and the technologies used in the project
• Re-adjusts priorities of test cases based on identified risks for the project
• Monitors false negative findings in the results of risk assessment
SAP's Secure Software Development Lifecycle (S2DL)
Security Validation
• Acts as first customer
• Is not a replacement for security testing during development
• Security Validation:
  • Checks for "flaws" in the implementation of the S2DL
  • Ideally, security validation finds
    • no issues that can be fixed/detected earlier
    • only issues that cannot be detected earlier (e.g. insecure default configurations, missing security documentation)
Penetration tests in productive environments are different:
• They test the actual configuration
• They test the productive environment (e.g. cloud/hosting)
How to Measure Success
• Analyze the vulnerabilities reported by
  • Security Validation
  • External security researchers
• Vulnerability not detected by our security testing tools:
  • Improve tool configuration
  • Introduce new tools
• Vulnerability detected by our security testing tools:
  • Vulnerability in older software release
  • Analyze reason for missing vulnerability
[Chart: reported vulnerabilities classified as Covered, Not Covered, Newly Covered]
Success criteria: the percentage of vulnerabilities not covered by our security testing tools increases
Key Success Factors
• A holistic security awareness program for
  • Developers
  • Managers
• Yes, security awareness is important, but developer awareness is even more important
Listen to Your Developers
We are often talking about a lack of security awareness and by that forget the problem of lacking development awareness.
• Building a secure system is more difficult than finding a successful attack
• Do not expect your developers to become penetration testers (or security experts)
Security Testing for Developers
Security testing tools for developers need to:
• Be applicable from the start of development
• Automate the security knowledge
• Be deeply integrated into the development environment, e.g.
  • IDE (instant feedback)
  • Continuous integration
• Provide easy-to-understand fix recommendations
• Declare their "sweet spots"
Collaborate
Security experts need to collaborate with development experts to:
• Create easy-to-use security APIs (ever tried to use an SSL API securely?)
• Create languages and frameworks that make it hard to implement insecure systems
• Explain how to program securely
Mobile App Development at SAP
Key takeaways:
• Hybrid applications are becoming the predominant development model (at SAP)
• The challenges of hybrid apps are transferable to
  • web frameworks (EJB, Rails, PHP)
  • enterprise applications (XSJS, SQLScript, ABAP, JS)
• Even mobile apps contain > 500 kLOC
• There are a lot of open and interesting security research questions in the area of hybrid development models
Why Are Mobile Apps Special? Organisational Aspects
• Partly not developed by the development organisations (e.g. marketing)
• Fast update cycles (to app store, not necessarily "on device")
• Mobile apps are not patched (instead: new release)
• Processes partly defined by App Store operators (e.g. Google, Apple, ...)
Why Are Mobile Apps Special? Technical Aspects
• Limited/different user interface
• High volume of apps released
• Development tools are not fully under own control
• Programming languages might not be used elsewhere
• Lots of frameworks that
  • are rather new
  • are not as mature
  • might track users (data privacy)
• They are not independent
The Hidden Beast: the Server. As a mobile app, you are never alone.
A final remark:
• Usually there is at least one server "in the background"
• Many security and data privacy issues are caused by
  • the communication of the app and its "own" server
  • the implementation of its "own" server
  • external servers and/or services
Conclusion
• Secure software development is a
  • prerequisite for the secure and compliant operation (we need SecDevOps)
  • risk of operating and maintaining IT systems
• Security requires an end-to-end approach:
  • Training of developers, architects, product owners
  • Security testing during development
  • Validation of your security testing efforts
  • Maintenance and security patch management
• Developers are your most important ally: make life easy for them
Thank you!
http://xkcd.com/327
Dr. Achim D. Brucker, achim.brucker@sap.com, https://www.brucker.ch, https://logicalhacking.com
Related Publications
Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014
Achim D. Brucker, Lukas Brügger and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014
Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014
Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012
Developing Secure Software From Mobile Apps to ERP Systems
Abstract
Developing secure software is in general challenging and requires and end-to-end secure softwaredevelopment lifecycle It is particular challenging if the secure software development lifecycle needs to fit thewhole range of software products from small mobile apps to large scale enterprise system and needs to beapplicable to a wide range of software development methodologiesIn this presentation we will present SAPrsquos approach to developing secure software in general and inparticular highlight the challenges of developing mobile applications securely
copy 2015 SAP SE All Rights Reserved Page 2 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 3 of 30
SAP SE
bull Leader in Business Softwarebull Cloudbull Mobilebull On premise
bull Many different technologies and platforms egbull In-memory database and application server (HANA)bull Netweaver for ABAP and Java
bull More than 25 industries
bull 63 of the worldrsquos transaction revenuetouches an SAP system
bull over 68 000 employees worldwideover 25 000 software developers
bull Headquarters Walldorf Germany (close to Heidelberg)
copy 2015 SAP SE All Rights Reserved Page 4 of 30
Personal Background
bull I wear two hatsbull (Global) Security Testing Strategistbull Research ExpertArchitect
Working for the central software security team
bull BackgroundSecurity Formal Methods Software Engineering
bull Current work areas
bull Static code analysisbull (Dynamic) Security Testingbull Mobile Securitybull Security Development Lifecyclebull Secure Software Development Lifecycle
httpwwwbruckerch
copy 2015 SAP SE All Rights Reserved Page 5 of 30
SAP Uses a De-centralised Secure Development Approach
bull Central security expert team (S2DL owner)bull Organizes security trainingsbull Defines product standard ldquoSecurityrdquobull Defines risk and threat assessment methodsbull Defines security testing strategybull Selects and provides security testing toolsbull Validates productsbull Defines and executes response process
bull Local security expertsbull Embedded into development teamsbull Organize local security activitiesbull Support developers and architectsbull Support product owners (responsibles)
bull Development teamsbull Select technologiesbull Select development modelbull Design and execute security testing
planbull
copy 2015 SAP SE All Rights Reserved Page 6 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 7 of 30
Vulnerability Distribution
1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 20140
500
1000
1500
2000
2500
3000
Code Execution DoS Overflow Memory Corruption Sql InjectionXSS Directory Traversal Bypass something Gain Privileges CSRF
copy 2015 SAP SE All Rights Reserved Page 8 of 30
When Do We Fix Bugs
copy 2015 SAP SE All Rights Reserved Page 9 of 30
Microsoftrsquos SDL
copy 2015 SAP SE All Rights Reserved Page 10 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 11 of 30
Our Start SAST as a Baseline
ABAP
Java
C
JavaScript
Others
SAST tools used at SAP
Language Tool Vendor
ABAP CVA (SLIN_SEC) SAPJavaScript Checkmarx CxSAST Checkmarx
CC++ Coverity CoverityOthers Fortify HP
bull Since 2010 mandatory for all SAP products
bull Multiple billions lines analyzed
bull Constant improvement of tool configuration
bull Further detailsDeploying Static Application Security Testing on a LargeScale In GI Sicherheit 2014 Lecture Notes in Informatics228 pages 91-101 GI 2014
copy 2015 SAP SE All Rights Reserved Page 12 of 30
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 13 of 30
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java) Coverity (CC++)
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 13 of 30
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java)
DO
Min
ato
r
Coverity (CC++)
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 13 of 30
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx
Fortify (Java)
DO
Min
ato
r
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 13 of 30
A Risk-based Test Plan
Select from a list of
predefined application
types
Implementation detaos eg programming languages frameworks
Priority of SAP Security
Requirements
Security Test Plan
RISK ASSESMENT
(eg SECURIM Threat Modelling OWASP ASVS) bull Combines multiple security testing methods eg
code scans dynamic analysis manual penetrationtesting or fuzzing
bull Selects the most efficient test tools and test casesbased on the risks and the technologies used in theproject
bull Re-adjusts priorities of test cases based on identifiedrisks for the project
bull Monitors false negative findings in the results of riskassessment
copy 2015 SAP SE All Rights Reserved Page 14 of 30
SAPrsquo Secure Software Development Lifecycle (S2DL)
copy 2015 SAP SE All Rights Reserved Page 15 of 30
Security Validation
bull Acts as first customer
bull Is not a replacement for security testing during development
bull Security Validationbull Check for ldquoflawsrdquo in the implementation of the S2DLbull Ideally security validation findsbull No issues that can be fixeddetected earlierbull Only issues that cannot be detect earlier
(eg insecure default configurations missing security documentation)
Penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 16 of 30
Security Validation
bull Acts as first customer
bull Is not a replacement for security testing during development
bull Security Validationbull Check for ldquoflawsrdquo in the implementation of the S2DLbull Ideally security validation findsbull No issues that can be fixeddetected earlierbull Only issues that cannot be detect earlier
(eg insecure default configurations missing security documentation)
Penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 16 of 30
How to Measure Success
bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers
bull Vulnerability not detected by our security testingtools
bull Improve tool configurationbull Introduce new tools
bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability
Covered
Not Covered
Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases
copy 2015 SAP SE All Rights Reserved Page 17 of 30
How to Measure Success
bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers
bull Vulnerability not detected by our security testingtools
bull Improve tool configurationbull Introduce new tools
bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability
Covered
Not Covered
Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases
copy 2015 SAP SE All Rights Reserved Page 17 of 30
How to Measure Success
bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers
bull Vulnerability not detected by our security testingtools
bull Improve tool configurationbull Introduce new tools
bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability
Covered
Not Covered
Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases
copy 2015 SAP SE All Rights Reserved Page 17 of 30
How to Measure Success
bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers
bull Vulnerability not detected by our security testingtools
bull Improve tool configurationbull Introduce new tools
bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability
Covered
Not Covered
NewlyCovered
Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases
copy 2015 SAP SE All Rights Reserved Page 17 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 18 of 30
Key Success Factors
• A holistic security awareness program for
  • Developers
  • Managers
• Yes, security awareness is important, but developer awareness is even more important
Listen to Your Developers
We often talk about a lack of security awareness and thereby forget the mirror-image problem: a lack of development awareness on the security side.
• Building a secure system is more difficult than finding one successful attack against it
• Do not expect your developers to become penetration testers (or security experts)
Security Testing for Developers
Security testing tools for developers need to
• Be applicable from the start of development
• Automate the security knowledge (the tool, not the developer, has to know what a vulnerability looks like)
• Be deeply integrated into the development environment, e.g.
  • IDE (instant feedback)
  • Continuous integration
• Provide easy-to-understand fix recommendations
• Declare their "sweet spots" (which vulnerability classes and technologies they cover, and which they do not)
Collaborate
Security experts need to collaborate with development experts to
• Create easy-to-use security APIs (ever tried to use an SSL/TLS API securely?)
• Create languages and frameworks that make it hard to implement insecure systems
• Explain how to program securely
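The SSL/TLS remark above, made concrete as an added example (not code from the deck or from SAP) using Python's standard ssl module: the low-level context API lets a developer silence a certificate error by switching validation off, while the high-level `ssl.create_default_context()` call delivers certificate and hostname validation in one line and refuses to wrap a socket without a server name to check against. The `audit_context` checklist is the editor's own, not an SAP product standard; the explicit TLS 1.2 floor is set so the result does not depend on the Python/OpenSSL version.

```python
"""Easy-to-use versus easy-to-misuse TLS client APIs (added example).

The audit rules are an illustrative reviewer checklist, not an SAP standard.
"""
import socket
import ssl


def context_from_raw_api() -> ssl.SSLContext:
    """What the classic shortcut produces: a CERTIFICATE_VERIFY_FAILED error is
    "fixed" by turning validation off. The API's only guard rail is the order:
    check_hostname must be disabled before it accepts CERT_NONE."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # any certificate is accepted: MITM possible
    return ctx


def context_from_default_api() -> ssl.SSLContext:
    """The easy-to-use API: certificate and hostname validation against the
    platform trust store with a single call."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # explicit floor, no legacy TLS
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Weaknesses a code reviewer (or a SAST rule) would flag on a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no_cert_verification")
    if not ctx.check_hostname:
        findings.append("no_hostname_check")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy_tls_allowed")
    return findings


def requires_server_name(ctx: ssl.SSLContext) -> bool:
    """True if the context refuses to wrap a socket without a server name to
    verify against, i.e. the API makes the insecure call the hard one.
    The socket is never connected, so this runs offline."""
    sock = socket.socket()
    try:
        ssock = ctx.wrap_socket(sock, server_hostname=None)
    except ValueError:
        sock.close()
        return True
    ssock.close()
    return False


if __name__ == "__main__":
    for name, ctx in (("raw API", context_from_raw_api()),
                      ("default API", context_from_default_api())):
        print(f"{name}: findings={audit_context(ctx)}, "
              f"server name required={requires_server_name(ctx)}")
```

The point for the "Collaborate" slide is the asymmetry: with the raw context the secure configuration takes several correctly ordered statements and the insecure one is what you get when you make an error go away, whereas the default-context API is secure by construction and raises `ValueError` when a caller tries to skip the hostname it should verify.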
5 How Does This Apply to Mobile Development
Mobile App Development at SAP
Key take-aways
• Hybrid applications are becoming the predominant development model (at SAP)
• The challenges of hybrid apps are transferable to
  • web frameworks (EJB, Rails, PHP)
  • enterprise applications (XSJS, SQLScript, ABAP, JS)
• Even mobile apps contain > 500 kLOC
• There are a lot of open and interesting security research questions in the area of hybrid development models
Why Are Mobile Apps Special? Organisational Aspects
• Partly not developed by the development organisation (e.g. by marketing)
• Fast update cycles (to the app store, not necessarily "on device")
• Mobile apps are not patched; instead, a new release is shipped
• Processes are partly defined by the app store operators (e.g. Google, Apple)
Why Are Mobile Apps Special? Technical Aspects
• Limited/different user interface
• High volume of apps released
• Development tools are not fully under the organisation's own control
• Programming languages might not be used anywhere else in the organisation
• Lots of frameworks that are
  • rather new
  • not as mature
  • possibly tracking users (data privacy)
• They are not independent (see the server side below)
The Hidden Beast: the Server. As a mobile app, you are never alone
A final remark
• Usually there is at least one server "in the background"
• Many security and data privacy issues are caused by
  • the communication between the app and its "own" server
  • the implementation of its "own" server
  • external servers and/or services
Conclusion
• Secure software development is a prerequisite for the secure and compliant operation of IT systems, and it reduces the risk of operating and maintaining them: we need SecDevOps
• Security requires an end-to-end approach
  • Training of developers, architects, product owners
  • Security testing during development
  • Validation of your security testing efforts
  • Maintenance and security patch management
• Developers are your most important ally: make life easy for them
Thank you
http://xkcd.com/327
Dr. Achim D. Brucker, achim.brucker@sap.com, https://www.brucker.ch, https://logicalhacking.com
Related Publications
Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmannea-security-testing-2014
Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/bruckerea-formal-fw-testing-2014
Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/bruckerea-sast-expierences-2014
Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/bruckerea-theorem-prover-2012
- Background
- Motivation
- Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
- Lessons Learned
- How Does This Apply to Mobile Development
- Conclusion
-
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 3 of 30
SAP SE
bull Leader in Business Softwarebull Cloudbull Mobilebull On premise
bull Many different technologies and platforms egbull In-memory database and application server (HANA)bull Netweaver for ABAP and Java
bull More than 25 industries
bull 63 of the worldrsquos transaction revenuetouches an SAP system
bull over 68 000 employees worldwideover 25 000 software developers
bull Headquarters Walldorf Germany (close to Heidelberg)
copy 2015 SAP SE All Rights Reserved Page 4 of 30
Personal Background
bull I wear two hatsbull (Global) Security Testing Strategistbull Research ExpertArchitect
Working for the central software security team
bull BackgroundSecurity Formal Methods Software Engineering
bull Current work areas
bull Static code analysisbull (Dynamic) Security Testingbull Mobile Securitybull Security Development Lifecyclebull Secure Software Development Lifecycle
httpwwwbruckerch
copy 2015 SAP SE All Rights Reserved Page 5 of 30
SAP Uses a De-centralised Secure Development Approach
bull Central security expert team (S2DL owner)bull Organizes security trainingsbull Defines product standard ldquoSecurityrdquobull Defines risk and threat assessment methodsbull Defines security testing strategybull Selects and provides security testing toolsbull Validates productsbull Defines and executes response process
bull Local security expertsbull Embedded into development teamsbull Organize local security activitiesbull Support developers and architectsbull Support product owners (responsibles)
bull Development teamsbull Select technologiesbull Select development modelbull Design and execute security testing
planbull
copy 2015 SAP SE All Rights Reserved Page 6 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 7 of 30
Vulnerability Distribution
1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 20140
500
1000
1500
2000
2500
3000
Code Execution DoS Overflow Memory Corruption Sql InjectionXSS Directory Traversal Bypass something Gain Privileges CSRF
copy 2015 SAP SE All Rights Reserved Page 8 of 30
When Do We Fix Bugs
copy 2015 SAP SE All Rights Reserved Page 9 of 30
Microsoftrsquos SDL
copy 2015 SAP SE All Rights Reserved Page 10 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 11 of 30
Our Start SAST as a Baseline
ABAP
Java
C
JavaScript
Others
SAST tools used at SAP
Language Tool Vendor
ABAP CVA (SLIN_SEC) SAPJavaScript Checkmarx CxSAST Checkmarx
CC++ Coverity CoverityOthers Fortify HP
bull Since 2010 mandatory for all SAP products
bull Multiple billions lines analyzed
bull Constant improvement of tool configuration
bull Further detailsDeploying Static Application Security Testing on a LargeScale In GI Sicherheit 2014 Lecture Notes in Informatics228 pages 91-101 GI 2014
copy 2015 SAP SE All Rights Reserved Page 12 of 30
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 13 of 30
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java) Coverity (CC++)
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 13 of 30
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java)
DO
Min
ato
r
Coverity (CC++)
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 13 of 30
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx
Fortify (Java)
DO
Min
ato
r
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 13 of 30
A Risk-based Test Plan
Select from a list of
predefined application
types
Implementation detaos eg programming languages frameworks
Priority of SAP Security
Requirements
Security Test Plan
RISK ASSESMENT
(eg SECURIM Threat Modelling OWASP ASVS) bull Combines multiple security testing methods eg
code scans dynamic analysis manual penetrationtesting or fuzzing
bull Selects the most efficient test tools and test casesbased on the risks and the technologies used in theproject
bull Re-adjusts priorities of test cases based on identifiedrisks for the project
bull Monitors false negative findings in the results of riskassessment
copy 2015 SAP SE All Rights Reserved Page 14 of 30
SAPrsquo Secure Software Development Lifecycle (S2DL)
copy 2015 SAP SE All Rights Reserved Page 15 of 30
Security Validation
bull Acts as first customer
bull Is not a replacement for security testing during development
bull Security Validationbull Check for ldquoflawsrdquo in the implementation of the S2DLbull Ideally security validation findsbull No issues that can be fixeddetected earlierbull Only issues that cannot be detect earlier
(eg insecure default configurations missing security documentation)
Penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 16 of 30
Security Validation
bull Acts as first customer
bull Is not a replacement for security testing during development
bull Security Validationbull Check for ldquoflawsrdquo in the implementation of the S2DLbull Ideally security validation findsbull No issues that can be fixeddetected earlierbull Only issues that cannot be detect earlier
(eg insecure default configurations missing security documentation)
Penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 16 of 30
How to Measure Success
bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers
bull Vulnerability not detected by our security testingtools
bull Improve tool configurationbull Introduce new tools
bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability
Covered
Not Covered
Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases
copy 2015 SAP SE All Rights Reserved Page 17 of 30
How to Measure Success
bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers
bull Vulnerability not detected by our security testingtools
bull Improve tool configurationbull Introduce new tools
bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability
Covered
Not Covered
Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases
copy 2015 SAP SE All Rights Reserved Page 17 of 30
How to Measure Success
bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers
bull Vulnerability not detected by our security testingtools
bull Improve tool configurationbull Introduce new tools
bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability
Covered
Not Covered
Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases
copy 2015 SAP SE All Rights Reserved Page 17 of 30
How to Measure Success
bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers
bull Vulnerability not detected by our security testingtools
bull Improve tool configurationbull Introduce new tools
bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability
Covered
Not Covered
NewlyCovered
Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases
copy 2015 SAP SE All Rights Reserved Page 17 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 18 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important
but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Listen to Your Developers
We are often talking about a lack of security awareness and by thatforget the problem of lacking development awareness
bull Building a secure system more difficult than finding a successful attack
bull Do not expect your developers to become penetration testers (or security experts)
copy 2015 SAP SE All Rights Reserved Page 20 of 30
Security Testing for Developers
Security testing tools for developers need to
bull Be applicable from the start ofdevelopment
bull Automate the security knowledge
bull Be deeply integrated into the dev enveg
bull IDE (instant feedback)bull Continuous integration
bull Provide easy to understand fixrecommendations
bull Declare their ldquosweet spotsrdquo
copy 2015 SAP SE All Rights Reserved Page 21 of 30
Collaborate
Security experts need to collaborate with development experts to
bull Create easy to use security APIs (ever tried to use an SSL API securely)
bull Create languages and frameworks that make it hard to implement insecure systems
bull Explain how to program securely
copy 2015 SAP SE All Rights Reserved Page 22 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 23 of 30
Mobile App Development at SAP
Key take aways
bull Hybrid applications are becoming thepre-dominant development model (at SAP)
bull the challenges of hybrid apps aretransferable to
bull web frameworks(EJB Rails PHP)
bull enterprise applications(XSJS SQLScript ABAP JS)
bull even mobile apps contain gt 500kLOC
bull there are a lot of open and interestingsecurity research questions in the area ofhybrid development models
copy 2015 SAP SE All Rights Reserved Page 24 of 30
Why Are Mobile Apps SpecialOrganisational Aspects
bull Partly not developed by thedevelopment organisations(eg marketing)
bull Fast update cycles(to app store not necessarily ldquoon devicerdquo)
bull Mobile apps are not patched(instead new release)
bull Processes partly defined by App Store operators(eg Google Apple )
copy 2015 SAP SE All Rights Reserved Page 25 of 30
Why Are Mobile Apps SpecialTechnical Aspects
bull Limiteddifferent user interface
bull High volume of apps released
bull Development tools are not fully under own control
bull Programming languages might not be usedelsewhere
bull Lot of frameworks thatbull rather newbull not as maturebull might track users (data privacy)
bull They are not independent
copy 2015 SAP SE All Rights Reserved Page 26 of 30
The Hidden Beast mdash ServerAs a mobile app you never be alone
A final remark
bull usually there is at least one server ldquoin the backgroundrdquo
bull many security and data privacy issues are caused bybull the communication of the app and its ldquoownrdquo serverbull the implementation of its ldquoownrdquo serverbull external servers andor services
copy 2015 SAP SE All Rights Reserved Page 27 of 30
Conclusion
bull Secure software development is abull Prerequisite for the secure and compliant operation
We need SecDevOpsbull Risk of operating and maintaining IT systems
bull Security requires an end-to-end approachbull Training of developers architects product ownersbull Security testing during developmentbull Validation of your security testing effortsbull Maintenance and security patch management
bull Developers are your most important allybull Make life easy for them
copy 2015 SAP SE All Rights Reserved Page 28 of 30
Thank you
httpxkcdcom327
Dr Achim D Bruckerachimbruckersapcomhttpswwwbruckerchhttpslogicalhackingcom
Related Publications
Ruediger Bachmann and Achim D Brucker
Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014
Achim D Brucker Lukas Bruumlgger and Burkhart Wolff
Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
Achim D Brucker and Uwe Sodan
Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014
Achim D Brucker and Burkhart Wolff
On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
copy 2015 SAP SE All Rights Reserved Page 30 of 30
copy 2015 SAP SE All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2015 SAP SE All Rights Reserved Page 31 of 30
- Background
- Motivation
- Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
- Lessons Learned
- How Does This Apply to Mobile Development
- Conclusion
-
SAP SE
bull Leader in Business Softwarebull Cloudbull Mobilebull On premise
bull Many different technologies and platforms egbull In-memory database and application server (HANA)bull Netweaver for ABAP and Java
bull More than 25 industries
bull 63 of the worldrsquos transaction revenuetouches an SAP system
bull over 68 000 employees worldwideover 25 000 software developers
bull Headquarters Walldorf Germany (close to Heidelberg)
copy 2015 SAP SE All Rights Reserved Page 4 of 30
Personal Background
bull I wear two hatsbull (Global) Security Testing Strategistbull Research ExpertArchitect
Working for the central software security team
bull BackgroundSecurity Formal Methods Software Engineering
bull Current work areas
bull Static code analysisbull (Dynamic) Security Testingbull Mobile Securitybull Security Development Lifecyclebull Secure Software Development Lifecycle
httpwwwbruckerch
copy 2015 SAP SE All Rights Reserved Page 5 of 30
SAP Uses a De-centralised Secure Development Approach
bull Central security expert team (S2DL owner)bull Organizes security trainingsbull Defines product standard ldquoSecurityrdquobull Defines risk and threat assessment methodsbull Defines security testing strategybull Selects and provides security testing toolsbull Validates productsbull Defines and executes response process
bull Local security expertsbull Embedded into development teamsbull Organize local security activitiesbull Support developers and architectsbull Support product owners (responsibles)
bull Development teamsbull Select technologiesbull Select development modelbull Design and execute security testing
planbull
copy 2015 SAP SE All Rights Reserved Page 6 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAP's S2DL
4 Lessons Learned
5 How Does This Apply to Mobile Development?
6 Conclusion
Vulnerability Distribution
(chart: number of published vulnerabilities per year, 1999 to 2014, on a scale from 0 to 3000, by type: Code Execution, DoS, Overflow, Memory Corruption, SQL Injection, XSS, Directory Traversal, Bypass something, Gain Privileges, CSRF)
When Do We Fix Bugs?
(figure)
Microsoft's SDL
(figure)
Our Start: SAST as a Baseline
(chart: share of the code base by language: ABAP, Java, C, JavaScript, Others)
SAST tools used at SAP:
Language     Tool               Vendor
ABAP         CVA (SLIN_SEC)     SAP
JavaScript   Checkmarx CxSAST   Checkmarx
C/C++        Coverity           Coverity
Others       Fortify            HP
- Since 2010 mandatory for all SAP products
- Multiple billions of lines analyzed
- Constant improvement of the tool configuration
- Further details: Brucker and Sodan, Deploying Static Application Security Testing on a Large Scale. In GI Sicherheit 2014, Lecture Notes in Informatics 228, pages 91-101, GI, 2014
Combining Multiple Security Testing Methods and Tools
(figure: the layers of the software stack, i.e. client application, web browser, server application, runtime container and backend systems, and the tools that cover them: SAST with Checkmarx (JavaScript), Fortify (Java) and Coverity (C/C++); dynamic analysis with DOMinator, HP WebInspect and IBM AppScan)
- Risks of using only SAST: wasting effort that could be used more wisely elsewhere; shipping insecure software
- Examples of SAST limitations: not all programming languages are supported; it does not cover all layers of the software stack
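The limitation that a static analyser only sees the language and the layer it was built for is easy to show with a toy scanner. The following is an added example written for this page, not a tool used at SAP and not code from the talk: a minimal AST-based checker for Python server code, run over a constructed, deliberately vulnerable request handler that also ships inline JavaScript to the browser. The handler, the checker and the second JavaScript-aware check are all assumptions made for the illustration.

```python
"""Toy SAST illustrating why one tool does not cover all layers.

Added example, not from the talk: the checker and the handler below are
constructed for this page.  The checker finds SQL queries assembled from
non-constant strings that reach cursor.execute().  The DOM-based XSS in
the JavaScript that the same handler sends to the browser is, to a Python
analyser, an opaque string literal: another layer and another language,
hence another tool (a JavaScript SAST or a DOM analyser at runtime).
"""
import ast

# Constructed sample, deliberately vulnerable in two layers.
HANDLER_SOURCE = '''
def search(request, cursor):
    term = request.args["q"]
    cursor.execute("SELECT * FROM docs WHERE title LIKE '%" + term + "%'")
    cursor.execute("SELECT COUNT(*) FROM docs")
    page = """<script>
      document.getElementById('hits').innerHTML = location.hash.slice(1);
    </script>"""
    return page
'''


def is_dynamic_string(node):
    """True unless the expression is provably a constant string."""
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return is_dynamic_string(node.left) or is_dynamic_string(node.right)
    if isinstance(node, ast.JoinedStr):  # f-string with at least one {expr}
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    return True  # names, calls, subscripts, .format(): cannot prove constant


def find_sql_injection(source):
    """Line numbers of cursor.execute(...) calls whose query is not constant."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute"
                and node.args
                and is_dynamic_string(node.args[0])):
            findings.append(node.lineno)
    return findings


def find_dom_xss_in_embedded_js(source):
    """The second, JavaScript-aware check the Python SAST lacks: look inside
    string constants for a DOM sink (innerHTML) fed from a DOM source
    (location.*).  Crude on purpose; a real DOM analyser belongs here."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Constant) and isinstance(node.value, str)
                and "innerHTML" in node.value and "location." in node.value):
            findings.append(node.lineno)
    return findings


if __name__ == "__main__":
    print("SQL injection at lines:", find_sql_injection(HANDLER_SOURCE))
    print("DOM XSS (needs a JS-aware check) at lines:",
          find_dom_xss_in_embedded_js(HANDLER_SOURCE))
```

The Python checker reports the query on line 4 of the handler and nothing else; the XSS sink on line 6 only shows up once a second check that understands the JavaScript layer is added. That is the whole argument of the slide in miniature: the question is never "SAST or not" but which tool sees which layer.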
A Risk-based Test Plan
Inputs to the risk assessment (e.g. SECURIM, threat modelling, OWASP ASVS):
- Selection from a list of predefined application types
- Implementation details, e.g. programming languages, frameworks
- Priority of SAP Security Requirements
Output: the Security Test Plan, which
- Combines multiple security testing methods, e.g. code scans, dynamic analysis, manual penetration testing or fuzzing
- Selects the most efficient test tools and test cases based on the risks and the technologies used in the project
- Re-adjusts priorities of test cases based on identified risks for the project
- Monitors false negative findings in the results of the risk assessment
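The selection described above can be written down as a small decision procedure. The block below is an added example for this page, not SAP's planning tool and not code from the talk; the application types, the method catalogue with its cost and effectiveness figures, and the sample project are all constructed assumptions. It shows the three mechanisms of the slide: defaults from the application type, choice of the most efficient method per technology, and re-prioritisation by identified risk, plus the coverage gap that is the first place to look for false negatives.

```python
"""Risk-based test plan selection (added example, not SAP's own tooling).

Inputs mirror the slide: a predefined application type, implementation
details (languages, frameworks) and prioritised security requirements
from the risk assessment, optionally re-weighted by identified risks.
Output: test cases ordered by (requirement weight x method effectiveness),
each bound to the most efficient method that can exercise it, plus the
requirements no automated method covers at all.  Those go to manual
testing and are the first place to look for false negatives.
All catalogue data is constructed for this example.
"""
from dataclasses import dataclass, field

# Requirements every application of a given type gets by default (constructed).
DEFAULT_REQUIREMENTS = {
    "web-app": {"xss": 2, "csrf": 2},
    "mobile-hybrid": {"xss": 1, "insecure-storage": 2},
}

# (requirement, technology) -> [(method, relative cost, effectiveness 0..1)]
# Constructed; in practice this is the tool team's knowledge of each tool's sweet spot.
METHOD_CATALOGUE = {
    ("sql-injection", "java"): [("sast", 1, 0.8), ("dast", 3, 0.6)],
    ("sql-injection", "abap"): [("sast", 1, 0.9)],
    ("xss", "javascript"): [("sast", 1, 0.5), ("dast", 3, 0.7)],
    ("xss", "java"): [("sast", 1, 0.6), ("dast", 3, 0.7)],
    ("auth-bypass", "java"): [("manual-pentest", 8, 0.9)],
    ("memory-safety", "c"): [("sast", 1, 0.7), ("fuzzing", 5, 0.8)],
}


@dataclass
class Project:
    app_type: str
    technologies: list
    requirement_priority: dict      # requirement -> priority (1 = highest)
    risk_adjustment: dict = field(default_factory=dict)  # requirement -> weight factor


@dataclass(order=True)
class TestCase:
    score: float
    requirement: str = field(compare=False)
    technology: str = field(compare=False)
    method: str = field(compare=False)


def plan(project):
    """Return (test cases, most important first; requirements without any method)."""
    requirements = dict(DEFAULT_REQUIREMENTS.get(project.app_type, {}))
    requirements.update(project.requirement_priority)   # project-specific overrides
    cases, uncovered = [], []
    for req, prio in requirements.items():
        # re-adjust the priority with the risk factor from threat modelling
        weight = (1.0 / prio) * project.risk_adjustment.get(req, 1.0)
        covered = False
        for tech in project.technologies:
            options = METHOD_CATALOGUE.get((req, tech))
            if not options:
                continue
            covered = True
            # most efficient method: effectiveness per unit of cost
            method, cost, effectiveness = max(options, key=lambda o: o[2] / o[1])
            cases.append(TestCase(round(weight * effectiveness, 3), req, tech, method))
        if not covered:
            uncovered.append(req)
    cases.sort(reverse=True)
    return cases, uncovered


# Constructed project: a Java backend with a JavaScript UI; the threat model
# rates authentication bypass as twice as risky because the admin UI is exposed.
EXAMPLE_PROJECT = Project(
    app_type="web-app",
    technologies=["java", "javascript"],
    requirement_priority={"sql-injection": 1, "auth-bypass": 4},
    risk_adjustment={"auth-bypass": 2.0},
)

if __name__ == "__main__":
    cases, uncovered = plan(EXAMPLE_PROJECT)
    for c in cases:
        print(f"{c.score:5.2f}  {c.requirement:14} {c.technology:11} {c.method}")
    print("no automated coverage:", uncovered)
```

For the sample project the plan puts the SAST check for SQL injection first, then the manual test for authentication bypass (which the risk factor lifts above the XSS cases despite its lower nominal priority), and reports CSRF as a requirement no catalogued method covers. Such gaps are exactly where "false negatives of the risk assessment" hide: a requirement that is in the plan but that nothing exercises.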
SAP's Secure Software Development Lifecycle (S2DL)
(figure)
Security Validation
- Acts as first customer
- Is not a replacement for security testing during development
- Checks for "flaws" in the implementation of the S2DL
- Ideally, security validation finds no issues that could have been detected and fixed earlier, only issues that cannot be detected earlier (e.g. insecure default configurations, missing security documentation)
Penetration tests in productive environments are different:
- They test the actual configuration
- They test the productive environment (e.g. cloud hosting)
How to Measure Success
- Analyze the vulnerabilities reported by security validation and by external security researchers
- Vulnerability not detectable by our security testing tools ("not covered"): improve the tool configuration or introduce new tools; once a tool catches the class, it counts as "newly covered"
- Vulnerability detectable by our security testing tools ("covered"): either the vulnerability is in an older software release, built before the tool or rule was in place, or we analyze why the finding was missed
Success criterion: the percentage of reported vulnerabilities not covered by our security testing tools increases. This is deliberate: the vulnerabilities that reach validation or external researchers should increasingly be the ones the tools cannot find, because everything the tools can find is fixed before release.
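The metric is counter-intuitive enough to be worth computing once. The block below is an added example for this page, not SAP's reporting code and not from the talk; the coverage history of the tools and the vulnerability reports are constructed, and the three categories are the ones named on the slide.

```python
"""Coverage metric behind 'How to Measure Success' (added example, not SAP's
own tooling; all data below is constructed).

Every vulnerability reported after release, by security validation or by
external researchers, is classified against the security testing tools:
  covered        a tool could have found it in the affected release:
                 a process failure to analyse (tool not run, finding
                 ignored, wrong configuration)
  newly-covered  a tool finds it today, but could not when the affected
                 release was built: expected for older releases
  not-covered    no tool can find it (design flaw, insecure default
                 configuration, missing documentation): improve the
                 tools or the process
Success criterion from the slide: the share of not-covered reports grows,
because everything the tools can find is fixed before release.
"""
from collections import Counter

# Vulnerability class -> year from which the tool baseline detects it (constructed).
TOOL_COVERAGE_SINCE = {"sql-injection": 2010, "xss": 2011, "path-traversal": 2013}


def classify(report, coverage_since=TOOL_COVERAGE_SINCE):
    """report: dict with 'class' and 'release_year' of the affected release."""
    since = coverage_since.get(report["class"])
    if since is None:
        return "not-covered"
    if report["release_year"] < since:
        return "newly-covered"
    return "covered"


def coverage_breakdown(reports, coverage_since=TOOL_COVERAGE_SINCE):
    """Per reporting year: counts per category and the not-covered share in %."""
    by_year = {}
    for report in reports:
        counts = by_year.setdefault(report["reported_year"], Counter())
        counts[classify(report, coverage_since)] += 1
    breakdown = {}
    for year, counts in sorted(by_year.items()):
        total = sum(counts.values())
        row = {cat: counts.get(cat, 0) for cat in ("covered", "newly-covered", "not-covered")}
        row["not-covered-pct"] = round(100.0 * row["not-covered"] / total, 1)
        breakdown[year] = row
    return breakdown


def trend_is_improving(breakdown):
    """True if the not-covered share never drops from one year to the next."""
    pcts = [row["not-covered-pct"] for _, row in sorted(breakdown.items())]
    return all(earlier <= later for earlier, later in zip(pcts, pcts[1:]))


# Constructed reports: class, release the bug was found in, year of the report.
SAMPLE_REPORTS = [
    {"class": "sql-injection", "release_year": 2012, "reported_year": 2013},
    {"class": "xss", "release_year": 2010, "reported_year": 2013},
    {"class": "insecure-default-config", "release_year": 2013, "reported_year": 2013},
    {"class": "path-traversal", "release_year": 2013, "reported_year": 2013},
    {"class": "insecure-default-config", "release_year": 2014, "reported_year": 2014},
    {"class": "missing-security-doc", "release_year": 2014, "reported_year": 2014},
    {"class": "xss", "release_year": 2010, "reported_year": 2014},
    {"class": "sql-injection", "release_year": 2014, "reported_year": 2014},
]

if __name__ == "__main__":
    result = coverage_breakdown(SAMPLE_REPORTS)
    for year, row in result.items():
        print(year, row)
    print("improving:", trend_is_improving(result))
```

One caveat for anyone adopting the metric: it is a ratio, so a year with more "covered" findings in absolute terms can still show an improving percentage if the "not covered" count grew faster. Track the absolute number of "covered" reports next to the percentage, and treat every "covered" report for a current release as an incident in the process, not in the tool.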
Key Success Factors
- A holistic security awareness program for developers and managers
- Yes, security awareness is important, but developer awareness is even more important
Listen to Your Developers
We often talk about a lack of security awareness and thereby forget the problem of lacking development awareness.
- Building a secure system is more difficult than finding a successful attack
- Do not expect your developers to become penetration testers (or security experts)
Security Testing for Developers
Security testing tools for developers need to:
- Be applicable from the start of development
- Automate the security knowledge
- Be deeply integrated into the development environment, e.g. the IDE (instant feedback) and continuous integration
- Provide easy to understand fix recommendations
- Declare their "sweet spots"
Collaborate
Security experts need to collaborate with development experts to:
- Create easy to use security APIs (ever tried to use an SSL API securely?)
- Create languages and frameworks that make it hard to implement insecure systems
- Explain how to program securely
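The SSL remark deserves a concrete illustration. The following is an added example for this page, not code from the talk or from SAP: it uses Python's standard ssl module to contrast an API that is secure only if the caller remembers three separate settings with one that is secure by default, and a small audit function of the kind a reviewer or a SAST rule would apply. Only the contexts are inspected, so it runs without any network access; the audit criteria are this example's own choice.

```python
"""Secure-by-default versus error-prone TLS client APIs (added example).

Not from the talk: this uses Python's ssl module to show the point about
'easy to use security APIs'.  The generic SSLContext constructor yields a
client context that does not verify the server certificate at all, so a
connection made with it 'works' against any server, including one run by
an attacker in the middle.  The purpose-built helper is secure by default.
No network access is needed; the contexts are only inspected.
"""
import ssl
import warnings


def legacy_client_context():
    """The error-prone way: generic protocol, no validation unless the caller
    remembers to switch it on."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # PROTOCOL_TLS is deprecated since 3.10
        return ssl.SSLContext(ssl.PROTOCOL_TLS)


def safe_client_context():
    """The easy way: trusted CAs loaded, chain verified, hostname checked."""
    return ssl.create_default_context()


def harden(ctx):
    """What a caller of the legacy API has to know.  Order matters: enabling
    hostname checking requires certificate verification to be on."""
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()
    return ctx


def audit_client_context(ctx):
    """Problems a reviewer would flag on a client-side context (this example's
    own checklist)."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate not verified")
    if not ctx.check_hostname:
        problems.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS versions below 1.2 accepted")
    return problems


if __name__ == "__main__":
    print("legacy  :", audit_client_context(legacy_client_context()))
    print("hardened:", audit_client_context(harden(legacy_client_context())))
    print("default :", audit_client_context(safe_client_context()))
```

The legacy context fails both certificate checks out of the box, and nothing at the call site looks wrong: the code connects, the handshake succeeds, the data flows. That is the failure mode the slide is about, and the reason the fix is an API that needs no knowledge to use correctly rather than a training course on the old one. (Whether the TLS version check fires depends on the Python and OpenSSL versions; since Python 3.10 every context defaults to a minimum of TLS 1.2.)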
Mobile App Development at SAP
Key take-aways:
- Hybrid applications are becoming the predominant development model (at SAP)
- The challenges of hybrid apps are transferable to web frameworks (EJB, Rails, PHP) and to enterprise applications (XSJS, SQLScript, ABAP, JS)
- Even mobile apps contain > 500 kLOC
- There are a lot of open and interesting security research questions in the area of hybrid development models
Why Are Mobile Apps Special? Organisational Aspects
- Partly not developed by the development organisations (e.g. marketing)
- Fast update cycles (to the app store, not necessarily "on device")
- Mobile apps are not patched (instead, a new release is shipped)
- Processes are partly defined by the app store operators (e.g. Google, Apple)
Why Are Mobile Apps Special? Technical Aspects
- Limited/different user interface
- High volume of apps released
- Development tools are not fully under own control
- Programming languages might not be used elsewhere
- Lots of frameworks that are rather new, not as mature, and might track users (data privacy)
- They are not independent
The Hidden Beast: the Server. As a mobile app, you are never alone
A final remark:
- Usually there is at least one server "in the background"
- Many security and data privacy issues are caused by the communication between the app and its "own" server, by the implementation of its "own" server, and by external servers and/or services
Conclusion
- Secure software development is a prerequisite for the secure and compliant operation of IT systems; the risk of operating and maintaining them has to be addressed as well: we need SecDevOps
- Security requires an end-to-end approach: training of developers, architects and product owners; security testing during development; validation of your security testing efforts; maintenance and security patch management
- Developers are your most important ally: make life easy for them
Thank you
http://xkcd.com/327
Dr. Achim D. Brucker, achim.brucker@sap.com, https://www.brucker.ch, https://logicalhacking.com
Related Publications
Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257-261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014
Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34-71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014
Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91-101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014
Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683-721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012
- Background
- Motivation
- Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
- Lessons Learned
- How Does This Apply to Mobile Development
- Conclusion
-
Personal Background
bull I wear two hatsbull (Global) Security Testing Strategistbull Research ExpertArchitect
Working for the central software security team
bull BackgroundSecurity Formal Methods Software Engineering
bull Current work areas
bull Static code analysisbull (Dynamic) Security Testingbull Mobile Securitybull Security Development Lifecyclebull Secure Software Development Lifecycle
httpwwwbruckerch
copy 2015 SAP SE All Rights Reserved Page 5 of 30
SAP Uses a De-centralised Secure Development Approach
bull Central security expert team (S2DL owner)bull Organizes security trainingsbull Defines product standard ldquoSecurityrdquobull Defines risk and threat assessment methodsbull Defines security testing strategybull Selects and provides security testing toolsbull Validates productsbull Defines and executes response process
bull Local security expertsbull Embedded into development teamsbull Organize local security activitiesbull Support developers and architectsbull Support product owners (responsibles)
bull Development teamsbull Select technologiesbull Select development modelbull Design and execute security testing
planbull
copy 2015 SAP SE All Rights Reserved Page 6 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 7 of 30
Vulnerability Distribution
1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 20140
500
1000
1500
2000
2500
3000
Code Execution DoS Overflow Memory Corruption Sql InjectionXSS Directory Traversal Bypass something Gain Privileges CSRF
copy 2015 SAP SE All Rights Reserved Page 8 of 30
When Do We Fix Bugs
copy 2015 SAP SE All Rights Reserved Page 9 of 30
Microsoftrsquos SDL
copy 2015 SAP SE All Rights Reserved Page 10 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 11 of 30
Our Start SAST as a Baseline
ABAP
Java
C
JavaScript
Others
SAST tools used at SAP
Language Tool Vendor
ABAP CVA (SLIN_SEC) SAPJavaScript Checkmarx CxSAST Checkmarx
CC++ Coverity CoverityOthers Fortify HP
bull Since 2010 mandatory for all SAP products
bull Multiple billions lines analyzed
bull Constant improvement of tool configuration
bull Further detailsDeploying Static Application Security Testing on a LargeScale In GI Sicherheit 2014 Lecture Notes in Informatics228 pages 91-101 GI 2014
copy 2015 SAP SE All Rights Reserved Page 12 of 30
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 13 of 30
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java) Coverity (CC++)
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 13 of 30
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java)
DO
Min
ato
r
Coverity (CC++)
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 13 of 30
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx
Fortify (Java)
DO
Min
ato
r
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 13 of 30
A Risk-based Test Plan
Select from a list of
predefined application
types
Implementation detaos eg programming languages frameworks
Priority of SAP Security
Requirements
Security Test Plan
RISK ASSESMENT
(eg SECURIM Threat Modelling OWASP ASVS) bull Combines multiple security testing methods eg
code scans dynamic analysis manual penetrationtesting or fuzzing
bull Selects the most efficient test tools and test casesbased on the risks and the technologies used in theproject
bull Re-adjusts priorities of test cases based on identifiedrisks for the project
bull Monitors false negative findings in the results of riskassessment
copy 2015 SAP SE All Rights Reserved Page 14 of 30
SAPrsquo Secure Software Development Lifecycle (S2DL)
copy 2015 SAP SE All Rights Reserved Page 15 of 30
Security Validation
bull Acts as first customer
bull Is not a replacement for security testing during development
bull Security Validationbull Check for ldquoflawsrdquo in the implementation of the S2DLbull Ideally security validation findsbull No issues that can be fixeddetected earlierbull Only issues that cannot be detect earlier
(eg insecure default configurations missing security documentation)
Penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 16 of 30
Security Validation
bull Acts as first customer
bull Is not a replacement for security testing during development
bull Security Validationbull Check for ldquoflawsrdquo in the implementation of the S2DLbull Ideally security validation findsbull No issues that can be fixeddetected earlierbull Only issues that cannot be detect earlier
(eg insecure default configurations missing security documentation)
Penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 16 of 30
How to Measure Success
bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers
bull Vulnerability not detected by our security testingtools
bull Improve tool configurationbull Introduce new tools
bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability
Covered
Not Covered
Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases
copy 2015 SAP SE All Rights Reserved Page 17 of 30
How to Measure Success
bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers
bull Vulnerability not detected by our security testingtools
bull Improve tool configurationbull Introduce new tools
bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability
Covered
Not Covered
Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases
copy 2015 SAP SE All Rights Reserved Page 17 of 30
How to Measure Success
bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers
bull Vulnerability not detected by our security testingtools
bull Improve tool configurationbull Introduce new tools
bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability
Covered
Not Covered
Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases
copy 2015 SAP SE All Rights Reserved Page 17 of 30
How to Measure Success
bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers
bull Vulnerability not detected by our security testingtools
bull Improve tool configurationbull Introduce new tools
bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability
Covered
Not Covered
NewlyCovered
Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases
copy 2015 SAP SE All Rights Reserved Page 17 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 18 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important
but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Listen to Your Developers
We are often talking about a lack of security awareness and by thatforget the problem of lacking development awareness
bull Building a secure system more difficult than finding a successful attack
bull Do not expect your developers to become penetration testers (or security experts)
copy 2015 SAP SE All Rights Reserved Page 20 of 30
Security Testing for Developers
Security testing tools for developers need to
bull Be applicable from the start ofdevelopment
bull Automate the security knowledge
bull Be deeply integrated into the dev enveg
bull IDE (instant feedback)bull Continuous integration
bull Provide easy to understand fixrecommendations
bull Declare their ldquosweet spotsrdquo
copy 2015 SAP SE All Rights Reserved Page 21 of 30
Collaborate
Security experts need to collaborate with development experts to
bull Create easy to use security APIs (ever tried to use an SSL API securely)
bull Create languages and frameworks that make it hard to implement insecure systems
bull Explain how to program securely
copy 2015 SAP SE All Rights Reserved Page 22 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 23 of 30
Mobile App Development at SAP
Key take aways
bull Hybrid applications are becoming thepre-dominant development model (at SAP)
bull the challenges of hybrid apps aretransferable to
bull web frameworks(EJB Rails PHP)
bull enterprise applications(XSJS SQLScript ABAP JS)
bull even mobile apps contain gt 500kLOC
bull there are a lot of open and interestingsecurity research questions in the area ofhybrid development models
copy 2015 SAP SE All Rights Reserved Page 24 of 30
Why Are Mobile Apps SpecialOrganisational Aspects
bull Partly not developed by thedevelopment organisations(eg marketing)
bull Fast update cycles(to app store not necessarily ldquoon devicerdquo)
bull Mobile apps are not patched(instead new release)
bull Processes partly defined by App Store operators(eg Google Apple )
copy 2015 SAP SE All Rights Reserved Page 25 of 30
Why Are Mobile Apps SpecialTechnical Aspects
bull Limiteddifferent user interface
bull High volume of apps released
bull Development tools are not fully under own control
bull Programming languages might not be usedelsewhere
bull Lot of frameworks thatbull rather newbull not as maturebull might track users (data privacy)
bull They are not independent
copy 2015 SAP SE All Rights Reserved Page 26 of 30
The Hidden Beast mdash ServerAs a mobile app you never be alone
A final remark
bull usually there is at least one server ldquoin the backgroundrdquo
bull many security and data privacy issues are caused bybull the communication of the app and its ldquoownrdquo serverbull the implementation of its ldquoownrdquo serverbull external servers andor services
copy 2015 SAP SE All Rights Reserved Page 27 of 30
Conclusion
bull Secure software development is abull Prerequisite for the secure and compliant operation
We need SecDevOpsbull Risk of operating and maintaining IT systems
bull Security requires an end-to-end approachbull Training of developers architects product ownersbull Security testing during developmentbull Validation of your security testing effortsbull Maintenance and security patch management
bull Developers are your most important allybull Make life easy for them
copy 2015 SAP SE All Rights Reserved Page 28 of 30
Thank you
httpxkcdcom327
Dr Achim D Bruckerachimbruckersapcomhttpswwwbruckerchhttpslogicalhackingcom
Related Publications
Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014
Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014
Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014
Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012
© 2015 SAP SE. All rights reserved.
SAP Uses a De-centralised Secure Development Approach
• Central security expert team (S2DL owner)
  - Organizes security trainings
  - Defines product standard "Security"
  - Defines risk and threat assessment methods
  - Defines security testing strategy
  - Selects and provides security testing tools
  - Validates products
  - Defines and executes response process
• Local security experts
  - Embedded into development teams
  - Organize local security activities
  - Support developers and architects
  - Support product owners (responsibles)
• Development teams
  - Select technologies
  - Select development model
  - Design and execute security testing plan
Agenda (continued)
2 Motivation
Vulnerability Distribution
[Chart: number of reported vulnerabilities per year, 1999 to 2014 (y-axis 0 to 3000), by category: Code Execution, DoS, Overflow, Memory Corruption, SQL Injection, XSS, Directory Traversal, Bypass something, Gain Privileges, CSRF]
When Do We Fix Bugs?
Microsoft's SDL
Agenda (continued)
3 Risk-based Security Testing as Part of SAP's S2DL
Our Start: SAST as a Baseline
[Chart: programming languages used at SAP: ABAP, Java, C, JavaScript, Others]
SAST tools used at SAP
Language     Tool                 Vendor
ABAP         CVA (SLIN_SEC)       SAP
JavaScript   Checkmarx CxSAST     Checkmarx
C/C++        Coverity             Coverity
Others       Fortify              HP
• Since 2010 mandatory for all SAP products
• Multiple billions of lines analyzed
• Constant improvement of tool configuration
• Further details: Deploying Static Application Security Testing on a Large Scale. In GI Sicherheit 2014, Lecture Notes in Informatics 228, pages 91–101. GI, 2014.
Combining Multiple Security Testing Methods and Tools
[Diagram: the software stack, Client Application / Web Browser / Server Application / Runtime Container / Backend Systems, overlaid with the tools applied at each layer: Checkmarx (JavaScript), Fortify (Java), Coverity (C/C++), DOMinator, HP WebInspect, IBM AppScan]
• Risks of only using SAST
  - Wasting effort that could be used more wisely elsewhere
  - Shipping insecure software
• Examples of SAST limitations
  - Not all programming languages supported
  - Does not cover all layers of the software stack
A Risk-based Test Plan
[Diagram: inputs to the Security Test Plan: selection from a list of predefined application types; implementation details, e.g., programming languages, frameworks; priority of SAP Security Requirements; risk assessment (e.g., SECURIM, Threat Modelling, OWASP ASVS)]
• Combines multiple security testing methods, e.g., code scans, dynamic analysis, manual penetration testing, or fuzzing
• Selects the most efficient test tools and test cases based on the risks and the technologies used in the project
• Re-adjusts priorities of test cases based on identified risks for the project
• Monitors false negative findings in the results of risk assessment
SAP's Secure Software Development Lifecycle (S2DL)
Security Validation
• Acts as first customer
• Is not a replacement for security testing during development
• Security Validation
  - Checks for "flaws" in the implementation of the S2DL
  - Ideally, security validation finds
    - no issues that can be fixed/detected earlier
    - only issues that cannot be detected earlier (e.g., insecure default configurations, missing security documentation)
Penetration tests in productive environments are different:
• They test the actual configuration
• They test the productive environment (e.g., cloud/hosting)
How to Measure Success
• Analyze the vulnerabilities reported by
  - Security Validation
  - External security researchers
• Vulnerability not detected by our security testing tools ("Not Covered")
  - Improve tool configuration
  - Introduce new tools
  (a class that became detectable through such an improvement is "Newly Covered")
• Vulnerability detected by our security testing tools ("Covered")
  - Vulnerability in older software release
  - Analyze reason for missing vulnerability
Success criterion: the percentage of reported vulnerabilities not covered by our security testing tools increases (vulnerabilities in covered classes should be found and fixed during development, before Security Validation or external researchers report them)
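The classification and the success metric on this slide, as an added example that is not SAP's code or tooling: the decision tree is modelled as a small Python triage function over a constructed coverage table (vulnerability class to the first release the tool configuration covers), and the not-covered share is computed for two constructed measurement periods. All class names, release numbers, findings and the handling of "newly covered" classes are assumptions made for the illustration.

```python
"""Triage of reported vulnerabilities against security testing tool coverage.

Added example, not SAP's own code or tooling: it models the decision tree on
the "How to Measure Success" slide and computes the slide's success metric for
two measurement periods. The coverage tables, release numbers and findings
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed coverage table (assumption): vulnerability class -> first release
# whose scans detect that class with the tools and configuration in use.
COVERAGE_BEFORE: Dict[str, str] = {
    "sql injection": "1.0",
    "xss": "1.0",
    "buffer overflow": "1.0",
}
# After acting on the period-1 findings, a CSRF check was added to the tool
# configuration starting with release 2.0 (constructed).
COVERAGE_AFTER: Dict[str, str] = {**COVERAGE_BEFORE, "csrf": "2.0"}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    source: str       # "security validation" or "external researcher"
    vuln_class: str
    release: str      # release the vulnerability was reported against


@dataclass(frozen=True)
class Triage:
    category: str     # "covered", "not covered" or "newly covered"
    action: str       # follow-up the slide prescribes for that branch


def release_key(release: str) -> Tuple[int, ...]:
    """Order releases numerically, so "1.10" sorts after "1.9"."""
    return tuple(int(part) for part in release.split("."))


def triage(finding: Finding, coverage: Dict[str, str],
           previous_coverage: Optional[Dict[str, str]] = None) -> Triage:
    """Classify one reported vulnerability as the slide's decision tree does."""
    covered_since = coverage.get(finding.vuln_class)
    if covered_since is None:
        # The tools cannot detect this class at all.
        return Triage("not covered",
                      "improve tool configuration or introduce a new tool")
    if previous_coverage is not None and finding.vuln_class not in previous_coverage:
        # Detectable only since the last tooling improvement.
        return Triage("newly covered",
                      "confirm the new check flags this finding in current scans")
    if release_key(finding.release) < release_key(covered_since):
        # The affected release was never scanned with the tool that covers it.
        return Triage("covered",
                      "vulnerability in older software release; re-scan and fix")
    # The tools should have flagged it: configuration gap, suppressed finding,
    # unscanned code path, or a finding that was reported but not fixed.
    return Triage("covered", "analyze why the tool missed this vulnerability")


def not_covered_share(findings: List[Finding], coverage: Dict[str, str],
                      previous_coverage: Optional[Dict[str, str]] = None) -> float:
    """Share of reported vulnerabilities in classes the tools do not cover.
    It rises when the tools catch the covered classes before release."""
    if not findings:
        return 0.0
    not_covered = sum(
        1 for f in findings
        if triage(f, coverage, previous_coverage).category == "not covered")
    return not_covered / len(findings)


# Constructed findings for two measurement periods.
PERIOD_1: List[Finding] = [
    Finding("F-1", "security validation", "sql injection", "1.2"),
    Finding("F-2", "external researcher", "sql injection", "0.9"),
    Finding("F-3", "security validation", "xss", "1.3"),
    Finding("F-4", "external researcher", "csrf", "1.3"),
]
PERIOD_2: List[Finding] = [
    Finding("F-5", "external researcher", "csrf", "2.1"),
    Finding("F-6", "security validation", "directory traversal", "2.1"),
    Finding("F-7", "external researcher", "directory traversal", "2.2"),
    Finding("F-8", "external researcher", "sql injection", "0.9"),
]


def metric_improved() -> bool:
    """Apply the slide's success criterion across the two constructed periods."""
    before = not_covered_share(PERIOD_1, COVERAGE_BEFORE)
    after = not_covered_share(PERIOD_2, COVERAGE_AFTER, COVERAGE_BEFORE)
    return after > before


if __name__ == "__main__":
    for f in PERIOD_1 + PERIOD_2:
        cov = COVERAGE_AFTER if f in PERIOD_2 else COVERAGE_BEFORE
        prev = COVERAGE_BEFORE if f in PERIOD_2 else None
        t = triage(f, cov, prev)
        print(f"{f.finding_id} {f.vuln_class:20} {t.category:14} -> {t.action}")
    print("not-covered share, period 1:", not_covered_share(PERIOD_1, COVERAGE_BEFORE))
    print("not-covered share, period 2:",
          not_covered_share(PERIOD_2, COVERAGE_AFTER, COVERAGE_BEFORE))
    print("success criterion met:", metric_improved())
```

Run directly, it prints the triage of every constructed finding and the metric for both periods. In practice the coverage table would be the real language/tool matrix and the findings would come from the Security Validation and external-report queues; the point of the metric is that a covered class reported from outside is a process failure to analyze, while a not-covered class is input for the next tool or configuration improvement.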
Agenda (continued)
4 Lessons Learned
Key Success Factors
• A holistic security awareness program for
  - Developers
  - Managers
• Yes, security awareness is important, but developer awareness is even more important
Listen to Your Developers
We are often talking about a lack of security awareness and, by that, forget the problem of lacking development awareness.
• Building a secure system is more difficult than finding a successful attack
• Do not expect your developers to become penetration testers (or security experts)
Security Testing for Developers
Security testing tools for developers need to
• Be applicable from the start of development
• Automate the security knowledge
• Be deeply integrated into the development environment, e.g.,
  - IDE (instant feedback)
  - Continuous integration
• Provide easy-to-understand fix recommendations
• Declare their "sweet spots"
Collaborate
Security experts need to collaborate with development experts to
• Create easy-to-use security APIs (ever tried to use an SSL API securely?)
• Create languages and frameworks that make it hard to implement insecure systems
• Explain how to program securely
Agenda (continued)
5 How Does This Apply to Mobile Development
Mobile App Development at SAP
Key takeaways:
• Hybrid applications are becoming the predominant development model (at SAP)
• The challenges of hybrid apps are transferable to
  - web frameworks (EJB, Rails, PHP)
  - enterprise applications (XSJS, SQLScript, ABAP, JS)
• Even mobile apps contain > 500 kLOC
• There are a lot of open and interesting security research questions in the area of hybrid development models
Why Are Mobile Apps SpecialOrganisational Aspects
bull Partly not developed by thedevelopment organisations(eg marketing)
bull Fast update cycles(to app store not necessarily ldquoon devicerdquo)
bull Mobile apps are not patched(instead new release)
bull Processes partly defined by App Store operators(eg Google Apple )
copy 2015 SAP SE All Rights Reserved Page 25 of 30
Why Are Mobile Apps SpecialTechnical Aspects
bull Limiteddifferent user interface
bull High volume of apps released
bull Development tools are not fully under own control
bull Programming languages might not be usedelsewhere
bull Lot of frameworks thatbull rather newbull not as maturebull might track users (data privacy)
bull They are not independent
copy 2015 SAP SE All Rights Reserved Page 26 of 30
The Hidden Beast mdash ServerAs a mobile app you never be alone
A final remark
bull usually there is at least one server ldquoin the backgroundrdquo
bull many security and data privacy issues are caused bybull the communication of the app and its ldquoownrdquo serverbull the implementation of its ldquoownrdquo serverbull external servers andor services
copy 2015 SAP SE All Rights Reserved Page 27 of 30
Conclusion
bull Secure software development is abull Prerequisite for the secure and compliant operation
We need SecDevOpsbull Risk of operating and maintaining IT systems
bull Security requires an end-to-end approachbull Training of developers architects product ownersbull Security testing during developmentbull Validation of your security testing effortsbull Maintenance and security patch management
bull Developers are your most important allybull Make life easy for them
copy 2015 SAP SE All Rights Reserved Page 28 of 30
Thank you
httpxkcdcom327
Dr Achim D Bruckerachimbruckersapcomhttpswwwbruckerchhttpslogicalhackingcom
Related Publications
Ruediger Bachmann and Achim D Brucker
Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014
Achim D Brucker Lukas Bruumlgger and Burkhart Wolff
Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
Achim D Brucker and Uwe Sodan
Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014
Achim D Brucker and Burkhart Wolff
On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
copy 2015 SAP SE All Rights Reserved Page 30 of 30
copy 2015 SAP SE All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2015 SAP SE All Rights Reserved Page 31 of 30
- Background
- Motivation
- Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
- Lessons Learned
- How Does This Apply to Mobile Development
- Conclusion
-
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 7 of 30
Vulnerability Distribution
1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 20140
500
1000
1500
2000
2500
3000
Code Execution DoS Overflow Memory Corruption Sql InjectionXSS Directory Traversal Bypass something Gain Privileges CSRF
copy 2015 SAP SE All Rights Reserved Page 8 of 30
When Do We Fix Bugs
copy 2015 SAP SE All Rights Reserved Page 9 of 30
Microsoftrsquos SDL
copy 2015 SAP SE All Rights Reserved Page 10 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 11 of 30
Our Start SAST as a Baseline
ABAP
Java
C
JavaScript
Others
SAST tools used at SAP
Language Tool Vendor
ABAP CVA (SLIN_SEC) SAPJavaScript Checkmarx CxSAST Checkmarx
CC++ Coverity CoverityOthers Fortify HP
bull Since 2010 mandatory for all SAP products
bull Multiple billions lines analyzed
bull Constant improvement of tool configuration
bull Further detailsDeploying Static Application Security Testing on a LargeScale In GI Sicherheit 2014 Lecture Notes in Informatics228 pages 91-101 GI 2014
copy 2015 SAP SE All Rights Reserved Page 12 of 30
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 13 of 30
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java) Coverity (CC++)
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 13 of 30
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java)
DO
Min
ato
r
Coverity (CC++)
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 13 of 30
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx
Fortify (Java)
DO
Min
ato
r
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 13 of 30
A Risk-based Test Plan
Select from a list of
predefined application
types
Implementation detaos eg programming languages frameworks
Priority of SAP Security
Requirements
Security Test Plan
RISK ASSESMENT
(eg SECURIM Threat Modelling OWASP ASVS) bull Combines multiple security testing methods eg
code scans dynamic analysis manual penetrationtesting or fuzzing
bull Selects the most efficient test tools and test casesbased on the risks and the technologies used in theproject
bull Re-adjusts priorities of test cases based on identifiedrisks for the project
bull Monitors false negative findings in the results of riskassessment
copy 2015 SAP SE All Rights Reserved Page 14 of 30
SAPrsquo Secure Software Development Lifecycle (S2DL)
copy 2015 SAP SE All Rights Reserved Page 15 of 30
Security Validation
bull Acts as first customer
bull Is not a replacement for security testing during development
bull Security Validationbull Check for ldquoflawsrdquo in the implementation of the S2DLbull Ideally security validation findsbull No issues that can be fixeddetected earlierbull Only issues that cannot be detect earlier
(eg insecure default configurations missing security documentation)
Penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 16 of 30
Security Validation
bull Acts as first customer
bull Is not a replacement for security testing during development
bull Security Validationbull Check for ldquoflawsrdquo in the implementation of the S2DLbull Ideally security validation findsbull No issues that can be fixeddetected earlierbull Only issues that cannot be detect earlier
(eg insecure default configurations missing security documentation)
Penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 16 of 30
How to Measure Success
• Analyze the vulnerabilities reported by
  • Security Validation
  • External security researchers
• Vulnerability not detected by our security testing tools
  • Improve tool configuration
  • Introduce new tools
  (outcome: Not Covered, or Newly Covered once the tooling has been improved)
• Vulnerability detected by our security testing tools
  • Vulnerability in older software release
  • Analyze reason for missing vulnerability
  (outcome: Covered)
Success criteria: Percentage of vulnerabilities not covered by our security testing tools increases
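As an added illustration of this slide (example code written for this page, not SAP's tooling), the following script sorts constructed vulnerability reports into the three outcomes named above, attaches the follow-up action each branch calls for, and checks the success criterion across two reporting periods. The record fields, the placeholder identifiers (V-1 and so on) and the two sample periods are assumptions made for the example.

```python
"""Coverage metric for reported vulnerabilities.

Added example, not from the slides: each vulnerability reported by Security
Validation or an external researcher is mapped to Covered / Newly Covered /
Not Covered, the follow-up from the slide is attached, and the success
criterion (share of Not Covered rises over time) is evaluated.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ReportedVulnerability:
    ident: str                     # constructed placeholder, not a real advisory id
    source: str                    # "security validation" or "external researcher"
    tool_detects: bool             # the current tool setup flags the defect when run
    release_scanned: bool          # the affected release was actually scanned with it
    detectable_after_tuning: bool  # a config change or a new tool now finds it


def classify(v: ReportedVulnerability) -> str:
    """Map one report to Covered / Newly Covered / Not Covered."""
    if v.tool_detects:
        # The tools could have found it: a process gap, not a tool gap.
        return "Covered"
    if v.detectable_after_tuning:
        return "Newly Covered"
    return "Not Covered"


def follow_up(v: ReportedVulnerability) -> str:
    """Action the slide attaches to each branch of the analysis."""
    outcome = classify(v)
    if outcome == "Covered":
        if not v.release_scanned:
            return "vulnerability in older, unscanned release: extend scan scope"
        return "analyze reason for missing the vulnerability"
    if outcome == "Newly Covered":
        return "tool configuration improved / new tool introduced"
    return "not detectable by current tools: candidate for a new tool"


def shares(vulns) -> dict:
    """Fraction of reports per outcome for one reporting period."""
    counts = Counter(classify(v) for v in vulns)
    total = len(vulns)
    return {k: counts[k] / total for k in ("Covered", "Newly Covered", "Not Covered")}


def criterion_met(periods) -> bool:
    """Success criterion from the slide: the share of Not Covered grows from
    one period to the next, i.e. the tools catch everything else earlier."""
    not_covered = [shares(p)["Not Covered"] for p in periods]
    return all(a < b for a, b in zip(not_covered, not_covered[1:]))


# Constructed sample data for two reporting periods.
PERIOD_2014 = [
    ReportedVulnerability("V-1", "security validation", True, False, False),
    ReportedVulnerability("V-2", "external researcher", True, True, False),
    ReportedVulnerability("V-3", "security validation", True, False, False),
    ReportedVulnerability("V-4", "external researcher", False, True, True),
    ReportedVulnerability("V-5", "security validation", False, True, False),
]
PERIOD_2015 = [
    ReportedVulnerability("V-6", "external researcher", True, False, False),
    ReportedVulnerability("V-7", "security validation", False, True, True),
    ReportedVulnerability("V-8", "security validation", False, True, False),
    ReportedVulnerability("V-9", "external researcher", False, True, False),
    ReportedVulnerability("V-10", "security validation", False, True, False),
]

if __name__ == "__main__":
    for name, period in (("2014", PERIOD_2014), ("2015", PERIOD_2015)):
        print(name, shares(period))
        for v in period:
            print("  ", v.ident, v.source, classify(v), "->", follow_up(v))
    print("criterion met:", criterion_met([PERIOD_2014, PERIOD_2015]))
```

The criterion reads the same way as the Security Validation slide: validation and external researchers should increasingly only find issues the tools cannot detect.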
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAP's S2DL
4 Lessons Learned
5 How Does This Apply to Mobile Development
6 Conclusion
Key Success Factors
• A holistic security awareness program for
  • Developers
  • Managers
• Yes, security awareness is important, but developer awareness is even more important
Listen to Your Developers
We often talk about a lack of security awareness and thereby forget the problem of lacking development awareness.
• Building a secure system is more difficult than finding a successful attack
• Do not expect your developers to become penetration testers (or security experts)
Security Testing for Developers
Security testing tools for developers need to
• Be applicable from the start of development
• Automate the security knowledge
• Be deeply integrated into the development environment, e.g.
  • IDE (instant feedback)
  • Continuous integration
• Provide easy to understand fix recommendations
• Declare their "sweet spots"
Collaborate
Security experts need to collaborate with development experts to
• Create easy to use security APIs (ever tried to use an SSL API securely?)
• Create languages and frameworks that make it hard to implement insecure systems
• Explain how to program securely
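As an added illustration of the "easy to use security API" point (example code written for this page, not from the slides), the following script uses Python's standard ssl module: a client context has several independent settings that all have to be right at once, which is what makes the raw API hard to use securely. The audit function lists what a hand-built context gets wrong, and the wrapper makes the safe choices once so that callers cannot forget them. The function names and the weak "hand-rolled" context are assumptions for the example.

```python
"""Why "ever tried to use an SSL API securely?" is a fair question.

Added example, not from the slides: audit_client_context reports the
weaknesses of a TLS client context; secure_client_context is the kind of
easy-to-use wrapper the slide asks for (verification, hostname check and
protocol floor set correctly in one place).
"""
import ssl


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return the weaknesses of a client-side context (empty list = fine)."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not verified")
    if not ctx.check_hostname:
        problems.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("protocol versions below TLS 1.2 are accepted")
    return problems


def handrolled_context() -> ssl.SSLContext:
    """The context a developer ends up with after "fixing" a certificate
    error by switching verification off: it connects to anything, so an
    on-path attacker can impersonate the server. Kept here as the weak
    configuration to audit, not as something to use."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_client_context(cafile=None) -> ssl.SSLContext:
    """Easy-to-use wrapper: verification on, hostname check on, TLS >= 1.2.
    cafile is optional; by default the platform trust store is loaded."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # explicit, not a version-dependent default
    return ctx


if __name__ == "__main__":
    print("hand-rolled:", audit_client_context(handrolled_context()))
    print("wrapper:    ", audit_client_context(secure_client_context()))
```

Nothing here opens a network connection; the point is that the safe configuration can be checked and reused without every developer having to know the three settings.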
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAP's S2DL
4 Lessons Learned
5 How Does This Apply to Mobile Development
6 Conclusion
Mobile App Development at SAP
Key take-aways
• Hybrid applications are becoming the predominant development model (at SAP)
• The challenges of hybrid apps are transferable to
  • web frameworks (EJB, Rails, PHP)
  • enterprise applications (XSJS, SQLScript, ABAP, JS)
• Even mobile apps contain > 500 kLOC
• There are a lot of open and interesting security research questions in the area of hybrid development models
Why Are Mobile Apps Special? Organisational Aspects
• Partly not developed by the development organisations (e.g. marketing)
• Fast update cycles (to the app store, not necessarily "on device")
• Mobile apps are not patched (instead: new release)
• Processes partly defined by App Store operators (e.g. Google, Apple, ...)
Why Are Mobile Apps Special? Technical Aspects
• Limited/different user interface
• High volume of apps released
• Development tools are not fully under own control
• Programming languages might not be used elsewhere
• Lots of frameworks that are
  • rather new
  • not as mature
  • might track users (data privacy)
• They are not independent
The Hidden Beast — Server: As a mobile app you are never alone
A final remark:
• Usually there is at least one server "in the background"
• Many security and data privacy issues are caused by
  • the communication between the app and its "own" server
  • the implementation of its "own" server
  • external servers and/or services
Conclusion
• Secure software development is a
  • Prerequisite for the secure and compliant operation
  • Risk of operating and maintaining IT systems
  (We need SecDevOps)
• Security requires an end-to-end approach
  • Training of developers, architects, product owners
  • Security testing during development
  • Validation of your security testing efforts
  • Maintenance and security patch management
• Developers are your most important ally
  • Make life easy for them
Thank you
http://xkcd.com/327
Dr. Achim D. Brucker
achim.brucker@sap.com
https://www.brucker.ch
https://logicalhacking.com
Related Publications
Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014
Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014
Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014
Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012
Vulnerability Distribution
[Chart: number of reported vulnerabilities per year from 1999 to 2014 (y-axis 0 to 3000), by type: Code Execution, DoS, Overflow, Memory Corruption, SQL Injection, XSS, Directory Traversal, Bypass something, Gain Privileges, CSRF]
When Do We Fix Bugs?
[slide consists of a figure]
Microsoft's SDL
[slide consists of a figure]
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAP's S2DL
4 Lessons Learned
5 How Does This Apply to Mobile Development
6 Conclusion
Our Start: SAST as a Baseline
[Chart legend: ABAP, Java, C, JavaScript, Others]
SAST tools used at SAP
  Language     Tool                Vendor
  ABAP         CVA (SLIN_SEC)      SAP
  JavaScript   Checkmarx CxSAST    Checkmarx
  C/C++        Coverity            Coverity
  Others       Fortify             HP
• Since 2010 mandatory for all SAP products
• Multiple billions of lines analyzed
• Constant improvement of tool configuration
• Further details: Deploying Static Application Security Testing on a Large Scale. In GI Sicherheit 2014, Lecture Notes in Informatics 228, pages 91-101. GI, 2014
Combining Multiple Security Testing Methods and Tools
[Diagram: the software stack (Client Application, Web Browser, Server Application, Runtime Container, Backend Systems) annotated with the tools that cover each layer: Checkmarx (JavaScript), Fortify (Java), Coverity (C/C++), DOMinator, HP WebInspect, IBM AppScan]
• Risks of only using SAST
  • Wasting effort that could be used more wisely elsewhere
  • Shipping insecure software
• Examples of SAST limitations
  • Not all programming languages supported
  • Does not cover all layers of the software stack
A Risk-based Test Plan
[Diagram: inputs to the RISK ASSESSMENT (e.g. SECURIM, Threat Modelling, OWASP ASVS) are the application type, selected from a list of predefined application types, the implementation details, e.g. programming languages and frameworks, and the priority of the SAP Security Requirements; its output is the Security Test Plan]
The risk-based test plan
• Combines multiple security testing methods, e.g. code scans, dynamic analysis, manual penetration testing or fuzzing
• Selects the most efficient test tools and test cases based on the risks and the technologies used in the project
• Re-adjusts priorities of test cases based on identified risks for the project
• Monitors false negative findings in the results of risk assessment
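As an added illustration of the two preceding slides (the SAST limitations and the risk-based test plan), the following script is example code written for this page, not SAP's test-plan tooling. It uses the language/tool table and the dynamic tools named on the slides as a small catalogue, assigns a test method to each component of a constructed project, lists the components SAST cannot cover, and orders test cases by the priority of the security requirement they check. The project description, the requirement priorities, the test-case names and the rule that web-facing layers get dynamic testing are assumptions made for the example.

```python
"""Deriving a security test plan from technologies used and risk priorities.

Added example, not SAP's tooling: plan_tests maps each component to SAST,
dynamic analysis or manual work and records SAST gaps; prioritize orders
test cases by the priority of the security requirement they check.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Language -> SAST tool, from the "SAST tools used at SAP" and stack slides.
SAST_TOOLS = {
    "abap": "CVA (SLIN_SEC)",
    "javascript": "Checkmarx CxSAST",
    "c": "Coverity",
    "c++": "Coverity",
    "java": "Fortify",
}
# Dynamic analysis tools named on the stack slide.
DAST_TOOLS = ["DOMinator", "HP WebInspect", "IBM AppScan"]
# Assumption for this example: layers reached over HTTP get dynamic testing.
WEB_FACING_LAYERS = {"web browser", "server application"}


@dataclass(frozen=True)
class Component:
    name: str
    layer: str                      # layer names from the stack slide
    language: Optional[str] = None  # None: configured rather than coded


def plan_tests(components: List[Component]) -> Dict[str, List[Tuple[str, str]]]:
    """Assign test methods per component and list what SAST cannot cover."""
    plan = {"sast": [], "dast": [], "manual": [], "gaps": []}
    for c in components:
        if c.language is None:
            # Nothing to scan statically: the configuration itself is the risk.
            plan["manual"].append((c.name, "configuration review / penetration test"))
        elif c.language.lower() in SAST_TOOLS:
            plan["sast"].append((c.name, SAST_TOOLS[c.language.lower()]))
        else:
            # SAST limitation from the slide: language not supported.
            plan["gaps"].append((c.name, f"no SAST tool for {c.language}"))
            plan["manual"].append((c.name, "manual code review"))
        if c.layer in WEB_FACING_LAYERS:
            plan["dast"].append((c.name, ", ".join(DAST_TOOLS)))
    return plan


def prioritize(priority: Dict[str, int],
               catalogue: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Order test cases by the priority (1 = highest) of their requirement.
    Re-running this after the risk assessment changes a priority is the
    re-adjustment the slide describes."""
    ordered = sorted(priority.items(), key=lambda kv: (kv[1], kv[0]))
    return [(req, case) for req, _ in ordered for case in catalogue.get(req, [])]


# Constructed project: a hybrid app with a Java service and SQLScript procedures.
PROJECT = [
    Component("hybrid app UI (WebView)", "web browser", "JavaScript"),
    Component("REST service", "server application", "Java"),
    Component("stored procedures", "backend systems", "SQLScript"),
    Component("runtime container", "runtime container"),
]
PRIORITY = {"input validation": 2, "authentication": 1, "secure configuration": 3}
TEST_CASES = {
    "authentication": ["session handling", "password storage"],
    "input validation": ["SQL injection", "cross-site scripting"],
    "secure configuration": ["default credentials"],
}

if __name__ == "__main__":
    for method, entries in plan_tests(PROJECT).items():
        print(method, entries)
    print(prioritize(PRIORITY, TEST_CASES))
```

The "gaps" list is the practical output: it is exactly the set of components for which relying on SAST alone would mean shipping untested code.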
SAP's Secure Software Development Lifecycle (S2DL)
[slide consists of a figure]
Security Validation
• Acts as first customer
• Is not a replacement for security testing during development
• Security Validation
  • Checks for "flaws" in the implementation of the S2DL
  • Ideally security validation finds
    • No issues that can be fixed/detected earlier
    • Only issues that cannot be detected earlier (e.g. insecure default configurations, missing security documentation)
Penetration tests in productive environments are different:
• They test the actual configuration
• They test the productive environment (e.g. cloud/hosting)
When Do We Fix Bugs
copy 2015 SAP SE All Rights Reserved Page 9 of 30
Microsoftrsquos SDL
copy 2015 SAP SE All Rights Reserved Page 10 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 11 of 30
Our Start SAST as a Baseline
ABAP
Java
C
JavaScript
Others
SAST tools used at SAP
Language Tool Vendor
ABAP CVA (SLIN_SEC) SAPJavaScript Checkmarx CxSAST Checkmarx
CC++ Coverity CoverityOthers Fortify HP
bull Since 2010 mandatory for all SAP products
bull Multiple billions lines analyzed
bull Constant improvement of tool configuration
bull Further detailsDeploying Static Application Security Testing on a LargeScale In GI Sicherheit 2014 Lecture Notes in Informatics228 pages 91-101 GI 2014
copy 2015 SAP SE All Rights Reserved Page 12 of 30
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 13 of 30
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java) Coverity (CC++)
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 13 of 30
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java)
DO
Min
ato
r
Coverity (CC++)
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 13 of 30
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx
Fortify (Java)
DO
Min
ato
r
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 13 of 30
A Risk-based Test Plan
[Figure: inputs to the Security Test Plan. Select from a list of predefined application types; implementation details (e.g. programming languages, frameworks); priority of SAP Security Requirements; risk assessment (e.g. SECURIM, threat modelling, OWASP ASVS).]
• Combines multiple security testing methods, e.g. code scans, dynamic analysis, manual penetration testing or fuzzing
• Selects the most efficient test tools and test cases based on the risks and the technologies used in the project
• Re-adjusts priorities of test cases based on identified risks for the project
• Monitors false negative findings in the results of risk assessment
© 2015 SAP SE. All Rights Reserved. Page 14 of 30
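
The selection logic described on this slide, as an added example that is not SAP's tooling and not part of the original deck: a small Python model of a risk-based test plan. The application types, risk weights, pentest threshold, the risk-to-method mapping and the DAST tool-to-layer mapping are constructed assumptions; the SAST tool names follow the tool list given elsewhere in the talk.

```python
"""Toy model of a risk-based security test plan (added example, not SAP tooling).

Inputs mirror the slide: application type, implementation details (languages),
exposure and identified risks. Output: prioritised test cases across several
testing methods. All weights, thresholds and mappings are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# SAST tools per language, following the tool list given in the talk.
# Languages missing here illustrate the "not all languages supported" limitation.
SAST_TOOLS = {
    "ABAP": "CVA (SLIN_SEC)",
    "JavaScript": "Checkmarx CxSAST",
    "C/C++": "Coverity",
    "Java": "Fortify",
}
# Constructed assumption: dynamic tools per target layer.
DAST_TOOLS = {"http": "HP WebInspect", "dom": "DOMinator"}
# Constructed assumption: predefined application types with an HTTP attack surface.
WEB_FACING_TYPES = {"web application", "hybrid mobile app", "REST service"}
# Constructed assumption: which identified risk raises which test methods.
RISK_TO_METHODS = {
    "injection": {"sast", "dast"},
    "authentication": {"pentest", "dast"},
    "parsing": {"fuzzing"},
    "business logic": {"pentest"},
}
PENTEST_THRESHOLD = 7  # constructed: risk score at which a manual pentest is scheduled


@dataclass
class Project:
    app_type: str                 # selected from a predefined list
    languages: Set[str]           # implementation details
    exposure: str                 # "internet", "intranet" or "local"
    personal_data: bool           # data-privacy relevance
    risks: Dict[str, int] = field(default_factory=dict)  # risk -> severity 1..5


@dataclass
class TestCase:
    method: str    # sast | dast | fuzzing | pentest | manual review
    target: str
    tool: str
    priority: int  # higher runs first


def risk_score(p: Project) -> int:
    """Constructed scoring: exposure plus data sensitivity plus worst identified risk."""
    score = {"internet": 3, "intranet": 2, "local": 1}[p.exposure]
    if p.personal_data:
        score += 2
    return score + max(p.risks.values(), default=0)


def build_test_plan(p: Project) -> List[TestCase]:
    plan: List[TestCase] = []
    # 1. Code scans: one SAST case per language; unsupported languages fall back
    #    to manual review instead of silently getting no coverage.
    for lang in sorted(p.languages):
        tool = SAST_TOOLS.get(lang)
        if tool is not None:
            plan.append(TestCase("sast", lang, tool, 3))
        else:
            plan.append(TestCase("manual review", lang, "security code review", 2))
    # 2. Dynamic analysis only where there is an HTTP attack surface.
    if p.app_type in WEB_FACING_TYPES:
        plan.append(TestCase("dast", "HTTP interface", DAST_TOOLS["http"], 2))
        if "JavaScript" in p.languages:
            plan.append(TestCase("dast", "client-side DOM", DAST_TOOLS["dom"], 2))
    # 3. Fuzzing of parsers reachable from the internet.
    if p.exposure == "internet":
        plan.append(TestCase("fuzzing", "exposed parsers", "fuzzer", 2))
    # 4. Manual penetration test for high-risk projects.
    if risk_score(p) >= PENTEST_THRESHOLD:
        plan.append(TestCase("pentest", p.app_type, "manual penetration test", 3))
    # 5. Re-adjust priorities based on the identified risks.
    for risk, severity in p.risks.items():
        for tc in plan:
            if tc.method in RISK_TO_METHODS.get(risk, set()):
                tc.priority += severity
    plan.sort(key=lambda tc: tc.priority, reverse=True)
    return plan


if __name__ == "__main__":
    # Constructed sample project: Java backend plus a Go component without SAST support.
    sample = Project("web application", {"Java", "Go"}, "internet", True, {"injection": 4})
    for tc in build_test_plan(sample):
        print(f"{tc.priority:>2}  {tc.method:<14} {tc.target:<16} {tc.tool}")
```

The point of the fallback in step 1 is the SAST limitation named on the previous slide: a language without a supported scanner still gets a test case, so the gap is visible in the plan rather than discovered later by a researcher.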
SAP's Secure Software Development Lifecycle (S2DL)
© 2015 SAP SE. All Rights Reserved. Page 15 of 30
Security Validation
• Acts as first customer
• Is not a replacement for security testing during development
• Security Validation:
  • Checks for "flaws" in the implementation of the S2DL
  • Ideally, security validation finds
    • no issues that could have been fixed or detected earlier
    • only issues that cannot be detected earlier (e.g. insecure default configurations, missing security documentation)
Penetration tests in productive environments are different:
• They test the actual configuration
• They test the productive environment (e.g. cloud/hosting)
© 2015 SAP SE. All Rights Reserved. Page 16 of 30
How to Measure Success
• Analyze the vulnerabilities reported by
  • Security Validation
  • External security researchers
• Vulnerability not detected by our security testing tools:
  • Improve tool configuration
  • Introduce new tools
• Vulnerability detected by our security testing tools:
  • Vulnerability in older software release
  • Analyze reason for missing the vulnerability
[Figure labels: Covered, Not Covered, Newly Covered]
Success criteria: percentage of vulnerabilities not covered by our security testing tools increases
© 2015 SAP SE. All Rights Reserved. Page 17 of 30
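
One way to compute the coverage metric this slide describes, as an added example that is not SAP's process tooling: constructed vulnerability reports are classified into the figure's three categories (covered, not covered, newly covered), the covered ones are triaged for the reason the vulnerability was still missed, and the percentages per category are derived. The report fields, the triage reasons and the sample data are assumptions.

```python
"""Classify reported vulnerabilities against the security testing tool set
(added example with constructed data; not SAP's internal process or tooling)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Report:
    vuln_id: str
    source: str               # "security validation" or "external researcher"
    release: str
    detected_by_tools: bool   # do the current tools and configuration flag it?
    scanned_release: bool     # was the affected release scanned with the current tools?
    rule_added: bool = False  # tool configuration improved or new tool introduced because of it?


def classify(r: Report) -> str:
    """Map a report onto the categories shown in the slide's figure."""
    if r.detected_by_tools and not r.rule_added:
        return "covered"
    if r.rule_added:
        return "newly covered"
    return "not covered"


def triage_covered(r: Report) -> str:
    """Why did a vulnerability the tools can find still reach a customer or researcher?"""
    if classify(r) != "covered":
        raise ValueError("only covered vulnerabilities are triaged here")
    if not r.scanned_release:
        return "older release, not scanned with the current tool configuration"
    return "finding produced by the tools but missed during triage (process gap)"


def coverage_report(reports: Iterable[Report]) -> Dict[str, float]:
    """Percentage of reports per category; the success criterion is read off these numbers."""
    counts = Counter(classify(r) for r in reports)
    total = sum(counts.values())
    cats = ("covered", "newly covered", "not covered")
    if total == 0:
        return {c: 0.0 for c in cats}
    return {c: round(100.0 * counts[c] / total, 1) for c in cats}


def actions(reports: Iterable[Report]) -> List[str]:
    """Follow-up per report, following the two branches on the slide."""
    out = []
    for r in reports:
        cat = classify(r)
        if cat == "not covered":
            out.append(f"{r.vuln_id}: improve tool configuration or introduce a new tool")
        elif cat == "covered":
            out.append(f"{r.vuln_id}: {triage_covered(r)}")
        else:
            out.append(f"{r.vuln_id}: newly covered, verify the new rule on the next release")
    return out


# Constructed sample reports (not real SAP findings).
SAMPLE_REPORTS = [
    Report("V-1", "external researcher", "2.1", detected_by_tools=True, scanned_release=True),
    Report("V-2", "security validation", "1.0", detected_by_tools=True, scanned_release=False),
    Report("V-3", "external researcher", "2.1", detected_by_tools=False, scanned_release=True,
           rule_added=True),
    Report("V-4", "security validation", "2.1", detected_by_tools=False, scanned_release=True),
]

if __name__ == "__main__":
    print(coverage_report(SAMPLE_REPORTS))
    for line in actions(SAMPLE_REPORTS):
        print(line)
```

Running the same report over successive release periods turns the slide's success criterion into a trend line; the triage branch matters because a "covered" vulnerability that still shipped points at a process gap (unscanned release, ignored finding) rather than at the tool.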
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAP's S2DL
4 Lessons Learned
5 How Does This Apply to Mobile Development?
6 Conclusion
© 2015 SAP SE. All Rights Reserved. Page 18 of 30
Key Success Factors
• A holistic security awareness program for
  • Developers
  • Managers
• Yes, security awareness is important, but developer awareness is even more important
© 2015 SAP SE. All Rights Reserved. Page 19 of 30
Listen to Your Developers
We often talk about a lack of security awareness and thereby forget the problem of lacking development awareness.
• Building a secure system is more difficult than finding a successful attack
• Do not expect your developers to become penetration testers (or security experts)
© 2015 SAP SE. All Rights Reserved. Page 20 of 30
Security Testing for Developers
Security testing tools for developers need to
• Be applicable from the start of development
• Automate the security knowledge
• Be deeply integrated into the development environment, e.g.
  • IDE (instant feedback)
  • Continuous integration
• Provide easy-to-understand fix recommendations
• Declare their "sweet spots"
© 2015 SAP SE. All Rights Reserved. Page 21 of 30
Collaborate
Security experts need to collaborate with development experts to
• Create easy-to-use security APIs (ever tried to use an SSL API securely?)
• Create languages and frameworks that make it hard to implement insecure systems
• Explain how to program securely
© 2015 SAP SE. All Rights Reserved. Page 22 of 30
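
As an added illustration of the "easy-to-use security API" point (example code, not from the talk or from SAP): Python's standard ssl module is first used directly in the misuse-prone way, then behind a small wrapper that offers no knob for switching verification off, together with an audit function a code review or unit test can run against any client context. The TlsClient wrapper and the audit messages are constructed for this example.

```python
"""Easy-to-use vs. misuse-prone TLS client setup (added example, not from the talk).

Uses only the Python standard library. The TlsClient wrapper and the audit
messages are constructed for illustration."""
import socket
import ssl
from typing import List, Optional


def misuse_prone_context() -> ssl.SSLContext:
    """The raw API as it is often (mis)used: verification switched off to make a
    connection 'work'. Shown as the anti-pattern the wrapper below rules out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted: the server is not authenticated
    return ctx


def secure_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Secure defaults: system (or given) trust store, hostname check, TLS 1.2 or newer."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED and check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings a reviewer or unit test would raise against a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 allowed")
    return findings


def is_secure(ctx: ssl.SSLContext) -> bool:
    return audit_context(ctx) == []


class TlsClient:
    """The easy-to-use API: the only configurable input is which CA bundle to trust.
    There is deliberately no parameter for disabling verification."""

    def __init__(self, host: str, port: int = 443, cafile: Optional[str] = None):
        self.host, self.port = host, port
        self._ctx = secure_context(cafile)

    def context(self) -> ssl.SSLContext:
        return self._ctx

    def connect(self, timeout: float = 5.0) -> ssl.SSLSocket:
        """Open an authenticated TLS connection; raises ssl.SSLError on a bad certificate."""
        raw = socket.create_connection((self.host, self.port), timeout=timeout)
        try:
            return self._ctx.wrap_socket(raw, server_hostname=self.host)
        except Exception:
            raw.close()
            raise


if __name__ == "__main__":
    # Constructed host name; no connection is opened here.
    print("raw misuse:", audit_context(misuse_prone_context()))
    print("wrapper   :", audit_context(TlsClient("example.invalid").context()))
```

The wrapper is the "language or framework that makes it hard to implement insecure systems" in miniature: a developer who cannot reach the verification knobs cannot turn them off under deadline pressure, and the audit function gives the security team a check to wire into continuous integration.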
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAP's S2DL
4 Lessons Learned
5 How Does This Apply to Mobile Development?
6 Conclusion
© 2015 SAP SE. All Rights Reserved. Page 23 of 30
Mobile App Development at SAP
Key takeaways:
• Hybrid applications are becoming the predominant development model (at SAP)
• The challenges of hybrid apps are transferable to
  • web frameworks (EJB, Rails, PHP)
  • enterprise applications (XSJS, SQLScript, ABAP, JS)
• Even mobile apps contain > 500 kLOC
• There are a lot of open and interesting security research questions in the area of hybrid development models
© 2015 SAP SE. All Rights Reserved. Page 24 of 30
Why Are Mobile Apps Special? Organisational Aspects
• Partly not developed by the development organisations (e.g. marketing)
• Fast update cycles (to the app store, not necessarily "on device")
• Mobile apps are not patched (instead, a new release is shipped)
• Processes partly defined by app store operators (e.g. Google, Apple, ...)
© 2015 SAP SE. All Rights Reserved. Page 25 of 30
Why Are Mobile Apps Special? Technical Aspects
• Limited/different user interface
• High volume of apps released
• Development tools are not fully under own control
• Programming languages might not be used elsewhere
• Lots of frameworks that
  • are rather new
  • are not as mature
  • might track users (data privacy)
• They are not independent
© 2015 SAP SE. All Rights Reserved. Page 26 of 30
The Hidden Beast: the Server. As a mobile app, you are never alone
A final remark:
• Usually there is at least one server "in the background"
• Many security and data privacy issues are caused by
  • the communication between the app and its "own" server
  • the implementation of its "own" server
  • external servers and/or services
© 2015 SAP SE. All Rights Reserved. Page 27 of 30
Conclusion
• Secure software development is a prerequisite for the secure and compliant operation of IT systems (risk of operating and maintaining IT systems). We need SecDevOps.
• Security requires an end-to-end approach:
  • Training of developers, architects, product owners
  • Security testing during development
  • Validation of your security testing efforts
  • Maintenance and security patch management
• Developers are your most important ally
  • Make life easy for them
© 2015 SAP SE. All Rights Reserved. Page 28 of 30
Thank you
http://xkcd.com/327
Dr. Achim D. Brucker, achim.brucker@sap.com, https://www.brucker.ch, https://logicalhacking.com
Related Publications
Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014
Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014
Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014
Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012
© 2015 SAP SE. All Rights Reserved. Page 30 of 30
Microsoft's SDL
© 2015 SAP SE. All Rights Reserved. Page 10 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAP's S2DL
4 Lessons Learned
5 How Does This Apply to Mobile Development?
6 Conclusion
© 2015 SAP SE. All Rights Reserved. Page 11 of 30
Our Start: SAST as a Baseline
[Figure: share of code by language: ABAP, Java, C, JavaScript, Others]
SAST tools used at SAP
Language     Tool                 Vendor
ABAP         CVA (SLIN_SEC)       SAP
JavaScript   Checkmarx CxSAST     Checkmarx
C/C++        Coverity             Coverity
Others       Fortify              HP
• Since 2010 mandatory for all SAP products
• Multiple billions of lines analyzed
• Constant improvement of tool configuration
• Further details: Deploying Static Application Security Testing on a Large Scale. In: GI Sicherheit 2014, Lecture Notes in Informatics 228, pages 91–101, GI, 2014
© 2015 SAP SE. All Rights Reserved. Page 12 of 30
- Background
- Motivation
- Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
- Lessons Learned
- How Does This Apply to Mobile Development
- Conclusion
-
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAP's S2DL
4 Lessons Learned
5 How Does This Apply to Mobile Development?
6 Conclusion
Our Start: SAST as a Baseline

[Chart: ABAP, Java, C, JavaScript, Others]

SAST tools used at SAP

Language     Tool                 Vendor
ABAP         CVA (SLIN_SEC)       SAP
JavaScript   Checkmarx CxSAST     Checkmarx
C/C++        Coverity             Coverity
Others       Fortify              HP

• Since 2010: mandatory for all SAP products
• Multiple billions of lines analyzed
• Constant improvement of tool configuration
• Further details: Deploying Static Application Security Testing on a Large Scale. In: GI Sicherheit 2014, Lecture Notes in Informatics 228, pages 91-101, GI 2014
Combining Multiple Security Testing Methods and Tools

[Diagram: the layers of the software stack (Client Application, Web Browser, Server Application, Runtime Container, Backend Systems) with the tools mapped onto them: Checkmarx (JavaScript), Fortify (Java), Coverity (C/C++), DOMinator, HP WebInspect, IBM AppScan]

• Risks of using only SAST
  • Wasting effort that could be used more wisely elsewhere
  • Shipping insecure software
• Examples of SAST limitations
  • Not all programming languages supported
  • Does not cover all layers of the software stack
A Risk-based Test Plan

[Diagram: inputs to the Security Test Plan: a selection from a list of predefined application types; implementation details (e.g., programming languages, frameworks); the priority of SAP Security Requirements; a risk assessment (e.g., SECURIM, threat modelling, OWASP ASVS)]

• Combines multiple security testing methods, e.g., code scans, dynamic analysis, manual penetration testing, or fuzzing
• Selects the most efficient test tools and test cases based on the risks and the technologies used in the project
• Re-adjusts priorities of test cases based on identified risks for the project
• Monitors false negative findings in the results of risk assessment
SAP's Secure Software Development Lifecycle (S2DL)
Security Validation

• Acts as first customer
• Is not a replacement for security testing during development
• Security Validation
  • Checks for "flaws" in the implementation of the S2DL
  • Ideally, security validation finds
    • No issues that can be fixed/detected earlier
    • Only issues that cannot be detected earlier (e.g., insecure default configurations, missing security documentation)

Penetration tests in productive environments are different:
• They test the actual configuration
• They test the productive environment (e.g., cloud/hosting)
How to Measure Success

• Analyze the vulnerabilities reported by
  • Security Validation
  • External security researchers
• Vulnerability not detected by our security testing tools
  • Improve tool configuration
  • Introduce new tools
• Vulnerability detected by our security testing tools
  • Vulnerability in older software release
  • Analyze reason for missing vulnerability

[Diagram with the categories Covered, Not Covered, Newly Covered]

Success criteria: Percentage of vulnerabilities not covered by our security testing tools increases
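As an added example (not from the slides), the feedback loop above as code: a constructed list of reported vulnerabilities is sorted into the three buckets of the diagram, each report gets the follow-up the slide attaches to its branch, and the success criterion is evaluated per reporting period. The field names, periods and report ids are constructed for this example, and the follow-up for "Newly Covered" is an assumption, since the slide names none.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnReport:
    """One vulnerability reported by Security Validation or an external researcher."""
    period: str              # reporting period, e.g. a half-year (constructed)
    vuln_id: str             # constructed id, not a CVE number
    source: str              # "security validation" or "external researcher"
    covered_at_report: bool  # could the tool configuration of that time detect this class?
    covered_now: bool        # does the current tool configuration detect it?
    old_release: bool        # found in a release that shipped before the tools were mandatory


def classify(report: VulnReport) -> str:
    """Bucket of the slide's diagram."""
    if report.covered_at_report:
        return "Covered"
    if report.covered_now:
        return "Newly Covered"   # not covered when reported, configuration improved since
    return "Not Covered"


def follow_up(report: VulnReport) -> str:
    """Action the slide attaches to each branch (the Newly Covered action is assumed)."""
    bucket = classify(report)
    if bucket == "Not Covered":
        return "improve tool configuration or introduce a new tool"
    if bucket == "Newly Covered":
        return "verify that the improved configuration now flags this class"
    if report.old_release:
        return "vulnerability in older software release"
    return "analyze reason for missing the vulnerability"


def not_covered_share(reports) -> dict:
    """Per period: percentage of reported vulnerabilities still not covered by the tools."""
    totals = Counter(r.period for r in reports)
    missed = Counter(r.period for r in reports if classify(r) == "Not Covered")
    return {p: round(100.0 * missed[p] / totals[p], 1) for p in sorted(totals)}


def success_criterion_met(reports) -> bool:
    """The slide's criterion: the not-covered share must rise from period to period,
    i.e. what still slips through is increasingly what the tools cannot catch at all."""
    shares = list(not_covered_share(reports).values())
    return len(shares) > 1 and all(a < b for a, b in zip(shares, shares[1:]))


# Constructed sample reports (not real SAP data).
REPORTS = [
    VulnReport("2014H1", "V-1", "security validation", True, True, False),
    VulnReport("2014H1", "V-2", "external researcher", False, True, False),
    VulnReport("2014H1", "V-3", "external researcher", False, False, False),
    VulnReport("2014H1", "V-4", "security validation", True, True, True),
    VulnReport("2014H2", "V-5", "external researcher", False, False, False),
    VulnReport("2014H2", "V-6", "security validation", False, False, False),
    VulnReport("2014H2", "V-7", "external researcher", True, True, True),
]

if __name__ == "__main__":
    for r in REPORTS:
        print(f"{r.vuln_id}: {classify(r):14} -> {follow_up(r)}")
    print(not_covered_share(REPORTS), success_criterion_met(REPORTS))
```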
Key Success Factors

• A holistic security awareness program for
  • Developers
  • Managers
• Yes, security awareness is important, but developer awareness is even more important
Listen to Your Developers

We are often talking about a lack of security awareness and by that forget the problem of lacking development awareness.

• Building a secure system is more difficult than finding a successful attack
• Do not expect your developers to become penetration testers (or security experts)
Security Testing for Developers

Security testing tools for developers need to
• Be applicable from the start of development
• Automate the security knowledge
• Be deeply integrated into the development environment, e.g.
  • IDE (instant feedback)
  • Continuous integration
• Provide easy-to-understand fix recommendations
• Declare their "sweet spots"
Collaborate

Security experts need to collaborate with development experts to
• Create easy-to-use security APIs (ever tried to use an SSL API securely?)
• Create languages and frameworks that make it hard to implement insecure systems
• Explain how to program securely
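An added example (not from the slides) of the "ever tried to use an SSL API securely?" point, using Python's standard ssl module: the low-level constructor hands a developer a client context that verifies nothing, while a small team-provided wrapper with secure defaults and a lint-style audit function (both hypothetical names) make the secure path the easy one.

```python
import ssl
import warnings


def legacy_client_context() -> ssl.SSLContext:
    """The failure mode: reaching for the low-level constructor gives a client
    context that verifies neither the server certificate nor its hostname."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # PROTOCOL_TLS is deprecated
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
    return ctx


def secure_client_context() -> ssl.SSLContext:
    """The easy-to-use wrapper a security team can hand to developers
    (hypothetical name): secure defaults, nothing to remember at the call site."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # explicit floor, independent of Python version
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Findings a lint rule (hypothetical) would raise on a client-side context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    return findings


if __name__ == "__main__":
    print("legacy:", audit_client_context(legacy_client_context()))
    print("secure:", audit_client_context(secure_client_context()))
```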
Mobile App Development at SAP

Key takeaways:
• Hybrid applications are becoming the predominant development model (at SAP)
• The challenges of hybrid apps are transferable to
  • web frameworks (EJB, Rails, PHP)
  • enterprise applications (XSJS, SQLScript, ABAP, JS)
• Even mobile apps contain > 500 kLOC
• There are a lot of open and interesting security research questions in the area of hybrid development models
Why Are Mobile Apps Special? Organisational Aspects

• Partly not developed by the development organisations (e.g., marketing)
• Fast update cycles (to the app store, not necessarily "on device")
• Mobile apps are not patched (instead: new release)
• Processes partly defined by App Store operators (e.g., Google, Apple, ...)
Why Are Mobile Apps Special? Technical Aspects

• Limited/different user interface
• High volume of apps released
• Development tools are not fully under own control
• Programming languages might not be used elsewhere
• Lots of frameworks that
  • are rather new
  • are not as mature
  • might track users (data privacy)
• They are not independent
The Hidden Beast: the Server. As a mobile app, you are never alone

A final remark:
• Usually there is at least one server "in the background"
• Many security and data privacy issues are caused by
  • the communication between the app and its "own" server
  • the implementation of its "own" server
  • external servers and/or services
Conclusion

• Secure software development is a
  • Prerequisite for the secure and compliant operation
  • Risk of operating and maintaining IT systems
  → We need SecDevOps
• Security requires an end-to-end approach
  • Training of developers, architects, product owners
  • Security testing during development
  • Validation of your security testing efforts
  • Maintenance and security patch management
• Developers are your most important ally
  • Make life easy for them
Thank you

http://xkcd.com/327

Dr. Achim D. Brucker
achim.brucker@sap.com
https://www.brucker.ch
https://logicalhacking.com
Related Publications

Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257-261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmannea-security-testing-2014

Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34-71, 2015. http://www.brucker.ch/bibliography/abstract/bruckerea-formal-fw-testing-2014

Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91-101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/bruckerea-sast-expierences-2014

Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683-721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/bruckerea-theorem-prover-2012
© 2015 SAP SE. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE. The information contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP SE.

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2015 SAP SE All Rights Reserved Page 31 of 30
Combining Multiple Security Testing Methods and Tools

Layers of the software stack shown on the slide: Client Application, Web Browser, Server Application, Runtime Container, Backend Systems

Tools placed on those layers as the slide builds up: Checkmarx (JavaScript), DOMinator, Fortify (Java), Coverity (C/C++), HP WebInspect, IBM AppScan

• Risks of using only SAST
  • Wasting effort that could be used more wisely elsewhere
  • Shipping insecure software
• Examples of SAST limitations
  • Not all programming languages are supported
  • Does not cover all layers of the software stack
© 2015 SAP SE. All Rights Reserved. Page 13 of 30
A Risk-based Test Plan

Inputs to the risk assessment: selection from a list of predefined application types; implementation details (e.g. programming languages, frameworks); priority of SAP Security Requirements. Output: the Security Test Plan.

RISK ASSESSMENT (e.g. SECURIM, Threat Modelling, OWASP ASVS)
• Combines multiple security testing methods, e.g. code scans, dynamic analysis, manual penetration testing or fuzzing
• Selects the most efficient test tools and test cases based on the risks and the technologies used in the project
• Re-adjusts priorities of test cases based on identified risks for the project
• Monitors false negative findings in the results of the risk assessment
© 2015 SAP SE. All Rights Reserved. Page 14 of 30
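The two slides above describe a selection procedure: pick tools by the languages and stack layers a project actually uses, make the gaps visible, and order the test cases by assessed risk. The following is an added example written for this page, not SAP's code or tooling. The tool/language pairings follow slide 13; the layer each tool is assumed to exercise, the sample project stack and the risk scores are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tool:
    name: str
    method: str            # "SAST" (code scan) or "DAST" (dynamic analysis)
    languages: frozenset   # languages a SAST tool understands; empty = language-agnostic
    layers: frozenset      # layers of the software stack the tool can exercise


# Constructed tool catalogue. The tool/language pairings follow the slide;
# the layer assignments are assumptions made for this example.
CATALOGUE = (
    Tool("Checkmarx", "SAST", frozenset({"JavaScript"}), frozenset({"client", "browser"})),
    Tool("Fortify", "SAST", frozenset({"Java"}), frozenset({"server"})),
    Tool("Coverity", "SAST", frozenset({"C", "C++"}), frozenset({"container", "backend"})),
    Tool("DOMinator", "DAST", frozenset(), frozenset({"browser"})),
    Tool("HP WebInspect", "DAST", frozenset(), frozenset({"server"})),
    Tool("IBM AppScan", "DAST", frozenset(), frozenset({"server"})),
)


def covers(tool, layer, language):
    """A tool fits a layer if it exercises that layer and, for SAST, knows the language."""
    return layer in tool.layers and (not tool.languages or language in tool.languages)


def select_tools(stack, methods=("SAST", "DAST"), catalogue=CATALOGUE):
    """stack maps each layer to its implementation language.
    Returns {layer: [tool names]} restricted to the allowed testing methods."""
    return {
        layer: [t.name for t in catalogue if t.method in methods and covers(t, layer, lang)]
        for layer, lang in stack.items()
    }


def uncovered_layers(plan):
    """Layers no selected tool can reach: candidates for manual penetration testing."""
    return sorted(layer for layer, tools in plan.items() if not tools)


def prioritise(test_cases, risk):
    """Order test cases by the risk score of the requirement they check, highest first."""
    return sorted(test_cases, key=lambda tc: (-risk.get(tc[1], 0), tc[0]))


def build_test_plan(stack, test_cases, risk):
    """Combine tool selection, gap detection and risk-based ordering into one plan."""
    plan = select_tools(stack)
    return {
        "tools": plan,
        "manual_pentest_layers": uncovered_layers(plan),
        "ordered_test_cases": [name for name, _ in prioritise(test_cases, risk)],
    }


# Constructed sample: a hybrid app with an ABAP backend and a risk assessment result.
HYBRID_APP = {"client": "JavaScript", "browser": "JavaScript", "server": "Java",
              "container": "C++", "backend": "ABAP"}
TEST_CASES = [("tc-xss-dom", "XSS"), ("tc-auth-bypass", "Authentication"),
              ("tc-log-inject", "Logging")]
RISK = {"Authentication": 3, "XSS": 2, "Logging": 1}

if __name__ == "__main__":
    sast_only = select_tools(HYBRID_APP, methods=("SAST",))
    print("SAST-only gaps:", uncovered_layers(sast_only))   # the backend is not reached
    print(build_test_plan(HYBRID_APP, TEST_CASES, RISK))
```

Running it with the SAST-only method set reproduces the limitation on slide 13: the ABAP backend has no matching scanner and shows up as an uncovered layer, which the full plan then routes to manual penetration testing instead of silently dropping.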
SAP's Secure Software Development Lifecycle (S2DL)
© 2015 SAP SE. All Rights Reserved. Page 15 of 30
Security Validation
• Acts as first customer
• Is not a replacement for security testing during development
• Security Validation
  • Checks for "flaws" in the implementation of the S2DL
  • Ideally, security validation finds
    • No issues that could have been fixed/detected earlier
    • Only issues that cannot be detected earlier (e.g. insecure default configurations, missing security documentation)

Penetration tests in productive environments are different:
• They test the actual configuration
• They test the productive environment (e.g. cloud/hosting)
© 2015 SAP SE. All Rights Reserved. Page 16 of 30
How to Measure Success
• Analyze the vulnerabilities reported by
  • Security Validation
  • External security researchers
• Vulnerability not detected by our security testing tools
  • Improve tool configuration
  • Introduce new tools
• Vulnerability detected by our security testing tools
  • Vulnerability in older software release
  • Analyze reason for missing the vulnerability

Buckets in the diagram: Covered, Not Covered, Newly Covered

Success criteria: the percentage of vulnerabilities not covered by our security testing tools increases
© 2015 SAP SE. All Rights Reserved. Page 17 of 30
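The slide defines a metric rather than a tool: each reported vulnerability is sorted into a bucket depending on whether the existing tools can detect its class at all, and the share of "not covered" reports is tracked over time. The code below is an added example written for this page, not SAP's measurement process. The coverage table (vulnerability class to the first release from which the tools detect it), the bucket names beyond the three on the slide, the follow-up actions and the sample reports are all constructed.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    """One vulnerability reported by Security Validation or an external researcher."""
    ident: str
    source: str      # "security-validation" or "external-researcher"
    category: str    # vulnerability class the report belongs to
    release: int     # release number of the affected software


# Constructed coverage table: category -> first release from which our tools detect it.
TOOL_COVERAGE = {"XSS": 2, "SQLi": 1, "path-traversal": 5}


def classify(report, coverage=TOOL_COVERAGE):
    """Return (bucket, follow-up action) for one report, following the slide's branches."""
    since = coverage.get(report.category)
    if since is None:
        # Tools cannot find this class at all: configuration or tooling gap.
        return "not-covered", "improve tool configuration or introduce a new tool"
    if report.release < since:
        # Affected release predates the coverage: the class is only newly covered.
        return "newly-covered", "vulnerability in an older release, before the tools covered this class"
    # Tools should have caught it: find out why they did not.
    return "covered", "analyze the reason for missing the vulnerability"


def bucket_counts(reports, coverage=TOOL_COVERAGE):
    """How many reports fall into each bucket."""
    return Counter(classify(r, coverage)[0] for r in reports)


def not_covered_share(reports, coverage=TOOL_COVERAGE):
    """Fraction of reported vulnerabilities outside the reach of our tools; 0.0 for no reports."""
    if not reports:
        return 0.0
    return bucket_counts(reports, coverage)["not-covered"] / len(reports)


def improving(previous, current, coverage=TOOL_COVERAGE):
    """The slide's success criterion: the not-covered share increases between two periods,
    i.e. what the tools can find no longer reaches validation or external researchers."""
    return not_covered_share(current, coverage) > not_covered_share(previous, coverage)


# Constructed sample reports for two consecutive reporting periods.
PERIOD_1 = [
    Report("SV-1", "security-validation", "XSS", 3),
    Report("SV-2", "security-validation", "SQLi", 0),
    Report("EXT-1", "external-researcher", "XSS", 4),
    Report("SV-3", "security-validation", "insecure-default-config", 4),
]
PERIOD_2 = [
    Report("SV-4", "security-validation", "insecure-default-config", 5),
    Report("EXT-2", "external-researcher", "missing-security-doc", 5),
    Report("EXT-3", "external-researcher", "path-traversal", 5),
]

if __name__ == "__main__":
    for period in (PERIOD_1, PERIOD_2):
        print(dict(bucket_counts(period)), round(not_covered_share(period), 2))
    print("improving:", improving(PERIOD_1, PERIOD_2))
```

Note the direction of the criterion: a rising "not covered" share is the desired outcome here, because the remaining findings are the ones (insecure defaults, missing documentation) that slide 16 says validation is meant to catch, while the "covered" bucket is a list of tool runs to go back and debug.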
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAP's S2DL
4 Lessons Learned
5 How Does This Apply to Mobile Development
6 Conclusion
© 2015 SAP SE. All Rights Reserved. Page 18 of 30
Key Success Factors
• A holistic security awareness program for
  • Developers
  • Managers
• Yes, security awareness is important, but developer awareness is even more important
© 2015 SAP SE. All Rights Reserved. Page 19 of 30
Listen to Your Developers
We are often talking about a lack of security awareness and, by that, forget the problem of lacking development awareness.
• Building a secure system is more difficult than finding a successful attack
• Do not expect your developers to become penetration testers (or security experts)
© 2015 SAP SE. All Rights Reserved. Page 20 of 30
Security Testing for Developers
Security testing tools for developers need to
• Be applicable from the start of development
• Automate the security knowledge
• Be deeply integrated into the development environment, e.g.
  • IDE (instant feedback)
  • Continuous integration
• Provide easy to understand fix recommendations
• Declare their "sweet spots"
© 2015 SAP SE. All Rights Reserved. Page 21 of 30
Collaborate
Security experts need to collaborate with development experts to
• Create easy to use security APIs (ever tried to use an SSL API securely?)
• Create languages and frameworks that make it hard to implement insecure systems
• Explain how to program securely
© 2015 SAP SE. All Rights Reserved. Page 22 of 30
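The "ever tried to use an SSL API securely?" remark is easy to make concrete. The following is an added example for this page, not code from the talk or from SAP: it builds, with Python's standard `ssl` module, the context that results from the common "make the certificate error go away" edit, beside the secure-by-default construction, and a small audit function that a CI check could run over a project's contexts. The function names and the audit rules are this example's own; no network connection is made.

```python
import ssl


def weak_context():
    """The 'just make the certificate error go away' pattern seen in real code.
    Two attributes must be flipped in the right order (check_hostname first, or
    ssl raises ValueError), and nothing warns that verification is now off."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile=None):
    """Secure-by-default construction: certificate verification and hostname
    checks stay on, and the protocol floor is pinned to TLS 1.2. cafile is
    optional; None means the platform trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return the names of the settings that make a client context unsafe.
    An empty list means the context passes this check."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode")       # peer certificate is not validated
    if not ctx.check_hostname:
        findings.append("check_hostname")    # any valid certificate is accepted for any host
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version")   # downgrade to legacy protocol versions allowed
    return findings


if __name__ == "__main__":
    print("weak:", audit_context(weak_context()))
    print("hardened:", audit_context(hardened_context()))
    # At a real call site the hardened context is used as
    # ctx.wrap_socket(sock, server_hostname=host); the audit does not need a socket.
```

The usability point of the slide is visible in `weak_context`: the API accepts the insecure combination silently, and the only guard it offers (the `ValueError` when the two attributes are set in the wrong order) is an ordering constraint, not a warning that verification has been disabled. A check like `audit_context` is the kind of thing a security team can hand to developers so the mistake is caught in CI instead of in validation.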
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAP's S2DL
4 Lessons Learned
5 How Does This Apply to Mobile Development
6 Conclusion
© 2015 SAP SE. All Rights Reserved. Page 23 of 30
Mobile App Development at SAP
Key takeaways
• Hybrid applications are becoming the pre-dominant development model (at SAP)
• The challenges of hybrid apps are transferable to
  • web frameworks (EJB, Rails, PHP)
  • enterprise applications (XSJS, SQLScript, ABAP, JS)
• Even mobile apps contain > 500 kLOC
• There are a lot of open and interesting security research questions in the area of hybrid development models
© 2015 SAP SE. All Rights Reserved. Page 24 of 30
Why Are Mobile Apps Special? Organisational Aspects
• Partly not developed by the development organisations (e.g. marketing)
• Fast update cycles (to the app store, not necessarily "on device")
• Mobile apps are not patched (instead: new release)
• Processes partly defined by App Store operators (e.g. Google, Apple, ...)
© 2015 SAP SE. All Rights Reserved. Page 25 of 30
Why Are Mobile Apps Special? Technical Aspects
• Limited/different user interface
• High volume of apps released
• Development tools are not fully under own control
• Programming languages might not be used elsewhere
• Lot of frameworks that
  • are rather new
  • are not as mature
  • might track users (data privacy)
• They are not independent
© 2015 SAP SE. All Rights Reserved. Page 26 of 30
The Hidden Beast: the Server. As a mobile app, you are never alone
A final remark
• Usually there is at least one server "in the background"
• Many security and data privacy issues are caused by
  • the communication between the app and its "own" server
  • the implementation of its "own" server
  • external servers and/or services
© 2015 SAP SE. All Rights Reserved. Page 27 of 30
Conclusion
• Secure software development is a
  • Prerequisite for the secure and compliant operation
  • Risk of operating and maintaining IT systems
  We need SecDevOps
• Security requires an end-to-end approach
  • Training of developers, architects, product owners
  • Security testing during development
  • Validation of your security testing efforts
  • Maintenance and security patch management
• Developers are your most important ally
  • Make life easy for them
© 2015 SAP SE. All Rights Reserved. Page 28 of 30
Thank you
http://xkcd.com/327
Dr. Achim D. Brucker, achim.brucker@sap.com, https://www.brucker.ch, https://logicalhacking.com

Related Publications
Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014
Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014
Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014
Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012
© 2015 SAP SE. All Rights Reserved. Page 30 of 30
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2015 SAP SE All Rights Reserved Page 31 of 30
- Background
- Motivation
- Risk-based Security Testing as Part of SAP's S2DL
- Lessons Learned
- How Does This Apply to Mobile Development
- Conclusion
Combining Multiple Security Testing Methods and Tools

[Figure: the layers of the software stack (Client Application, Web Browser, Server Application, Runtime Container, Backend Systems) and the tools that cover each of them: Checkmarx (JavaScript), Fortify (Java), DOMinator, Coverity (C/C++), HP WebInspect, IBM AppScan]

• Risks of using only SAST:
  • Wasting effort that could be used more wisely elsewhere
  • Shipping insecure software
• Examples of SAST limitations:
  • Not all programming languages supported
  • Does not cover all layers of the software stack

© 2015 SAP SE. All Rights Reserved. Page 13 of 30
A Risk-based Test Plan

[Figure: inputs to the Security Test Plan: a selection from a list of predefined application types, the implementation details (e.g. programming languages, frameworks), the priority of SAP Security Requirements, and the risk assessment (e.g. SECURIM, threat modelling, OWASP ASVS)]

• Combines multiple security testing methods, e.g. code scans, dynamic analysis, manual penetration testing or fuzzing
• Selects the most efficient test tools and test cases based on the risks and the technologies used in the project
• Re-adjusts priorities of test cases based on identified risks for the project
• Monitors false negative findings in the results of the risk assessment

© 2015 SAP SE. All Rights Reserved. Page 14 of 30
SAP's Secure Software Development Lifecycle (S2DL)

© 2015 SAP SE. All Rights Reserved. Page 15 of 30
Security Validation

• Acts as first customer
• Is not a replacement for security testing during development
• Security Validation:
  • Checks for "flaws" in the implementation of the S2DL
  • Ideally, security validation finds
    • No issues that can be fixed/detected earlier
    • Only issues that cannot be detected earlier (e.g. insecure default configurations, missing security documentation)

Penetration tests in productive environments are different:
• They test the actual configuration
• They test the productive environment (e.g. cloud/hosting)

© 2015 SAP SE. All Rights Reserved. Page 16 of 30
How to Measure Success

• Analyze the vulnerabilities reported by
  • Security Validation
  • External security researchers
• Vulnerability not detected by our security testing tools:
  • Improve tool configuration
  • Introduce new tools
• Vulnerability detected by our security testing tools:
  • Vulnerability in older software release
  • Analyze reason for missing vulnerability

[Figure: reported vulnerabilities classified as Covered, Not Covered and Newly Covered]

Success criteria: Percentage of vulnerabilities not covered by our security testing tools increases

© 2015 SAP SE. All Rights Reserved. Page 17 of 30
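As an added example (not from the slides), the classification on this slide turned into code: each reported vulnerability is sorted into the Covered / Not Covered / Newly Covered buckets and the success metric, the share of reported vulnerabilities not covered by the tools, is tracked from release to release. The record layout, the bucket rules and all sample reports are constructed assumptions, not SAP data.

```python
"""Success metric from the 'How to Measure Success' slide.

Added example: the record layout, the bucket rules and the sample reports
below are constructed assumptions, not taken from SAP's process or data.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ReportedVuln:
    """One vulnerability reported by Security Validation or an external researcher."""
    vuln_id: str
    source: str          # "security-validation" or "external-researcher"
    release: str         # release in which the vulnerability was reported
    tool_detects: bool   # would the current security testing tools flag it?
    older_release: bool  # does the affected code predate the rollout of those tools?


def classify(v: ReportedVuln) -> str:
    """Map one report onto the slide's three buckets.

    not-covered   : no tool finds it -> improve tool configuration / introduce new tools
    newly-covered : a tool finds it today, but the code predates the tool rollout
    covered       : a tool finds it and the release was scanned -> analyse why it was missed
    """
    if not v.tool_detects:
        return "not-covered"
    if v.older_release:
        return "newly-covered"
    return "covered"


def coverage_breakdown(vulns: list) -> dict:
    """Per release: counts per bucket and the slide's success metric, the
    percentage of reported vulnerabilities not covered by the tools."""
    per_release = {}
    for v in vulns:
        per_release.setdefault(v.release, Counter())[classify(v)] += 1
    result = {}
    for release, counts in per_release.items():
        total = sum(counts.values())
        result[release] = {
            "counts": dict(counts),
            "pct_not_covered": round(100.0 * counts["not-covered"] / total, 1),
        }
    return result


def success_criterion_met(breakdown: dict, release_order: list) -> bool:
    """Success per the slide: the share of not-covered vulnerabilities grows
    from release to release, i.e. the tools keep catching what they can
    catch before the software ships."""
    pcts = [breakdown[r]["pct_not_covered"] for r in release_order]
    return all(later > earlier for earlier, later in zip(pcts, pcts[1:]))


# Constructed sample reports (not real findings).
SAMPLE_REPORTS = [
    ReportedVuln("V-01", "security-validation", "R1", True, False),
    ReportedVuln("V-02", "external-researcher", "R1", True, True),
    ReportedVuln("V-03", "external-researcher", "R1", False, False),
    ReportedVuln("V-04", "security-validation", "R1", True, False),
    ReportedVuln("V-05", "security-validation", "R2", False, False),
    ReportedVuln("V-06", "external-researcher", "R2", True, True),
    ReportedVuln("V-07", "external-researcher", "R2", False, False),
    ReportedVuln("V-08", "security-validation", "R2", True, False),
    ReportedVuln("V-09", "external-researcher", "R3", False, False),
    ReportedVuln("V-10", "security-validation", "R3", False, False),
    ReportedVuln("V-11", "external-researcher", "R3", True, True),
]
RELEASE_ORDER = ["R1", "R2", "R3"]

if __name__ == "__main__":
    breakdown = coverage_breakdown(SAMPLE_REPORTS)
    for release in RELEASE_ORDER:
        print(release, breakdown[release])
    print("success criterion met:", success_criterion_met(breakdown, RELEASE_ORDER))
```

The "not-covered" bucket is the work list for the slide's follow-up actions (tool configuration, new tools); the "covered" bucket is where a process failure, not a tool gap, has to be explained.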
Agenda

1. Background
2. Motivation
3. Risk-based Security Testing as Part of SAP's S2DL
4. Lessons Learned
5. How Does This Apply to Mobile Development
6. Conclusion

© 2015 SAP SE. All Rights Reserved. Page 18 of 30
Key Success Factors

• A holistic security awareness program for
  • Developers
  • Managers
• Yes, security awareness is important, but developer awareness is even more important

© 2015 SAP SE. All Rights Reserved. Page 19 of 30
Listen to Your Developers

We are often talking about a lack of security awareness and by that forget the problem of lacking development awareness.

• Building a secure system is more difficult than finding a successful attack
• Do not expect your developers to become penetration testers (or security experts)

© 2015 SAP SE. All Rights Reserved. Page 20 of 30
Security Testing for Developers

Security testing tools for developers need to
• Be applicable from the start of development
• Automate the security knowledge
• Be deeply integrated into the development environment, e.g.
  • IDE (instant feedback)
  • Continuous integration
• Provide easy to understand fix recommendations
• Declare their "sweet spots"

© 2015 SAP SE. All Rights Reserved. Page 21 of 30
Collaborate

Security experts need to collaborate with development experts to
• Create easy to use security APIs (ever tried to use an SSL API securely?)
• Create languages and frameworks that make it hard to implement insecure systems
• Explain how to program securely

© 2015 SAP SE. All Rights Reserved. Page 22 of 30
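To illustrate the "ever tried to use an SSL API securely?" remark, an added example (not SAP's code) using Python's ssl module: the weak client configuration developers reach for when a certificate error blocks them, the hardened configuration beside it, and an audit function that flags the weak settings. The audit rules and the function names are my own assumptions.

```python
"""Weak versus hardened TLS client configuration, plus an audit of the settings.

Added example, not from the original slides. The audit rules and function
names are constructed for this illustration.
"""
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The misuse that 'makes the connection work' when a self-signed or
    mismatched certificate shows up: verification is switched off, so any
    server, including one sitting in the middle, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """What an easy-to-use API should hand out by default: chain verification
    against the system trust store, hostname matching, and nothing below TLS 1.2."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means no weak setting detected.
    Each finding starts with the offending attribute name so a CI gate can
    match on it."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode: peer certificate is not verified (expected CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("check_hostname: certificate is not matched against the server name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum_version: {ctx.minimum_version.name} allows protocol versions below TLS 1.2"
        )
    return findings


if __name__ == "__main__":
    for label, ctx in (("insecure", insecure_client_context()),
                       ("hardened", hardened_client_context())):
        print(label, audit_client_context(ctx) or ["no findings"])
```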
Agenda

1. Background
2. Motivation
3. Risk-based Security Testing as Part of SAP's S2DL
4. Lessons Learned
5. How Does This Apply to Mobile Development
6. Conclusion

© 2015 SAP SE. All Rights Reserved. Page 23 of 30
Mobile App Development at SAP

Key takeaways:
• Hybrid applications are becoming the predominant development model (at SAP)
• The challenges of hybrid apps are transferable to
  • web frameworks (EJB, Rails, PHP)
  • enterprise applications (XSJS, SQLScript, ABAP, JS)
• Even mobile apps contain > 500 kLOC
• There are a lot of open and interesting security research questions in the area of hybrid development models

© 2015 SAP SE. All Rights Reserved. Page 24 of 30
Why Are Mobile Apps Special? Organisational Aspects

• Partly not developed by the development organisations (e.g. marketing)
• Fast update cycles (to the app store, not necessarily "on device")
• Mobile apps are not patched (instead: new release)
• Processes partly defined by App Store operators (e.g. Google, Apple, ...)

© 2015 SAP SE. All Rights Reserved. Page 25 of 30
Why Are Mobile Apps Special? Technical Aspects

• Limited/different user interface
• High volume of apps released
• Development tools are not fully under own control
• Programming languages might not be used elsewhere
• Lots of frameworks that
  • are rather new
  • are not as mature
  • might track users (data privacy)
• They are not independent

© 2015 SAP SE. All Rights Reserved. Page 26 of 30
The Hidden Beast — Server: As a mobile app, you are never alone

A final remark:
• Usually there is at least one server "in the background"
• Many security and data privacy issues are caused by
  • the communication between the app and its "own" server
  • the implementation of its "own" server
  • external servers and/or services

© 2015 SAP SE. All Rights Reserved. Page 27 of 30
Conclusion

• Secure software development is a
  • Prerequisite for the secure and compliant operation
  • Risk of operating and maintaining IT systems
  We need SecDevOps
• Security requires an end-to-end approach:
  • Training of developers, architects, product owners
  • Security testing during development
  • Validation of your security testing efforts
  • Maintenance and security patch management
• Developers are your most important ally:
  • Make life easy for them

© 2015 SAP SE. All Rights Reserved. Page 28 of 30
Thank you

http://xkcd.com/327

Dr. Achim D. Brucker
achim.brucker@sap.com
https://www.brucker.ch
https://logicalhacking.com
Related Publications

Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014

Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014

Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014

Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012

© 2015 SAP SE. All Rights Reserved. Page 30 of 30
copy 2015 SAP SE All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2015 SAP SE All Rights Reserved Page 31 of 30
- Background
- Motivation
- Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
- Lessons Learned
- How Does This Apply to Mobile Development
- Conclusion
-
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx
Fortify (Java)
DO
Min
ato
r
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 13 of 30
A Risk-based Test Plan
Select from a list of
predefined application
types
Implementation detaos eg programming languages frameworks
Priority of SAP Security
Requirements
Security Test Plan
RISK ASSESMENT
(eg SECURIM Threat Modelling OWASP ASVS) bull Combines multiple security testing methods eg
code scans dynamic analysis manual penetrationtesting or fuzzing
bull Selects the most efficient test tools and test casesbased on the risks and the technologies used in theproject
bull Re-adjusts priorities of test cases based on identifiedrisks for the project
bull Monitors false negative findings in the results of riskassessment
copy 2015 SAP SE All Rights Reserved Page 14 of 30
SAPrsquo Secure Software Development Lifecycle (S2DL)
copy 2015 SAP SE All Rights Reserved Page 15 of 30
Security Validation
bull Acts as first customer
bull Is not a replacement for security testing during development
bull Security Validationbull Check for ldquoflawsrdquo in the implementation of the S2DLbull Ideally security validation findsbull No issues that can be fixeddetected earlierbull Only issues that cannot be detect earlier
(eg insecure default configurations missing security documentation)
Penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 16 of 30
Security Validation
bull Acts as first customer
bull Is not a replacement for security testing during development
bull Security Validationbull Check for ldquoflawsrdquo in the implementation of the S2DLbull Ideally security validation findsbull No issues that can be fixeddetected earlierbull Only issues that cannot be detect earlier
(eg insecure default configurations missing security documentation)
Penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 16 of 30
How to Measure Success
bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers
bull Vulnerability not detected by our security testingtools
bull Improve tool configurationbull Introduce new tools
bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability
Covered
Not Covered
Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases
copy 2015 SAP SE All Rights Reserved Page 17 of 30
How to Measure Success
bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers
bull Vulnerability not detected by our security testingtools
bull Improve tool configurationbull Introduce new tools
bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability
Covered
Not Covered
Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases
copy 2015 SAP SE All Rights Reserved Page 17 of 30
How to Measure Success
bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers
bull Vulnerability not detected by our security testingtools
bull Improve tool configurationbull Introduce new tools
bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability
Covered
Not Covered
Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases
copy 2015 SAP SE All Rights Reserved Page 17 of 30
How to Measure Success
bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers
bull Vulnerability not detected by our security testingtools
bull Improve tool configurationbull Introduce new tools
bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability
Covered
Not Covered
NewlyCovered
Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases
copy 2015 SAP SE All Rights Reserved Page 17 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 18 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important
but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Listen to Your Developers
We are often talking about a lack of security awareness and by thatforget the problem of lacking development awareness
bull Building a secure system more difficult than finding a successful attack
bull Do not expect your developers to become penetration testers (or security experts)
copy 2015 SAP SE All Rights Reserved Page 20 of 30
Security Testing for Developers
Security testing tools for developers need to
bull Be applicable from the start ofdevelopment
bull Automate the security knowledge
bull Be deeply integrated into the dev enveg
bull IDE (instant feedback)bull Continuous integration
bull Provide easy to understand fixrecommendations
bull Declare their ldquosweet spotsrdquo
copy 2015 SAP SE All Rights Reserved Page 21 of 30
Collaborate
Security experts need to collaborate with development experts to
bull Create easy to use security APIs (ever tried to use an SSL API securely)
bull Create languages and frameworks that make it hard to implement insecure systems
bull Explain how to program securely
copy 2015 SAP SE All Rights Reserved Page 22 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 23 of 30
Mobile App Development at SAP
Key take aways
bull Hybrid applications are becoming thepre-dominant development model (at SAP)
bull the challenges of hybrid apps aretransferable to
bull web frameworks(EJB Rails PHP)
bull enterprise applications(XSJS SQLScript ABAP JS)
bull even mobile apps contain gt 500kLOC
bull there are a lot of open and interestingsecurity research questions in the area ofhybrid development models
copy 2015 SAP SE All Rights Reserved Page 24 of 30
Why Are Mobile Apps SpecialOrganisational Aspects
bull Partly not developed by thedevelopment organisations(eg marketing)
bull Fast update cycles(to app store not necessarily ldquoon devicerdquo)
bull Mobile apps are not patched(instead new release)
bull Processes partly defined by App Store operators(eg Google Apple )
copy 2015 SAP SE All Rights Reserved Page 25 of 30
Why Are Mobile Apps SpecialTechnical Aspects
bull Limiteddifferent user interface
bull High volume of apps released
bull Development tools are not fully under own control
bull Programming languages might not be usedelsewhere
bull Lot of frameworks thatbull rather newbull not as maturebull might track users (data privacy)
bull They are not independent
copy 2015 SAP SE All Rights Reserved Page 26 of 30
The Hidden Beast mdash ServerAs a mobile app you never be alone
A final remark
bull usually there is at least one server ldquoin the backgroundrdquo
bull many security and data privacy issues are caused bybull the communication of the app and its ldquoownrdquo serverbull the implementation of its ldquoownrdquo serverbull external servers andor services
copy 2015 SAP SE All Rights Reserved Page 27 of 30
Conclusion
bull Secure software development is abull Prerequisite for the secure and compliant operation
We need SecDevOpsbull Risk of operating and maintaining IT systems
bull Security requires an end-to-end approachbull Training of developers architects product ownersbull Security testing during developmentbull Validation of your security testing effortsbull Maintenance and security patch management
bull Developers are your most important allybull Make life easy for them
copy 2015 SAP SE All Rights Reserved Page 28 of 30
Thank you
httpxkcdcom327
Dr Achim D Bruckerachimbruckersapcomhttpswwwbruckerchhttpslogicalhackingcom
Related Publications
Ruediger Bachmann and Achim D Brucker
Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014
Achim D Brucker Lukas Bruumlgger and Burkhart Wolff
Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
Achim D Brucker and Uwe Sodan
Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014
Achim D Brucker and Burkhart Wolff
On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
copy 2015 SAP SE All Rights Reserved Page 30 of 30
copy 2015 SAP SE All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied or transmitted in any form or for any purpose without the express prior written permission of SAP SE.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.
A Risk-based Test Plan

Inputs to the plan (figure on the slide):
• Application type: selected from a list of predefined application types
• Implementation details, e.g. programming languages, frameworks
• Priority of SAP Security Requirements
• Risk assessment (e.g. SECURIM, threat modelling, OWASP ASVS)
→ Security Test Plan

The security test plan
• Combines multiple security testing methods, e.g. code scans, dynamic analysis, manual penetration testing or fuzzing
• Selects the most efficient test tools and test cases based on the risks and the technologies used in the project
• Re-adjusts priorities of test cases based on identified risks for the project
• Monitors false negative findings in the results of risk assessment
SAP's Secure Software Development Lifecycle (S2DL)
(Figure: overview of the S2DL phases)
Security Validation
• Acts as first customer
• Is not a replacement for security testing during development
• Security validation
  • Checks for "flaws" in the implementation of the S2DL
  • Ideally, security validation finds
    • no issues that can be fixed/detected earlier
    • only issues that cannot be detected earlier (e.g. insecure default configurations, missing security documentation)

Penetration tests in productive environments are different:
• They test the actual configuration
• They test the productive environment (e.g. cloud/hosting)
How to Measure Success
• Analyze the vulnerabilities reported by
  • Security Validation
  • External security researchers
• Vulnerability not detected by our security testing tools
  • Improve tool configuration
  • Introduce new tools
• Vulnerability detected by our security testing tools
  • Vulnerability in older software release
  • Analyze reason for missing vulnerability
(Figure: reported vulnerabilities classified as Covered, Not Covered and Newly Covered)
Success criteria: Percentage of vulnerabilities not covered by our security testing tools increases
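The planning and measurement loop of the two slides above ("A Risk-based Test Plan" and "How to Measure Success"), as an added Python example that is not part of the original talk and not SAP's tooling: a greedy planner picks test methods by risk, technology and cost, and the findings reported by validation or external researchers are then binned as covered, newly covered or not covered. All method names, technologies, weakness classes, costs and findings are constructed for the illustration.

```python
"""Risk-based test planning and its coverage feedback loop (added example).
Not SAP's code or tooling: every tool name, technology, weakness class, cost
and finding below is constructed for the illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class TestMethod:
    """A security testing method that declares its "sweet spot"."""
    name: str
    technologies: frozenset  # implementation details it applies to
    sweet_spot: frozenset    # weakness classes it is good at finding
    cost: int                # relative effort (hypothetical units)


# Constructed catalogue of predefined methods; the names are hypothetical.
CATALOGUE = (
    TestMethod("sast-java", frozenset({"java"}),
               frozenset({"sqli", "xss", "path-traversal"}), 1),
    TestMethod("sast-js", frozenset({"javascript"}),
               frozenset({"xss", "dom-xss"}), 1),
    TestMethod("dast-web", frozenset({"java", "javascript", "php"}),
               frozenset({"xss", "sqli", "csrf"}), 3),
    TestMethod("fuzz-parser", frozenset({"c"}),
               frozenset({"memory-corruption"}), 4),
    TestMethod("manual-pentest", frozenset({"java", "javascript", "php", "c"}),
               frozenset({"auth-bypass", "csrf", "insecure-config"}), 10),
)


def plan(technologies, risk_weights, budget, catalogue=CATALOGUE):
    """Build the test plan: walk the weakness classes in descending risk (the
    prioritised security requirements) and, for each class not yet covered,
    take the cheapest applicable method that still fits the budget."""
    selected, spent = [], 0
    for weakness, _ in sorted(risk_weights.items(), key=lambda kv: -kv[1]):
        if any(weakness in m.sweet_spot for m in selected):
            continue  # already covered by an earlier, higher-risk pick
        applicable = [m for m in catalogue
                      if weakness in m.sweet_spot and m.technologies & technologies]
        for m in sorted(applicable, key=lambda m: m.cost):
            if spent + m.cost <= budget:
                selected.append(m)
                spent += m.cost
                break
    return selected


def covered_classes(methods):
    """Union of the sweet spots of all methods in a plan."""
    return frozenset().union(*(m.sweet_spot for m in methods))


@dataclass(frozen=True)
class Finding:
    """A vulnerability reported by security validation or a researcher."""
    source: str    # "validation" or "external"
    weakness: str  # weakness class of the finding
    release: str   # software release the finding was reported against


def classify(finding, old_plan, new_plan, current_release):
    """Map one finding to the slide's buckets.

    covered:       the old plan already claimed the class, so analyse why the
                   finding was missed (a finding against an older release that
                   predates the plan is the benign case, flagged separately)
    newly covered: only the adjusted plan claims the class, i.e. the effect of
                   an improved tool configuration or a newly introduced tool
    not covered:   neither plan claims it, a gap that is still open
    """
    if finding.weakness in covered_classes(old_plan):
        if finding.release != current_release:
            return "covered (older release)"
        return "covered (analyse miss)"
    if finding.weakness in covered_classes(new_plan):
        return "newly covered"
    return "not covered"


def coverage_report(findings, old_plan, new_plan, current_release):
    """Counts per bucket plus the share of findings that no method in the
    adjusted plan covers; tracking that share is the slide's success metric."""
    counts = Counter(classify(f, old_plan, new_plan, current_release)
                     for f in findings)
    share = counts["not covered"] / len(findings) if findings else 0.0
    return dict(counts), round(share, 3)


if __name__ == "__main__":
    # Constructed hybrid app: Java backend plus a JavaScript client.
    techs = frozenset({"java", "javascript"})
    risks = {"sqli": 9, "xss": 8, "auth-bypass": 7, "csrf": 5, "dom-xss": 4}
    old = plan(techs, risks, budget=5)  # plan before the validation round
    new = plan(techs, {**risks, "insecure-config": 6}, budget=15)  # adjusted
    reported = [  # constructed findings from validation and researchers
        Finding("validation", "insecure-config", "2.0"),
        Finding("external", "sqli", "1.0"),
        Finding("external", "xss", "2.0"),
        Finding("validation", "memory-corruption", "2.0"),
    ]
    for f in reported:
        print(f"{f.weakness:20s} -> {classify(f, old, new, '2.0')}")
    print(coverage_report(reported, old, new, "2.0"))
```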
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAP's S2DL
4 Lessons Learned
5 How Does This Apply to Mobile Development
6 Conclusion
Key Success Factors
• A holistic security awareness program for
  • Developers
  • Managers
• Yes, security awareness is important, but
  Developer awareness is even more important
Listen to Your Developers
We are often talking about a lack of security awareness and by that forget the problem of lacking development awareness.
• Building a secure system is more difficult than finding a successful attack
• Do not expect your developers to become penetration testers (or security experts)
Security Testing for Developers
Security testing tools for developers need to
• Be applicable from the start of development
• Automate the security knowledge
• Be deeply integrated into the dev env, e.g.
  • IDE (instant feedback)
  • Continuous integration
• Provide easy to understand fix recommendations
• Declare their "sweet spots"
Collaborate
Security experts need to collaborate with development experts to
• Create easy to use security APIs (ever tried to use an SSL API securely?)
• Create languages and frameworks that make it hard to implement insecure systems
• Explain how to program securely
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAP's S2DL
4 Lessons Learned
5 How Does This Apply to Mobile Development
6 Conclusion
Mobile App Development at SAP
Key take-aways
• Hybrid applications are becoming the predominant development model (at SAP)
• The challenges of hybrid apps are transferable to
  • web frameworks (EJB, Rails, PHP)
  • enterprise applications (XSJS, SQLScript, ABAP, JS)
• Even mobile apps contain > 500 kLOC
• There are a lot of open and interesting security research questions in the area of hybrid development models
Why Are Mobile Apps Special? Organisational Aspects
• Partly not developed by the development organisations (e.g. marketing)
• Fast update cycles (to app store, not necessarily "on device")
• Mobile apps are not patched (instead: new release)
• Processes partly defined by App Store operators (e.g. Google, Apple, ...)
Why Are Mobile Apps Special? Technical Aspects
• Limited/different user interface
• High volume of apps released
• Development tools are not fully under own control
• Programming languages might not be used elsewhere
• Lot of frameworks that
  • are rather new
  • are not as mature
  • might track users (data privacy)
• They are not independent
The Hidden Beast — Server: As a mobile app, you are never alone
A final remark
• Usually there is at least one server "in the background"
• Many security and data privacy issues are caused by
  • the communication of the app and its "own" server
  • the implementation of its "own" server
  • external servers and/or services
Conclusion
• Secure software development is a
  • Prerequisite for the secure and compliant operation
  • Risk of operating and maintaining IT systems
  (We need SecDevOps)
• Security requires an end-to-end approach
  • Training of developers, architects, product owners
  • Security testing during development
  • Validation of your security testing efforts
  • Maintenance and security patch management
• Developers are your most important ally
  • Make life easy for them
Thank you
http://xkcd.com/327
Dr. Achim D. Brucker, achim.brucker@sap.com, https://www.brucker.ch, https://logicalhacking.com
Related Publications
Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmannea-security-testing-2014
Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/bruckerea-formal-fw-testing-2014
Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/bruckerea-sast-expierences-2014
Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/bruckerea-theorem-prover-2012
copy 2015 SAP SE All Rights Reserved Page 30 of 30
copy 2015 SAP SE All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2015 SAP SE All Rights Reserved Page 31 of 30
- Background
- Motivation
- Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
- Lessons Learned
- How Does This Apply to Mobile Development
- Conclusion
-
SAPrsquo Secure Software Development Lifecycle (S2DL)
copy 2015 SAP SE All Rights Reserved Page 15 of 30
Security Validation
bull Acts as first customer
bull Is not a replacement for security testing during development
bull Security Validationbull Check for ldquoflawsrdquo in the implementation of the S2DLbull Ideally security validation findsbull No issues that can be fixeddetected earlierbull Only issues that cannot be detect earlier
(eg insecure default configurations missing security documentation)
Penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 16 of 30
Security Validation
bull Acts as first customer
bull Is not a replacement for security testing during development
bull Security Validationbull Check for ldquoflawsrdquo in the implementation of the S2DLbull Ideally security validation findsbull No issues that can be fixeddetected earlierbull Only issues that cannot be detect earlier
(eg insecure default configurations missing security documentation)
Penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 16 of 30
How to Measure Success
bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers
bull Vulnerability not detected by our security testingtools
bull Improve tool configurationbull Introduce new tools
bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability
Covered
Not Covered
Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases
copy 2015 SAP SE All Rights Reserved Page 17 of 30
How to Measure Success
bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers
bull Vulnerability not detected by our security testingtools
bull Improve tool configurationbull Introduce new tools
bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability
Covered
Not Covered
Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases
copy 2015 SAP SE All Rights Reserved Page 17 of 30
How to Measure Success
bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers
bull Vulnerability not detected by our security testingtools
bull Improve tool configurationbull Introduce new tools
bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability
Covered
Not Covered
Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases
copy 2015 SAP SE All Rights Reserved Page 17 of 30
How to Measure Success
bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers
bull Vulnerability not detected by our security testingtools
bull Improve tool configurationbull Introduce new tools
bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability
Covered
Not Covered
NewlyCovered
Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases
copy 2015 SAP SE All Rights Reserved Page 17 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 18 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important
but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Listen to Your Developers
We are often talking about a lack of security awareness and by thatforget the problem of lacking development awareness
bull Building a secure system more difficult than finding a successful attack
bull Do not expect your developers to become penetration testers (or security experts)
copy 2015 SAP SE All Rights Reserved Page 20 of 30
Security Testing for Developers
Security testing tools for developers need to
bull Be applicable from the start ofdevelopment
bull Automate the security knowledge
bull Be deeply integrated into the dev enveg
bull IDE (instant feedback)bull Continuous integration
bull Provide easy to understand fixrecommendations
bull Declare their ldquosweet spotsrdquo
copy 2015 SAP SE All Rights Reserved Page 21 of 30
Collaborate
Security experts need to collaborate with development experts to
bull Create easy to use security APIs (ever tried to use an SSL API securely)
bull Create languages and frameworks that make it hard to implement insecure systems
bull Explain how to program securely
copy 2015 SAP SE All Rights Reserved Page 22 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 23 of 30
Mobile App Development at SAP
Key take aways
bull Hybrid applications are becoming thepre-dominant development model (at SAP)
bull the challenges of hybrid apps aretransferable to
bull web frameworks(EJB Rails PHP)
bull enterprise applications(XSJS SQLScript ABAP JS)
bull even mobile apps contain gt 500kLOC
bull there are a lot of open and interestingsecurity research questions in the area ofhybrid development models
copy 2015 SAP SE All Rights Reserved Page 24 of 30
Why Are Mobile Apps SpecialOrganisational Aspects
bull Partly not developed by thedevelopment organisations(eg marketing)
bull Fast update cycles(to app store not necessarily ldquoon devicerdquo)
bull Mobile apps are not patched(instead new release)
bull Processes partly defined by App Store operators(eg Google Apple )
copy 2015 SAP SE All Rights Reserved Page 25 of 30
Why Are Mobile Apps SpecialTechnical Aspects
bull Limiteddifferent user interface
bull High volume of apps released
bull Development tools are not fully under own control
bull Programming languages might not be usedelsewhere
bull Lot of frameworks thatbull rather newbull not as maturebull might track users (data privacy)
bull They are not independent
copy 2015 SAP SE All Rights Reserved Page 26 of 30
The Hidden Beast mdash ServerAs a mobile app you never be alone
A final remark
bull usually there is at least one server ldquoin the backgroundrdquo
bull many security and data privacy issues are caused bybull the communication of the app and its ldquoownrdquo serverbull the implementation of its ldquoownrdquo serverbull external servers andor services
copy 2015 SAP SE All Rights Reserved Page 27 of 30
Conclusion
bull Secure software development is abull Prerequisite for the secure and compliant operation
We need SecDevOpsbull Risk of operating and maintaining IT systems
bull Security requires an end-to-end approachbull Training of developers architects product ownersbull Security testing during developmentbull Validation of your security testing effortsbull Maintenance and security patch management
bull Developers are your most important allybull Make life easy for them
copy 2015 SAP SE All Rights Reserved Page 28 of 30
Thank you
httpxkcdcom327
Dr Achim D Bruckerachimbruckersapcomhttpswwwbruckerchhttpslogicalhackingcom
Related Publications
Ruediger Bachmann and Achim D Brucker
Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014
Achim D Brucker Lukas Bruumlgger and Burkhart Wolff
Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
Achim D Brucker and Uwe Sodan
Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014
Achim D Brucker and Burkhart Wolff
On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
copy 2015 SAP SE All Rights Reserved Page 30 of 30
copy 2015 SAP SE All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2015 SAP SE All Rights Reserved Page 31 of 30
- Background
- Motivation
- Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
- Lessons Learned
- How Does This Apply to Mobile Development
- Conclusion
-
Security Validation
bull Acts as first customer
bull Is not a replacement for security testing during development
bull Security Validationbull Check for ldquoflawsrdquo in the implementation of the S2DLbull Ideally security validation findsbull No issues that can be fixeddetected earlierbull Only issues that cannot be detect earlier
(eg insecure default configurations missing security documentation)
Penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 16 of 30
Security Validation
bull Acts as first customer
bull Is not a replacement for security testing during development
bull Security Validationbull Check for ldquoflawsrdquo in the implementation of the S2DLbull Ideally security validation findsbull No issues that can be fixeddetected earlierbull Only issues that cannot be detect earlier
(eg insecure default configurations missing security documentation)
Penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 16 of 30
How to Measure Success
• Analyze the vulnerabilities reported by
  • Security Validation
  • External security researchers
• Vulnerability not detected by our security testing tools:
  • Improve tool configuration
  • Introduce new tools
• Vulnerability detected by our security testing tools:
  • Vulnerability in older software release
  • Analyze reason for missing the vulnerability
[Diagram: reported vulnerabilities sorted into Covered, Not Covered and Newly Covered]
Success criteria: the percentage of reported vulnerabilities not covered by our security testing tools increases (the tools remove the detectable ones before release, so what is still reported from outside is increasingly beyond their reach)
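To make the slide's feedback loop concrete, here is an added example (not SAP's tooling or data) that sorts reported vulnerabilities into the Covered / Not Covered / Newly Covered buckets, attaches the follow-up action of each branch, and evaluates the success criterion per reporting period; the Report fields, period labels and sample reports are constructed assumptions.

```python
"""Classify post-release vulnerability reports by security-testing-tool coverage
and compute the slide's success metric per reporting period.

Added illustration of the "How to Measure Success" slide: the Report fields, the
bucket names and the sample reports are constructed for this example and are
not SAP's data model or tooling.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

COVERED = "covered"              # tools in place at release time flagged it
NEWLY_COVERED = "newly_covered"  # not flagged then, but flagged by the improved tool set now
NOT_COVERED = "not_covered"      # still outside what the tools can detect


@dataclass(frozen=True)
class Report:
    """One vulnerability reported after release (all fields constructed)."""
    vuln_id: str                  # placeholder id, not a real CVE or ticket number
    source: str                   # "security_validation" or "external_researcher"
    period: str                   # reporting period the metric is bucketed by
    tool_flagged_then: bool       # did the tool set used for the release flag the bug?
    tool_flags_now: bool          # does the current tool set flag it?
    release_predates_tool: bool   # was the affected release built before that tool existed?


def classify(r: Report) -> str:
    """Bucket a report the way the slide's flow chart does."""
    if r.tool_flagged_then:
        return COVERED
    if r.tool_flags_now:
        return NEWLY_COVERED
    return NOT_COVERED


def follow_up(r: Report) -> str:
    """Follow-up action the slide attaches to each branch."""
    bucket = classify(r)
    if bucket == NOT_COVERED:
        return "improve tool configuration or introduce a new tool"
    if bucket == NEWLY_COVERED:
        return "gap already closed by an earlier tool improvement"
    if r.release_predates_tool:
        return "vulnerability is in an older release: tool rollout came later"
    return "analyze why the tool finding did not stop the release"


def bucket_counts(reports: Iterable[Report]) -> Counter:
    """How many reports fall into each bucket."""
    return Counter(classify(r) for r in reports)


def uncovered_share(reports: Iterable[Report]) -> Dict[str, float]:
    """Per period: share (0..1) of reports the tools of that time could not detect.
    NEWLY_COVERED counts as uncovered here, because it was uncovered when reported."""
    total: Dict[str, int] = defaultdict(int)
    uncovered: Dict[str, int] = defaultdict(int)
    for r in reports:
        total[r.period] += 1
        if not r.tool_flagged_then:
            uncovered[r.period] += 1
    return {p: uncovered[p] / total[p] for p in sorted(total)}


def meets_success_criterion(reports: Iterable[Report]) -> bool:
    """Slide's criterion: the uncovered share rises period over period. A rising
    share means the tools remove the detectable bugs before release, so what is
    still reported from outside is increasingly beyond the tools' reach."""
    shares = list(uncovered_share(reports).values())
    return len(shares) >= 2 and all(a < b for a, b in zip(shares, shares[1:]))


# Constructed sample: two half-year periods after a (hypothetical) SAST rollout.
SAMPLE_REPORTS: List[Report] = [
    Report("V-001", "security_validation", "2014-H1", True, True, True),
    Report("V-002", "external_researcher", "2014-H1", True, True, False),
    Report("V-003", "external_researcher", "2014-H1", False, True, False),
    Report("V-004", "security_validation", "2014-H1", False, False, False),
    Report("V-005", "external_researcher", "2014-H2", True, True, True),
    Report("V-006", "security_validation", "2014-H2", False, False, False),
    Report("V-007", "external_researcher", "2014-H2", False, False, False),
    Report("V-008", "security_validation", "2014-H2", False, True, False),
]

if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        print(r.vuln_id, classify(r), "->", follow_up(r))
    print("buckets:", dict(bucket_counts(SAMPLE_REPORTS)))
    print("uncovered share per period:", uncovered_share(SAMPLE_REPORTS))
    print("success criterion met:", meets_success_criterion(SAMPLE_REPORTS))
```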
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAP's S2DL
4 Lessons Learned
5 How Does This Apply to Mobile Development?
6 Conclusion
Key Success Factors
• A holistic security awareness program for
  • Developers
  • Managers
• Yes, security awareness is important, but developer awareness is even more important
Listen to Your Developers
We are often talking about a lack of security awareness and, by that, forget the problem of lacking development awareness.
• Building a secure system is more difficult than finding a successful attack
• Do not expect your developers to become penetration testers (or security experts)
Security Testing for Developers
Security testing tools for developers need to
• Be applicable from the start of development
• Automate the security knowledge
• Be deeply integrated into the development environment, e.g.
  • IDE (instant feedback)
  • Continuous integration
• Provide easy to understand fix recommendations
• Declare their "sweet spots"
Collaborate
Security experts need to collaborate with development experts to
• Create easy to use security APIs (ever tried to use an SSL API securely?)
• Create languages and frameworks that make it hard to implement insecure systems
• Explain how to program securely
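As an added illustration of the "easy to use security APIs" point (example code, not an SAP API), here is a small helper around Python's standard ssl module that hands out only a verifying TLS client context and refuses a permissive one before any connection is attempted; the helper names and the policy it enforces are assumptions made for this example.

```python
"""A TLS client helper that is hard to use insecurely, illustrating the slide's
call for easy-to-use security APIs. Added example built on Python's standard
ssl module; the helper, its policy and the names are constructed here and are
not an SAP API."""
import socket
import ssl
from typing import List, Optional


def client_context() -> ssl.SSLContext:
    """The one sanctioned way to obtain a client context: certificate
    verification on, hostname checking on, nothing older than TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_default_certs()
    return ctx


def permissive_context() -> ssl.SSLContext:
    """What a developer ends up with after 'fixing' a certificate error the
    quick way: the classic misuse the slide alludes to. Kept here only so the
    policy check below has something to reject."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode may drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def policy_violations(ctx: ssl.SSLContext) -> List[str]:
    """Return the ways a context falls short of the policy (empty list == ok)."""
    violations: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        violations.append("server certificate is not verified")
    if not ctx.check_hostname:
        violations.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        violations.append("protocol versions below TLS 1.2 are allowed")
    return violations


def connect(host: str, port: int = 443,
            ctx: Optional[ssl.SSLContext] = None) -> ssl.SSLSocket:
    """Open a verified TLS connection. A context that fails the policy is
    rejected before any network I/O, so the insecure path is not reachable."""
    ctx = ctx if ctx is not None else client_context()
    problems = policy_violations(ctx)
    if problems:
        raise ValueError("refusing insecure TLS context: " + "; ".join(problems))
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


def connect_is_refused(ctx: ssl.SSLContext) -> bool:
    """True if connect() rejects ctx without touching the network. Uses a
    reserved .invalid placeholder host so a wrongly accepted context fails
    with an OSError instead of reaching anything real."""
    try:
        connect("tls-policy-check.invalid", 443, ctx)
    except ValueError:
        return True
    except OSError:
        return False   # policy let it through and a connection was attempted
    return False


if __name__ == "__main__":
    print("sanctioned context violations:", policy_violations(client_context()))
    print("permissive context violations:", policy_violations(permissive_context()))
    print("permissive context refused:", connect_is_refused(permissive_context()))
```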
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAP's S2DL
4 Lessons Learned
5 How Does This Apply to Mobile Development?
6 Conclusion
Mobile App Development at SAP
Key takeaways:
• Hybrid applications are becoming the predominant development model (at SAP)
• The challenges of hybrid apps are transferable to
  • web frameworks (EJB, Rails, PHP)
  • enterprise applications (XSJS, SQLScript, ABAP, JS)
• Even mobile apps contain > 500 kLOC
• There are a lot of open and interesting security research questions in the area of hybrid development models
Why Are Mobile Apps Special? Organisational Aspects
• Partly not developed by the development organisations (e.g. marketing)
• Fast update cycles (to the app store, not necessarily "on device")
• Mobile apps are not patched (instead: new release)
• Processes partly defined by app store operators (e.g. Google, Apple, ...)
Why Are Mobile Apps Special? Technical Aspects
• Limited/different user interface
• High volume of apps released
• Development tools are not fully under own control
• Programming languages might not be used elsewhere
• Lots of frameworks that are
  • rather new
  • not as mature
  • might track users (data privacy)
• They are not independent
The Hidden Beast: the Server (as a mobile app, you are never alone)
A final remark:
• Usually there is at least one server "in the background"
• Many security and data privacy issues are caused by
  • the communication between the app and its "own" server
  • the implementation of its "own" server
  • external servers and/or services
Conclusion
• Secure software development is a prerequisite for the secure and compliant operation of IT systems
• Operating and maintaining IT systems carries its own risk: we need SecDevOps
• Security requires an end-to-end approach
  • Training of developers, architects, product owners
  • Security testing during development
  • Validation of your security testing efforts
  • Maintenance and security patch management
• Developers are your most important ally
  • Make life easy for them
Thank you
http://xkcd.com/327
Dr. Achim D. Brucker, achim.brucker@sap.com, https://www.brucker.ch, https://logicalhacking.com
Related Publications
Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014
Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014
Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014
Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012
© 2015 SAP SE. All rights reserved.
How to Measure Success
bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers
bull Vulnerability not detected by our security testingtools
bull Improve tool configurationbull Introduce new tools
bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability
Covered
Not Covered
Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases
copy 2015 SAP SE All Rights Reserved Page 17 of 30
How to Measure Success
bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers
bull Vulnerability not detected by our security testingtools
bull Improve tool configurationbull Introduce new tools
bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability
Covered
Not Covered
Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases
copy 2015 SAP SE All Rights Reserved Page 17 of 30
How to Measure Success
bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers
bull Vulnerability not detected by our security testingtools
bull Improve tool configurationbull Introduce new tools
bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability
Covered
Not Covered
Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases
copy 2015 SAP SE All Rights Reserved Page 17 of 30
How to Measure Success
bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers
bull Vulnerability not detected by our security testingtools
bull Improve tool configurationbull Introduce new tools
bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability
Covered
Not Covered
NewlyCovered
Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases
copy 2015 SAP SE All Rights Reserved Page 17 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 18 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important
but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Listen to Your Developers
We are often talking about a lack of security awareness and by thatforget the problem of lacking development awareness
bull Building a secure system more difficult than finding a successful attack
bull Do not expect your developers to become penetration testers (or security experts)
copy 2015 SAP SE All Rights Reserved Page 20 of 30
Security Testing for Developers
Security testing tools for developers need to
bull Be applicable from the start ofdevelopment
bull Automate the security knowledge
bull Be deeply integrated into the dev enveg
bull IDE (instant feedback)bull Continuous integration
bull Provide easy to understand fixrecommendations
bull Declare their ldquosweet spotsrdquo
copy 2015 SAP SE All Rights Reserved Page 21 of 30
Collaborate
Security experts need to collaborate with development experts to
bull Create easy to use security APIs (ever tried to use an SSL API securely)
bull Create languages and frameworks that make it hard to implement insecure systems
bull Explain how to program securely
copy 2015 SAP SE All Rights Reserved Page 22 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 23 of 30
Mobile App Development at SAP
Key take aways
bull Hybrid applications are becoming thepre-dominant development model (at SAP)
bull the challenges of hybrid apps aretransferable to
bull web frameworks(EJB Rails PHP)
bull enterprise applications(XSJS SQLScript ABAP JS)
bull even mobile apps contain gt 500kLOC
bull there are a lot of open and interestingsecurity research questions in the area ofhybrid development models
copy 2015 SAP SE All Rights Reserved Page 24 of 30
Why Are Mobile Apps SpecialOrganisational Aspects
bull Partly not developed by thedevelopment organisations(eg marketing)
bull Fast update cycles(to app store not necessarily ldquoon devicerdquo)
bull Mobile apps are not patched(instead new release)
bull Processes partly defined by App Store operators(eg Google Apple )
copy 2015 SAP SE All Rights Reserved Page 25 of 30
Why Are Mobile Apps SpecialTechnical Aspects
bull Limiteddifferent user interface
bull High volume of apps released
bull Development tools are not fully under own control
bull Programming languages might not be usedelsewhere
bull Lot of frameworks thatbull rather newbull not as maturebull might track users (data privacy)
bull They are not independent
copy 2015 SAP SE All Rights Reserved Page 26 of 30
The Hidden Beast mdash ServerAs a mobile app you never be alone
A final remark
bull usually there is at least one server ldquoin the backgroundrdquo
bull many security and data privacy issues are caused bybull the communication of the app and its ldquoownrdquo serverbull the implementation of its ldquoownrdquo serverbull external servers andor services
copy 2015 SAP SE All Rights Reserved Page 27 of 30
Conclusion
• Secure software development is a prerequisite for the secure and compliant operation of IT systems and reduces the risk of operating and maintaining them
  We need SecDevOps!
• Security requires an end-to-end approach:
  • training of developers, architects and product owners
  • security testing during development
  • validation of your security testing efforts
  • maintenance and security patch management
• Developers are your most important ally: make life easy for them
Thank you
http://xkcd.com/327
Dr. Achim D. Brucker, achim.brucker@sap.com, https://www.brucker.ch, https://logicalhacking.com
Related Publications
Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014
Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014
Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014
Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012
How to Measure Success
• Analyze the vulnerabilities reported by
  • Security Validation
  • external security researchers
• Vulnerability not detected by our security testing tools (Not Covered):
  • improve tool configuration
  • introduce new tools
  (the vulnerability then counts as Newly Covered)
• Vulnerability detected by our security testing tools (Covered):
  • vulnerability in older software release
  • analyze reason for missing vulnerability
• Success criteria: Percentage of vulnerabilities not covered by our security testing tools increases
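The triage loop of this slide, run over a few constructed reports as an added example (not code from the talk or from SAP): each report is sorted into the Covered / Not Covered buckets with the follow-up action the slide names, the not-covered share is computed, and re-running the triage with an extended tool configuration shows which reports become Newly Covered. Vulnerability class names, release numbers and report ids are assumptions.

```python
"""Coverage triage for reported vulnerabilities, following the "How to Measure
Success" slide. Added example, not part of the original slides; every record
and vulnerability class below is constructed."""
from collections import Counter
from dataclasses import dataclass

# Hypothetical vulnerability classes the (constructed) tool configuration
# currently detects; they stand in for the rule sets of real tools.
DETECTED_BY_TOOLS = {"sqli", "xss"}


@dataclass(frozen=True)
class Report:
    vuln_id: str            # constructed placeholder id, not a real advisory number
    source: str             # "Security Validation" or "External security researcher"
    vuln_class: str         # class the tools would have to detect (constructed)
    affected_release: int   # release the finding was reported against
    tooling_since: int      # first release that was scanned with the tool set


def triage(report: Report, detected_classes: set[str]) -> tuple[str, str]:
    """Return (coverage bucket, follow-up action) for one report.

    Detected by the tools -> Covered; the open question is why it still shipped
    (older release that was never scanned, or a process gap to analyze).
    Not detected          -> Not Covered; the tool configuration must improve
    or a new tool is needed.
    """
    if report.vuln_class in detected_classes:
        if report.affected_release < report.tooling_since:
            return "Covered", "vulnerability in older software release"
        return "Covered", "analyze reason for missing vulnerability"
    return "Not Covered", "improve tool configuration / introduce new tools"


def not_covered_percentage(reports, detected_classes) -> float:
    """Share (in percent) of reports the tools do not cover."""
    buckets = Counter(triage(r, detected_classes)[0] for r in reports)
    return 100.0 * buckets["Not Covered"] / max(1, len(reports))


def newly_covered(reports, old_classes, new_classes) -> list[str]:
    """Ids of reports that move from Not Covered to Covered after a tool change."""
    return [r.vuln_id for r in reports
            if triage(r, old_classes)[0] == "Not Covered"
            and triage(r, new_classes)[0] == "Covered"]


# Constructed sample reports; the tool set has been in use since release 8.
SAMPLE_REPORTS = [
    Report("V-1", "Security Validation", "sqli", 10, 8),
    Report("V-2", "External security researcher", "xss", 7, 8),
    Report("V-3", "External security researcher", "xxe", 9, 8),
    Report("V-4", "Security Validation", "path-traversal", 10, 8),
]

if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        print(r.vuln_id, *triage(r, DETECTED_BY_TOOLS), sep=" | ")
    print(f"not covered: {not_covered_percentage(SAMPLE_REPORTS, DETECTED_BY_TOOLS):.0f}%")
    # Introducing a (hypothetical) XXE rule set makes V-3 Newly Covered.
    print("newly covered:",
          newly_covered(SAMPLE_REPORTS, DETECTED_BY_TOOLS, DETECTED_BY_TOOLS | {"xxe"}))
```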
Key Success Factors
• A holistic security awareness program for
  • developers
  • managers
• Yes, security awareness is important, but developer awareness is even more important
Listen to Your Developers
We are often talking about a lack of security awareness and, by that, forget the problem of lacking development awareness.
• Building a secure system is more difficult than finding a successful attack
• Do not expect your developers to become penetration testers (or security experts)
Security Testing for Developers
Security testing tools for developers need to
• be applicable from the start of development
• automate the security knowledge
• be deeply integrated into the development environment, e.g.
  • IDE (instant feedback)
  • continuous integration
• provide easy to understand fix recommendations
• declare their "sweet spots"
Collaborate
Security experts need to collaborate with development experts to
• create easy to use security APIs (ever tried to use an SSL API securely?)
• create languages and frameworks that make it hard to implement insecure systems
• explain how to program securely
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 23 of 30
Mobile App Development at SAP
Key take aways
bull Hybrid applications are becoming thepre-dominant development model (at SAP)
bull the challenges of hybrid apps aretransferable to
bull web frameworks(EJB Rails PHP)
bull enterprise applications(XSJS SQLScript ABAP JS)
bull even mobile apps contain gt 500kLOC
bull there are a lot of open and interestingsecurity research questions in the area ofhybrid development models
copy 2015 SAP SE All Rights Reserved Page 24 of 30
Why Are Mobile Apps SpecialOrganisational Aspects
bull Partly not developed by thedevelopment organisations(eg marketing)
bull Fast update cycles(to app store not necessarily ldquoon devicerdquo)
bull Mobile apps are not patched(instead new release)
bull Processes partly defined by App Store operators(eg Google Apple )
copy 2015 SAP SE All Rights Reserved Page 25 of 30
Why Are Mobile Apps SpecialTechnical Aspects
bull Limiteddifferent user interface
bull High volume of apps released
bull Development tools are not fully under own control
bull Programming languages might not be usedelsewhere
bull Lot of frameworks thatbull rather newbull not as maturebull might track users (data privacy)
bull They are not independent
copy 2015 SAP SE All Rights Reserved Page 26 of 30
The Hidden Beast mdash ServerAs a mobile app you never be alone
A final remark
bull usually there is at least one server ldquoin the backgroundrdquo
bull many security and data privacy issues are caused bybull the communication of the app and its ldquoownrdquo serverbull the implementation of its ldquoownrdquo serverbull external servers andor services
copy 2015 SAP SE All Rights Reserved Page 27 of 30
Conclusion
bull Secure software development is abull Prerequisite for the secure and compliant operation
We need SecDevOpsbull Risk of operating and maintaining IT systems
bull Security requires an end-to-end approachbull Training of developers architects product ownersbull Security testing during developmentbull Validation of your security testing effortsbull Maintenance and security patch management
bull Developers are your most important allybull Make life easy for them
copy 2015 SAP SE All Rights Reserved Page 28 of 30
Thank you
httpxkcdcom327
Dr Achim D Bruckerachimbruckersapcomhttpswwwbruckerchhttpslogicalhackingcom
Related Publications
Ruediger Bachmann and Achim D Brucker
Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014
Achim D Brucker Lukas Bruumlgger and Burkhart Wolff
Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
Achim D Brucker and Uwe Sodan
Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014
Achim D Brucker and Burkhart Wolff
On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
copy 2015 SAP SE All Rights Reserved Page 30 of 30
copy 2015 SAP SE All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2015 SAP SE All Rights Reserved Page 31 of 30
- Background
- Motivation
- Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
- Lessons Learned
- How Does This Apply to Mobile Development
- Conclusion
-
How to Measure Success
bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers
bull Vulnerability not detected by our security testingtools
bull Improve tool configurationbull Introduce new tools
bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability
Covered
Not Covered
Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases
copy 2015 SAP SE All Rights Reserved Page 17 of 30
How to Measure Success
bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers
bull Vulnerability not detected by our security testingtools
bull Improve tool configurationbull Introduce new tools
bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability
Covered
Not Covered
NewlyCovered
Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases
copy 2015 SAP SE All Rights Reserved Page 17 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 18 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important
but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Listen to Your Developers
We are often talking about a lack of security awareness and by thatforget the problem of lacking development awareness
bull Building a secure system more difficult than finding a successful attack
bull Do not expect your developers to become penetration testers (or security experts)
copy 2015 SAP SE All Rights Reserved Page 20 of 30
Security Testing for Developers
Security testing tools for developers need to
bull Be applicable from the start ofdevelopment
bull Automate the security knowledge
bull Be deeply integrated into the dev enveg
bull IDE (instant feedback)bull Continuous integration
bull Provide easy to understand fixrecommendations
bull Declare their ldquosweet spotsrdquo
copy 2015 SAP SE All Rights Reserved Page 21 of 30
Collaborate
Security experts need to collaborate with development experts to
bull Create easy to use security APIs (ever tried to use an SSL API securely)
bull Create languages and frameworks that make it hard to implement insecure systems
bull Explain how to program securely
copy 2015 SAP SE All Rights Reserved Page 22 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 23 of 30
Mobile App Development at SAP
Key take aways
bull Hybrid applications are becoming thepre-dominant development model (at SAP)
bull the challenges of hybrid apps aretransferable to
bull web frameworks(EJB Rails PHP)
bull enterprise applications(XSJS SQLScript ABAP JS)
bull even mobile apps contain gt 500kLOC
bull there are a lot of open and interestingsecurity research questions in the area ofhybrid development models
copy 2015 SAP SE All Rights Reserved Page 24 of 30
Why Are Mobile Apps SpecialOrganisational Aspects
bull Partly not developed by thedevelopment organisations(eg marketing)
bull Fast update cycles(to app store not necessarily ldquoon devicerdquo)
bull Mobile apps are not patched(instead new release)
bull Processes partly defined by App Store operators(eg Google Apple )
copy 2015 SAP SE All Rights Reserved Page 25 of 30
Why Are Mobile Apps SpecialTechnical Aspects
bull Limiteddifferent user interface
bull High volume of apps released
bull Development tools are not fully under own control
bull Programming languages might not be usedelsewhere
bull Lot of frameworks thatbull rather newbull not as maturebull might track users (data privacy)
bull They are not independent
copy 2015 SAP SE All Rights Reserved Page 26 of 30
The Hidden Beast mdash ServerAs a mobile app you never be alone
A final remark
bull usually there is at least one server ldquoin the backgroundrdquo
bull many security and data privacy issues are caused bybull the communication of the app and its ldquoownrdquo serverbull the implementation of its ldquoownrdquo serverbull external servers andor services
copy 2015 SAP SE All Rights Reserved Page 27 of 30
Conclusion
bull Secure software development is abull Prerequisite for the secure and compliant operation
We need SecDevOpsbull Risk of operating and maintaining IT systems
bull Security requires an end-to-end approachbull Training of developers architects product ownersbull Security testing during developmentbull Validation of your security testing effortsbull Maintenance and security patch management
bull Developers are your most important allybull Make life easy for them
copy 2015 SAP SE All Rights Reserved Page 28 of 30
Thank you
httpxkcdcom327
Dr Achim D Bruckerachimbruckersapcomhttpswwwbruckerchhttpslogicalhackingcom
Related Publications
Ruediger Bachmann and Achim D Brucker
Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014
Achim D Brucker Lukas Bruumlgger and Burkhart Wolff
Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
Achim D Brucker and Uwe Sodan
Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014
Achim D Brucker and Burkhart Wolff
On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
copy 2015 SAP SE All Rights Reserved Page 30 of 30
copy 2015 SAP SE All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2015 SAP SE All Rights Reserved Page 31 of 30
- Background
- Motivation
- Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
- Lessons Learned
- How Does This Apply to Mobile Development
- Conclusion
-
How to Measure Success
bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers
bull Vulnerability not detected by our security testingtools
bull Improve tool configurationbull Introduce new tools
bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability
Covered
Not Covered
NewlyCovered
Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases
copy 2015 SAP SE All Rights Reserved Page 17 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 18 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important
but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Listen to Your Developers
We are often talking about a lack of security awareness and thereby forget the problem of lacking development awareness.
• Building a secure system is more difficult than finding a successful attack
• Do not expect your developers to become penetration testers (or security experts)
Security Testing for Developers
Security testing tools for developers need to
• Be applicable from the start of development
• Automate the security knowledge
• Be deeply integrated into the development environment, e.g.
  • IDE (instant feedback)
  • Continuous integration
• Provide easy-to-understand fix recommendations
• Declare their "sweet spots"
Collaborate
Security experts need to collaborate with development experts to
• Create easy-to-use security APIs (ever tried to use an SSL API securely?)
• Create languages and frameworks that make it hard to implement insecure systems
• Explain how to program securely
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAP's S2DL
4 Lessons Learned
5 How Does This Apply to Mobile Development
6 Conclusion
Mobile App Development at SAP
Key takeaways
• Hybrid applications are becoming the predominant development model (at SAP)
• The challenges of hybrid apps are transferable to
  • web frameworks (EJB, Rails, PHP)
  • enterprise applications (XSJS, SQLScript, ABAP, JS)
• Even mobile apps contain > 500 kLOC
• There are a lot of open and interesting security research questions in the area of hybrid development models
Why Are Mobile Apps Special? Organisational Aspects
• Partly not developed by the development organisations (e.g. marketing)
• Fast update cycles (to the app store, not necessarily "on device")
• Mobile apps are not patched (instead: new release)
• Processes partly defined by App Store operators (e.g. Google, Apple, ...)
Why Are Mobile Apps Special? Technical Aspects
• Limited/different user interface
• High volume of apps released
• Development tools are not fully under own control
• Programming languages might not be used elsewhere
• Lots of frameworks that
  • are rather new
  • are not as mature
  • might track users (data privacy)
• They are not independent
The Hidden Beast — Server: As a mobile app, you are never alone
A final remark:
• Usually there is at least one server "in the background"
• Many security and data privacy issues are caused by
  • the communication of the app and its "own" server
  • the implementation of its "own" server
  • external servers and/or services
Conclusion
• Secure software development is a
  • prerequisite for the secure and compliant operation
  • risk of operating and maintaining IT systems
  We need SecDevOps
• Security requires an end-to-end approach
  • Training of developers, architects, product owners
  • Security testing during development
  • Validation of your security testing efforts
  • Maintenance and security patch management
• Developers are your most important ally
  • Make life easy for them
Thank you
http://xkcd.com/327
Dr. Achim D. Brucker, achim.brucker@sap.com, https://www.brucker.ch, https://logicalhacking.com
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 18 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important
but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Listen to Your Developers
We are often talking about a lack of security awareness and by thatforget the problem of lacking development awareness
bull Building a secure system more difficult than finding a successful attack
bull Do not expect your developers to become penetration testers (or security experts)
copy 2015 SAP SE All Rights Reserved Page 20 of 30
Security Testing for Developers
Security testing tools for developers need to
bull Be applicable from the start ofdevelopment
bull Automate the security knowledge
bull Be deeply integrated into the dev enveg
bull IDE (instant feedback)bull Continuous integration
bull Provide easy to understand fixrecommendations
bull Declare their ldquosweet spotsrdquo
copy 2015 SAP SE All Rights Reserved Page 21 of 30
Collaborate
Security experts need to collaborate with development experts to
bull Create easy to use security APIs (ever tried to use an SSL API securely)
bull Create languages and frameworks that make it hard to implement insecure systems
bull Explain how to program securely
copy 2015 SAP SE All Rights Reserved Page 22 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 23 of 30
Mobile App Development at SAP
Key take aways
bull Hybrid applications are becoming thepre-dominant development model (at SAP)
bull the challenges of hybrid apps aretransferable to
bull web frameworks(EJB Rails PHP)
bull enterprise applications(XSJS SQLScript ABAP JS)
bull even mobile apps contain gt 500kLOC
bull there are a lot of open and interestingsecurity research questions in the area ofhybrid development models
copy 2015 SAP SE All Rights Reserved Page 24 of 30
Why Are Mobile Apps SpecialOrganisational Aspects
bull Partly not developed by thedevelopment organisations(eg marketing)
bull Fast update cycles(to app store not necessarily ldquoon devicerdquo)
bull Mobile apps are not patched(instead new release)
bull Processes partly defined by App Store operators(eg Google Apple )
copy 2015 SAP SE All Rights Reserved Page 25 of 30
Why Are Mobile Apps SpecialTechnical Aspects
bull Limiteddifferent user interface
bull High volume of apps released
bull Development tools are not fully under own control
bull Programming languages might not be usedelsewhere
bull Lot of frameworks thatbull rather newbull not as maturebull might track users (data privacy)
bull They are not independent
copy 2015 SAP SE All Rights Reserved Page 26 of 30
The Hidden Beast mdash ServerAs a mobile app you never be alone
A final remark
bull usually there is at least one server ldquoin the backgroundrdquo
bull many security and data privacy issues are caused bybull the communication of the app and its ldquoownrdquo serverbull the implementation of its ldquoownrdquo serverbull external servers andor services
copy 2015 SAP SE All Rights Reserved Page 27 of 30
Conclusion
bull Secure software development is abull Prerequisite for the secure and compliant operation
We need SecDevOpsbull Risk of operating and maintaining IT systems
bull Security requires an end-to-end approachbull Training of developers architects product ownersbull Security testing during developmentbull Validation of your security testing effortsbull Maintenance and security patch management
bull Developers are your most important allybull Make life easy for them
copy 2015 SAP SE All Rights Reserved Page 28 of 30
Thank you
httpxkcdcom327
Dr Achim D Bruckerachimbruckersapcomhttpswwwbruckerchhttpslogicalhackingcom
Related Publications
Ruediger Bachmann and Achim D Brucker
Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014
Achim D Brucker Lukas Bruumlgger and Burkhart Wolff
Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
Achim D Brucker and Uwe Sodan
Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014
Achim D Brucker and Burkhart Wolff
On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
copy 2015 SAP SE All Rights Reserved Page 30 of 30
copy 2015 SAP SE All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2015 SAP SE All Rights Reserved Page 31 of 30
- Background
- Motivation
- Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
- Lessons Learned
- How Does This Apply to Mobile Development
- Conclusion
-
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important
but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Listen to Your Developers
We are often talking about a lack of security awareness and by thatforget the problem of lacking development awareness
bull Building a secure system more difficult than finding a successful attack
bull Do not expect your developers to become penetration testers (or security experts)
copy 2015 SAP SE All Rights Reserved Page 20 of 30
Security Testing for Developers
Security testing tools for developers need to
bull Be applicable from the start ofdevelopment
bull Automate the security knowledge
bull Be deeply integrated into the dev enveg
bull IDE (instant feedback)bull Continuous integration
bull Provide easy to understand fixrecommendations
bull Declare their ldquosweet spotsrdquo
copy 2015 SAP SE All Rights Reserved Page 21 of 30
Collaborate
Security experts need to collaborate with development experts to
bull Create easy to use security APIs (ever tried to use an SSL API securely)
bull Create languages and frameworks that make it hard to implement insecure systems
bull Explain how to program securely
copy 2015 SAP SE All Rights Reserved Page 22 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 23 of 30
Mobile App Development at SAP
Key take aways
bull Hybrid applications are becoming thepre-dominant development model (at SAP)
bull the challenges of hybrid apps aretransferable to
bull web frameworks(EJB Rails PHP)
bull enterprise applications(XSJS SQLScript ABAP JS)
bull even mobile apps contain gt 500kLOC
bull there are a lot of open and interestingsecurity research questions in the area ofhybrid development models
copy 2015 SAP SE All Rights Reserved Page 24 of 30
Why Are Mobile Apps SpecialOrganisational Aspects
bull Partly not developed by thedevelopment organisations(eg marketing)
bull Fast update cycles(to app store not necessarily ldquoon devicerdquo)
bull Mobile apps are not patched(instead new release)
bull Processes partly defined by App Store operators(eg Google Apple )
copy 2015 SAP SE All Rights Reserved Page 25 of 30
Why Are Mobile Apps SpecialTechnical Aspects
bull Limiteddifferent user interface
bull High volume of apps released
bull Development tools are not fully under own control
bull Programming languages might not be usedelsewhere
bull Lot of frameworks thatbull rather newbull not as maturebull might track users (data privacy)
bull They are not independent
copy 2015 SAP SE All Rights Reserved Page 26 of 30
The Hidden Beast mdash ServerAs a mobile app you never be alone
A final remark
bull usually there is at least one server ldquoin the backgroundrdquo
bull many security and data privacy issues are caused bybull the communication of the app and its ldquoownrdquo serverbull the implementation of its ldquoownrdquo serverbull external servers andor services
copy 2015 SAP SE All Rights Reserved Page 27 of 30
Conclusion
bull Secure software development is abull Prerequisite for the secure and compliant operation
We need SecDevOpsbull Risk of operating and maintaining IT systems
bull Security requires an end-to-end approachbull Training of developers architects product ownersbull Security testing during developmentbull Validation of your security testing effortsbull Maintenance and security patch management
bull Developers are your most important allybull Make life easy for them
copy 2015 SAP SE All Rights Reserved Page 28 of 30
Thank you
httpxkcdcom327
Dr Achim D Bruckerachimbruckersapcomhttpswwwbruckerchhttpslogicalhackingcom
Related Publications
Ruediger Bachmann and Achim D Brucker
Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014
Achim D Brucker Lukas Bruumlgger and Burkhart Wolff
Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
Achim D Brucker and Uwe Sodan
Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014
Achim D Brucker and Burkhart Wolff
On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
copy 2015 SAP SE All Rights Reserved Page 30 of 30
copy 2015 SAP SE All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2015 SAP SE All Rights Reserved Page 31 of 30
- Background
- Motivation
- Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
- Lessons Learned
- How Does This Apply to Mobile Development
- Conclusion
-
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important
but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Listen to Your Developers
We are often talking about a lack of security awareness and by thatforget the problem of lacking development awareness
bull Building a secure system more difficult than finding a successful attack
bull Do not expect your developers to become penetration testers (or security experts)
copy 2015 SAP SE All Rights Reserved Page 20 of 30
Security Testing for Developers
Security testing tools for developers need to
bull Be applicable from the start ofdevelopment
bull Automate the security knowledge
bull Be deeply integrated into the dev enveg
bull IDE (instant feedback)bull Continuous integration
bull Provide easy to understand fixrecommendations
bull Declare their ldquosweet spotsrdquo
copy 2015 SAP SE All Rights Reserved Page 21 of 30
Collaborate
Security experts need to collaborate with development experts to
bull Create easy to use security APIs (ever tried to use an SSL API securely)
bull Create languages and frameworks that make it hard to implement insecure systems
bull Explain how to program securely
copy 2015 SAP SE All Rights Reserved Page 22 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAP's S²DL
4 Lessons Learned
5 How Does This Apply to Mobile Development
6 Conclusion
Mobile App Development at SAP
Key takeaways
• Hybrid applications are becoming the predominant development model (at SAP)
• The challenges of hybrid apps are transferable to
  • web frameworks (EJB, Rails, PHP)
  • enterprise applications (XSJS, SQLScript, ABAP, JS)
• Even mobile apps contain > 500 kLOC
• There are a lot of open and interesting security research questions in the area of hybrid development models
Why Are Mobile Apps Special? Organisational Aspects
• Partly not developed by the development organisations (e.g. marketing)
• Fast update cycles (to the app store, not necessarily "on device")
• Mobile apps are not patched (instead: new release)
• Processes partly defined by app store operators (e.g. Google, Apple, ...)
Why Are Mobile Apps Special? Technical Aspects
• Limited/different user interface
• High volume of apps released
• Development tools are not fully under own control
• Programming languages might not be used elsewhere
• Lots of frameworks that
  • are rather new
  • are not as mature
  • might track users (data privacy)
• They are not independent
The Hidden Beast: the Server
As a mobile app, you are never alone
A final remark:
• usually there is at least one server "in the background"
• many security and data privacy issues are caused by
  • the communication between the app and its "own" server
  • the implementation of its "own" server
  • external servers and/or services
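The "ever tried to use an SSL API securely?" remark on the Collaborate slide and the app-to-server communication point above are two sides of one problem, so a single added example covers both (it is written for this page; it is not code from the talk or from SAP). `make_client_context()` is the kind of wrapper a central security team can hand to app developers; `audit_tls_context()` is the matching check for CI or code review; `insecure_context_seen_in_the_wild()` constructs the "disable verification" configuration the audit is meant to catch. The three function names are assumptions for this example; only the Python `ssl` standard-library API is real.

```python
"""An easy-to-use-securely TLS client API next to an audit of the raw API.

Added example for this page. The wrapper gives developers one call that
is correct by default; the audit reports the settings an app typically
ends up with after someone "just made the self-signed test server work".
"""
import ssl
from typing import Optional


def make_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client context with certificate and hostname verification enforced."""
    # create_default_context() already turns on CERT_REQUIRED and
    # check_hostname and loads the platform trust store.
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    if ca_bundle is not None:
        # A private CA for the app's "own" server: add it to the trust
        # store instead of switching verification off.
        ctx.load_verify_locations(cafile=ca_bundle)
    # Pin the protocol floor explicitly so the result does not depend on
    # which Python/OpenSSL version the build machine happens to have.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return human-readable findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for another host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS 1.1 or older")
    return findings


def insecure_context_seen_in_the_wild() -> ssl.SSLContext:
    """The 'disable verification' pattern, constructed to show what the audit catches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # The raw API even dictates the order: check_hostname must be cleared
    # first, otherwise assigning CERT_NONE raises ValueError. Details like
    # this are what the wrapper above spares the app developer.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    print("wrapper :", audit_tls_context(make_client_context()) or "no findings")
    print("insecure:", audit_tls_context(insecure_context_seen_in_the_wild()))
```

The exact number of findings for the insecure context depends on the Python version: since Python 3.10 a `PROTOCOL_TLS_CLIENT` context already has TLS 1.2 as its floor, on older versions the third finding appears as well. The two verification findings are reported on every version, which is why the wrapper sets the floor itself rather than relying on defaults.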
Conclusion
• Secure software development is a
  • prerequisite for the secure and compliant operation
  • risk of operating and maintaining IT systems
  We need SecDevOps
• Security requires an end-to-end approach
  • Training of developers, architects, product owners
  • Security testing during development
  • Validation of your security testing efforts
  • Maintenance and security patch management
• Developers are your most important ally
  • Make life easy for them
Thank you
http://xkcd.com/327
Dr. Achim D. Brucker
achim.brucker@sap.com
https://www.brucker.ch
https://logicalhacking.com
Related Publications
Ruediger Bachmann and Achim D. Brucker.
Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014.
http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014

Achim D. Brucker, Lukas Brügger, and Burkhart Wolff.
Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015.
http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014

Achim D. Brucker and Uwe Sodan.
Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0.
http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014

Achim D. Brucker and Burkhart Wolff.
On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043.
http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012
© 2015 SAP SE. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE. The information contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP SE.

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.
- Background
- Motivation
- Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
- Lessons Learned
- How Does This Apply to Mobile Development
- Conclusion
-
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Listen to Your Developers
We are often talking about a lack of security awareness and by thatforget the problem of lacking development awareness
bull Building a secure system more difficult than finding a successful attack
bull Do not expect your developers to become penetration testers (or security experts)
copy 2015 SAP SE All Rights Reserved Page 20 of 30
Security Testing for Developers
Security testing tools for developers need to
bull Be applicable from the start ofdevelopment
bull Automate the security knowledge
bull Be deeply integrated into the dev enveg
bull IDE (instant feedback)bull Continuous integration
bull Provide easy to understand fixrecommendations
bull Declare their ldquosweet spotsrdquo
copy 2015 SAP SE All Rights Reserved Page 21 of 30
Collaborate
Security experts need to collaborate with development experts to
bull Create easy to use security APIs (ever tried to use an SSL API securely)
bull Create languages and frameworks that make it hard to implement insecure systems
bull Explain how to program securely
copy 2015 SAP SE All Rights Reserved Page 22 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 23 of 30
Mobile App Development at SAP
Key take aways
bull Hybrid applications are becoming thepre-dominant development model (at SAP)
bull the challenges of hybrid apps aretransferable to
bull web frameworks(EJB Rails PHP)
bull enterprise applications(XSJS SQLScript ABAP JS)
bull even mobile apps contain gt 500kLOC
bull there are a lot of open and interestingsecurity research questions in the area ofhybrid development models
copy 2015 SAP SE All Rights Reserved Page 24 of 30
Why Are Mobile Apps SpecialOrganisational Aspects
bull Partly not developed by thedevelopment organisations(eg marketing)
bull Fast update cycles(to app store not necessarily ldquoon devicerdquo)
bull Mobile apps are not patched(instead new release)
bull Processes partly defined by App Store operators(eg Google Apple )
copy 2015 SAP SE All Rights Reserved Page 25 of 30
Why Are Mobile Apps SpecialTechnical Aspects
bull Limiteddifferent user interface
bull High volume of apps released
bull Development tools are not fully under own control
bull Programming languages might not be usedelsewhere
bull Lot of frameworks thatbull rather newbull not as maturebull might track users (data privacy)
bull They are not independent
copy 2015 SAP SE All Rights Reserved Page 26 of 30
The Hidden Beast mdash ServerAs a mobile app you never be alone
A final remark
bull usually there is at least one server ldquoin the backgroundrdquo
bull many security and data privacy issues are caused bybull the communication of the app and its ldquoownrdquo serverbull the implementation of its ldquoownrdquo serverbull external servers andor services
copy 2015 SAP SE All Rights Reserved Page 27 of 30
Conclusion
bull Secure software development is abull Prerequisite for the secure and compliant operation
We need SecDevOpsbull Risk of operating and maintaining IT systems
bull Security requires an end-to-end approachbull Training of developers architects product ownersbull Security testing during developmentbull Validation of your security testing effortsbull Maintenance and security patch management
bull Developers are your most important allybull Make life easy for them
copy 2015 SAP SE All Rights Reserved Page 28 of 30
Thank you
httpxkcdcom327
Dr Achim D Bruckerachimbruckersapcomhttpswwwbruckerchhttpslogicalhackingcom
Related Publications
Ruediger Bachmann and Achim D Brucker
Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014
Achim D Brucker Lukas Bruumlgger and Burkhart Wolff
Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
Achim D Brucker and Uwe Sodan
Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014
Achim D Brucker and Burkhart Wolff
On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
copy 2015 SAP SE All Rights Reserved Page 30 of 30
copy 2015 SAP SE All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2015 SAP SE All Rights Reserved Page 31 of 30
- Background
- Motivation
- Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
- Lessons Learned
- How Does This Apply to Mobile Development
- Conclusion
-
Key Success Factors
bull A holistic security awareness program forbull Developersbull Managers
bull Yes security awareness is important but
Developer awareness is even more important
copy 2015 SAP SE All Rights Reserved Page 19 of 30
Listen to Your Developers
We are often talking about a lack of security awareness and by thatforget the problem of lacking development awareness
bull Building a secure system more difficult than finding a successful attack
bull Do not expect your developers to become penetration testers (or security experts)
copy 2015 SAP SE All Rights Reserved Page 20 of 30
Security Testing for Developers
Security testing tools for developers need to
bull Be applicable from the start ofdevelopment
bull Automate the security knowledge
bull Be deeply integrated into the dev enveg
bull IDE (instant feedback)bull Continuous integration
bull Provide easy to understand fixrecommendations
bull Declare their ldquosweet spotsrdquo
copy 2015 SAP SE All Rights Reserved Page 21 of 30
Collaborate
Security experts need to collaborate with development experts to
bull Create easy to use security APIs (ever tried to use an SSL API securely)
bull Create languages and frameworks that make it hard to implement insecure systems
bull Explain how to program securely
copy 2015 SAP SE All Rights Reserved Page 22 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 23 of 30
Mobile App Development at SAP
Key take aways
bull Hybrid applications are becoming thepre-dominant development model (at SAP)
bull the challenges of hybrid apps aretransferable to
bull web frameworks(EJB Rails PHP)
bull enterprise applications(XSJS SQLScript ABAP JS)
bull even mobile apps contain gt 500kLOC
bull there are a lot of open and interestingsecurity research questions in the area ofhybrid development models
copy 2015 SAP SE All Rights Reserved Page 24 of 30
Why Are Mobile Apps SpecialOrganisational Aspects
bull Partly not developed by thedevelopment organisations(eg marketing)
bull Fast update cycles(to app store not necessarily ldquoon devicerdquo)
bull Mobile apps are not patched(instead new release)
bull Processes partly defined by App Store operators(eg Google Apple )
copy 2015 SAP SE All Rights Reserved Page 25 of 30
Why Are Mobile Apps SpecialTechnical Aspects
bull Limiteddifferent user interface
bull High volume of apps released
bull Development tools are not fully under own control
bull Programming languages might not be usedelsewhere
bull Lot of frameworks thatbull rather newbull not as maturebull might track users (data privacy)
bull They are not independent
copy 2015 SAP SE All Rights Reserved Page 26 of 30
The Hidden Beast mdash ServerAs a mobile app you never be alone
A final remark
bull usually there is at least one server ldquoin the backgroundrdquo
bull many security and data privacy issues are caused bybull the communication of the app and its ldquoownrdquo serverbull the implementation of its ldquoownrdquo serverbull external servers andor services
copy 2015 SAP SE All Rights Reserved Page 27 of 30
Conclusion
bull Secure software development is abull Prerequisite for the secure and compliant operation
We need SecDevOpsbull Risk of operating and maintaining IT systems
bull Security requires an end-to-end approachbull Training of developers architects product ownersbull Security testing during developmentbull Validation of your security testing effortsbull Maintenance and security patch management
bull Developers are your most important allybull Make life easy for them
copy 2015 SAP SE All Rights Reserved Page 28 of 30
Thank you
httpxkcdcom327
Dr Achim D Bruckerachimbruckersapcomhttpswwwbruckerchhttpslogicalhackingcom
Related Publications
Ruediger Bachmann and Achim D Brucker
Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014
Achim D Brucker Lukas Bruumlgger and Burkhart Wolff
Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
Achim D Brucker and Uwe Sodan
Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014
Achim D Brucker and Burkhart Wolff
On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
copy 2015 SAP SE All Rights Reserved Page 30 of 30
copy 2015 SAP SE All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2015 SAP SE All Rights Reserved Page 31 of 30
- Background
- Motivation
- Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
- Lessons Learned
- How Does This Apply to Mobile Development
- Conclusion
-
Listen to Your Developers
We are often talking about a lack of security awareness and by thatforget the problem of lacking development awareness
bull Building a secure system more difficult than finding a successful attack
bull Do not expect your developers to become penetration testers (or security experts)
copy 2015 SAP SE All Rights Reserved Page 20 of 30
Security Testing for Developers
Security testing tools for developers need to
bull Be applicable from the start ofdevelopment
bull Automate the security knowledge
bull Be deeply integrated into the dev enveg
bull IDE (instant feedback)bull Continuous integration
bull Provide easy to understand fixrecommendations
bull Declare their ldquosweet spotsrdquo
copy 2015 SAP SE All Rights Reserved Page 21 of 30
Collaborate
Security experts need to collaborate with development experts to
bull Create easy to use security APIs (ever tried to use an SSL API securely)
bull Create languages and frameworks that make it hard to implement insecure systems
bull Explain how to program securely
copy 2015 SAP SE All Rights Reserved Page 22 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 23 of 30
Mobile App Development at SAP
Key take aways
bull Hybrid applications are becoming thepre-dominant development model (at SAP)
bull the challenges of hybrid apps aretransferable to
bull web frameworks(EJB Rails PHP)
bull enterprise applications(XSJS SQLScript ABAP JS)
bull even mobile apps contain gt 500kLOC
bull there are a lot of open and interestingsecurity research questions in the area ofhybrid development models
copy 2015 SAP SE All Rights Reserved Page 24 of 30
Why Are Mobile Apps SpecialOrganisational Aspects
bull Partly not developed by thedevelopment organisations(eg marketing)
bull Fast update cycles(to app store not necessarily ldquoon devicerdquo)
bull Mobile apps are not patched(instead new release)
bull Processes partly defined by App Store operators(eg Google Apple )
copy 2015 SAP SE All Rights Reserved Page 25 of 30
Why Are Mobile Apps SpecialTechnical Aspects
bull Limiteddifferent user interface
bull High volume of apps released
bull Development tools are not fully under own control
bull Programming languages might not be usedelsewhere
bull Lot of frameworks thatbull rather newbull not as maturebull might track users (data privacy)
bull They are not independent
copy 2015 SAP SE All Rights Reserved Page 26 of 30
The Hidden Beast mdash ServerAs a mobile app you never be alone
A final remark
bull usually there is at least one server ldquoin the backgroundrdquo
bull many security and data privacy issues are caused bybull the communication of the app and its ldquoownrdquo serverbull the implementation of its ldquoownrdquo serverbull external servers andor services
copy 2015 SAP SE All Rights Reserved Page 27 of 30
Conclusion
bull Secure software development is abull Prerequisite for the secure and compliant operation
We need SecDevOpsbull Risk of operating and maintaining IT systems
bull Security requires an end-to-end approachbull Training of developers architects product ownersbull Security testing during developmentbull Validation of your security testing effortsbull Maintenance and security patch management
bull Developers are your most important allybull Make life easy for them
copy 2015 SAP SE All Rights Reserved Page 28 of 30
Thank you
httpxkcdcom327
Dr Achim D Bruckerachimbruckersapcomhttpswwwbruckerchhttpslogicalhackingcom
Related Publications

Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014

Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014

Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014

Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012
© 2015 SAP SE. All rights reserved.
Security Testing for Developers
Security testing tools for developers need to
• be applicable from the start of development
• automate the security knowledge
• be deeply integrated into the development environment, e.g.
  • IDE (instant feedback)
  • continuous integration
• provide easy to understand fix recommendations
• declare their "sweet spots"
Collaborate
Security experts need to collaborate with development experts to
• create easy to use security APIs (ever tried to use an SSL API securely?)
• create languages and frameworks that make it hard to implement insecure systems
• explain how to program securely
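The following script is an added example, not code from the talk or from any SAP tool. It ties together the "Security Testing for Developers" requirements, the "Collaborate" remark that SSL APIs are hard to use securely, and the "Hidden Beast" point that the app-to-server communication is a common source of trouble: it is a small check a developer can run from the IDE or a CI step, it automates one piece of security knowledge (certificate and hostname validation must not be switched off on the TLS connection to the backend), it reports each hit with a line number and a concrete fix recommendation, and it declares its sweet spot. The rule identifiers, messages, recommendation texts and the sample source it scans are constructed for this example.

```python
"""Added example: a tiny developer-facing security check in the spirit of the
'Security Testing for Developers' slide. It flags Python code that switches
off TLS certificate validation for the app-to-server connection and prints a
fix recommendation per finding. Rule ids, messages and the sample source are
constructed for this example; they are not output of any SAP tool."""
import ast
from dataclasses import dataclass

# Declared sweet spot: the checker only understands these two APIs.
SWEET_SPOT = "Python code using requests.* or the ssl module"

# Constructed sample input: the "workaround" a developer writes when a
# self-signed test server makes the handshake fail, plus one clean call.
SAMPLE_SOURCE = '''
import ssl, requests

def fetch(url):
    return requests.get(url, verify=False)

def make_context():
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def legacy():
    return ssl._create_unverified_context()

def fine(url):
    return requests.get(url, timeout=5)
'''

FIX_CONTEXT = ("keep ssl.create_default_context() unchanged; for a private CA "
               "pass cafile=/capath= instead of disabling verification")
FIX_REQUESTS = ("remove verify=False; if the server uses a private CA, set "
                "verify= to that CA bundle's path")


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str
    fix: str


def _is_const(node: ast.AST, value) -> bool:
    return isinstance(node, ast.Constant) and node.value is value


class TlsMisuseVisitor(ast.NodeVisitor):
    """Collects the places where certificate or hostname checks are disabled."""

    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def _add(self, rule: str, node: ast.AST, message: str, fix: str) -> None:
        self.findings.append(Finding(rule, node.lineno, message, fix))

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Attribute):
            # requests.<verb>(..., verify=False)
            if isinstance(func.value, ast.Name) and func.value.id == "requests":
                for kw in node.keywords:
                    if kw.arg == "verify" and _is_const(kw.value, False):
                        self._add("TLS-001", node, "requests call with verify=False", FIX_REQUESTS)
            # ssl._create_unverified_context()
            if func.attr == "_create_unverified_context":
                self._add("TLS-002", node, "ssl._create_unverified_context() used", FIX_CONTEXT)
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        for target in node.targets:
            if not isinstance(target, ast.Attribute):
                continue
            # ctx.check_hostname = False
            if target.attr == "check_hostname" and _is_const(node.value, False):
                self._add("TLS-003", node, "check_hostname set to False", FIX_CONTEXT)
            # ctx.verify_mode = ssl.CERT_NONE
            if (target.attr == "verify_mode" and isinstance(node.value, ast.Attribute)
                    and node.value.attr == "CERT_NONE"):
                self._add("TLS-004", node, "verify_mode set to ssl.CERT_NONE", FIX_CONTEXT)
        self.generic_visit(node)


def scan_source(source: str) -> list[Finding]:
    """Parse source and return findings in line order (empty list = clean)."""
    visitor = TlsMisuseVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


def format_for_ci(findings: list[Finding], path: str = "app.py") -> list[str]:
    """path:line: rule: message lines, the shape IDEs and CI log parsers
    turn into inline annotations."""
    return [f"{path}:{f.line}: {f.rule}: {f.message}. Fix: {f.fix}" for f in findings]


if __name__ == "__main__":
    hits = scan_source(SAMPLE_SOURCE)
    print("\n".join(format_for_ci(hits)) or f"no findings (sweet spot: {SWEET_SPOT})")
    raise SystemExit(1 if hits else 0)   # non-zero exit fails the CI step
```

Run as a script it exits non-zero when it finds something, which is all a CI gate needs; the `path:line: rule: message` output is what editors and build servers already parse into inline annotations, giving the instant feedback the slide asks for. The narrow, declared sweet spot is deliberate: a check that says exactly what it covers is more useful to a developer than one that implies it found everything.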
Mobile App Development at SAP
Key takeaways:
• Hybrid applications are becoming the predominant development model (at SAP)
• The challenges of hybrid apps are transferable to
  • web frameworks (EJB, Rails, PHP)
  • enterprise applications (XSJS, SQLScript, ABAP, JS)
• Even mobile apps contain > 500 kLOC
• There are a lot of open and interesting security research questions in the area of hybrid development models
Why Are Mobile Apps Special? Organisational Aspects
• Partly not developed by the development organisations (e.g. marketing)
• Fast update cycles (to the app store, not necessarily "on device")
• Mobile apps are not patched (instead: new release)
• Processes partly defined by app store operators (e.g. Google, Apple, ...)
Why Are Mobile Apps SpecialTechnical Aspects
bull Limiteddifferent user interface
bull High volume of apps released
bull Development tools are not fully under own control
bull Programming languages might not be usedelsewhere
bull Lot of frameworks thatbull rather newbull not as maturebull might track users (data privacy)
bull They are not independent
copy 2015 SAP SE All Rights Reserved Page 26 of 30
The Hidden Beast mdash ServerAs a mobile app you never be alone
A final remark
bull usually there is at least one server ldquoin the backgroundrdquo
bull many security and data privacy issues are caused bybull the communication of the app and its ldquoownrdquo serverbull the implementation of its ldquoownrdquo serverbull external servers andor services
copy 2015 SAP SE All Rights Reserved Page 27 of 30
Conclusion
bull Secure software development is abull Prerequisite for the secure and compliant operation
We need SecDevOpsbull Risk of operating and maintaining IT systems
bull Security requires an end-to-end approachbull Training of developers architects product ownersbull Security testing during developmentbull Validation of your security testing effortsbull Maintenance and security patch management
bull Developers are your most important allybull Make life easy for them
copy 2015 SAP SE All Rights Reserved Page 28 of 30
Thank you
httpxkcdcom327
Dr Achim D Bruckerachimbruckersapcomhttpswwwbruckerchhttpslogicalhackingcom
Related Publications
Ruediger Bachmann and Achim D Brucker
Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014
Achim D Brucker Lukas Bruumlgger and Burkhart Wolff
Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
Achim D Brucker and Uwe Sodan
Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014
Achim D Brucker and Burkhart Wolff
On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
copy 2015 SAP SE All Rights Reserved Page 30 of 30
copy 2015 SAP SE All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2015 SAP SE All Rights Reserved Page 31 of 30
- Background
- Motivation
- Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
- Lessons Learned
- How Does This Apply to Mobile Development
- Conclusion
-
Collaborate
Security experts need to collaborate with development experts to
bull Create easy to use security APIs (ever tried to use an SSL API securely)
bull Create languages and frameworks that make it hard to implement insecure systems
bull Explain how to program securely
copy 2015 SAP SE All Rights Reserved Page 22 of 30
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 23 of 30
Mobile App Development at SAP
Key take aways
bull Hybrid applications are becoming thepre-dominant development model (at SAP)
bull the challenges of hybrid apps aretransferable to
bull web frameworks(EJB Rails PHP)
bull enterprise applications(XSJS SQLScript ABAP JS)
bull even mobile apps contain gt 500kLOC
bull there are a lot of open and interestingsecurity research questions in the area ofhybrid development models
copy 2015 SAP SE All Rights Reserved Page 24 of 30
Why Are Mobile Apps SpecialOrganisational Aspects
bull Partly not developed by thedevelopment organisations(eg marketing)
bull Fast update cycles(to app store not necessarily ldquoon devicerdquo)
bull Mobile apps are not patched(instead new release)
bull Processes partly defined by App Store operators(eg Google Apple )
copy 2015 SAP SE All Rights Reserved Page 25 of 30
Why Are Mobile Apps SpecialTechnical Aspects
bull Limiteddifferent user interface
bull High volume of apps released
bull Development tools are not fully under own control
bull Programming languages might not be usedelsewhere
bull Lot of frameworks thatbull rather newbull not as maturebull might track users (data privacy)
bull They are not independent
copy 2015 SAP SE All Rights Reserved Page 26 of 30
The Hidden Beast mdash ServerAs a mobile app you never be alone
A final remark
bull usually there is at least one server ldquoin the backgroundrdquo
bull many security and data privacy issues are caused bybull the communication of the app and its ldquoownrdquo serverbull the implementation of its ldquoownrdquo serverbull external servers andor services
copy 2015 SAP SE All Rights Reserved Page 27 of 30
Conclusion
bull Secure software development is abull Prerequisite for the secure and compliant operation
We need SecDevOpsbull Risk of operating and maintaining IT systems
bull Security requires an end-to-end approachbull Training of developers architects product ownersbull Security testing during developmentbull Validation of your security testing effortsbull Maintenance and security patch management
bull Developers are your most important allybull Make life easy for them
copy 2015 SAP SE All Rights Reserved Page 28 of 30
Thank you
httpxkcdcom327
Dr Achim D Bruckerachimbruckersapcomhttpswwwbruckerchhttpslogicalhackingcom
Related Publications
Ruediger Bachmann and Achim D Brucker
Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014
Achim D Brucker Lukas Bruumlgger and Burkhart Wolff
Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
Achim D Brucker and Uwe Sodan
Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014
Achim D Brucker and Burkhart Wolff
On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
copy 2015 SAP SE All Rights Reserved Page 30 of 30
copy 2015 SAP SE All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2015 SAP SE All Rights Reserved Page 31 of 30
- Background
- Motivation
- Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
- Lessons Learned
- How Does This Apply to Mobile Development
- Conclusion
-
Agenda
1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAPrsquos S2DL
4 Lessonrsquos Learned
5 How Does This Apply to Mobile Development
6 Conclusion
copy 2015 SAP SE All Rights Reserved Page 23 of 30
Mobile App Development at SAP
Key take aways
bull Hybrid applications are becoming thepre-dominant development model (at SAP)
bull the challenges of hybrid apps aretransferable to
bull web frameworks(EJB Rails PHP)
bull enterprise applications(XSJS SQLScript ABAP JS)
bull even mobile apps contain gt 500kLOC
bull there are a lot of open and interestingsecurity research questions in the area ofhybrid development models
copy 2015 SAP SE All Rights Reserved Page 24 of 30
Why Are Mobile Apps SpecialOrganisational Aspects
bull Partly not developed by thedevelopment organisations(eg marketing)
bull Fast update cycles(to app store not necessarily ldquoon devicerdquo)
bull Mobile apps are not patched(instead new release)
bull Processes partly defined by App Store operators(eg Google Apple )
copy 2015 SAP SE All Rights Reserved Page 25 of 30
Why Are Mobile Apps SpecialTechnical Aspects
bull Limiteddifferent user interface
bull High volume of apps released
bull Development tools are not fully under own control
bull Programming languages might not be usedelsewhere
bull Lot of frameworks thatbull rather newbull not as maturebull might track users (data privacy)
bull They are not independent
copy 2015 SAP SE All Rights Reserved Page 26 of 30
The Hidden Beast mdash ServerAs a mobile app you never be alone
A final remark
bull usually there is at least one server ldquoin the backgroundrdquo
bull many security and data privacy issues are caused bybull the communication of the app and its ldquoownrdquo serverbull the implementation of its ldquoownrdquo serverbull external servers andor services
copy 2015 SAP SE All Rights Reserved Page 27 of 30
Conclusion
bull Secure software development is abull Prerequisite for the secure and compliant operation
We need SecDevOpsbull Risk of operating and maintaining IT systems
bull Security requires an end-to-end approachbull Training of developers architects product ownersbull Security testing during developmentbull Validation of your security testing effortsbull Maintenance and security patch management
bull Developers are your most important allybull Make life easy for them
copy 2015 SAP SE All Rights Reserved Page 28 of 30
Thank you
httpxkcdcom327
Dr Achim D Bruckerachimbruckersapcomhttpswwwbruckerchhttpslogicalhackingcom
Related Publications
Ruediger Bachmann and Achim D Brucker
Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014
Achim D Brucker Lukas Bruumlgger and Burkhart Wolff
Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
Achim D Brucker and Uwe Sodan
Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014
Achim D Brucker and Burkhart Wolff
On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
copy 2015 SAP SE All Rights Reserved Page 30 of 30
copy 2015 SAP SE All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2015 SAP SE All Rights Reserved Page 31 of 30
- Background
- Motivation
- Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
- Lessons Learned
- How Does This Apply to Mobile Development
- Conclusion
-
Mobile App Development at SAP
Key take aways
bull Hybrid applications are becoming thepre-dominant development model (at SAP)
bull the challenges of hybrid apps aretransferable to
bull web frameworks(EJB Rails PHP)
bull enterprise applications(XSJS SQLScript ABAP JS)
bull even mobile apps contain gt 500kLOC
bull there are a lot of open and interestingsecurity research questions in the area ofhybrid development models
copy 2015 SAP SE All Rights Reserved Page 24 of 30
Why Are Mobile Apps SpecialOrganisational Aspects
bull Partly not developed by thedevelopment organisations(eg marketing)
bull Fast update cycles(to app store not necessarily ldquoon devicerdquo)
bull Mobile apps are not patched(instead new release)
bull Processes partly defined by App Store operators(eg Google Apple )
copy 2015 SAP SE All Rights Reserved Page 25 of 30
Why Are Mobile Apps Special? Technical Aspects
• Limited/different user interface
• High volume of apps released
• Development tools are not fully under own control
• Programming languages might not be used elsewhere
• Lot of frameworks that
  • are rather new
  • are not as mature
  • might track users (data privacy)
• They are not independent
© 2015 SAP SE. All Rights Reserved. Page 26 of 30
The Hidden Beast — Server: As a mobile app, you are never alone
A final remark
• Usually there is at least one server "in the background"
• Many security and data privacy issues are caused by
  • the communication of the app and its "own" server
  • the implementation of its "own" server
  • external servers and/or services
© 2015 SAP SE. All Rights Reserved. Page 27 of 30
Conclusion
• Secure software development is a
  • Prerequisite for the secure and compliant operation
  • Risk of operating and maintaining IT systems
  We need SecDevOps
• Security requires an end-to-end approach
  • Training of developers, architects, product owners
  • Security testing during development
  • Validation of your security testing efforts
  • Maintenance and security patch management
• Developers are your most important ally
  • Make life easy for them
© 2015 SAP SE. All Rights Reserved. Page 28 of 30
Thank you
http://xkcd.com/327
Dr. Achim D. Brucker, achim.brucker@sap.com, https://www.brucker.ch, https://logicalhacking.com
Related Publications
Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014
Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014
Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014
Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012
© 2015 SAP SE. All Rights Reserved. Page 30 of 30
© 2015 SAP SE. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE. The information contained herein may be changed without prior notice.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP SE.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.
© 2015 SAP SE. All Rights Reserved. Page 31 of 30
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2015 SAP SE All Rights Reserved Page 31 of 30
- Background
- Motivation
- Risk-based Security Testing as Part of SAP's S²DL
- Lessons Learned
- How Does This Apply to Mobile Development
- Conclusion
Thank you

https://xkcd.com/327

Dr. Achim D. Brucker, achim.brucker@sap.com, https://www.brucker.ch, https://logicalhacking.com
Related Publications

Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmannea-security-testing-2014

Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/bruckerea-formal-fw-testing-2014

Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/bruckerea-sast-expierences-2014

Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/bruckerea-theorem-prover-2012

© 2015 SAP SE. All Rights Reserved. Page 30 of 30