Application Security Services Provided by Pactera Cybersecurity Consulting 2016

Pactera Cybersecurity - Application Security Penetration Testing - Mobile, Web App, IoT


Page 1: Pactera Cybersecurity - Application Security Penetration Testing - Mobile, Web App, IoT

Application Security Services Provided by Pactera Cybersecurity Consulting

2016


© Pactera. SEC COE Confidential. All Rights Reserved.

Why Pactera Cybersecurity Consulting Services?


• Industry’s Top Security Professionals
• Security Software Partner
• Elite U.S. & Asia Based Teams
• BFSI, Govt., & Healthcare Regulatory Experience
• Extensive Privacy Experience
• Application Security Training Provider


Cybersecurity Services Capabilities


Cybersecurity Program Consulting
• Improving Threat Prevention, Detection, & Response Capability
• Establishing Governance – People, Process, and Technologies

Application Vulnerability / Penetration Testing
• Reducing Risk by Finding and Remediating Threats – by Top Security Consultants
• SecDevOps (Improving Security in DevOps)

Application Secure Coding Practice Training
• Reducing Vulnerabilities via Secure Coding Practice (CBT & Instructor-Led)

Third-party Supplier Security Risk Management
• Managing Security Risks Posed by Suppliers
• Use a Proven Assessment and Management Solution Based on ISO 27001


Why Perform Application Security Assessment?


Applications account for a large number of vulnerabilities

Most successful malicious attacks came through applications (mobile, web)

Know how secure third-party hosted (i.e. cloud) applications are

Most applications are assembled from third-party code components (i.e. frameworks, libraries).

• Developers only develop about 10% – 20% of the code

• Third-party code vulnerabilities may exist but have not been addressed

• Third-party code vulnerabilities may not yet have been patched


Application Security Testing


We cover:

• Mobile apps
• IoT apps
• Web Applications
• Thick-client Applications
• API (REST API, SOAP)

Our capabilities on application security testing:

• Blackbox and Whitebox security testing
• Front-end (mobile app, IoT, web app client, client apps)
• REST API supporting Micro Services
• Back-end Web Services (i.e. REST API, SOAP)
• Reverse Engineering on binaries (.exe, .java, DLL, traditional applications)


Application Secure Code Review Services


• Utilize industry leading automated code review software – HP Fortify
• Supplement with manual reviews to reduce false positives
• Provide “make sense” recommendations for remediation


Application Vulnerability / Penetration Testing


Blackbox or Whitebox testing (Mobile, IoT, Web Applications)

Combines automated tools and manual testing

• Industry leading automated open-source and commercial tools

• World class penetration testers – have performed hundreds of penetration tests

• Industry recognized penetration testing methodology

• Covers OWASP Top 10 Mobile and Web Application vulnerabilities and beyond

Reverse engineer applications (if in-scope) to uncover hidden security flaws

Identify business logic flaws that cannot be easily identified through automated testing


Vulnerability / Penetration Testing Methodology


Information Gathering

• Review Application

• Review REST API

• Get Configuration Info

• Gather Architecture Info

Threat Modeling

• Identify attack surface

• Identify methods of attacks

Security Test Planning

• Design an attack plan

• Select tools to utilize for the assessment

Vulnerability Assessment

• Automated assessment

• Manual assessment

• Custom test scripts

Exploitation

• Manually exploit the identified vulnerabilities

Reporting

• Summary

• Findings

• Recommendations

Re-testing

• Validate remediation of vulnerabilities

• Re-test after new changes


Mobile / IoT Vulnerability / Penetration Testing Overview


Diagram: Mobile App (Android, iOS) → REST API (Communication, Data Access) → Back-end Server

Mobile App:
• Automated Testing
• Manual Testing
• Secure Code Review via Fortify SCA
• Test against OWASP Mobile Top 10:
1. Improper Platform Usage
2. Insecure Data Storage
3. Insecure Communication
4. Insecure Authentication
5. Insufficient Cryptography
6. Insecure Authorization
7. Client Code Quality
8. Code Tampering
9. Reverse Engineering
10. Extraneous Functionality

REST API, Web Application:
• Automated Testing
• Manual Testing
• Test against OWASP Web App Top 10:
1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards

Mobile & Web Tools:
• Commercial and Open Source Tools
• HP Fortify Secure Code Analyzer (SCA)
• Acunetix
• Kali Linux
• Rapid 7 - NeXpose & Metasploit
• Burp Suite Pro
• SoapUI
• ApkAnalyser
• BEEF
• Mobile Emulator
• Geo-Location Emulation
• Custom Developed Tools and Scripts


Mobile Application Security Tools (Android)


Source: OWASP


Mobile Application Security Tools (iOS)


Source: OWASP


Mobile Application Security – Code Components Analysis

Analyze the mobile application to ensure that any security vulnerabilities or malicious content in its code components are detected through the following security testing:


Inspect the APK installation Process

• Detect suspicious activities during the installation process

Inspect the APK communication behavior

• Detect suspicious communication behaviors between mobile app and back-end server

Inspect the code through Secure Code Review Process

• Detect any code components with known malware

• Remove vulnerabilities


Mobile / IoT Secure Code Analysis

We utilize the HP Fortify Secure Code Analyzer (SCA) tool to scan for mobile code vulnerabilities, including but not limited to the following:


• Access Control: Android Provider
• Access Control: Database
• Android Bad Practices: Missing Broadcaster Permission
• Android Bad Practices: Missing Receiver Permission
• Android Bad Practices: Sticky Broadcast
• Cross Site Scripting: Persistent
• Cross Site Scripting: Poor Validation
• Cross Site Scripting: Reflected
• Header Manipulation: Cookies
• Insecure Storage: Android External Storage
• Log Forging
• Path Manipulation
• Privacy Violation
• Password Management
• Password Management: Empty Password
• Password Management: Hardcoded Password
• Password Management: Null Password
• Password Management: Weak Cryptography
• Privilege Management: Android Location
• Privilege Management: Android Messaging
• Privilege Management: Android Telephony
• Privilege Management: Missing API Permission
• Privilege Management: Missing Intent Permission
• Query String Injection: Android Provider
• Resource Injection
• SQL Injection
• System Information Leak


Web Application Vulnerability / Penetration Testing Overview


Diagram: Internet User (Web Client) → REST API (Communication, Data Access) → Back-end Server

Client Side (Web Browser):
• Automated Testing
• Manual Testing
• Review client side scripts / code
• Client Side Script Testing
• DOM based Cross Site Scripting
• Authentication
• Authorization
• Local Storage
• Client Side URL Redirect
• Web Messaging
• Clickjacking
• HTML Injection

REST API, Web Application:
• Automated Testing
• Manual Testing
• Network & Architecture Config Review
• Test against OWASP Web App Top 10:
1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards

Security Testing Tools:
• Commercial and Open Source Tools
• HP Fortify Secure Code Analyzer (SCA)
• Acunetix
• Kali Linux
• Rapid 7 – Nexpose
• Rapid 7 – Metasploit
• Burp Suite Pro
• SoapUI
• BEEF
• Geo-Location Emulation
• Custom Developed Tools and Scripts


Web Application Secure Code Analysis

We utilize the HP Fortify Secure Code Analyzer (SCA) tool to scan for web application code vulnerabilities; our review covers, but is not limited to, the following:


• Map the Application’s Content
• Analyze the Application
• Test Client-side Controls
• Test Application Logic
• Test the Authentication Mechanism
• Test the Session Management Mechanism
• Test Access Controls
• Test for Input-based Vulnerabilities
• Test for Function-specific Vulnerabilities
• Test for Logic Flaws
• Test for Shared Hosting Vulnerabilities
• Test for Web Server Vulnerabilities
• Miscellaneous Checks


Our Experience


• For major financial institutions:
– Performed third-party security assessments, helped suppliers to enhance security and reduce client third-party risk exposure
– Performed application security assessments, provided recommendations for remediation to enhance protection
– Conducted security vulnerability assessments
– Participated in Cybersecurity Incident Response and root cause analysis

• For a Fortune 50 software firm:
– Perform information security consulting
– Application vulnerability assessment and management, regulatory compliance
– Ensuring Security Compliance for over 2000 applications

• For a major international airline:
– Perform application vulnerability assessments
– Conduct mobile application penetration testing
– Ensure security weaknesses are identified and remediated
– Prevent leak of sensitive information

• For a major member loyalty program management firm:
– Perform Data Privacy Governance and ISO 27001 Certification program development
– Conduct security assessment, penetration testing / vulnerability assessment
– Help the client to attain ISO 27001 certification


Cybersecurity Team Member Profiles


Kyle has more than 21 years’ experience in providing a combination of security and privacy services to Fortune 500 and other large organizations. Prior to joining Pactera, Kyle served as senior cybersecurity consultant for such esteemed organizations as Microsoft, ExxonMobil, Boeing, Akamai, Fidelity Investments, PricewaterhouseCoopers and HP. He also served as security operations manager for the U.S. Defense Information Systems Agency (DISA) and as interim Chief Information Security Officer (CISO) for Brandeis University’s Heller School. In addition, Kyle is the author of the well-known network security and privacy tool ‘SMAC’, with over 2.5 million users worldwide.

Kyle’s expertise includes vulnerability assessment and program management, data privacy, security tools development, third-party supplier risk assessment and management, penetration testing, web application, thick client application, API, SOAP, security architecture design and implementation, eGRC, and security advisory.

Kyle holds security and privacy certifications including Certified Information Systems Security Professional (CISSP), Certified Information Privacy Professional for U.S. and Government (CIPP/US, CIPP/G), Certified Secure Software Lifecycle Professional (CSSLP), Certified Information Systems Auditor (CISA), and is certified as an ISO 27001 Lead Auditor.

Kyle is based in the U.S.

Kyle Lai, Head of Security Services

CISSP, CSSLP, CIPP/US, CIPP/G, CISA, ISO 27001 Lead Auditor

William is one of the world’s top penetration testers and vulnerability assessors with over 20 years of professional experience. He has conducted numerous penetration tests against large organizations including U.S. Government Agencies, the Department of Defense (DoD), and Fortune 500 firms in the financial, healthcare, oil and energy, and high tech industries. William’s expertise includes cybersecurity offense and defense strategy and tactics in networking, web application, thick client application, API, SOAP, threat analysis, exploit development, penetration testing, security tools development, phishing testing, security architecture design and implementation, security lab building, cybersecurity attack simulation and security advisory. He also conducts social engineering and physical security assessments, which include identifying physical security weaknesses.

William is the author of the Filibuster Network Exfiltration Security Testing tool, which tests the effectiveness of firewall rules. He debuted this tool at the Black Hat Security Conference in 2014. He has also trained hundreds of security engineers for DoD and large firms on attacking and protecting networks and applications. He holds security certifications including Offensive Security Certified Expert (OSCE), Offensive Security Certified Professional (OSCP), Offensive Security Wireless Professional (OSWP), SANS GIAC Certified Penetration Tester (GPEN), and is a licensed private investigator.

William is based in the U.S.

William Coppola, Senior Security Consultant

OSCE, OSCP, OSWP, GIAC GPEN, Private Investigator


Cybersecurity Team Member Profiles


Tom has more than 20 years of technical and cybersecurity experience in providing a combination of security, regulatory compliance (HIPAA, PCI) and privacy services to Fortune 500 and other large organizations. Prior to Pactera, Tom held senior management and principal security architect roles within several consulting and corporate institutions, across the financial, government, retail and technology verticals. He has designed and overseen the implementation of many large scale security initiatives such as incident response, network security, security architecture design and implementation, regulatory compliance, vulnerability assessment, PII data privacy eDiscovery and assessments (Massachusetts 201 CMR 17, FTC consumer data oversight and PCI e-discovery), Secure SDL and security assessments.

Tom is a published author, contributing to a popular security architecture book published by RSA Press and to the complete guide to firewalls published by Osborne McGraw-Hill. Tom holds security certifications including Certified Information Systems Security Professional (CISSP).

Tom is based in the U.S.

Tom DeFelice, Principal Security Consultant

CISSP

Henry is an information security and technology executive with over 10 years’ experience, and possesses a robust history of professional service delivery. Prior to joining Pactera, Henry held the position of Security Team Lead for offensive security and Senior Managing Consultant roles with Japanese-owned consulting firms. He has delivered various projects across the financial, government, telecommunications, retail, logistics and transportation industries, including security risk assessment, penetration testing, privacy impact assessment, compliance audit, IT governance, managed security services, system hardening and security solution implementation. Henry is also an experienced trainer in delivering security trainings (including in-house tailor-made security awareness trainings) for general staff, IT professionals, and CISA-focused classroom instruction. He holds a Bachelor’s degree in Information Technology and is certified as CISSP, CISA, CEH, CCSK, PCI QSA (PCI SSC), PCIP (PCI SSC), CPM, ISO 31000 Lead Trainer, ISO 20000 Auditor, ISO 27001 Lead Auditor, ITIL, MCSA and CCNA.

Henry is based in Hong Kong.

Henry Hon, Principal Security Consultant

CISSP, CISA, CEH, CCSK, PCIP, ISO 20000 Auditor, ISO 27001 Lead Auditor


Cybersecurity Team Member Profiles


Johnson has more than 5 years of experience in information security consultancy. Prior to joining Pactera, Johnson served as a security consultant within several consulting institutions, delivering professional services for clients across Asia-Pac in various industry sectors including banking, insurance, telecom, retail, e-commerce, hospitality and charity.

Johnson’s expertise includes application, network, and system vulnerability assessment, security and regulatory compliance audit, penetration testing, IT governance and security advisory. He holds a Master’s degree in Telecommunications, a Bachelor’s degree in Electronic & Communications Engineering, as well as industry certifications including CISM, CEH, ECSA, MCP, SCSA and CCNA.

Johnson is based in Hong Kong.

Johnson Zhang, Senior Security Consultant

CISM, CEH, ECSA

Josh is a recognized cybersecurity expert with over 17 years of hands-on experience, covering all vertical markets from financial, federal government, state government, aerospace, defense, and public sectors, performing red-team penetration testing, network and application vulnerability assessment, ethical hacking, threat intelligence, covert entry, RFID and wireless security assessment, phishing assessment, and cloud security review. For a Fortune 10 financial institution, Bank of America, Josh created an insider threat program, ran external penetration testing exercises, led security incident response and analysis, and coordinated with law enforcement.

Josh has served major BFSI and technology clients in the U.S., the ASEAN region, and Australia, including Bank of America, Commonwealth Bank of Australia, and Bank of Japan. He is also the author of a distributed phishing framework that is frequently utilized in global enterprises. Josh is a frequent speaker at international cybersecurity conferences such as Black Hat, DEF CON, BSides, DerbyCon, Ruxcon, NOLACon, and InfraGard. He is certified as CEH, OPST, OPSA, and OSSTMM Trainer.

Josh is based in the U.S.

Joshua Perrymon, Senior Security Consultant

CEH, OPST, OPSA, OSSTMM Trainer


Thank You

Contact: Kyle Lai, CISSP, CSSLP, CISA, CIPP/US/G, CISO, Head of Cybersecurity, [email protected], @KyleOnCyber

www.pactera.com

Pactera Cybersecurity Services