How to scale mobile application security testing

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.

How to ScaleMobile Application Security Testing


Connect with NowSecure

Connect with us on Twitter @NowSecureMobile / #SecureTalks

—

Learn more at https://nowsecure.com

Katie StrzempkaServices


● Author of IPhone and iOS Forensics

● Masters in Cyber Forensics and Bachelors of Science in Computer Technology from Purdue University

● @kstrzemp


Contents

● 2016 NowSecure Mobile Security Report

● The Challenges Teams Face

● How You Can Scale


2016 NowSecure Mobile Security Report

Released last week


400K APPSWe tested


25% of Android apps have at least one high risk security or privacy flaw


Percentage of Android Apps with Security Issues

Sensitive Data Leak Issues

Network Issues

File System Issues


Business apps:

High risk issues exist within each app category

3xmore likely to leak login credentials

more likely to leak login credentials or email address

4x1.5xmore likely to include a high risk vulnerability

Gaming apps: Social apps:


82% of devices tested by the Vulnerability Test Suite for Android had at least one of 25 vulnerabilities


The ChallengesTeams face a variety of challenges with security in the SDLC


Teams are overwhelmed with security testing

100+Many enterprises have more than 100

unique, internal apps


Source code analysis has too many false positives

● Testing reports more false positives instead of identifying actual issues

● Static only

● Misses key tests such as insecure data storage or authentication issues


Teams lack a process for mobile

● App testing is repetitive and takes time to manually set up testing environments

● Inconsistent methods and results across team members

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information..

Teams are finding vulnerabilities too late in the SDLC

The back-and-forth between developers and analysts wastes time and money


The longer you wait, the more it costs

Requirements / Architecture

Coding Integration /Component

Testing

System /Acceptance

Testing

Production / Post-Release

Source: National Institute of Standards and Technology

The cost for fixing vulnerabilities is

30x higher after an application has been deployed


How to ScaleYou can save time, money, and effort


What needs to be a part of the process for mobile?

● Structure a team that can integrate testing to be efficient

● Emphasize process and similar tools across teams

● Automation (both static and dynamic)

● Test early in the SDLC, with remediation recommendations built in


Lab WorkstationAnalyst-driven mobile app security testing kit


Lab AutomatedAutomated app analysis with continuous integration

● Heading to RSA Conference? Stop by our booth # 3235 for a live demo.

● Set up a demo. Contact us at www.nowsecure.com/contact.


Questions?

[email protected]+1 312.878.1100

@kstrzemp