SlideShare a Scribd company logo

Pactera - App Security Assessment - Mobile, Web App, IoT - v2

Kyle Lai, profile picture
Kyle Lai

This document provides an overview of application security services offered by Pactera Cybersecurity Consulting. It discusses why clients choose Pactera, the types of cybersecurity capabilities offered including application vulnerability testing, secure coding training, and third-party risk management. It then goes into more detail about application security testing methodologies and tools used for mobile, web, and API security assessments. Profiles of some of Pactera's cybersecurity experts are also included.

1 of 20
Downloaded 31 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Application Security Services Provided by Pactera Cybersecurity Consulting 2016
©Pactera.SECCOEConfidential.AllRightsReserved. 2 Why Pactera Cybersecurity Consulting Services? Why Pactera Cybersecurity Services? Industry’s Top Security Professionals Security Software Partner Elite U.S & Asia Based Teams BFSI, Govt., & Healthcare Regulatory Experience Extensive Privacy Experience Application Security Training Provider
Cybersecurity Services Capabilities ©Pactera.SECCOEConfidential.AllRightsReserved. 3 • Improving Threat Prevention, Detection, & Response Capability • Establishing Governance – People, Process, and Technologies Cybersecurity Program Consulting • Reducing Risk by Finding and Remediating Threats – by Top Security Consultants • SecDevOps (Improving Security in DevOps) Application Vulnerability / Penetration Testing • Reducing Vulnerabilities via Secure Coding Practice (CBT & Instructor Lead) Application Secure Coding Practice Training • Managing Security Risks Posed by Suppliers • Use a Proven Assessment and Management Solution Based on ISO 27001 Third-party Supplier Security Risk Management
Why Perform Application Security Assessment? ©Pactera.SECCOEConfidential.AllRightsReserved. 4 Applications leads a number of vulnerabilities Most successful malicious attacks came through applications (mobile, web) Know how secure third-party hosted (i.e. cloud) applications Most applications assembled with third-party code components (i.e. framework, libraries). • Developers only develop about 10% – 20% of the code • Third-party code vulnerabilities may exist but not been addressed • Third-party code vulnerabilities may not yet been patched
Application Security Testing ©Pactera.SECCOEConfidential.AllRightsReserved. 5  We cover:  Mobile apps  IoT apps  Web Applications  Thick-client Applications  API (REST API, SOAP)  Our capabilities on application security testing:  Blackbox and Whitebox security testing  Front-end (mobile app, IoT, web app client, client apps)  REST API supporting Micro Services  Back-end Web Services (i.e. REST API, Soap)  Reverse Engineering on binaries (.exe, .java, DLL, traditional applications)
Application Secure Code Review Services ©Pactera.SECCOEConfidential.AllRightsReserved. 6 Utilize industry leading automated code review software – HP Fortify Supplement with manual reviews to reduce false positives Provide “make sense” recommendation for remediation
Application Vulnerability / Penetration Testing ©Pactera.SECCOEConfidential.AllRightsReserved. 7 Blackbox or Whitebox testing (Mobile, IoT, Web Applications) Combines automated tools and manual testing • Industry leading automated open-source and commercial tools • World class penetration testers – have performed hundreds of penetration tests • Industry recognized penetration testing methodology • Covers OWASP Top 10 Mobile and Web Application vulnerabilities and beyond Reverse engineer applications (if in-scope) to uncover hidden security flaws Identify business logic flaws that cannot be easily identified through automated testing
Vulnerability / Penetration Testing Methodology ©Pactera.Confidential.AllRightsReserved. 8 Information Gathering •Review Application •Review REST API •Get Configuration Info •Gather Architecture Info Threat Modeling •Identify attack surface •Identify methods of attacks Security Test Planning •Design an attack plan •Select tools to utilize for the assessment Vulnerability Assessment •Automated assessment •Manual assessment •Custom test scripts Exploitation •Manual exploit the identified vulnerabilities Reporting •Summary •Findings •Recommendations Re-testing •Validate remediation of vulnerabilities •Re-test after new changes
Mobile / IoT Vulnerability / Penetration Testing Overview ©Pactera.Confidential.AllRightsReserved. 9 Mobile App (Android, iOS) Back-end Server REST API Communication Data Access Mobile App: • Automated Testing • Manual Testing • Secure Code Review via Fortify SCA • Test against OWASP Mobile Top 10: 1. Improper Platform Usage 2. Insecure Data Storage 3. Insecure Communication 4. Insecure Authentication 5. Insufficient Cryptography 6. Insecure Authorization 7. Client Code Quality 8. Code Tampering 9. Reverse Engineering 10. Extraneous Functionality REST API, Web Application: • Automated Testing • Manual Testing • Test against OWASP Web App Top 10 1. Injection 2. Broken Authentication and Session Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Function Level Access Control 8. Cross-Site Request Forgery (CSRF) 9. Using Components with Known Vulnerabilities 10. Unvalidated Redirects and Forwards Mobile & Web Tools: • Commercial and Open Source Tools • HP Fortify Secure Code Analyzer (SCA) • Acunetix • Kali Linux • Rapid 7 - NeXpose & Metasploit • Burp Suite Pro • SoapUI • ApkAnalyser • BEEF • Mobile Emulator • Geo-Location Emulation • Custom Developed Tools and Scripts
Mobile Application Security Tools (Android) ©Pactera.Confidential.AllRightsReserved. 10 Source: OWASP
Mobile Application Security Tools (iOS) ©Pactera.Confidential.AllRightsReserved. 11 Source: OWASP
Mobile Application Security – Code Components Analysis Analyze Mobile Application to ensure any security vulnerabilities or malicious contents in the code components is detected through the following security testing: ©Pactera.Confidential.AllRightsReserved. 12 Inspect the APK installation Process • Detect suspicious activities during the installation process Inspect the APK communication behavior • Detect suspicious communication behaviors between mobile app and back-end server Inspect the code through Secure Code Review Process • Detect any code components with known malware • Remove vulnerabilities
Mobile / IoT Secure Code Analysis We utilize HP Fortify Secure Code Analyzer (SCA) tool to scan for mobile code vulnerabilities – Including but not limited to the following: ©Pactera.Confidential.AllRightsReserved. 13 Access Control: Android Provider Access Control: Database Android Bad Practices: Missing Broadcaster Permission Android Bad Practices: Missing Receiver Permission Android Bad Practices: Sticky Broadcast Cross Site Scripting: Persistent Cross Site Scripting: Poor Validation Cross Site Scripting: Reflected Header Manipulation: Cookies Insecure Storage: Android External Storage Log Forging Path Manipulation Privacy Violation Password Management Password Management: Empty Password Password Management: Hardcoded Password Password Management: Null Password Password Management: Weak Cryptography Privilege Management: Android Location Privilege Management: Android Messaging Privilege Management: Android Telephony Privilege Management: Missing API Permission Privilege Management: Missing Intent Permission Query String Injection: Android Provider Resource Injection SQL Injection System Information Leak
Web Application Vulnerability / Penetration Testing Overview ©Pactera.Confidential.AllRightsReserved. 14 Internet User (Web Client) Back-end Server REST API Communication Data Access Client Side (Web Browser): • Automated Testing • Manual Testing • Review client side scripts / code • Client Side Script Testing • DOM based Cross Site Scripting • Authentication • Authorization • Local Storage • Client Side URL Redirect • Web Messaging • Clickjacking • HTML Injection REST API, Web Application: • Automated Testing • Manual Testing • Network & Architecture Config Review • Test against OWASP Web App Top 10 1. Injection 2. Broken Authentication and Session Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Function Level Access Control 8. Cross-Site Request Forgery (CSRF) 9. Using Components with Known Vulnerabilities 10. Unvalidated Redirects and Forwards Security Testing Tools: • Commercial and Open Source Tools • HP Fortify Secure Code Analyzer (SCA) • Acunetix • Kali Linux • Rapid 7 – Nexpose • Rapid 7 – Metasploit • Burp Suite Pro • SoapUI • BEEF • Geo-Location Emulation • Custom Developed Tools and Scripts
Web Application Secure Code Analysis We utilize HP Fortify Secure Code Analyzer (SCA) tool to scan for mobile code vulnerabilities – Including but not limited to the following: ©Pactera.Confidential.AllRightsReserved. 15 Map the Application’s Content Analyze the Application Test Client-side Controls Test Application Logic Test the Authentication Mechanism Test the Session Management Mechanism Test Access Controls Test for Input-based Vulnerabilities Test for Function-specific Vulnerabilities Test for Logic Flaws Test for Shared Hosting Vulnerabilities Test for Web Server Vulnerabilities Miscellaneous Checks
Our Experience ©Pactera.SECCOEConfidential.AllRightsReserved. 16 • For major financial institutions - – Performed third-party security assessments, helped suppliers to enhance security and reduce client third-party risk exposure – Performed application security assessments, provided recommendations for remediation to enhance protection – Conducted security vulnerability assessments – Participated in Cybersecurity Incident Response and root cause analysis • For a Fortune 50 software firm - – Perform information security consulting – Application vulnerability assessment and management, regulatory compliance – Ensuring Security Compliance for over 2000 applications • For a major international airline - – Perform application vulnerability assessments – Conduct mobile application penetration testing • Ensure security weaknesses are identified and remediated • Prevent leak of sensitive information • For a major member loyalty program management firm – – Perform Data Privacy Governance and ISO 27001 Certification program development – Conduct security assessment, penetration testing / vulnerability assessment – Help the client to attain ISO 27001 certification
Cybersecurity Team Member Profiles ©Pactera.SECCOEConfidential.AllRightsReserved. 17 Kyle has more than 21 years experience in providing a combination of security and privacy services to Fortune 500 and other large organizations. Prior to joining Pactera, Kyle served as senior cybersecurity consultant for such esteemed organizations as Microsoft, ExxonMobil, Boeing, Akamai, Fidelity Investments, PriceWaterhouseCoopers and HP. He also served as security operations manager for the U.S. Defense Information Systems Agency (DISA) and as interim Chief Information Security Officer (CISO) for Brandeis University’s Heller School. In addition, Kyle is the author of the well-known network security and privacy tool known as ‘SMAC’ with over 2.5 million users worldwide. Kyle’s expertise includes vulnerability assessment and program management, data privacy, security tools development, third-party supplier risk assessment and management, penetration testing, web application, thick client application, API, SOAP, security architecture design and implementation, eGRC, and security advisory. Kyle possesses security and privacy certifications including Certified Information Systems Security Professional (CISSP), Certified Information Privacy Professional for U.S. and Government (CIPP/US, CIPP/G), Certified Secure Software Lifecycle Professional (CSSLP), Certified Information Systems Auditor (CISA), and is certified as a ISO 27001 Lead Auditor. Kyle is based in U.S. Kyle Lai Head of Security Services CISSP, CSSLP, CIPP/US, CIPP/G, CISA, ISO 27001 Lead Auditor William is one of the world’s top penetration testers and vulnerability assessors with over 20 years of professional experience. He has conducted numerous penetration tests against large organizations including U.S. Government Agencies, Department of Defense (DoD), Fortune 500 firms in financial, healthcare, oil and energy, high tech industries. William’s expertise includes cybersecurity offense and defense strategy and tactics in networking, web application, thick client application, API, SOAP, threat analysis, exploit development, penetration testing, security tools development, phishing testing, security architecture design and implementation, security lab building, cybersecurity attack simulation and security advisory. He also conducts social engineering and physical security assessment which includes identifying physical security weaknesses. William is the author of Filibuster Network Exfiltration Security Testing tool – try to test the firewall rule effectiveness. He debuted this tool at the Blackhat Security Conference in 2014. He has also trained hundreds of security engineers for DoD and large firms on attacking and protecting network and applications. He possessed security certifications including Offensive Security Certified Engineer (OSCE), Offensive Security Certified Professional (OSCP), Offensive Security Wireless Professional (OSWP), SANS GIAC Certified Penetration tester (GPEN), and a licensed private investigator. William is based in U.S. William Coppola Senior Security Consultant OSCE, OSCP, OSWP, GIAC GPEN Private Investigator
Cybersecurity Team Member Profiles ©Pactera.SECCOEConfidential.AllRightsReserved. 18 Tom has more than 20 years of experience technical and cybersecurity experience in providing a combination of security, regulatory compliance (HIPAA, PCI) and privacy services to Fortune 500 and other large organizations. Prior to Pactera, Tom held senior management and principal security architect roles within several consulting and corporate institutions, across financial, government, retail and technology verticals. He has designed and overseen the implementation of many large scale security initiatives such as incident response, network security, security architecture design and implementation, regulatory compliance, vulnerability assessment, PII data privacy eDiscovery and assessments (Mass CMR 201 17, FTC consumer data oversight and PCI e-discovery), Secure SDL and security assessments. Tom is a published author contributing to a popular security architecture book published by RSA press and the complete guide to firewalls published by Osborne McGraw-Hill. Tom possessed security certifications including Certified Information Systems Security Professional (CISSP). Tom based in U.S. Tom DeFelice Principal Security Consultant CISSP Henry is an information security and technology executive with over 10 years’ experience, and possesses a robust history of professional service delivery. Prior to joining Pactera, Henry held the position of Security Team Lead for offensive security and Senior Managing Consultant roles with Japanese owned consulting firms. He has delivered various projects across financial, government, telecommunications, retail, logistics and transportation industries, including security risk assessment, penetration testing, privacy impact assessment, compliance audit, IT governance, managed security services, system hardening and security solution implementation. Henry is also an experienced trainer in delivering security trainings (including in-house tailor-made security awareness trainings) for general staff, IT professionals, and for CISA focused classroom instruction. He holds a Bachelor’s degree in Information Technology and is certified as CISSP, CISA, CEH, CCSK, PCI QSA (PCI SSC), PCIP (PCI SSC), CPM, ISO 31000 Lead Trainer, ISO 20000 Auditor, ISO 27001 Lead Auditor, ITIL, MCSA and CCNA. Henry is based in Hong Kong. Henry Hon Principal Security Consultant CISSP, CISA, CEH, CCSK, PCIP, ISO 20000 Auditor, ISO 27001 Lead Auditor
Cybersecurity Team Member Profiles ©Pactera.SECCOEConfidential.AllRightsReserved. 19 Johnson has more than 5 years of experience in information security consultancy. Prior to joining Pactera, Johnson served as a security consultant within several consulting institutions, delivering professional services for clients across Asia-Pac, in various industrial sectors including banking, insurance, telecom, retail, e-commerce, hospitality, charity, etc. Johnson’s expertise includes application, network, and system vulnerability assessment, security and regulatory compliance audit, penetration testing, IT governance and security advisory. He holds a Master’s degree in Telecommunications, a Bachelor’s degree in Electronic & Communications Engineering, as well as industry certifications including CISM, CEH, ECSA, MCP, SCSA and CCNA. Johnson is based in Hong Kong Johnson Zhang Senior Security Consultant CISM, CEH, ESCA Josh is one of the world’s recognized cybersecurity expert with over 17+ years hands-on experience, covering all vertical markets from financial, federal government, state government, aerospace, defense, and public sectors performing red-team penetration testing, network and application vulnerability assessment, ethical hacking, threat/Intel, and covert entry, RFID, wireless security assessment, phishing assessment, cloud security review. For a Fortune 10 financial institution, Bank of America, Josh has create an insider threat program, external penetration testing exercise, lead security incident response and analysis, and coordination with law enforcement. Josh has served major BFSI and technology clients in the U.S., ASEAN region, and Australia, including Bank of America, Commonwealth Bank of Australia, and Bank of Japan. He is also an author of a distributed phishing framework that is frequently utilized in global enterprises. Josh is also a frequent speaker at the international cybersecurity conferences such as BlackHat, Defcon, BSides, DerbyCon, RuxCon, NOLACon, and InfraGard. He is certified as CEH, OPST, OPSA, OSSTMM Trainer. Josh is based in U.S. Joshua Perrymon Senior Security Consultant CEH, OPST, OPSA, OSSTMM Trainer
Thank You Contact: Kyle Lai, CISSP, CSSLP, CISA, CIPP/US/G CISO, Head of Cybersecurity Services Kyle.Lai@Pactera.com @KyleOnCyber www.pactera.com Pactera Cybersecurity Services

More Related Content

PDF
we45 - Web Application Security Testing Case Study
we45
 
PPTX
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
Kevin Fealey
 
PDF
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
PPTX
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Salil Kumar Subramony
 
PDF
AppsSec In a DevOps World
Parasoft
 
PPTX
Web Application Security: Beyond PEN Testing
Robert Grupe, CSSLP CISSP PE PMP
 
PPSX
Agile AppSec DevOps
Robert Grupe, CSSLP CISSP PE PMP
 
PPTX
Application Security Logging with Splunk using Java
Robert Grupe, CSSLP CISSP PE PMP
 
we45 - Web Application Security Testing Case Study
we45
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
Kevin Fealey
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Salil Kumar Subramony
 
AppsSec In a DevOps World
Parasoft
 
Web Application Security: Beyond PEN Testing
Robert Grupe, CSSLP CISSP PE PMP
 
Agile AppSec DevOps
Robert Grupe, CSSLP CISSP PE PMP
 
Application Security Logging with Splunk using Java
Robert Grupe, CSSLP CISSP PE PMP
 

What's hot (20)

PDF
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
 
PPTX
Static Application Security Testing Strategies for Automation and Continuous ...
Kevin Fealey
 
PPTX
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Digital Defense Inc
 
PPTX
Managing Open Source in Application Security and Software Development Lifecycle
Black Duck by Synopsys
 
PDF
No Devops Without Continuous Testing
Parasoft
 
PPTX
Red7 SSDLC Introduction: Building Secure Web and Mobile Applications
Robert Grupe, CSSLP CISSP PE PMP
 
PPTX
DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations
iAppSecure Solutions
 
PDF
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...
Black Duck by Synopsys
 
PDF
Devops security-An Insight into Secure-SDLC
Suman Sourav
 
PPTX
Unit testing : what are you missing for security
Suman Sourav
 
PDF
[OPD 2019] Governance as a missing part of IT security architecture
OWASP
 
PDF
Veracode - Overview
Stephen Durrant
 
PPTX
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Jeff Williams
 
PPTX
Mobile security recipes for xamarin
Nicolas Milcoff
 
PDF
The Legend of Software Hollow: Defeating the Headless Horseman of Faulty Appl...
Parasoft
 
PPTX
Continuous and Visible Security Testing with BDD-Security
Stephen de Vries
 
PPTX
Shifting the conversation from active interception to proactive neutralization
Rogue Wave Software
 
PDF
Open Source Security for Newbies - Best Practices
Black Duck by Synopsys
 
PPTX
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
PPT
IBM Rational AppScan Product Overview
Ashish Patel
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
 
Static Application Security Testing Strategies for Automation and Continuous ...
Kevin Fealey
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Digital Defense Inc
 
Managing Open Source in Application Security and Software Development Lifecycle
Black Duck by Synopsys
 
No Devops Without Continuous Testing
Parasoft
 
Red7 SSDLC Introduction: Building Secure Web and Mobile Applications
Robert Grupe, CSSLP CISSP PE PMP
 
DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations
iAppSecure Solutions
 
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...
Black Duck by Synopsys
 
Devops security-An Insight into Secure-SDLC
Suman Sourav
 
Unit testing : what are you missing for security
Suman Sourav
 
[OPD 2019] Governance as a missing part of IT security architecture
OWASP
 
Veracode - Overview
Stephen Durrant
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Jeff Williams
 
Mobile security recipes for xamarin
Nicolas Milcoff
 
The Legend of Software Hollow: Defeating the Headless Horseman of Faulty Appl...
Parasoft
 
Continuous and Visible Security Testing with BDD-Security
Stephen de Vries
 
Shifting the conversation from active interception to proactive neutralization
Rogue Wave Software
 
Open Source Security for Newbies - Best Practices
Black Duck by Synopsys
 
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
IBM Rational AppScan Product Overview
Ashish Patel
 
Ad

Viewers also liked (15)

PPTX
Tixi segundo
dragoncito2
 
PDF
IS Risk Assessment example
Ramiro Cid
 
PPTX
Risk assessment presentation
mmagario
 
PPTX
Cloud Assessment - iPad App
Coe Marlabs
 
PPTX
The curious case of mobile app security.pptx
Ankit Giri
 
PDF
Mobile Application Security
cclark_isec
 
PPTX
Iso27001 Risk Assessment Approach
tschraider
 
PDF
TOGAF 9 - Security Architecture Ver1 0
Maganathin Veeraragaloo
 
PPTX
risk assessment
Said Al Jaafari
 
PPT
Risk Assessment Process NIST 800-30
timmcguinness
 
PDF
The importance of information security risk management
Michael Francis
 
PDF
ISO 27005 Risk Assessment
Smart Assessment
 
PDF
Risk assessment principles and guidelines
Haris Tahir
 
PDF
OHSAS Hazard identification & Risk assessment
TechnoSysCon
 
PPTX
Powerpoint Risk Assessment
Steve Bishop
 
Tixi segundo
dragoncito2
 
IS Risk Assessment example
Ramiro Cid
 
Risk assessment presentation
mmagario
 
Cloud Assessment - iPad App
Coe Marlabs
 
The curious case of mobile app security.pptx
Ankit Giri
 
Mobile Application Security
cclark_isec
 
Iso27001 Risk Assessment Approach
tschraider
 
TOGAF 9 - Security Architecture Ver1 0
Maganathin Veeraragaloo
 
risk assessment
Said Al Jaafari
 
Risk Assessment Process NIST 800-30
timmcguinness
 
The importance of information security risk management
Michael Francis
 
ISO 27005 Risk Assessment
Smart Assessment
 
Risk assessment principles and guidelines
Haris Tahir
 
OHSAS Hazard identification & Risk assessment
TechnoSysCon
 
Powerpoint Risk Assessment
Steve Bishop
 
Ad

Similar to Pactera - App Security Assessment - Mobile, Web App, IoT - v2 (20)

PPT
IBM AppScan - the total software security solution
hearme limited company
 
PPTX
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
Agile Testing Alliance
 
PDF
Datasheet app vulnerability_assess
Birodh Rijal
 
PPTX
Appmotives - Software Testing As Service
Kalyan Paluri
 
PPTX
apidays New York 2025 - Why an SDK is Needed to Protect APIs from Mobile Apps...
apidays
 
PDF
Owasp masvs spain 17
Luis A. Solís
 
PDF
Building an API Security Strategy
SmartBear
 
PPTX
Secure SDLC in mobile software development.
Mykhailo Antonishyn
 
PDF
Deliver Flawless Mobile Apps Faster with CI/CD & CT
Perfecto by Perforce
 
PDF
Enterprise QA and Application Testing Services
Cygnet Infotech
 
PPTX
Enterprise QA and Application Testing Services
Hemang Rindani
 
PDF
Bridging the Security Testing Gap in Your CI/CD Pipeline
DevOps.com
 
PDF
Create code confidence for better application security
Rogue Wave Software
 
DOC
Rayudu_Grandhi
Rayudu Grandhi
 
PPTX
Digital Product Security
SoftServe
 
PDF
How to Achieve Agile API Security
Apigee | Google Cloud
 
PDF
apidays LIVE Australia 2020 - Evaluating the usability of security APIs by Dr...
apidays
 
PDF
Cyber security series Application Security
Jim Kaplan CIA CFE
 
PPTX
Geekit_Testing_Services-3
Sally Mohamed
 
PDF
Attacking and Defending Mobile Applications
Jerod Brennen
 
IBM AppScan - the total software security solution
hearme limited company
 
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
Agile Testing Alliance
 
Datasheet app vulnerability_assess
Birodh Rijal
 
Appmotives - Software Testing As Service
Kalyan Paluri
 
apidays New York 2025 - Why an SDK is Needed to Protect APIs from Mobile Apps...
apidays
 
Owasp masvs spain 17
Luis A. Solís
 
Building an API Security Strategy
SmartBear
 
Secure SDLC in mobile software development.
Mykhailo Antonishyn
 
Deliver Flawless Mobile Apps Faster with CI/CD & CT
Perfecto by Perforce
 
Enterprise QA and Application Testing Services
Cygnet Infotech
 
Enterprise QA and Application Testing Services
Hemang Rindani
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
DevOps.com
 
Create code confidence for better application security
Rogue Wave Software
 
Rayudu_Grandhi
Rayudu Grandhi
 
Digital Product Security
SoftServe
 
How to Achieve Agile API Security
Apigee | Google Cloud
 
apidays LIVE Australia 2020 - Evaluating the usability of security APIs by Dr...
apidays
 
Cyber security series Application Security
Jim Kaplan CIA CFE
 
Geekit_Testing_Services-3
Sally Mohamed
 
Attacking and Defending Mobile Applications
Jerod Brennen
 

More from Kyle Lai (7)

PDF
Isaca app sec presentation - v3
Kyle Lai
 
PDF
ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2
Kyle Lai
 
PDF
Whitepaper - Cybersecurity Threats for Treasure and Payment Mgmt Systems
Kyle Lai
 
PDF
Pactera - Cloud, Application, Cyber Security Trend 2016
Kyle Lai
 
PDF
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Kyle Lai
 
PDF
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04
Kyle Lai
 
PDF
CyberSecurity - UH IEEE Presentation 2015-04
Kyle Lai
 
Isaca app sec presentation - v3
Kyle Lai
 
ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2
Kyle Lai
 
Whitepaper - Cybersecurity Threats for Treasure and Payment Mgmt Systems
Kyle Lai
 
Pactera - Cloud, Application, Cyber Security Trend 2016
Kyle Lai
 
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Kyle Lai
 
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04
Kyle Lai
 
CyberSecurity - UH IEEE Presentation 2015-04
Kyle Lai
 

Pactera - App Security Assessment - Mobile, Web App, IoT - v2

  • 1. Application Security Services Provided by Pactera Cybersecurity Consulting 2016
  • 2. ©Pactera.SECCOEConfidential.AllRightsReserved. 2 Why Pactera Cybersecurity Consulting Services? Why Pactera Cybersecurity Services? Industry’s Top Security Professionals Security Software Partner Elite U.S & Asia Based Teams BFSI, Govt., & Healthcare Regulatory Experience Extensive Privacy Experience Application Security Training Provider
  • 3. Cybersecurity Services Capabilities ©Pactera.SECCOEConfidential.AllRightsReserved. 3 • Improving Threat Prevention, Detection, & Response Capability • Establishing Governance – People, Process, and Technologies Cybersecurity Program Consulting • Reducing Risk by Finding and Remediating Threats – by Top Security Consultants • SecDevOps (Improving Security in DevOps) Application Vulnerability / Penetration Testing • Reducing Vulnerabilities via Secure Coding Practice (CBT & Instructor Lead) Application Secure Coding Practice Training • Managing Security Risks Posed by Suppliers • Use a Proven Assessment and Management Solution Based on ISO 27001 Third-party Supplier Security Risk Management
  • 4. Why Perform Application Security Assessment? ©Pactera.SECCOEConfidential.AllRightsReserved. 4 Applications leads a number of vulnerabilities Most successful malicious attacks came through applications (mobile, web) Know how secure third-party hosted (i.e. cloud) applications Most applications assembled with third-party code components (i.e. framework, libraries). • Developers only develop about 10% – 20% of the code • Third-party code vulnerabilities may exist but not been addressed • Third-party code vulnerabilities may not yet been patched
  • 5. Application Security Testing ©Pactera.SECCOEConfidential.AllRightsReserved. 5  We cover:  Mobile apps  IoT apps  Web Applications  Thick-client Applications  API (REST API, SOAP)  Our capabilities on application security testing:  Blackbox and Whitebox security testing  Front-end (mobile app, IoT, web app client, client apps)  REST API supporting Micro Services  Back-end Web Services (i.e. REST API, Soap)  Reverse Engineering on binaries (.exe, .java, DLL, traditional applications)
  • 6. Application Secure Code Review Services ©Pactera.SECCOEConfidential.AllRightsReserved. 6 Utilize industry leading automated code review software – HP Fortify Supplement with manual reviews to reduce false positives Provide “make sense” recommendation for remediation
  • 7. Application Vulnerability / Penetration Testing ©Pactera.SECCOEConfidential.AllRightsReserved. 7 Blackbox or Whitebox testing (Mobile, IoT, Web Applications) Combines automated tools and manual testing • Industry leading automated open-source and commercial tools • World class penetration testers – have performed hundreds of penetration tests • Industry recognized penetration testing methodology • Covers OWASP Top 10 Mobile and Web Application vulnerabilities and beyond Reverse engineer applications (if in-scope) to uncover hidden security flaws Identify business logic flaws that cannot be easily identified through automated testing
  • 8. Vulnerability / Penetration Testing Methodology ©Pactera.Confidential.AllRightsReserved. 8 Information Gathering •Review Application •Review REST API •Get Configuration Info •Gather Architecture Info Threat Modeling •Identify attack surface •Identify methods of attacks Security Test Planning •Design an attack plan •Select tools to utilize for the assessment Vulnerability Assessment •Automated assessment •Manual assessment •Custom test scripts Exploitation •Manual exploit the identified vulnerabilities Reporting •Summary •Findings •Recommendations Re-testing •Validate remediation of vulnerabilities •Re-test after new changes
  • 9. Mobile / IoT Vulnerability / Penetration Testing Overview ©Pactera.Confidential.AllRightsReserved. 9 Mobile App (Android, iOS) Back-end Server REST API Communication Data Access Mobile App: • Automated Testing • Manual Testing • Secure Code Review via Fortify SCA • Test against OWASP Mobile Top 10: 1. Improper Platform Usage 2. Insecure Data Storage 3. Insecure Communication 4. Insecure Authentication 5. Insufficient Cryptography 6. Insecure Authorization 7. Client Code Quality 8. Code Tampering 9. Reverse Engineering 10. Extraneous Functionality REST API, Web Application: • Automated Testing • Manual Testing • Test against OWASP Web App Top 10 1. Injection 2. Broken Authentication and Session Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Function Level Access Control 8. Cross-Site Request Forgery (CSRF) 9. Using Components with Known Vulnerabilities 10. Unvalidated Redirects and Forwards Mobile & Web Tools: • Commercial and Open Source Tools • HP Fortify Secure Code Analyzer (SCA) • Acunetix • Kali Linux • Rapid 7 - NeXpose & Metasploit • Burp Suite Pro • SoapUI • ApkAnalyser • BEEF • Mobile Emulator • Geo-Location Emulation • Custom Developed Tools and Scripts
  • 10. Mobile Application Security Tools (Android) ©Pactera.Confidential.AllRightsReserved. 10 Source: OWASP
  • 11. Mobile Application Security Tools (iOS) ©Pactera.Confidential.AllRightsReserved. 11 Source: OWASP
  • 12. Mobile Application Security – Code Components Analysis Analyze Mobile Application to ensure any security vulnerabilities or malicious contents in the code components is detected through the following security testing: ©Pactera.Confidential.AllRightsReserved. 12 Inspect the APK installation Process • Detect suspicious activities during the installation process Inspect the APK communication behavior • Detect suspicious communication behaviors between mobile app and back-end server Inspect the code through Secure Code Review Process • Detect any code components with known malware • Remove vulnerabilities
  • 13. Mobile / IoT Secure Code Analysis We utilize HP Fortify Secure Code Analyzer (SCA) tool to scan for mobile code vulnerabilities – Including but not limited to the following: ©Pactera.Confidential.AllRightsReserved. 13 Access Control: Android Provider Access Control: Database Android Bad Practices: Missing Broadcaster Permission Android Bad Practices: Missing Receiver Permission Android Bad Practices: Sticky Broadcast Cross Site Scripting: Persistent Cross Site Scripting: Poor Validation Cross Site Scripting: Reflected Header Manipulation: Cookies Insecure Storage: Android External Storage Log Forging Path Manipulation Privacy Violation Password Management Password Management: Empty Password Password Management: Hardcoded Password Password Management: Null Password Password Management: Weak Cryptography Privilege Management: Android Location Privilege Management: Android Messaging Privilege Management: Android Telephony Privilege Management: Missing API Permission Privilege Management: Missing Intent Permission Query String Injection: Android Provider Resource Injection SQL Injection System Information Leak
  • 14. Web Application Vulnerability / Penetration Testing Overview ©Pactera.Confidential.AllRightsReserved. 14 Internet User (Web Client) Back-end Server REST API Communication Data Access Client Side (Web Browser): • Automated Testing • Manual Testing • Review client side scripts / code • Client Side Script Testing • DOM based Cross Site Scripting • Authentication • Authorization • Local Storage • Client Side URL Redirect • Web Messaging • Clickjacking • HTML Injection REST API, Web Application: • Automated Testing • Manual Testing • Network & Architecture Config Review • Test against OWASP Web App Top 10 1. Injection 2. Broken Authentication and Session Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Function Level Access Control 8. Cross-Site Request Forgery (CSRF) 9. Using Components with Known Vulnerabilities 10. Unvalidated Redirects and Forwards Security Testing Tools: • Commercial and Open Source Tools • HP Fortify Secure Code Analyzer (SCA) • Acunetix • Kali Linux • Rapid 7 – Nexpose • Rapid 7 – Metasploit • Burp Suite Pro • SoapUI • BEEF • Geo-Location Emulation • Custom Developed Tools and Scripts
  • 15. Web Application Secure Code Analysis We utilize HP Fortify Secure Code Analyzer (SCA) tool to scan for mobile code vulnerabilities – Including but not limited to the following: ©Pactera.Confidential.AllRightsReserved. 15 Map the Application’s Content Analyze the Application Test Client-side Controls Test Application Logic Test the Authentication Mechanism Test the Session Management Mechanism Test Access Controls Test for Input-based Vulnerabilities Test for Function-specific Vulnerabilities Test for Logic Flaws Test for Shared Hosting Vulnerabilities Test for Web Server Vulnerabilities Miscellaneous Checks
  • 16. Our Experience ©Pactera.SECCOEConfidential.AllRightsReserved. 16 • For major financial institutions - – Performed third-party security assessments, helped suppliers to enhance security and reduce client third-party risk exposure – Performed application security assessments, provided recommendations for remediation to enhance protection – Conducted security vulnerability assessments – Participated in Cybersecurity Incident Response and root cause analysis • For a Fortune 50 software firm - – Perform information security consulting – Application vulnerability assessment and management, regulatory compliance – Ensuring Security Compliance for over 2000 applications • For a major international airline - – Perform application vulnerability assessments – Conduct mobile application penetration testing • Ensure security weaknesses are identified and remediated • Prevent leak of sensitive information • For a major member loyalty program management firm – – Perform Data Privacy Governance and ISO 27001 Certification program development – Conduct security assessment, penetration testing / vulnerability assessment – Help the client to attain ISO 27001 certification
  • 17. Cybersecurity Team Member Profiles ©Pactera.SECCOEConfidential.AllRightsReserved. 17 Kyle has more than 21 years experience in providing a combination of security and privacy services to Fortune 500 and other large organizations. Prior to joining Pactera, Kyle served as senior cybersecurity consultant for such esteemed organizations as Microsoft, ExxonMobil, Boeing, Akamai, Fidelity Investments, PriceWaterhouseCoopers and HP. He also served as security operations manager for the U.S. Defense Information Systems Agency (DISA) and as interim Chief Information Security Officer (CISO) for Brandeis University’s Heller School. In addition, Kyle is the author of the well-known network security and privacy tool known as ‘SMAC’ with over 2.5 million users worldwide. Kyle’s expertise includes vulnerability assessment and program management, data privacy, security tools development, third-party supplier risk assessment and management, penetration testing, web application, thick client application, API, SOAP, security architecture design and implementation, eGRC, and security advisory. Kyle possesses security and privacy certifications including Certified Information Systems Security Professional (CISSP), Certified Information Privacy Professional for U.S. and Government (CIPP/US, CIPP/G), Certified Secure Software Lifecycle Professional (CSSLP), Certified Information Systems Auditor (CISA), and is certified as a ISO 27001 Lead Auditor. Kyle is based in U.S. Kyle Lai Head of Security Services CISSP, CSSLP, CIPP/US, CIPP/G, CISA, ISO 27001 Lead Auditor William is one of the world’s top penetration testers and vulnerability assessors with over 20 years of professional experience. He has conducted numerous penetration tests against large organizations including U.S. Government Agencies, Department of Defense (DoD), Fortune 500 firms in financial, healthcare, oil and energy, high tech industries. William’s expertise includes cybersecurity offense and defense strategy and tactics in networking, web application, thick client application, API, SOAP, threat analysis, exploit development, penetration testing, security tools development, phishing testing, security architecture design and implementation, security lab building, cybersecurity attack simulation and security advisory. He also conducts social engineering and physical security assessment which includes identifying physical security weaknesses. William is the author of Filibuster Network Exfiltration Security Testing tool – try to test the firewall rule effectiveness. He debuted this tool at the Blackhat Security Conference in 2014. He has also trained hundreds of security engineers for DoD and large firms on attacking and protecting network and applications. He possessed security certifications including Offensive Security Certified Engineer (OSCE), Offensive Security Certified Professional (OSCP), Offensive Security Wireless Professional (OSWP), SANS GIAC Certified Penetration tester (GPEN), and a licensed private investigator. William is based in U.S. William Coppola Senior Security Consultant OSCE, OSCP, OSWP, GIAC GPEN Private Investigator
  • 18. Cybersecurity Team Member Profiles ©Pactera.SECCOEConfidential.AllRightsReserved. 18 Tom has more than 20 years of experience technical and cybersecurity experience in providing a combination of security, regulatory compliance (HIPAA, PCI) and privacy services to Fortune 500 and other large organizations. Prior to Pactera, Tom held senior management and principal security architect roles within several consulting and corporate institutions, across financial, government, retail and technology verticals. He has designed and overseen the implementation of many large scale security initiatives such as incident response, network security, security architecture design and implementation, regulatory compliance, vulnerability assessment, PII data privacy eDiscovery and assessments (Mass CMR 201 17, FTC consumer data oversight and PCI e-discovery), Secure SDL and security assessments. Tom is a published author contributing to a popular security architecture book published by RSA press and the complete guide to firewalls published by Osborne McGraw-Hill. Tom possessed security certifications including Certified Information Systems Security Professional (CISSP). Tom based in U.S. Tom DeFelice Principal Security Consultant CISSP Henry is an information security and technology executive with over 10 years’ experience, and possesses a robust history of professional service delivery. Prior to joining Pactera, Henry held the position of Security Team Lead for offensive security and Senior Managing Consultant roles with Japanese owned consulting firms. He has delivered various projects across financial, government, telecommunications, retail, logistics and transportation industries, including security risk assessment, penetration testing, privacy impact assessment, compliance audit, IT governance, managed security services, system hardening and security solution implementation. Henry is also an experienced trainer in delivering security trainings (including in-house tailor-made security awareness trainings) for general staff, IT professionals, and for CISA focused classroom instruction. He holds a Bachelor’s degree in Information Technology and is certified as CISSP, CISA, CEH, CCSK, PCI QSA (PCI SSC), PCIP (PCI SSC), CPM, ISO 31000 Lead Trainer, ISO 20000 Auditor, ISO 27001 Lead Auditor, ITIL, MCSA and CCNA. Henry is based in Hong Kong. Henry Hon Principal Security Consultant CISSP, CISA, CEH, CCSK, PCIP, ISO 20000 Auditor, ISO 27001 Lead Auditor
  • 19. Cybersecurity Team Member Profiles ©Pactera.SECCOEConfidential.AllRightsReserved. 19 Johnson has more than 5 years of experience in information security consultancy. Prior to joining Pactera, Johnson served as a security consultant within several consulting institutions, delivering professional services for clients across Asia-Pac, in various industrial sectors including banking, insurance, telecom, retail, e-commerce, hospitality, charity, etc. Johnson’s expertise includes application, network, and system vulnerability assessment, security and regulatory compliance audit, penetration testing, IT governance and security advisory. He holds a Master’s degree in Telecommunications, a Bachelor’s degree in Electronic & Communications Engineering, as well as industry certifications including CISM, CEH, ECSA, MCP, SCSA and CCNA. Johnson is based in Hong Kong Johnson Zhang Senior Security Consultant CISM, CEH, ESCA Josh is one of the world’s recognized cybersecurity expert with over 17+ years hands-on experience, covering all vertical markets from financial, federal government, state government, aerospace, defense, and public sectors performing red-team penetration testing, network and application vulnerability assessment, ethical hacking, threat/Intel, and covert entry, RFID, wireless security assessment, phishing assessment, cloud security review. For a Fortune 10 financial institution, Bank of America, Josh has create an insider threat program, external penetration testing exercise, lead security incident response and analysis, and coordination with law enforcement. Josh has served major BFSI and technology clients in the U.S., ASEAN region, and Australia, including Bank of America, Commonwealth Bank of Australia, and Bank of Japan. He is also an author of a distributed phishing framework that is frequently utilized in global enterprises. Josh is also a frequent speaker at the international cybersecurity conferences such as BlackHat, Defcon, BSides, DerbyCon, RuxCon, NOLACon, and InfraGard. He is certified as CEH, OPST, OPSA, OSSTMM Trainer. Josh is based in U.S. Joshua Perrymon Senior Security Consultant CEH, OPST, OPSA, OSSTMM Trainer
  • 20. Thank You Contact: Kyle Lai, CISSP, CSSLP, CISA, CIPP/US/G CISO, Head of Cybersecurity Services Kyle.Lai@Pactera.com @KyleOnCyber www.pactera.com Pactera Cybersecurity Services