App Development in a legal and IT environment
Speaker Mathias Brenner Company Sherpany
Agilen;a AG Posi;on Chief Opera;ons Officer
Entrepreneur Mainfacts -‐ B.SC. in Business Administra;on
-‐ Advanced Federal Cer;ficate in IT -‐ Scrum Master
Speaker Sven Vetsch Company Redguard AG Posi;on Partner
Chief Technology Officer Main facts -‐ 10 years of experience
in informa;on security
-‐ B. Sc. Computer Sience (specializa;on IT security)
-‐ Leader OWASP Switzerland Chapter
Mobile eBanking -‐ a secure payment method?
We don‘t receive the votes as casted by the shareholders.
…what if some of the votes where manipulated during transmission?
Technical risks…
… most mobile applica;ons use HTTP as a communica;on protocol -‐ like your web browser
… HTTP is a clear-‐text-‐protocol – all of your traffic from / to the server is unencrypted
… but there is HTTPS (HTTP over SSL/TLS) ?
China Internet Network Informa;on Center
Sécrétariat Général de la Défense Na;onale
Honkong Post (Government of Hong Kong)
Bundesamt für Informa;k und Telekom. (BIT)
Do you trust the following ins;tu;ons with all of your communica;on?
…
DEMO
… use HSTS Headers
The solu;on is…
… directly connect over HTTPS, never send a single unencrypted HTTP request
… only accept trusted cer;ficates
… Cer;ficate Pinning
But never do this…
Manipula;ng votes from a major shareholder
… or can someone impersonate a shareholder to vote in his/her name?
Technical risks…
… classic web applica;ons use session cookies to keep their users authen;cated for a predefined ;me
… depending on the sensi;vity of your applica;on, you want a user to be logged out even aaer a few minutes of inac;vity
… when did you have to re-‐enter your login creden;als when using a mobile applica;on?
… that is why we use API tokens / keys
Technical risks…
… most of the ;me API keys / tokens have a very long lifespan of several days, weeks, months or they never expire
The solu;on is…
… for sensi;ve ac;ons ask the user to re-‐enter the password
… only allow users to have a limited amount of API keys / tokens
… change the API keys / tokens oaen
… from ;me to ;me force your users to log in again
Thea of the mobile device and manipula;ng exis;ng votes
… or can an abacker overtake the mobile applica;on itself and gather and/or modify
data?
Technical risks…
… SQL injec;on, Cross-‐Site Scrip;ng (XSS)
DEMO
The solu;on is…
… input / output valida;on, encoding, …
… prepared statements
… you have to secure the communica;on channels
… user input is always dangerous – treat it like that
Security Development Lifecycle
IT Security Management Phase 0 / 1
Phase 1 -‐ Planning / Design
Phase 0 -‐ Before the project Developer Training
Design / Architecture review from a security point of view
Brainstorming and / or challenging security controls
IT Security Management Phase 2 / 3
Phase 2 -‐ Implementa;on Regular security reviews
Security contact where developers can get answers to their ques;ons
Phase 3 -‐ Evaluate / Test Penetra;on tes;ng
Source code review (of cri;cal components)
IT Security Management Phase 4
Phase 4 – Release / Maintenance Reoccurring security tests for the new threats and newly added features
Keep your documenta;on updated
Lessons learned…
… there are real threats to your applica;on and your users
… security as a part of the development process is cheaper and more efficient in the long run
… mobile applica;ons aren’t immune to vulnerabili;es
… get an external partner for security consul;ng and verifica;on
… learn from your past mistakes
Q & A
Recommended
