OWASP Archives - DevOps Online North America (https://devopsnews.online/tag/owasp/), by 31 Media Ltd. Feed updated Fri, 13 Oct 2017 15:55:23 +0000.

High-Tech Bridge announces new security service Mobile X-Ray
https://devopsnews.online/high-tech-bridge-announces-new-online-service-mobile-x-ray/
Thu, 12 Oct 2017 07:00:25 +0000

High-Tech Bridge reveals Mobile X-Ray, its service that tests mobile application security and privacy.

The post High-Tech Bridge announces new security service Mobile X-Ray appeared first on DevOps Online North America.

Global web security company High-Tech Bridge has today announced Mobile X-Ray, an online service that tests mobile application security and privacy.

Providing a user-friendly report with remediation guidance, the service performs dynamic (DAST), static (SAST) and behavioural analysis of native and hybrid iOS and Android apps, promptly detecting a wide spectrum of the most common weaknesses and vulnerabilities, including the OWASP Mobile Top 10.

Mobile backend:

  • 88% of the APIs and web services used in mobile backends contain exploitable vulnerabilities that allow access to sensitive or even confidential data
  • 69% of the APIs and web services used in mobile backends lack sufficient anti-automation mechanisms or protections (e.g. a WAF) against common web attacks

Android applications:

  • At least one OWASP mobile top ten vulnerability was found in 97% of applications
  • Over 78% of applications have at least one high and two medium risk vulnerabilities
  • Over 63% of applications have no or weak encryption when sending or receiving sensitive data
  • Every second application contains hardcoded encryption keys, credentials or other sensitive data
  • Over 56% of applications request excessive or undocumented entitlements, endangering privacy
  • Less than 5% of applications use anti-debugging mechanisms to impede reverse-engineering
  • Less than 30% of applications follow secure-coding best practices and guidelines

iOS applications:

  • At least one OWASP mobile top ten vulnerability can be found in 85% of applications
  • Over 69% of applications have at least one high and two medium risk vulnerabilities
  • Over 50% of applications have no or weak encryption when sending or receiving sensitive data
  • Every second application contains hardcoded encryption keys, credentials or other sensitive data
  • Over 40% of applications request excessive or undocumented entitlements, endangering privacy
  • Less than 9% of applications use anti-debugging mechanisms to impede reverse-engineering
  • Less than 20% of applications follow secure-coding best practices and guidelines

Ilia Kolochenko, CEO and founder of High-Tech Bridge, said: “Mobile applications have become an inseparable part of everyday business and private life. In light of skyrocketing data breaches, many different research reports urge to enhance mobile application security and privacy.

“Unfortunately, most developers just don’t have enough resources, time or budget to properly test their mobile app before going to production. At High-Tech Bridge, we are excited to fulfil this gap and offer a unique online service for the benefit of the cybersecurity community and independent developers.

“We should, however, keep in mind that the most dangerous and detrimental vulnerabilities mainly lie in the mobile backend, which can be reliably detected using ImmuniWeb Mobile. It also provides advanced manual testing of business logic and identifies other complicated flaws that are undetectable in full automation.”

Written from press release by Leah Alger

Be ready to secure your software
https://devopsnews.online/be-ready-to-secure-your-software/
Fri, 20 Jan 2017 09:00:22 +0000

The post Be ready to secure your software appeared first on DevOps Online North America.

Ramkumar Ramachandran, Head – Quality & Testing, Groupe Renault, explains why it is time to act now and build secure code from the beginning.

Software security has always been misconstrued as ‘IT security.’ Whenever people are asked “Is your software secure?” the answer is “We have a firewall!”

Well, it is high time people become more knowledgeable!

With the advent of the digital age, when all, or almost all, software applications are on the web and mobile, applications fall prey to attacks from every corner, where people are continuously sniffing for vulnerable software.

Many enterprises also work with the false comfort that ‘my application is not external-facing and therefore not prone to attacks’. OWASP – the most popular online security community – reports that many internal-facing applications have also been attacked, more often than we think.

It is not inconceivable that a few odd-sounding cyber news stories will start becoming headlines across the globe. My creative mind suggests some possibilities:

  • ‘Delivery drone gets hijacked in mid-air’
  • ‘GPS gets confused as Maps are distorted’
  • ‘Implanted pacemaker gets remote controlled’
  • ‘Malware cross credits salaries’
  • ‘Bride turns out to be holographic image’

While this comes from my wild imagination, it is naïve to think it is not going to happen. It could happen, and it could happen very soon.

The security architecture

In its simplest form: attacks on a software application happen after the network and the operating system have given way.

The Lloyds Insurance CEO puts the cost of cyber crime to businesses at US$400 billion a year. This shows how much is at stake for businesses and how important it is to secure our software applications.

Security threat modelling – the start

It is important to carry out security threat modelling before jumping into a security review of the source code. While threat modelling is primarily there to safeguard enterprise interests, it should be carried out from the attacker’s mindset rather than the defender’s mindset.

Describing threat modelling in full is beyond the scope of this post, but organisations such as OWASP provide resources that can help in doing it effectively. Security threat modelling should consider the following:

  • Sources of threats.
  • Attack surface – defined through the application internal & external interfaces.
  • Possible attacks – where the salvo can be served from.
  • Potential business/technical impacts.
  • Required controls – decided based on the organisation’s risk appetite.

CyberSecurity Market Ventures projects an expenditure of US$1 trillion on cybersecurity initiatives from 2017 to 2021.

Build the right team

It is important that you build the right team to secure your software applications. You will need team members with expertise in thinking creatively about how an attacker could cause damage, and in implementing controls.

It is not technical skill alone that makes a person a good security auditor or reviewer, but the ability to understand the business context and to review the applications that matter most.

A small addendum: DevOps stresses application security, and a new branch of it called DevSecOps is gaining strength. Software security is a moving target: ‘what was strong yesterday is fully vulnerable today’, and that’s the fun in it!

What I’ve given here is the start; there is more to secure software development.

Happy securing!


This article was originally published on LinkedIn, and edited for web by Cecilia Rehn.
