Tuesday, July 16, 2013

Mobile Application Security Testing

Our mobile application security service provides in depth security testing of mobile applications to conform to high security standards. We test the application for vulnerabilities and provide a detailed report with proof of concept. Detailed remediation procedures are also included to the report to fix the issues.

Torrid Networks is specialized in performing both security testing of the client side mobile application and the server side software to identify the vulnerabilities. Testing is performed on all the major mobile platforms including:

iPad
iPhone
Blackberry OS
Android
Windows mobile

We follow time proven and industry standard mobile application security testing methodologies to be most efficient and thorough mobile security service provider.

Torrid Network’s mobile application security testing covers all the issues highlight in “OWASP Mobile Top 10” and beyond:

Insecure Data Storage
Weak Server Side Controls
Insufficient Transport Layer Protection
Client Side Injection
Poor Authorization and Authentication
Improper Session Handling
Security Decisions Via Untrusted Inputs
Side Channel Data Leakage
Broken Cryptography
Sensitive Information Disclosure
Unauthorized SMS and dialing
And many more…

A detailed diagram on mobile application security testing can be referred as below:

Benefits

Identify design flaws and improve the security of your application.
Determine if client software may be manipulated to provide unauthorized access.
Identifies specific risks to the organization and provides detailed recommendations to mitigate them.
Supports user confidence in application security.
Helps prevent application downtime and improve productivity.
Protect your organization’s information assets and reputation.

Mobile Application Security Testing Deliverable

1. Management Report:

A high-level executive summary report highlighting the key risk areas to help the leadership taking informed decisions

2. Technical Vulnerability Report:

A detailed report about security issues discovered, its impact, comprehensive remediation procedures along with online references.

3. Best Practices Document

Guidelines based on industry standards which can be used by the development teams.

No comments:

Cyber Security

Cyber Security - Securing Your Business

View the latest
Copy of Advance

The official publication of ADS Group

Find out More

ADS Events

Less - + More

Cyber Security - Securing Your Business

/ Security / Cyber Security - Securing Your Business

Cyber threats to your Business
Where can you go for advice and support?
CPNI - The Full Picture

Cyber threats to your Business

Why does cyber security matter to you?

The government has classed cyber attacks as one of the four most significant risks to national security. Suppliers must recognise customer concerns and take steps to address them.
Cyber insecurity poses a real risk for companies’ reputations, bottom lines and share prices. Successful attacks can disrupt business operations and production cycles, cause products to fail, result in customers losing confidence in you as a supplier, and force you to redevelop to products.
Hostile states and competitors are interested in information on mergers and acquisitions activity, joint venture intentions, strategic direction and Intellectual Property.
Apart from the theft of sensitive business information, there is also the threat that cyber-based systems can be disrupted to prevent normal service. A denial-of-service (DoS) attack could, for example, prevent customers from accessing key websites, such as those for sales. Industrial controls systems can also be disrupted.
The cost of a cyber-security breach is estimated to be between £450,000 to £850,000 for large businesses and £35,000 to £65,000 for smaller ones.
The rise in cyber crime is most noticeable for small businesses; they’re now experiencing incident levels previously only seen in larger organisations.
As Primes take steps to improve their own cyber security, attackers are targeting companies in the broader supply chain. The supply chain is only as strong as its weakest link. All companies – and government – are in this together.

The government's '10 Steps to Cyber Security' notes that:

Information is critical to today's business

Information and the techologies that are used to store and process it are vital to the success of your business. Intellectual property, confidential or sensitive data provide a competitive advantage, one in which other less scrupulous organisations would be verk keen to get hold off. At the same time, the need to access and share information more widely, using a broad range of connecting technologies is increasing the risk to the corporate information base.

Compromise of information assets can damage companies

A single successful attack could destroy a company's financial standing or reputation. Information compromise can lead to material financial loss through loss of productivity, of intellectual property, reputational damage, recovery costs, investgative time, regulatory and legal costs.

Many players pose a risk to information

There are many types of people who pose a risk to business information assets:

Cyber Criminals - interested in making money from fraud or from the sale of valuable information
Industrial Competitors and Foreign Intelligence Services - interested in gaining an economic advantage for their own companies or countreis
Hackers - those who find interfering with computer systems an enjoyable challenge
Hacktivists - those who wish to attack companies for political or ideological motives
Employees - or those who have legitimate access, either by accident or deliberate misuse.

Examples of the impact on business

The attached PowerPoint file gives two examples which show the real impact successful cyber attacks can have on companies, including causing a loss of revenue (by forcing a company office to close for a period of time) and loss of reputation and products (by diverting items in transit). These examples are from companies in the defence sector.

Cyber attacks - examples of the impact (102.0 KB)

Where can you go for advice and support?

1. '1O Steps to Cyber Security' Guidance

The governmemt has published guidance for companies which is available here: www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility and www.gov.uk/government/publications/cyber-security-what-small-businesses-need-to-know.

2. CPNI's Cyber Risk Management Advice and Cyber Security Guidance

The Centre for the Protection of National Infrastructure (CPNI) protects national security by providing protective security advice (covering physical, personnel and cyber security) to the UK's Critical National Infrastructure (CNI). CPNI works to raise awareness at Board level as well as at a technical level across the CNI. Cyber security advice and guidance is available on the CPNI website at: www.cpni.gov.uk, for example:

Strategic and technical: 20 critical security controls for effectivecyber defence Technology-specific advice: examples include mobile devices, SCADA security and cloud computing
Personnel security advice: security culture and awareness; employee risk management and risk assessment guidance
Threat-based: examples include distributed denial of service, spear phishing, insider misuse of IT, online reconnaissance.

3. CPNI's Cyber Risk Advisory Service

The Cyber Risk Advisory Service delivers advice to senior executives and board members of the UK’s most economically important companies and academic institutions, to inform their understanding of the impact of cyber threats, and the effect on the long-term performance and competitiveness of the organisation.The in-depth support provided assists executives in reviewing their corporate risk management strategy, helping them to interpret the cyber threat and determine the organisation’s exposure (risk). This service is only available to organisations which meet specific eligibility requirements. For more information, please email enquiries@cpni.gsi.gov.uk.

4. Certified advice and providers

CESG, the information security arm of GCHQ, works closely with the cyber security industry to enable industry to provide certified cyber security services to government and to industry. These services are provided by a variety of companies including specialist SMEs, audit houses, major consultancies, and multinational companies. Services include:

Risk management consultancy through the CESG Listed Advisor scheme (CLAS): www.cesg.gov.uk/servicecatalogue/CLAS/Pages/CLAS.aspx
Penetration testing of networks and systems to assess their ulnerability to an attacker through the CHECK scheme: www.cesg.gov.uk/servicecatalogue/CHECK/Pages/index.aspx - and the industry body's equivalent run by the Council of Registered Ethical Security Testers, CREST: www.crest-approved.org
Cyber Incident Response through a twin track approach ncompassing a broadly based CREST (Council of Registered thical Security Testers) scheme endorsed by GCHQ and CPNI, and a small, focused GCHQ and CPNI scheme designed to respond to sophisticated, targeted attacks against networks of national significance. See: www.cesg.gov.uk/servicecatalogue/cir/Pages/Cyber-Incident-Response.aspx

5. Cyber Security Information Sharing Partnership (CISP)

The CISP facilitates the sharing of information and intelligence on cyber security threats in order to make UK businesses more secure in cyberspace. The CISP includes a secure online collaboration environment where government and industry (both large and SME) partners can exchange information on threats and vulnerabilities in real time. Companies can also ask for specific advice from the government's fusion cell through CISP, free of charge. www.cisp.org.uk

6. ActionFraud

Action Fraud is the UK’s single point for reporting all fraud and online financial crime. Crime can be reported online 24 hours a day, seven days a week, and the Action Fraud call centre can also be contacted to report crimes during working hours and at the weekend. When a serious threat or new type of fraud is identified, Action Fraud will place an alert on its website which contains advice for individuals and businesses to protect themselves from becoming victims of fraud. www.actionfraud.police.uk

CPNI - The Full Picture

Produced by the CPNI, the above video provides an example of the associated risks of a SME from a cyber attack.

Last modified : January 23, 2014

Way2Security

Blog Archive

Tuesday, July 16, 2013

Mobile Application Security Testing

Benefits

Mobile Application Security Testing Deliverable

No comments: