App Development in a legal and IT environment | Sherpany @Security Zone 2014
DESCRIPTION
In spring 2014 Sherpany decided to release a mobile version for iOS & Android of its already established web solution, the Investor Webservice for electronic remote voting. In the tension between IT and law, besides general security, the confidentiality and integrity of the data on the end device play a decisive role. Mathias Brenner describes the course of the project and, from a business perspective, walks through the high requirements of customers such as Swiss Re, Nestlé, Novartis and other well-known companies from the SPI / SMI.
TRANSCRIPT
![Page 1: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/1.jpg)
App Development in a legal and IT environment
![Page 2: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/2.jpg)
Speaker: Mathias Brenner
Company: Sherpany, Agilentia AG
Position: Chief Operations Officer, Entrepreneur
Main facts:
- B.Sc. in Business Administration
- Advanced Federal Certificate in IT
- Scrum Master
![Page 3: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/3.jpg)
Speaker: Sven Vetsch
Company: Redguard AG
Position: Partner, Chief Technology Officer
Main facts:
- 10 years of experience in information security
- B.Sc. Computer Science (specialization IT security)
- Leader OWASP Switzerland Chapter
![Page 4: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/4.jpg)
Mobile eBanking - a secure payment method?
![Page 5: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/5.jpg)
![Page 6: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/6.jpg)
![Page 7: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/7.jpg)
![Page 8: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/8.jpg)
We don't receive the votes as cast by the shareholders.
![Page 9: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/9.jpg)
… what if some of the votes were manipulated during transmission?
![Page 10: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/10.jpg)
![Page 11: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/11.jpg)
Technical risks…
… most mobile applications use HTTP as a communication protocol - like your web browser
… HTTP is a clear-text protocol – all of your traffic from / to the server is unencrypted
… but there is HTTPS (HTTP over SSL/TLS)?
![Page 12: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/12.jpg)
Do you trust the following institutions with all of your communication?
China Internet Network Information Center
Secrétariat Général de la Défense Nationale
Hongkong Post (Government of Hong Kong)
Bundesamt für Informatik und Telekommunikation (BIT)
…
![Page 13: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/13.jpg)
![Page 14: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/14.jpg)
![Page 15: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/15.jpg)
DEMO
![Page 16: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/16.jpg)
The solution is…
… directly connect over HTTPS, never send a single unencrypted HTTP request
… use HSTS headers
… only accept trusted certificates
… Certificate Pinning
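Certificate pinning, as the slide lists it, is the control that answers the root-CA question above: chain validation only proves that some trusted CA signed the certificate, while a pin proves it carries the key the app was built to talk to. The following is an added example written for this page, not code from the talk or from the Sherpany app. It pins the SubjectPublicKeyInfo (SPKI) rather than the whole certificate, so a routine certificate renewal with the same key keeps working, and it ships a backup pin for key rollover. The DER walker is minimal but follows the X.509 structure; the "certificates" it is run on are constructed, unsigned placeholders (the key bytes, OIDs and dates are assumptions for the example), because the point is the pin comparison, not signature checking. In a real app this check runs after normal chain validation, on the DER bytes the TLS stack hands you, never as a replacement for it. HSTS is a browser mechanism; a native app gets the same effect by simply never issuing a plain http:// request.

```python
import base64
import hashlib


def _der_length(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, index of first value byte)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def der_children(tlv):
    """List the (tag, raw TLV bytes) elements directly inside one constructed DER element."""
    _, pos = _der_length(tlv, 1)
    out = []
    while pos < len(tlv):
        length, value_start = _der_length(tlv, pos + 1)
        end = value_start + length
        out.append((tlv[pos], tlv[pos:end]))
        pos = end
    return out


def extract_spki(cert_der):
    """DER-encoded SubjectPublicKeyInfo of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { version [0] EXPLICIT OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tbs = der_children(cert_der)[0][1]
    fields = der_children(tbs)
    index = 6 if fields[0][0] == 0xA0 else 5   # skip the optional [0] version element
    return fields[index][1]


def spki_pin(cert_der):
    """base64(SHA-256(SPKI)): the pin format used by HPKP and Android/OkHttp pin sets."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def pin_matches(cert_der, pins):
    """True only if the presented leaf carries a public key the app was built to trust.
    Run this AFTER normal chain validation, never instead of it."""
    return spki_pin(cert_der) in pins


# --- constructed test material (NOT real certificates: unsigned, empty names) -----------
def _tlv(tag, value):
    n = len(value)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + value


_RSA_OID = _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")                   # rsaEncryption
_SHA256_RSA = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSAEncryption


def make_fake_cert(public_key_bytes, with_version=True):
    """Certificate-shaped DER carrying the given public key bytes (for the example only)."""
    spki = _tlv(0x30, _tlv(0x30, _RSA_OID + _tlv(0x05, b"")) + _tlv(0x03, b"\x00" + public_key_bytes))
    fields = [_tlv(0xA0, _tlv(0x02, b"\x02"))] if with_version else []   # [0] version = v3
    fields += [
        _tlv(0x02, b"\x01"),                                              # serialNumber
        _SHA256_RSA,                                                      # signature algorithm
        _tlv(0x30, b""),                                                  # issuer (empty Name)
        _tlv(0x30, _tlv(0x17, b"140101000000Z") + _tlv(0x17, b"150101000000Z")),  # validity
        _tlv(0x30, b""),                                                  # subject
        spki,
    ]
    tbs = _tlv(0x30, b"".join(fields))
    return _tlv(0x30, tbs + _SHA256_RSA + _tlv(0x03, b"\x00" + b"\xff" * 16))   # fake signature


# Pins the app ships with: the current server key plus a backup key kept offline,
# so the app keeps working when the certificate (not the key) is renewed or rolled.
SERVER_KEY = b"\x01" * 64          # constructed placeholder for the real server public key
BACKUP_KEY = b"\x02" * 64          # constructed placeholder for the offline backup key
PINNED = {spki_pin(make_fake_cert(SERVER_KEY)), spki_pin(make_fake_cert(BACKUP_KEY))}

if __name__ == "__main__":
    rogue = make_fake_cert(b"\x99" * 64)   # same names, different key: what a rogue CA would issue
    print("renewed cert, same key:", pin_matches(make_fake_cert(SERVER_KEY), PINNED))   # True
    print("rogue CA cert:", pin_matches(rogue, PINNED))                                  # False
```

Pinning to the key rather than the certificate is what keeps the app usable across renewals; the price is that a key compromise or a lost backup key means shipping a new app build, which is why the backup pin exists and why the pin set should be small and reviewed before every release.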
![Page 17: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/17.jpg)
But never do this…
![Page 18: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/18.jpg)
Manipulating votes from a major shareholder
![Page 19: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/19.jpg)
… or can someone impersonate a shareholder to vote in his/her name?
![Page 20: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/20.jpg)
![Page 21: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/21.jpg)
Technical risks…
… classic web applications use session cookies to keep their users authenticated for a predefined time
… depending on the sensitivity of your application, you want a user to be logged out even after a few minutes of inactivity
… when did you last have to re-enter your login credentials when using a mobile application?
… that is why we use API tokens / keys
![Page 22: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/22.jpg)
![Page 23: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/23.jpg)
Technical risks…
… most of the time API keys / tokens have a very long lifespan of several days, weeks, months, or they never expire
![Page 24: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/24.jpg)
The solution is…
… for sensitive actions, ask the user to re-enter the password
… only allow users to have a limited number of API keys / tokens
… change the API keys / tokens often
… from time to time, force your users to log in again
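The four bullets above are policy; what follows is an added example (written for this page, not code from the talk or from Sherpany's backend) of a server-side token store that enforces all four of them together: a cap on tokens per user, an idle timeout and an absolute lifetime that force a fresh login, rotation of long-lived tokens, and a step-up check that demands a recent password entry before a sensitive action such as casting a vote. The time limits, the user name and the password are assumptions chosen for the example; timestamps are passed in explicitly so the behaviour can be exercised without waiting. Only hashes of tokens and passwords are stored.

```python
import hashlib
import hmac
import secrets
import time

MAX_TOKENS_PER_USER = 3         # e.g. phone, tablet and one spare; the oldest is evicted
IDLE_TIMEOUT = 15 * 60          # log out after inactivity, as a session cookie would
MAX_LIFETIME = 7 * 24 * 3600    # absolute expiry: force a fresh login at least weekly
ROTATE_AFTER = 24 * 3600        # hand out a fresh token daily and revoke the old one
STEP_UP_WINDOW = 5 * 60         # sensitive actions need a password entered in the last 5 min


class ReauthRequired(Exception):
    """The token is valid, but the caller must re-enter the password first."""


def _hash_token(token):
    # only the hash is stored, so a leaked token table yields nothing usable
    return hashlib.sha256(token.encode()).hexdigest()


class TokenStore:
    def __init__(self, password_hashes):
        # password_hashes: {user: (salt, pbkdf2_hash)}; constructed for the example
        self._pw = password_hashes
        self._tokens = {}   # token hash -> record

    @staticmethod
    def hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _check_password(self, user, password):
        salt, expected = self._pw[user]
        return hmac.compare_digest(self.hash_password(password, salt), expected)

    def login(self, user, password, now=None):
        """Password login; returns a new token or None."""
        now = time.time() if now is None else now
        if not self._check_password(user, password):
            return None
        return self._issue(user, now, reauth_at=now)

    def _issue(self, user, now, reauth_at):
        # enforce the per-user limit by evicting the oldest tokens first
        mine = sorted((r["issued_at"], h) for h, r in self._tokens.items() if r["user"] == user)
        while len(mine) >= MAX_TOKENS_PER_USER:
            self._tokens.pop(mine.pop(0)[1])
        token = secrets.token_urlsafe(32)
        self._tokens[_hash_token(token)] = {
            "user": user, "issued_at": now, "last_used": now, "reauth_at": reauth_at}
        return token

    def authenticate(self, token, now=None):
        """Return (user, token_to_use_from_now_on) or (None, None) if the token is rejected."""
        now = time.time() if now is None else now
        h = _hash_token(token)
        rec = self._tokens.get(h)
        if rec is None:
            return None, None
        if now - rec["issued_at"] > MAX_LIFETIME or now - rec["last_used"] > IDLE_TIMEOUT:
            del self._tokens[h]          # expired: the client has to log in again
            return None, None
        rec["last_used"] = now
        if now - rec["issued_at"] > ROTATE_AFTER:
            del self._tokens[h]          # rotate: old token stops working, client stores the new one
            return rec["user"], self._issue(rec["user"], now, rec["reauth_at"])
        return rec["user"], token

    def reauthenticate(self, token, password, now=None):
        """Step-up: the user re-enters the password; returns the (possibly rotated) token or None."""
        now = time.time() if now is None else now
        user, token = self.authenticate(token, now)
        if user is None or not self._check_password(user, password):
            return None
        self._tokens[_hash_token(token)]["reauth_at"] = now
        return token

    def authorize_sensitive(self, token, now=None):
        """Allow a sensitive action (e.g. casting a vote) only with a valid token AND a recent password."""
        now = time.time() if now is None else now
        user, token = self.authenticate(token, now)
        if user is None:
            return None, None
        if now - self._tokens[_hash_token(token)]["reauth_at"] > STEP_UP_WINDOW:
            raise ReauthRequired(user)
        return user, token
```

The client side of this is small: store whatever token `authenticate` returns (it may have been rotated), and on `ReauthRequired` show the password prompt, call `reauthenticate`, then retry the action. The limits are deliberately conservative for a voting application; a less sensitive app would widen them rather than drop any of the four controls.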
![Page 25: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/25.jpg)
Theft of the mobile device and manipulating existing votes
![Page 26: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/26.jpg)
… or can an attacker take over the mobile application itself and gather and/or modify data?
![Page 27: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/27.jpg)
![Page 28: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/28.jpg)
Technical risks…
… SQL injection, Cross-Site Scripting (XSS)
![Page 29: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/29.jpg)
DEMO
![Page 30: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/30.jpg)
The solution is…
… input / output validation, encoding, …
… prepared statements
… you have to secure the communication channels
… user input is always dangerous – treat it like that
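The demo itself is not in the transcript, so here is an added example (written for this page, not the talk's demo code and not Sherpany's code) of the two flaws named above and of the fixes the slide lists, on a constructed in-memory vote table. The SQL side shows the same lookup once built by string concatenation and once as a prepared statement with a bound parameter, plus the input validation that rejects anything that is not a shareholder id; the XSS side shows a stored hostile value rendered without and with output encoding for the HTML context. Table layout, names and the payloads are assumptions for the example; the backend is SQLite because it ships with Python and the injection behaves the same as on any SQL database.

```python
import html
import re
import sqlite3


def setup_db():
    """In-memory vote table with constructed rows, one of them carrying a stored XSS payload."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE votes (shareholder TEXT, proposal TEXT, choice TEXT)")
    db.executemany("INSERT INTO votes VALUES (?, ?, ?)", [
        ("alice", "Item 1", "yes"),
        ("bob", "Item 1", "no"),
        ("carol", "Item 1", "<script>alert('xss')</script>"),   # hostile value that got stored
    ])
    return db


# --- SQL injection: vulnerable vs. hardened ------------------------------------------------
def votes_vulnerable(db, shareholder):
    """String concatenation: whatever the client sends becomes part of the SQL statement."""
    sql = "SELECT shareholder, choice FROM votes WHERE shareholder = '" + shareholder + "'"
    return db.execute(sql).fetchall()


def votes_safe(db, shareholder):
    """Prepared statement: the value is bound as data and can never be parsed as SQL."""
    return db.execute(
        "SELECT shareholder, choice FROM votes WHERE shareholder = ?", (shareholder,)
    ).fetchall()


SHAREHOLDER_ID = re.compile(r"[a-z0-9_]{1,32}")   # assumed id format for the example


def valid_shareholder_id(value):
    """Input validation (allow-list): reject anything that is not a plausible id at all."""
    return SHAREHOLDER_ID.fullmatch(value) is not None


def lookup(db, shareholder):
    """What a request handler should do: validate first, then query with a bound parameter."""
    if not valid_shareholder_id(shareholder):
        raise ValueError("invalid shareholder id")
    return votes_safe(db, shareholder)


# --- XSS: vulnerable vs. hardened rendering ----------------------------------------------------
def render_vulnerable(rows):
    """No output encoding: a stored value is executed as script by the viewer's browser or webview."""
    return "".join("<li>%s: %s</li>" % (who, choice) for who, choice in rows)


def render_safe(rows):
    """Output encoding for the HTML context: the same value is displayed, not executed."""
    return "".join("<li>%s: %s</li>" % (html.escape(who), html.escape(choice)) for who, choice in rows)


if __name__ == "__main__":
    db = setup_db()
    payload = "x' OR '1'='1"
    print(votes_vulnerable(db, payload))        # every shareholder's vote leaks
    print(votes_safe(db, payload))              # [] : the payload is just a name nobody has
    print(render_vulnerable(votes_safe(db, "carol")))
    print(render_safe(votes_safe(db, "carol")))
```

Validation and encoding are not alternatives to the prepared statement: the allow-list stops garbage early and gives a clean error, the bound parameter is what actually makes the query safe, and the encoding has to match the output context (HTML body here; attribute, JavaScript and URL contexts each need their own).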
![Page 31: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/31.jpg)
Security Development Lifecycle
![Page 32: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/32.jpg)
IT Security Management Phase 0 / 1
Phase 0 - Before the project: Developer training
Phase 1 - Planning / Design: Design / architecture review from a security point of view; brainstorming and / or challenging security controls
![Page 33: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/33.jpg)
IT Security Management Phase 2 / 3
Phase 2 - Implementation: Regular security reviews; a security contact where developers can get answers to their questions
Phase 3 - Evaluate / Test: Penetration testing; source code review (of critical components)
![Page 34: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/34.jpg)
IT Security Management Phase 4
Phase 4 – Release / Maintenance: Recurring security tests for new threats and newly added features; keep your documentation updated
![Page 35: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/35.jpg)
Lessons learned…
… there are real threats to your application and your users
… security as a part of the development process is cheaper and more efficient in the long run
… mobile applications aren't immune to vulnerabilities
… get an external partner for security consulting and verification
… learn from your past mistakes
![Page 36: App Development in a legal and IT environment | Sherpany @Security Zone 2014](https://reader033.vdocuments.site/reader033/viewer/2022060116/557db367d8b42a351d8b4fb2/html5/thumbnails/36.jpg)
Q & A