Developing Secure Applications for the iPhone


Page 1: Developing Secure Applications for the iPhone

TECHNOLOGY TRANSFER PRESENTS

KEN VAN WYK

Developing secure applications for the iPhone

ROME, MAY 12-13, 2011
VISCONTI PALACE HOTEL - VIA FEDERICO CESI, 37
ROME (ITALY)

[email protected]


ABOUT THIS SEMINAR

This class looks at the unique security problems faced by application developers writing code for today's mobile platforms. In this first class of the smart phone series, we take a close look at Apple's iOS platform used by iPhones, iPads, and iPod Touch devices. The class presents a clear and practical view of the problems, how they can be attacked, and the remediation steps against the various attacks. It is heavily hands-on, and aims not just to describe but to demonstrate both the problems and the solutions available.

The class starts with a description of the security problems faced by today's software developer, followed by a detailed description of the relevant entries in the Open Web Application Security Project's (OWASP) Top 10 of 2010 security defects. These defects are studied in instructor-led sessions as well as in hands-on lab exercises in which each student learns how to actually exploit the defects to "break into" a real Web application. (The labs are performed in safe test environments.)

Next, the class covers the security principles that apply to smart phones, and illustrates them through case studies and further hands-on exercises. The iOS platform architecture and application architecture are then covered in detail, with descriptions of security services at the network/platform layer as well as security services available within the applications themselves.

The class then looks at common security mechanisms found within applications, and discusses how to securely implement them.

To bring this all together, the class then covers development activities that can be performed throughout the design, implementation, and testing of an application.

WHO SHOULD ATTEND

This course is intended for Apple iOS application developers with hands-on experience using Apple's Xcode software development kit, as well as iOS application designers and architects.

REQUIREMENTS

Each student will need to provide a laptop computer for the hands-on lab exercises. Recommended minimum configurations include the following:

• Apple OS X Snow Leopard with current updates
• Apple Xcode software development kit for iOS
• Registration into Apple's iPhone development program strongly recommended
• Approximately 10 gigabytes of available disk space
• 2-4 gigabytes of RAM


OUTLINE

1. Preparation phase: understanding the problem

• What are the issues that result in mobile software that is susceptible to attack?

• Why do smart phone software developers continue to develop weak software?

2. Security principles for smart phones

• Security principles that directly apply to smart phone applications

• OWASP Top 10 issues that are pertinent to smart phones

• Hands-on exercises to illustrate the problems

3. Platform architecture

• Detailed discussion of iOS platform security features
- Application sandboxing
- Hardware encryption
- Application signing
- App Store process

• Testing applications using the device emulator

4. Application architecture

• Design and architecture of secure applications
- Stand-alone applications
- Client-server applications
- Network applications

5. Common security mechanisms

• A detailed and prescriptive look at vital security mechanisms and how to securely implement them
- Network communications
- Authentication
- Access control
- Protecting sensitive data
- Database usage

6. Design review using Threat Modeling

• Reviewing designs using Threat Modeling
• Finding the weaknesses in an application architecture
• Documenting how the weaknesses can be exploited
• Deciding what and how to mitigate the weaknesses

7. Code review

• Effective methods to review source code for weaknesses
- Manual peer reviews
- Automated code scans

8. Security testing

• Hands-on team Threat Modeling exercise
• Review a design step by step for weaknesses
• Discuss what should be mitigated and how

9. Getting started

• How to best put class concepts into practice in a real-world development environment

10. Questions and answers
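As an added illustration of the "Hardware encryption" and "Protecting sensitive data" items in the outline above (this is example code written for this page, not material from the seminar or from Technology Transfer), the snippet below places a weak way of persisting a credential on iOS beside the form that lets the platform's hardware-backed encryption protect it. It uses Apple's Security.framework and Foundation APIs; the helper function names and the service/account strings are illustrative assumptions, and it is written in the pre-ARC (manual retain/release) style of the 2011 toolchain.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Identifiers used to find the item again later (illustrative assumptions).
static NSString *const kTokenService = @"com.example.app.session";
static NSString *const kTokenAccount = @"api-token";

// WEAK: NSUserDefaults is a plaintext plist inside the app container. It is
// not covered by Data Protection and is carried along in device backups.
void storeTokenWeak(NSString *token) {
    [[NSUserDefaults standardUserDefaults] setObject:token forKey:@"token"];
    [[NSUserDefaults standardUserDefaults] synchronize];
}

// HARDENED: a keychain item. kSecAttrAccessibleWhenUnlockedThisDeviceOnly
// (iOS 4+) keeps the item encrypted under a key derived from the device
// hardware and the user's passcode, makes it unreadable while the device is
// locked, and prevents it from being restored onto a different device.
// Under ARC the (id) casts on CF types become (__bridge id).
OSStatus storeTokenInKeychain(NSString *token) {
    NSData *secret = [token dataUsingEncoding:NSUTF8StringEncoding];
    NSDictionary *base = [NSDictionary dictionaryWithObjectsAndKeys:
        (id)kSecClassGenericPassword, (id)kSecClass,
        kTokenService,                (id)kSecAttrService,
        kTokenAccount,                (id)kSecAttrAccount,
        nil];
    // Remove any previous value so a rotated token never leaves a stale copy.
    SecItemDelete((CFDictionaryRef)base);

    NSMutableDictionary *item = [NSMutableDictionary dictionaryWithDictionary:base];
    [item setObject:secret forKey:(id)kSecValueData];
    [item setObject:(id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly
             forKey:(id)kSecAttrAccessible];
    return SecItemAdd((CFDictionaryRef)item, NULL);
}

// Read the token back; returns nil if it is absent or the device is locked.
NSString *loadTokenFromKeychain(void) {
    NSDictionary *query = [NSDictionary dictionaryWithObjectsAndKeys:
        (id)kSecClassGenericPassword, (id)kSecClass,
        kTokenService,                (id)kSecAttrService,
        kTokenAccount,                (id)kSecAttrAccount,
        (id)kCFBooleanTrue,           (id)kSecReturnData,
        (id)kSecMatchLimitOne,        (id)kSecMatchLimit,
        nil];
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((CFDictionaryRef)query, &result);
    if (status != errSecSuccess || result == NULL) {
        return nil;
    }
    NSString *token = [[[NSString alloc] initWithData:(NSData *)result
                                             encoding:NSUTF8StringEncoding] autorelease];
    CFRelease(result);
    return token;
}

// Larger sensitive files: ask Data Protection (iOS 4+) to encrypt the file
// under a class key that is only available while the device is unlocked.
BOOL writeProtectedFile(NSData *contents, NSString *path, NSError **error) {
    return [contents writeToFile:path
                         options:(NSDataWritingAtomic | NSDataWritingFileProtectionComplete)
                           error:error];
}
```

Two caveats a reviewer would check: the hardware-derived protection only exists when the user has set a passcode, so a policy that requires one belongs in the threat model rather than being assumed; and the iOS Simulator does not reproduce the device's key hierarchy, so the "while locked" behaviour must be verified on real hardware.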


KEN VAN WYK
Developing secure applications for the iPhone

May 12-13, 2011
Visconti Palace Hotel
Via Federico Cesi, 37
Rome (Italy)

Registration fee: € 1200

If registered participants are unable to attend, or in case of cancellation of the seminar, the general conditions below are applicable.

Registration form fields: first name, surname, job title, organisation, address, postcode, city, country, telephone, fax, e-mail; stamp and signature.

Send your registration form with the receipt of the payment to:
Technology Transfer S.r.l.
Piazza Cavour, 3 - 00193 Rome (Italy)
Tel. +39-06-6832227 - Fax +39-06-6871102
info@technologytransfer.it
www.technologytransfer.it

INFORMATION

PARTICIPATION FEE

€ 1200

The fee includes all seminar documentation, luncheon and coffee breaks.

VENUE

Visconti Palace Hotel
Via Federico Cesi, 37
Rome (Italy)

SEMINAR TIMETABLE

9.30 am - 1.00 pm
2.00 pm - 5.00 pm

HOW TO REGISTER

You must send the registration form with the receipt of the payment to:
TECHNOLOGY TRANSFER S.r.l.
Piazza Cavour, 3 - 00193 Rome (Italy)
Fax +39-06-6871102

by April 27, 2011

PAYMENT

Wire transfer to:
Technology Transfer S.r.l.
Banca Intesa Sanpaolo S.p.A.
Agenzia 6787 di Roma
IBAN: IT 34 Y 03069 05039 048890270110

GENERAL CONDITIONS

GROUP DISCOUNT

If a company registers 5 participants for the same seminar, it will pay only for 4. Those who benefit from this discount are not entitled to other discounts for the same seminar.

EARLY REGISTRATION

Participants who register at least 30 days before the seminar are entitled to a 5% discount.

CANCELLATION POLICY

A full refund is given for any cancellation received more than 15 days before the seminar starts. Cancellations less than 15 days prior to the event are liable for 50% of the fee. Cancellations less than one week prior to the event date will be liable for the full fee.

CANCELLATION LIABILITY

In the case of cancellation of an event for any reason, Technology Transfer's liability is limited to the return of the registration fee only.


SPEAKER

Ken Van Wyk is an internationally recognized information security expert and author of the O'Reilly and Associates books "Incident Response" and "Secure Coding". In addition to providing consulting and training services through his company, KRvW Associates, LLC, he currently holds numerous positions: monthly columnist for the on-line security portal eSecurityPlanet, and Visiting Scientist at Carnegie Mellon University's Software Engineering Institute. Mr. Van Wyk has 20+ years' experience as an IT security practitioner in the academic, military, and commercial sectors. He also served a two-year elected term as a member of the Steering Committee of the Forum of Incident Response and Security Teams (FIRST). At the Software Engineering Institute of Carnegie Mellon University, Mr. Van Wyk was one of the founders of the Computer Emergency Response Team (CERT®).