Research/Presentations

Mobile AppSec: Development and Alphabet Soup

There are approximately 6 billion mobile devices in the world today, and the number of mobile applications available in Google Play and the Apple App Store is around 1.5 million. Vulnerabilities and mobile malware are skyrocketing, while development of new applications and release of new devices continue at an increasing pace. We are treating mobile application security like a foreign language and are struggling with an alphabet soup of BYOD, MDM, MAM, and MNM. Dave will explain his experiences running a mobile application security practice and the solutions he is seeing in the industry for effectively managing the mobile security of devices, applications, and data. Dave will talk about how to effectively protect your data and applications from the bad guy.

Real World Application Security in Real Time

Application security has never been more important, yet traditional approaches are starting to fall apart as applications get larger, faster, and more complex while software development has accelerated to “ludicrous speed.” Unless something changes quickly, the world’s entire, limited pool of security experts will soon be completely absorbed seeking out Cross Site Scripting (XSS) vulnerabilities. A new, automated approach called IAST (Interactive Application Security Testing) has the potential to achieve better vulnerability analysis results in a way that fits how software is actually developed.

https://www.brighttalk.com/webcast/288/66827

Mobile Application Security – There’s No App For That

Presented by: Dave Lindner, Global Practice Manager – Application Security Services & OWASP Mobile Top Ten Project Contributor

The number of mobile applications available in Google Play and the Apple App Store is nearing 1.5 million, and vulnerabilities are skyrocketing. On average, Aspect finds 11.6 vulnerabilities in every mobile application we verify. Dave will share his experiences leading Aspect’s Mobile Application Security practice, including the tools and advanced techniques we use. Mobile application security isn’t only about writing secure apps. Organizations also have to protect themselves against employees who download malicious and vulnerable applications and use them on their mobile devices at the same time they access corporate systems. Dave will talk about BYOD, BYON, and MDM issues as they pertain to protecting your data and applications from the bad guy. Join Dave as he explains mobile application security and why your existing web application security practice needs to adapt and change as this new threat grows in importance. Dave has first-hand expertise in helping clients in the financial and retail sectors with their mobile application security programs.

Get Rugged! The Practical Path to Securing the Software that Powers Your Business

Would it surprise you to know that although the threat has changed dramatically in the last 30 years, the techniques for building secure code have hardly advanced at all? We trust software with our lives, our safety, our healthcare, our communications and our businesses. Unfortunately, there are over 925 different ways that developers can introduce vulnerabilities. The result is widespread flaws that criminals who know how can exploit to cause malicious harm to others. What does it take to create and deploy secure applications? How do you get a handle on your application portfolio? How do you create a positive, practical and responsible application security program? Join Jeff Williams to learn about the steps your organization can take immediately to Get Rugged and improve your organization’s security posture.

Mobile Applications & Proxy Shenanigans

With over 5 billion mobile devices presently in use, mobile applications enable new threats and attacks that introduce significant risks to organizations. As such, it is imperative that we apply our normal application security procedures to all mobile applications, including pen testing and code reviews. Pen testing mobile applications has proven difficult when typical application security testing practices are employed. Proxying mobile traffic for examination and modification is anything but straightforward, and every application presents its own unique challenges. David and Dan will explain the issues that arise when trying to proxy mobile application traffic. Join Dan and Dave as they provide guidance and a roadmap so that you can overcome these obstacles.

Keynote: Stop Fighting It – How to Ruggedize Your Culture and Make Security Easy

Many organizations have reacted to the onslaught of vulnerabilities in their code by searching harder – more dynamic scans, more static analysis, more code review, and more penetration testing. But the cost and complexity of these reactive programs will continue to increase until they are completely ineffective. The only way to get in front of the problem is to find a new path that leads to a healthier software development lifestyle.

Proactive Mobile Forensics: Where is Your Data?

With over 5 billion mobile devices presently in use, mobile applications enable new threats and attacks that introduce significant risk. The biggest risks are data loss through an exploit or from devices being lost or stolen. Are your mobile applications susceptible to common software vulnerabilities? Do you know what critical data is being stored on these devices and backed up in the cloud? Is your sensitive data protected if a device is lost or stolen? Join David as he explains how to be proactive by examining your mobile applications, provisioned devices and their footprints.

Securing the Cloud- Best Practices from Private to Public

Join industry leaders representing the top IT security publications, alliances and organizations as they discuss best practices for securing your data in private, hybrid and public environments.

Panelists: Peter Judge, UK Editor, Tech Week Europe (moderator)
Jeff Williams, CEO Aspect Security
Daniele Catteddu, Managing Director EMEA, Cloud Security Alliance
David Mortman, Chief Security Architect, enStratus
JD Sherry, Director- Public Sector IT Security Solutions, Trend Micro

View webcast: http://www.brighttalk.com/webcast/288/46455

Unraveling Some of the Mysteries around DOM-based XSS

DOM-based XSS was first described in 2005 by Amit Klein, when it was an interesting but largely theoretical vulnerability. In 2012, with the push towards Web 2.0 well into the mainstream, DOM-based XSS has become a very commonly uncovered and exploited vulnerability, yet it remains poorly understood. The whole attack can take place inside the browser: when the payload rides in the URL fragment, the server never receives it, so server-side filters and logs never see it.
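The source-to-sink flow behind a DOM-based XSS, as an added example that is not code from the original page or from the presenter: an untrusted value is read from the URL fragment (a source the server never sees) and placed into markup bound for an innerHTML sink, beside the encoded version that renders it as text. The functions are written as pure string builders so they run under Node without a browser; the names, the "greet" element and the attack fragment are constructed for this example.

```javascript
// Added example, not code from the original page: DOM-based XSS source to
// sink, and its fix, as pure functions runnable under Node. Names and the
// attack fragment are hypothetical.

// Read the untrusted value out of the fragment. The fragment is a purely
// client-side source: browsers do not send it to the server.
function nameFromFragment(hash) {
  const raw = hash.replace(/^#/, "");
  try {
    return decodeURIComponent(raw) || "guest";
  } catch (e) {
    // Malformed percent-encoding (e.g. "%E0%A4%A") throws URIError; keep the
    // raw text as the value rather than crashing the page.
    return raw || "guest";
  }
}

// Vulnerable: untrusted data is interpolated into markup destined for an
// innerHTML sink. In a page this return value would be assigned with
// document.getElementById("greet").innerHTML = renderGreetingUnsafe(location.hash)
function renderGreetingUnsafe(hash) {
  return `<h1>Welcome ${nameFromFragment(hash)}</h1>`;
}

// Minimal HTML entity encoding for text placed in an element body.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed: same source and sink, but the data is encoded first, so the browser
// renders it as text. Assigning via textContent instead of innerHTML is the
// simpler fix when no markup is needed at all.
function renderGreetingSafe(hash) {
  return `<h1>Welcome ${escapeHtml(nameFromFragment(hash))}</h1>`;
}

// Constructed attack fragment: an element whose error handler runs script.
const PAYLOAD_HASH = "#<img src=x onerror=alert(1)>";

// True when rendered markup still contains the attacker-supplied tag.
function executesAttackerMarkup(html) {
  return /<img\b[^>]*onerror=/i.test(html);
}

console.log("unsafe:", renderGreetingUnsafe(PAYLOAD_HASH));
console.log("safe:  ", renderGreetingSafe(PAYLOAD_HASH));
```

Because the payload lives after the `#`, a server-side scanner or WAF that only sees the request line would report nothing; the flaw can only be found by reviewing or testing the client-side code.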

Don’t Get Injected: Verify Your Code

There’s only one surefire way to prevent SQL injection, the #1 most frequent and damaging application security attack: verify that your code does not contain SQL injection vulnerabilities. SQL injection lets an attacker read or modify everything in your database. Code review is the most effective analysis technique for finding SQL injection flaws, and it also pinpoints exactly where each flaw is located, making remediation much easier and faster. If your organization still relies solely on application penetration testing, you are wasting time and putting the organization at risk. Join Dave to learn about the simple genius of application code review as an efficient way to identify vulnerabilities in your applications.
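What "pinpoints exactly where the flaw is located" looks like in practice, as an added example that is not code from the original page or from the presenter: a small review helper that reports the line numbers where SQL is assembled by concatenation or template interpolation, beside the vulnerable and parameterized query shapes it distinguishes. The source it scans is constructed for this example and `db.query` is a hypothetical driver call; the heuristic focuses a reviewer's attention and does not prove the unflagged lines safe.

```javascript
// Added example, not code from the original page: a code-review helper that
// flags SQL built from string concatenation, next to the vulnerable and
// parameterized query shapes. Sample source is constructed; db.query is a
// hypothetical driver call.

const SQL_KEYWORD = /\b(select|insert|update|delete)\b/i;
// A SQL keyword on a line that also glues a string literal to something with
// "+" or interpolates with "${" is the shape a reviewer should look at.
const STRING_PLUS = /["'`]\s*\+|\+\s*["'`]/;
const INTERPOLATION = /\$\{/;

// Returns one finding per suspicious line as { line, text }. Line numbers are
// 1-based so they map straight onto the file the reviewer has open.
function findConcatenatedSql(source) {
  const findings = [];
  source.split("\n").forEach((text, index) => {
    if (SQL_KEYWORD.test(text) && (STRING_PLUS.test(text) || INTERPOLATION.test(text))) {
      findings.push({ line: index + 1, text: text.trim() });
    }
  });
  return findings;
}

// The shape the scanner flags: user input becomes part of the SQL grammar.
function buildLookupUnsafe(name) {
  return "SELECT * FROM users WHERE name = '" + name + "'";
}

// The remedy: the query text is a constant and the value is bound as a
// parameter, so the database engine never parses it as SQL.
function buildLookupSafe(name) {
  return { text: "SELECT * FROM users WHERE name = ?", params: [name] };
}

// Constructed sample of application code under review.
const SAMPLE_SOURCE = [
  "function findUser(db, name) {",
  "  const sql = \"SELECT * FROM users WHERE name = '\" + name + \"'\";",
  "  return db.query(sql);",
  "}",
  "function findUserSafe(db, name) {",
  "  return db.query(\"SELECT * FROM users WHERE name = ?\", [name]);",
  "}",
  "function countOrders(db, status) {",
  "  return db.query(`SELECT COUNT(*) FROM orders WHERE status = '${status}'`);",
  "}",
].join("\n");

// Classic tautology payload: closes the quoted value and appends OR '1'='1'.
const PAYLOAD = "x' OR '1'='1";

for (const f of findConcatenatedSql(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.text}`);
}
console.log("unsafe:", buildLookupUnsafe(PAYLOAD));
console.log("safe:  ", JSON.stringify(buildLookupSafe(PAYLOAD)));
```

Run against the sample, the helper reports lines 2 and 9 (the `+` concatenation and the template literal) and leaves the parameterized call on line 6 alone, which is the difference between "there is SQL injection somewhere in this app" from a pen test and a line number a developer can fix today.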