6 Ways to Build an Insecure Mobile Application

Daniel Miessler, Principal Security Architect
Companies continue to move more and more of their infrastructure to the cloud, and while many focus well on infrastructure security they forget that most compromises occur at the application layer. This talk will walk through the most dangerous and commonly seen application vulnerabilities in the Fortify on Demand testing practice. It will include discussion of the various risks, the mistakes that lead to their introduction, and how to avoid them.
Aug 1 2013
38 mins
  • Jack Madden converses with James Rendell to get the CA perspective on Enterprise Mobility Management’s (EMM) future potential. EMM must not forget BYOD but also go beyond it into Mobile App Management (MAM), find ways to keep users' personal information and employers' information separated, and find a way to embrace the Internet of Things.
  • Jack Madden discusses Enterprise Mobility with Arun Bhattacharya to get the CA perspective on the way it should be. This means going beyond BYOD and MDM, and embracing MAM, MEM, MCM, and IoT. For many companies, finding the balance between employers' and users' privacy and security has been a problematic issue.
  • In this webinar, we’ll be going back to basics to cover what DevOps is and why you should care about it, but also discuss more advanced topics like proactively analyzing business applications during the development phase, and bringing down the silos between developers, IT operations, QA, and the business.

    Sign-up for this webinar with John Jelinek, the co-founder of DevOps Live, and Matt Zanderigo of Riverbed for some expert coaching on taking the plunge to DevOps, smoothing out the interaction between development and operations, and gaining visibility into application change to help speed up application rollouts.

    In this webinar, you’ll learn:
    • How to initiate a DevOps transformation, notable traits of successful DevOps cultures and how to get both Dev and Ops to work together effectively
    • How to ensure performance defects are discovered early with sufficient detail to fix the issue with Application Performance Management.
    • How companies like Michelin and National Instruments have reduced production issues up to 30%, and streamlined their application rollout process up to 6 times faster.

    Meet Our Guest Speaker
    John Jelinek is the co-founder of DevOps Live, a meetup group focused on bringing down silos between developers, IT operations, QA, and the business. John is also a Developer Evangelist for TradeStation Technologies, Inc. He helps software engineers build new innovations on the Web with the TradeStation WebAPI, a real-time source for financial market data. He lives in North Dallas with his wife and two daughters.
  • After building an initial prototype of its application for a limited preview, it is time for the team to move on to consolidating the architecture, making it more robust and fault tolerant before officially launching it to the end user.

    This chapter covers AWS infrastructure concepts such as regions and availability zones, and explains how to use those features to increase the application's fault tolerance.

    Services and features covered
    • Key infrastructure concepts (regions and availability zones)
    • Elastic Load Balancing
    • Amazon RDS

    • Creating an AMI from a running instance
    • Creating and configuring an Elastic Load Balancer
    • Multiple availability zones with Amazon RDS
    • Alarms with Amazon CloudWatch
  • Having successfully expanded data center capacity into Amazon Web Services for the development and test environments, the IT team faces a new capacity challenge: how to store the ever-growing volume of data generated by the business applications while keeping costs down. They also face the challenge of keeping proper backups of that data.

    This chapter addresses both questions with services such as Amazon S3 and Amazon Glacier.


    • AWS Storage Gateway
    • Data from Amazon S3 to Amazon Glacier

    Services and features covered:
    • Amazon S3
    • Amazon Glacier
    • AWS Storage Gateway
    • AWS Import / Export
  • Enterprises are realizing that the opportunity of data analytics is maximum when the data is fresh and represents the "current reality" of operations or customer experience. The business value of data dramatically falls with its age.

    As IT and line-of-business executives begin to operationalize Hadoop and MPP based batch Big Data analytics, it's time to prepare for the next wave of innovation in data processing.

    Join this webinar on analytics over real-time streaming data.

    You will learn about:
    • How business value is preserved and enhanced using Real-time Streaming Analytics with numerous use-cases in different industry verticals
    • Technical considerations for IT leaders and implementation teams looking to integrate Real-time Streaming Analytics into enterprise architecture roadmap
    • Recommendations for making Real-time Streaming Analytics – real – in your enterprise
    • Impetus StreamAnalytix – an enterprise ready platform for Real-time Streaming Analytics
  • This Analyst Briefing will cover key findings from Frost & Sullivan’s suite of video technology research for 2013, as well as the Digital Media research team’s impressions and conclusions from the 2014 National Association of Broadcasters (NAB) Show, taking place April 5-10, 2014 in Las Vegas.

    Reasons to Attend:

    • Understand key technical trends in content delivery and monetization, and their impact on video encoding/transcoding offerings
    • Gain insight into worldwide market growth opportunities
    • Receive highlights related to the competitive landscape
    • Identify customer perceptions and requirements when choosing vendors and solutions
  • Many customers who want to deliver application releases quicker, find bugs earlier and eliminate testing infrastructure turn to Capgemini’s Test Environment Management (TEM) services, which leverage CA LISA® Service Virtualization. The TEM methodology incorporates automated regression testing and virtual test environments, enabling greater coverage of non-functional tests. The resulting test environment expedites delivery of new application features to business users, reduces costs and ensures higher quality production systems.

    Join CA Technologies & Capgemini on April 16, 2014 at 10:00 am ET to learn how these capabilities are delivered by Capgemini, the functionality of the CA Technologies tools that make it possible, and a customer’s experience with the Capgemini TEM - CA Technologies solution.
  • This is the first episode of a series of webinars that will illustrate the different ways in which AWS is used by agile development teams. All episodes will refer to a startup engaged in opening a new line of business, illustrating the advantages offered by using AWS. The startup may be a new company or an innovation center within an existing company, for example one set up to follow the launch of a new product.

    This episode describes the main advantages of AWS for startups and agile IT teams, focusing on how the team quickly developed a working prototype using the various services offered by the platform.
  • Join AWS for this Building Scalable Web Applications webinar where we will explain the key architectural patterns used to build applications in the AWS cloud, and how to leverage cloud fundamentals to build highly available, cost effective web-scale applications.

    You will also learn how to design for elasticity and availability within AWS using a common web architecture as a reference point and discuss strategies for scaling, security, application management and global reach. If you want to know how to make your applications truly scale then join this webinar to learn more.

    Reasons to attend:

    • Understand the architectural properties of powerful, scalable and highly available applications in the Amazon cloud
    • Learn about Amazon regions and services that operate within them that enable you to leverage cloud scaling
    • Discover how to manage data with services like Amazon S3, Amazon DynamoDB and Amazon Elastic MapReduce to remove constraints from your applications as you achieve web-scale data volumes
    • Hear about customer case studies and real-world examples of scaling from a handful of resources to many thousands in response to customer demand

    Who should attend?

    • Developers, operations, engineers and IT architects who want to learn how to get the best from their applications in AWS
  • Introducing a New Level of on Demand Application Security Recorded: Mar 27 2014 58 mins
    According to Gartner, by 2015, ninety-nine percent of mission-critical applications in Global 2000 companies will contain open source. The ease of using open source components speeds development and creates competitive advantage but can introduce security risk into your organization. Do you know what open source components are used in your application landscape?

    Sonatype and HP Fortify are the first to deliver a new level of application security that includes static and dynamic testing coupled with open source component analysis. Join this session to learn how your organization can use Fortify on Demand to gain complete visibility into what components you are using and whether there are known vulnerabilities or license obligations that bring risk to your organization and your customers.
  • The Application Blind-spot Recorded: Feb 18 2014 28 mins
    In many organizations, Security Operation Center teams have little to no visibility into application security events. This is a significant challenge because security teams can’t protect the organization if they can't identify threats. With the evolution of threats targeting applications as the weakest link in the security ecosystem, security teams need help closing the security gap that results from improper user access as well as improper usage of applications. For many organizations it takes up to 270 days to recognize that they have been breached, and it’s often a third party such as a customer that highlights the issue. Can your organization wait for a breach to happen to react? Attend this webcast to hear from HP security experts as they articulate specific use case examples.
  • The 6 Deadly Mistakes of Mobile Application Development Recorded: Dec 13 2013 39 mins
    Everyone's heading to mobile and attackers are following. To stay ahead of the curve you need to think like the enemy. In this talk Fortify on Demand Principal Security Architect, Daniel Miessler, talks about what makes mobile security different, the OWASP (mobile) top ten and deadly mistakes NOT to make during mobile app development.
  • HP Fortify Secure Agile SDLC Recorded: Nov 22 2013 28 mins
    As the number of web application intrusions rise, the need for application software developers to identify and remediate vulnerabilities is more apparent than ever. This webinar will cover tools, education, and techniques that help security teams partner with development to maintain a secure application posture without slowing the pace of development or hindering the rapid delivery of business value in an agile development framework.
  • 2013 4th Annual Cost of Cyber Crime Study Results: Asia Recorded: Oct 31 2013 60 mins
    2013 Cost of Cyber Crime Study: Australia & Japan

    Join us for the 2013 results presentation of the second annual Cost of Cyber Crime study for Australia and Japan. Conducted by Ponemon Institute and sponsored by HP Enterprise Security, a total of 64 Australian and Japanese organizations participated. According to the findings, cyber attacks increased 12 percent in Australia and 32 percent in Japan. The costs associated with this increase in Australia were $772,903 and ¥265 million in Japan. Findings from the report also show that each week Australian and Japanese organizations experienced on average 1.4 successful attacks per company.
  • 2013 4th Annual Cost of Cyber Crime Study Results: Europe Recorded: Oct 30 2013 62 mins
    2013 Cost of Cyber Crime Study: UK, Germany & France

    Join us for the 2013 results presentation of the second annual Cost of Cyber Crime study for the United Kingdom and Germany. For the first time, the research was conducted in France. Conducted by Ponemon Institute and sponsored by HP Enterprise Security, a total of 110 UK, German and French organizations participated. According to the findings, cyber attacks increased 16 percent in the UK and 21 percent in Germany. The costs associated with this increase in the UK and Germany were £904,886 and €830,169, respectively. For the first time, it was determined that the average cost of a cyber attack in France was €3.89 million. Findings from the report also show that each week UK and German organizations experienced on average 1.3 successful attacks per company. French organizations experienced an average of 1 cyber attack per company.
  • 2013 4th Annual Cost of Cyber Crime Study Results: Americas Recorded: Oct 29 2013 61 mins
    Join us for the 2013 results presentation of the 4th Annual Cost of Cyber Crime Study, conducted by Ponemon Institute and sponsored by HP Enterprise Security. This study, based on a benchmark sample of U.S. organizations, shows that cyber attacks not only increased 12 percent last year, the costs associated with those attacks increased by an average of 26 percent or $2.6 million per organization. Findings from the report also show that each week, an organization can expect two of the many cyber attacks launched against it to succeed.

    Join us for this important webinar and learn how:
    • All industries and all sizes of organizations fall victim to cyber crime, but to different degrees.
    • Denial of service, malicious insiders and web-based attacks comprise the most costly crimes.
    • Attacks can be mitigated by SIEM, enterprise governance, application security testing and other prevention-focused strategies and technologies.
  • Real-world cross-site request forgery and scripting Recorded: Oct 10 2013 40 mins
    Cross-site request forgery (CSRF) and cross-site scripting (XSS) are two of the most serious web vulnerabilities today, but few know about them in detail. In this session, we'll show you real-world attacks that may be using CSRF and XSS, tell you what they can do to you if you're vulnerable, and explain how to find and validate these threats.
  • Threat Central – Cloud based Threat Intelligence Sharing Recorded: Oct 9 2013 24 mins
    In the new generation of cyber defense, security intelligence becomes a key element. Recent technology advances provide the foundation for a new type of threat intelligence sharing platform to organize, collaborate, and manage risk more effectively. This sharing platform makes your security program more effective with actionable protection.
  • HTML5 Security Threats Recorded: Aug 14 2013 34 mins
    HTML5: A Beautiful Disaster

    HTML5 enables web developers to create rich user experiences with application features like cross-origin communication, local storage, sandboxed iframe, and web sockets. However, the features that make HTML5 powerful can also leave your applications ripe for exploitation. Join us as we scrutinize the top five threats to HTML5. We’ll demonstrate specific features that not only introduce new attack vectors, but also undo critical protection mechanisms in legacy web applications. You’ll hear how attackers can use HTML5 features to bypass clickjacking protections, render anti-CSRF protections useless, and open new avenues for data thieves. You’ll also learn ways to protect your applications. The session will include demonstrations and real-world examples highlighting incorrect usage of HTML5 features, tips for secure HTML5 development, and ways to fortify legacy applications impacted by HTML5-related browser enhancements.
  • 6 Ways to Build an Insecure Mobile Application Recorded: Aug 1 2013 38 mins
    Companies continue to move more and more of their infrastructure to the cloud, and while many focus well on infrastructure security they forget that most compromises occur at the application layer. This talk will walk through the most dangerous and commonly seen application vulnerabilities in the Fortify on Demand testing practice. It will include discussion of the various risks, the mistakes that lead to their introduction, and how to avoid them.
  • How PCI has changed application security Recorded: Jul 24 2013 45 mins
    If your organization deals with credit card information, then you’re familiar with PCI compliance standards. And if you’re like most IT security professionals, you’re still perfecting your methods of achieving PCI compliance and application security in general. If you’re wrestling with decisions such as whether to outsource security testing, to implement a firewall, or to build security into your development processes, then attend this session. Presenters will discuss the ways in which PCI has changed application security (not always for the better), and explain how your organization can best approach this complicated issue. You’ll learn what the roadblocks to PCI compliance are, how your organization can best achieve it, and where your application security should go next.
  • Mobile Malfeasance - Exploring Trends in Dangerous Mobile Code Recorded: Jun 18 2013 61 mins
    Please join us as we explore the OWASP Mobile Top 10 classification system and metrics from a large case study of a real enterprise facing the deployment and assessment of a large number of mobile applications. Developers, Managers, and team leads will leave with resources and guidelines to start mobile security both at the process level and code level, including how to handle external mobile development teams they might contract.
  • Gaining Threat Intelligence and Combating the Four Most Common Attack Vectors Recorded: Jun 12 2013 36 mins
    The HP Security Research team (HPSR) is hard at work monitoring the threat landscape for new campaigns, profiling actors to understand their motivations, identifying the tools they use and determining how credible certain threats might be. It’s part of a long-term strategy for developing a new threat intelligence-sharing model. Why is that important? It will provide real-time info from the larger security community (enterprises like yours, industry security organizations and security vendors) that can be used to automate and catch these breaches immediately.

    Learn about HP’s findings, including these culprits: injection flaws, DDoS, various phishing techniques and zero day vulnerabilities. How can you address the inevitable breaches that will occur?
  • Why Your Cloud Provider Security Logo Doesn’t Mean a Thing Recorded: May 16 2013 49 mins
    As more applications have moved to the cloud, the industry has seen a proliferation of application security issues. In 2012, several cloud service providers were breached as a direct result of application security vulnerabilities. Before you choose a cloud service provider, make sure that it answers the series of security questions created by the Cloud Security Alliance (CSA). CSA has created a checklist of industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings – creating more transparency for enterprises. The speakers will walk attendees through this blueprint, helping them to become more adept at identifying service provider security readiness. They'll also discuss some of the most common application vulnerabilities, including unencrypted passwords, SQL Injection, and those that impact poorly architected mobile apps.
  • What is Application Security? Recorded: Apr 9 2013 30 mins
    A primer on application security and why governments and modern enterprises need it. What is application security? Simply put, it is about ensuring that every single line of code is secure and every single software application, whether it is built for the desktop, cloud or mobile device, is safe from cyber attackers and hackers. The thesis is about eliminating exploitable security risk in software at the application code level, making it immune to attack even if intruders get past perimeter defenses, and identifying the preventable costs associated with application layer attacks.
  • Mobile Application Integrity: Being Good When No One is Watching (Your Security) Recorded: Feb 14 2013 49 mins
    Mobile devices are a hot trend amongst security topics this year. While most cover the angle of device management, only a few go into testing the applications. Since the mobile application vulnerability landscape is still young, there is a need to classify these vulnerabilities so that development teams can focus and root them out of their codebases. Join us as we explore the OWASP Mobile Top 10 classification system and metrics from a large case study of a real enterprise facing the deployment and assessment of a large number of mobile applications. Developers, Managers, and team leads will leave with resources and guidelines to start mobile security both at the process level and code level, including how to handle external mobile development teams they might contract. Get ahead of upcoming PCI compliance by addressing your mobile software early!
  • Mobile Apps under Attack – How to Secure and Protect Your Apps Recorded: Dec 12 2012 48 mins
    Join us to explore the mobile application threat landscape and identify ways to prepare for reverse engineering and tampering attacks.

    The mobile App Economy is growing explosively as businesses are seeking to embrace innovation to provide new products and services to consumers, partners, and employees. However, malicious hackers and criminal organizations are now targeting these applications with a growing number of sophisticated attacks. Security of mobile apps, rather than devices, has become the new focal point as well as a top level concern for all stakeholders.

    In this webinar, mobile security experts James Lynn, Practice Principal of HP Fortify, and Vince Arneja, VP of Product Management of Arxan Technologies, will explore the mobile application threat landscape to identify a wide range of threats, from vulnerability-based attacks to reverse engineering and tampering attacks. The presenters will also address how to achieve comprehensive mobile application security within the SDLC to manage risk and exposure for B2C, B2E and B2B applications and protect today’s App Economy from theft, fraud, malware invasion, and tampering. You will gain insights into how to develop and launch vulnerability-free, self-defending, and tamper-proofed applications that can withstand the new attacks.

    HP Fortify is the leader in Software Security Assurance with solutions that contain, remove, and prevent software vulnerabilities. Arxan Technologies is the leader in protecting the App Economy with application protection solutions that are deployed on over one hundred million devices by Fortune 500 and global financial services.
  • Don’t be a Wiki Leak! Preventing Insider Threat Breaches Recorded: Oct 3 2012 39 mins
    In the wake of Wikileaks breaches in recent years, resulting from insider threat breaches, organizations began looking not only at perimeter defense but also at solutions that serve as a “Single Pane of Glass” in order to monitor and thwart insider threat and data loss activities. Specifically, organizations want to incorporate disparate applications, processes and mobile devices into the Single Pane of Glass view. In this webinar, you will learn how HP Enterprise Security solved these types of customer challenges to ensure that their “Wiki doesn’t leak.”

    Speaker: Ray Patterson, Vice President of Global Services, HP Enterprise Security Products

    About Ray Patterson
    Ray is a veteran information security executive, having held leadership roles at VeriSign, Oracle, ArcSight, and currently at HP Enterprise Security Products (ESP). In his present role, Ray leads the Global Government Services business, where his organization solves critical cyber security challenges for customers through the ESP portfolio of security solutions such as ArcSight, Fortify and TippingPoint. He also frequently presents and speaks on emerging cyber security issues impacting business and government. Ray is a retired Lieutenant Colonel, U.S. Army, and is a graduate of George Washington University (MBA), George Mason University (BS), Virginia Tech (BA), and is a Certified Public Accountant.
  • Social Networking: Risky for the Enterprise? Recorded: Sep 6 2012 49 mins
    Social networking for most of us is becoming wrapped into our DNA. This is especially important for the next generation workforce. Additionally, the employees of today and those of tomorrow will expect the capability to blog and social network with corporate assets and corporate bandwidth. These technologies are also being widely used for corporate marketing and communication. That is why it's important to look at all aspects of securing your infrastructure and, more importantly, the people that drive your organization today. This involves educating people, corporate process and the right security technologies. The following session will cover the benefits and the security risks inherent in social networking across all business verticals. Additionally, the author will provide a use case analysis of information that is gathered via web beacons that harvest information without the user's knowledge.
Proactively Securing Software for the Enterprise.
Listen to experts from HP, partners and customers discuss pressing issues across application security.
  • Title: 6 Ways to Build an Insecure Mobile Application
  • Live at: Aug 1 2013 7:25 pm
  • Presented by: Daniel Miessler, Principal Security Architect