As a pentester, it’s always a different story when we are the ones writing the report. Being on the receiving end is stressful, even more so when you throw compliance into the mix. I figured since I have been fielding questions left and right about what to do when it comes to mobile applications and HIPAA compliance, I would simply write a blog post on the topic.
I like to think about myths as common ideas that seem to perpetuate regardless of the rapid pace of technology change that is part of the modern world. When I’m out talking to folks about securing mobile apps I find that the same ideas about what enterprise security being perpetuated.
Many of the myths that I come across appear to offer panaceas that are comforting to the status quo. The idea that the newest iPhone or Samsung device will automatically make enterprise mobility safe. If enterprise data is encrypted then it is perfectly safe. If we put a wall around our apps and data then no one will be able to get in. These are comforting myths.
As we’ve discussed, the program maturity model for Application Security has six levels. You should be able to recognize at which stage of the curve your particular organization is. The easiest one to recognize is an approach to AppSec called “Do Nothing”. Let’s assume if you are reading this, that’s not you.
If your organization is already pursuing an ad-hoc testing approach to manage the security of your software, you are not alone. Most enterprises with in-house application development teams do some kind of ad hoc AppSec testing, usually during the software QA process. Most organizations who understand the fundamental importance of AppSec start here.
In the final installment of Talking Code our panel survey the latest security trends taking hold in the enterprise. Much of the discussion revolves around securing the organizational supply chain as consumer-focused services continue to progress into de facto enterprise systems.
A security researcher found an exploitable vulnerability on the U.S. Government’s Healthcare.gov portal. In other news: the sun rose in the East every day this week.
The news out of Washington D.C. this week was that the Government’s troubled Healthcare.gov web site isn’t just dysfunctional – it’s also insecure. This, after an independent security researcher named Ben Simo found an exploitable vulnerability on the U.S. Government’s Healthcare.gov portal that would allow a remote attacker to gain access to applicants’ accounts, according to reports on CNN and The Washington Post.
In honor of Halloween, I did a quick analysis of 30 Halloween-themed Android games to see how many were sending data and to where. While not all apps that send data are malicious, the following stats are spooky for privacy conscious folks:
- 16 apps sent data various US locations (53%)
- 5 apps sent data outside of the US (17% — see pictures below)
- Only 9 apps sent no data (30%)
Robert Lemos has an excellent summary of the state of the debate on disclosure of exploit code in his column at Dark Reading. In it, I’m quoted briefly:
Software vulnerabilities are often discovered independently, suggesting that silencing the disclosure of a vulnerability and how to exploit the flaw would merely allow a bad actor more time to use an attack, says Darren Meyer, senior security researcher at Veracode, an application security firm.
In the penultimate episode of Talking Code the panel discuss standards-based and ad-hoc security protocols in regard to the inclusion of bluetooth technology in medical devices. Our experts seek to shed some light on a topical issue that ultimately concerns the security risks that come with added functionality.
One of my national cyber security month activities was participating in an employee awareness day at NYU Langone Medical Center. Kudos to the infosec team for putting on a nice event.
Since the audience was doctors, nurses and students my goal was to present mobile security statistics in a memorable way. I had two slides showing at a very high level how mobile malware works, but one of the main points I wanted to convey was an app doesn’t have to be malware to do you harm.
Backdoor, schmackdoor – it’s Christmas Shopping Season, y’all!
This morning my blog, The Security Ledger, ran a story about research from the firm Duo Security that provided more evidence (if any was needed) that the fast-emerging market for IP-enabled “stuff’ has a serious reckoning with the security and privacy crowd.