Shifting left: Continuous testing for better app quality and security

Originally presented on September 19, 2018 Given the volume and velocity of mobile apps, there simply aren’t enough resources to test them all in the same manner. There has to be a better way. NowSecure introduces a new framework to help organizations craft a Risk-Based Mobile App Security Testing strategy. Watch the presentation here: https://www.nowsecure.com/webinars/a-risk-based-mobile-app-security-testing-strategy/

Originally Recorded March 18, 2020 DevSecOps enthusiast D.J. Schleen unveils the latest updates to the DevSecOps Reference Architecture, an extensive chart of open-source tools and third-party applications that now includes mobile app pipelines. Join us to score your own copy and learn: + The most popular tools and integrations to automate and scale your pipeline + How and where mobile DevSecOps differs from web + Where to apply dynamic and interactive application security testing to speed app delivery

Andrew Hoog, founder of NowSecure, gave a presentation on managing third-party mobile app risk in healthcare. He discussed how BYOD and use of personal devices is common in healthcare despite risks. Analysis of top hospitals found on average 89 apps per device, representing over 2 million potential points of risk. Analysis of medical apps found many had significant security issues putting patient data at risk. Hoog advocated for vetting all third-party apps used through tools like NowSecure to identify and remedy security issues in order to better manage third-party mobile app risk.

From the creators behind top mobile tools R2 and FRIDA, get the inside scoop on the R2 and FRIDA OSS projects. Led by NowSecure Research Team including David Weinstein, Ole André and Pancake (Sergi Àlvarez), this webinar speaks to our favorite mobile AST OSS projects. Peek behind the curtain on these tools, check out on their latest updates, and learn about potential future enhancements.

Our threat research team spends every waking moment reverse-engineering and cracking mobile apps and devices to help organizations reduce mobile risk. Originally presented on October 24, 2017, mobile security expert and NowSecure founder Andrew Hoog explains the attacker’s point-of-view, what attackers are looking for in mobile banking or financial services apps, and what makes your mobile app an appetizing target. He then provides tips for deploying a mobile app security testing program to ensure you proactively plug security holes, squash privacy leaks, and fill compliance gaps in your mobile apps.

The document discusses cybersecurity fundamentals for bar associations. It covers why cybersecurity is important, how to conduct an asset-based risk assessment, common attack vectors like phishing and ransomware, and frameworks and best practices like the NIST Cybersecurity Framework. It also provides examples of vulnerabilities found on a local bar association's web server and outlines five practical cybersecurity tips for organizations, such as patching systems, using strong authentication, encrypting data, and outsourcing security functions.

Mobile apps fall in scope for a number of regulatory requirements that govern the banking and financial services industries, such as: guidelines from the Federal Financial Institutions Examination Council (FFIEC), the Gramm–Leach–Bliley Act (GLBA), New York State cybersecurity requirements for financial services companies, the Payment Card Industry Data Security Standard (PCI DSS), the Sarbanes-Oxley Act, and more. Luckily, a repeatable mobile app security assessment program and standardized reporting go a long way in both achieving compliance objectives and securing mobile apps and data. Originally presented on August 22, 2017, NowSecure Security Solutions Engineer Brian Lawrence explains: -- How and where exactly mobile apps fall in scope for various compliance regimes -- Mobile app security issues financial institutions must identify and fix for compliance purposes -- How assessment reports can be used to demonstrate due diligence

+ How do vulnerable mobile apps and insecure V2D communications put drivers and manufacturers at risk? + Applying crashworthiness and safety ratings concepts to mobile app and connected car cybersecurity + How to manage mobile app security defects and vulnerabilities in the connected car and mobile app development process

Over the last few years Seculert and other leading security companies have discovered many advanced malwares lurking on company networks that have gone undetected by standard advanced threat prevention solutions. Enterprises are now realizing that they need to find alternative solutions to protect their network. Learn why depending on malware prevention alone is no longer an option. Join Seculert’s CTO Aviv Raff for an in-depth webinar. Aviv Raff will address: - How recent malware such as Dexter and Shamoon entered company networks despite their APT prevention systems - How Seculert discovered Shamoon - Why your peers are moving to malware detection instead of prevention - How Big Data is an indispensable tool to fight Advanced Persistent Threats Raff is responsible for the fundamental research and design of Seculert’s core technology. Don’t miss out on hearing from the expert.

A mobile app that’s vulnerable to man-in-the-middle (MITM) attacks can allow an attacker to capture, view, and modify sensitive traffic sent and received between the app and backend servers. At NowSecure, Michael Krueger and Tony Ramirez spend their days performing penetration tests on Android and iOS apps, which include exploiting MITM vulnerabilities and helping developers fix them. These slides are from a 30-minute webinar with Michael & Tony about MITM attacks on mobile apps and how to prevent them that will cover: -- Identifying man-in-the-middle vulnerabilities in mobile apps -- How to execute a mobile man-in-the-middle attack -- Right and wrong ways to implement certificate validation and certificate pinning

This document discusses Splunk's security vision, strategy, and platform. It outlines Splunk's positioning as a leader in security information and event management. It describes Splunk's security portfolio and how the platform can be used to prevent, detect, respond to and predict security threats. It also provides examples of how Splunk has helped customers in various industries improve their security operations and gain insights from security and other machine data.

This is the materials for BSSN Focus Discussion Group about how to (relatively) securing the web applications infrastructure

Daniel Kandel, VP of R&D at Skycure, gave a presentation reviewing mobile security trends in 2016 and predictions for 2017. In 2016, there was an increasing focus on attacking iOS devices and more targeted attack types. Various malware incidents occurred, such as Accessibility Clickjacking and HummingBad. In 2017, mobile attacks are predicted to grow more sophisticated using zero-day exploits. Mobile corporate espionage is also expected to increase. Organizations will need diversified mobile security strategies that can protect both managed and unmanaged devices from these evolving threats.

Presented on August 23, 2017 at the League of Women in Cyber Security meetup (https://www.meetup.com/League-of-Women-in-Cybersecurity/events/242071337/). his talk will provide an intro to honeypots and their benefits, an intro to deception in cyber security, and an overview of HoneyPy and HoneyDB.

Learn about how ransomware works in this slide deck. To view the on-demand webinar in its entirety, click here: http://bit.ly/2jBhYXF

This document discusses embedding security into the software development lifecycle (SDLC) in light of the General Data Protection Regulation (GDPR). It outlines why security in the SDLC is important to identify and fix vulnerabilities early. The document introduces the OWASP Software Assurance Maturity Model (SAMM) as a framework to implement best practices for security in the SDLC. It maps GDPR requirements to the domains covered by SAMM to show how the two reinforce each other and how organizations can improve SDLC security practices to comply with GDPR.

This document discusses the digital revolution and cyber threats in the world. It notes that while life has improved in many ways due to technological advances, cyber attacks pose new risks and challenges. The document outlines various cyber attack vectors like attacks on cars, infrastructure and IoT devices. It argues that consolidated, proactive security across networks, cloud and mobile devices is needed to stay ahead of evolving threats. Check Point Software is presented as a leader in cyber security that provides such a holistic prevention-oriented approach through its unified security platform.

Gene Gotimer is a senior architect at Coveros, Inc. who presented on adding security testing tools to the delivery pipeline. He discussed how security is often neglected until late in the process, forcing teams to choose between fixing issues and delaying release or accepting security risks. Gotimer argued for incorporating security testing earlier in the pipeline using various tools to detect obvious security problems and make it easier to find less obvious issues through repeated testing as code is improved. This allows developing better security processes and releasing more securely without delays.

This document provides information about a presentation titled "Integrating Automated Testing into DevOps" given by Jeff Payne of Coveros, Inc. It includes biographical information about Jeff Payne, an agenda for the presentation, and content that will be covered, including definitions of DevOps, common DevOps terminology, automated testing for continuous integration and continuous delivery, environments for testing, common tools used, and demos of automated testing.

The document discusses how cloud computing is transforming product development by enabling design thinking, agile teaming, DevOps, and achieving organizational flow. It provides examples of how companies are developing products faster and scaling ideas quickly using AWS services like EC2, Lambda, and Fargate. Microservices, two-pizza teams, and continuous testing allow Amazon to rapidly adapt based on customer feedback.

Many enterprises who are embarking on a journey to the cloud view this effort as an opportunity to transform their operations and development practices. DevOps, agile software development, and design thinking are the popular methodologies that are being used to create a more customer-centric mindset and speed up the delivery of new products & features. This session breaks down the essential components of each methodology and provides best practices on navigating the challenges that are commonly encountered when adopting these methods during a cloud migration. About the event AWS Transformation Day is designed for enterprise organizations migrating to the cloud to become more responsive, agile and innovative, while staying secure and compliant. Join us for this one-day event and we’ll share our experiences of helping enterprise customers accelerate the pace of migration and adoption of strategic services. Who should attend? This event is recommended for IT and business leaders who are looking to create sustainable benefits and a competitive advantage by using the AWS Cloud. CIOs, CTOs, CISOs, CDOs, CFOs, IT leaders and IT professionals, enterprise developers, business decision makers, and finance executives.