Agenda: - SDLC vs S-SDLC - Mobile development security process - What tools using for security testing? - How to integrate into existing processes? - What additionally you can do?

1. Secure SDLC in mobile
software development

2. Mykhailo Antonishyn
Application security expert
I work in cyber security more than 5 years.
Application security consultant at Access Softek Inc.
Co-founder of ByteCode security team
4+ years experience in fintech.
Telegram: @medwed_2015
Gmail: antonishin.mihail@gmail.com
Speaker

3. SDLC vs S-SDLC
Mobile development security process
What tools using for security testing?
How to integrate into existing processes?
What additionally you can do?
Agenda
IMPLEMENT INTO
CURRENT PROCESS
TOOLS
S-SDLC FOR MOBILE
APPLICATIONS
SDLC vs SECURE SDLC

4. SDLC vs Secure SDLC

5. Secure Software Development Lifecycle
REQUIREMENTS ANALYSIS
MAINTENNANCE
• Monitoring issues
• Response on emergency of
applications
• Accelerators
SECURITY TESTING
• Static and Dynamic
Application Security Testing
(SAST, DAST)
• Composition Analysis
• Bug tracking tool integration
• Automated Self Serviced
Dashboards
• Accelerators
RELEASE
• Checks issues in docker
containers
• Checks and review CI/CD
pipiline
DEVELOPMENT
• Static code analysis
• Dependency checks
• Check insecure functions and
libraries
• Use special plugins for
security issues checks while
debugging applications
• Security Standards Compliance
• Assess the current level of maturity
• Identify Gaps
• Create a roadmap for next level maturity
• Security Policies and Processes
DESIGN
• Risks Assessment & Analysis
• Threat Modelling
• Attack Surface analysis

6. Requirements Analysis
SECURITY STANDARDS AND POLICIES
• ISO 27034
• GDPR
• NIST 800-163
• NIAP
• MASVS
• Company strategy
• Local security policies
REQUIREMENTS
• Time-line
• Process and communications with teams
• Security requirements for product
• Response plan

7. Design
RISK ASSESMENT AND ANALYSIS
Risk assessment is the combined effort of
identifying and analyzing potential (future)
events that may negatively impact individuals,
assets, and/or the environment (i.e. hazard
analysis); and making judgments "on the
tolerability of the risk on the basis of a risk
analysis" while considering influencing factors
(i.e. risk evaluation).
THREAT MODELLING
Threat modeling is a process by which
potential threats, such as structural
vulnerabilities or the absence of appropriate
safeguards, can be identified, enumerated, and
mitigations can be prioritized.
ATTACK SURFACE ANALYSIS
Attack Surface Analysis is about mapping out what parts of a system
need to be reviewed and tested for security vulnerabilities. The point of
Attack Surface Analysis is to understand the risk areas in an
application, to make developers and security specialists aware of what
parts of the application are open to attack, to find ways of minimizing
this, and to notice when and how the Attack Surface changes and what
this means from a risk perspective.

8. Development
TOOLS
DESCRIPTION
DELIVERABLES
• Report from SonarCube
• Security issues while debugging applications
• Integration of scanning tool into CI/CD pipeline
A static code scan and dependency checks are the
first step towards truly understanding where your
products weaknesses lie, and how critical they
might be to your business’ continuity and
reputation.

9. Security Testing
ATTACK GUIDES
OWASP MSTG
NIST 800-163
NIAP
CRITICAL ISSUES
Tools
Users unawareness
OWASP Mobile TOP 10
OWASP TOP 10
Wi-Fi weaknesses
OWASP API Security TOP 10
SECURITY TESTING PROCESS
Deploy testing environment
Configure testing devices
Build testing mobile application's
SAST and DAST
Reporting and Remediation
Custom exploit development and
exploitations
A highly effective method of assessing security that
demonstrates security weaknesses by modelling the
actions that a real attacker would take

10. Release
obtaining feedback from end-users in order to
make appropriate tweaks
confirming that the software in production
meets customer and user needs according to
the initial requirements
conducting maintenance and support tasks
FACTORS
confirming that the software works as optimally
in the production environment as it did in the
development environment
The release phase of the Software Development Life Cycle
(SDLC) is traditionally associated with production,
deployment, and post-production activities.
In this phase, post-production tasks (after deployment) in
traditional SDLC models do not greatly involve development
engineers. Operations admins and security engineers
typically complete most of thee functions, which may include
software monitoring, security testing, incident response, etc.
In the Secure Software Development Life Cycle (SSDLC),
developers are responsible for completing additional security
tasks, which - even in the post-production stage of the
release phase - integrates security with development.
DESCRIPTIONS

11. Maintenance
• CONTINUOUS MONITORING AND LOGGING
OF THE SOFTWARE
• USING MONITORING TOOLS TO WATCH FOR SECURITY EVENTS
AND TRENDS FOR ATTACK SIGNATURES
• MONITOR 3RD PARTY LIBRARIES FOR
EXTERNAL VULNERABILITIES

12. WHAT ELSE?

13. External Security Audits
Automatic Scanning
Vulnerability
Assessment
Penetration Testing Red Teaming
Scope Defined by scanner
OWASP Top 10 and
beyond
Defined by organization Identified by Red Team
Objective
Uncover many
vulnerabilities
Uncover many
vulnerabilities false-
positive free
Penetrate into the
system and meet
specific goal
Continuous simulation
of real-world attack
Threat Emulation Basic Basic Advanced
Advanced and
persistent
Rules Defined by scanner
Well defined and
agreed
Well defined and
agreed
Anything goes
Employee Awareness Typically aware Typically aware Discussable Limited number
Vulnerability Scanning
Manual Testing
Simulating Attackers
Partially
Social Engineering
Physical/Wi-Fi netw.
per request
Required Security
Maturity
Just running application
(DEV, UAT env.)
Just running
application
(DEV, UAT env.)
Production-Like
infrastructure (Pre-
PROD env.)
Production
Environment with Blue
Team
Typical Duration
Recommended only as a
part of other
assessments
2 weeks 2-4 weeks Continuously
Auto
Scanning
2-3 days
Vulnerability
Assessment
2 weeks
Penetration
Testing
2-4 weeks
Red Teaming
Continuously
D
E
P
T
H
Recommended levels of security testing services
according to Customer’s Maturity level of Security
processes and posture:

14. Bug Bounty

15. Trainings
• Security news of special technologies
• Updates
• Vulnerable and security library
• Security plugins
• Tools for security testing

16. Code Protection
TOOLS
CODE HARDERING RUNTIME APPLICATION SELF-
PROTECTION
CODE OPTIMIZTION
Obfuscation of names of
classes, fields and
methods of arithmetic
instructions, control flow,
native code and library
names, resources and
SDK method calls
Encryption of classes,
strings, assets, resource
files and native libraries
Detection of debugging tools,
emulators, rooted devices,
hooking frameworks, root cloaking
frameworks and tampering
SSL pinning and Webview SSL
pinning
Certificate checks
Removal of redundant code, logging
code and metadata, unused resources
and native libraries
Code and resource optimization

17. Domains
We work with tech start-ups & enterprises to achieve accelerated hyper growth / time to market,
through 'software engineering excellence', providing access to the best emerging technology
teams.
Governance Banking
FinTech
eCommerce
Telecom Energy
Blockchain
Automotive
Crypto
Health care

18. Q&A