Auditing an App Presented by: Joe Dalessandro Head of Security & Technology Audit Australian Unity Session 2C

Upload: others

Post on 24-Nov-2021

3 views

Category:

Documents


0 download

TRANSCRIPT

Auditing an App

Presented by:

Joe Dalessandro

Head of Security & Technology Audit

Australian Unity

Session 2C

Coverage – 30 minutes. Q&A 15 minutes.

• Where is this in the universe?

• What are the threats?

• Mobile application auditing - practical

• Is this different?

• What do we do?

• What should we co-source? Why?

• Frame the plan

• Yes, I will share the slides.

• Yes, you can email me directly:

[email protected]

• linkedin.com/in/joedalessandro

• You do not have to scramble to take notes or pictures.

Where is this in the universe?

• How did we get here?

• What is Security & Technology Audit?

Where is this in the universe?

• How do we fit the pieces together? Context

• Where are we going?

Where is this in the universe?

• Mobile App development fits into a number of areas across CobIT

• We are not auditing a mobile phone!

How do we talk about it?

• Collaborating with your IT department and your Level 2 stakeholders such as Risk should be straightforward

• Purpose - Security - Usability - Reliability

Why you should audit your organisation’s app

• Threats:

• No mobile device or mobile app strategy exists – lost productivity and reputational harm and potentially regulator or legal action

• DEV users: IDM: Both internal and external.

• Coding: bugs, vulnerability, insecure coding - data leakage, malware propagation and service disruption.

• Conveniences: device features such as Bluetooth- data leakage, interception, theft.

• Transactions with internal resources (information assets, APIs)

Practical point #1

• Starting cold? Must produce an audit in FY19?

• Steps:

• OAIC and ISACA are your best friends.

• Download these two resources immediately

• Connect with your ERM group and get any risk assessments or BIAs

• Determine the scope of use of your org’s mobile app (don’t forget platforms)

• Request guiding docs and kick-off

• Develop test plan based upon ------

• Provide stakeholders an audit of maturity and management oversight as you would with any security & technology audit

Normal Methodology: Scoping

• So is this different? No

• We need to define the assets, the threats and the effect.

• We need to determine how mature our organisation is at development and mgmt oversight

• We need to assess our team and determine how to direct and execute the work. This is where co-sourcing comes into play.

• Planning

Practical point #2

• Governance

• A strategy, policy and supporting procedures exist and is maintained for mobile application use, development and growth

• The mobile application development and release process is subject to management oversight to ensure requirements for secure code development, controlled release, data management and application maintenance and enhancement.

Normal Method. Planning

• Operational Management

• All branded APPs are created using defined requirements that include minimum security, development (coding), usability and brand standards

• APP development (internal and external (outsourced)) is documented, monitored, controlled and undergoes consistent process(es). External APP development is monitored and follows risk assessment guidance (API controls included).

• Change policies and procedures are appropriately applied, detailed, risk assessed, consistent, and employed for all APPs

• APPs are released via a documented, centralised process that considers testing results, segregation of duties and access controls, and logging

• APP store management and credentials are controlled, monitored and centralised

• APPs connecting to ORG resources (Information Assets (data) and/or customer data) containerise or session-cache data and do not store credentials or data locally on the handset

• Two APPs: APP1 and APP2 will be stress-tested for security vulnerabilities and data leakage

Hybrid Method. Testing

• Developing a test plan

• Governance

• Operations

• Co-sourcing

• Why co-source?

• How do we do it?

• Value for money

Client Side Vulnerabilities

Theory & Concepts

• Go through the files in the APK/IPA one by one

• Decompose, decompile, reverse engineer, analyse

• Low-hanging fruit:

• Sensitive data

• Left-over credentials

• Undocumented API calls

• More advanced:

• How does the application store user credentials?

• How are user sessions managed?

What people forgot to clean up before going into production

Insecure planning, architecture and design decisions
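The client-side "low-hanging fruit" pass described above (go through the files in the APK/IPA one by one, look for sensitive data, left-over credentials and undocumented API calls), as an added example that is not part of the original slides. It assumes the package has already been unzipped or decompiled into a directory; the detector patterns, the sample tree and the documented-host list are constructed for illustration.

```python
"""Added example (not from the slides): first-pass static scan of an unpacked
APK/IPA for sensitive data, left-over credentials and undocumented API
endpoints. A constructed sample tree stands in for a real decompiled app."""
import os, re, tempfile
from collections import namedtuple

Finding = namedtuple("Finding", "kind path line match")
# Illustrative detectors (an assumption, not an exhaustive rule set).
PATTERNS = {
    "credential": re.compile(r'(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*["\']?([^\s"\']{6,})'),
    "aws_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "endpoint": re.compile(r"https?://([\w.-]+)(?::\d+)?(?:/[\w./-]*)?"),
}
SKIP_EXT = {".png", ".jpg", ".ttf", ".so", ".dex"}  # binaries need other tooling

def scan_tree(root, documented_hosts):
    """Walk every text file under root; flag secrets and hosts missing from the API inventory."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SKIP_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                for lineno, text in enumerate(fh, 1):
                    for kind, rx in PATTERNS.items():
                        for m in rx.finditer(text):
                            if kind == "endpoint" and m.group(1) in documented_hosts:
                                continue  # host is on the documented API list
                            findings.append(Finding(kind, os.path.relpath(path, root), lineno, m.group(0)))
    return findings

def build_sample_tree():
    """Constructed stand-in for a decompiled app; the AKIA value is the AWS docs example key."""
    root = tempfile.mkdtemp(prefix="apk_")
    files = {
        "src/com/example/BuildConfig.java": (
            'public static final String API_KEY = "AKIAIOSFODNN7EXAMPLE";\n'
            'private static final String DB_PASSWORD = "Hunter2Hunter2";\n'
            'static final String DEBUG_DUMP = "http://staging-internal.example.com:8080/admin/dump";\n'),
        "res/values/strings.xml": '<string name="api_base">https://api.example.com/v2/</string>\n',
        "assets/debug.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----\n",
    }
    for rel, body in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Calling `scan_tree(build_sample_tree(), {"api.example.com"})` returns five findings: two hard-coded credentials, the AWS-style key, the staging host that is not on the documented API list, and the private key left in assets; the documented `api.example.com` reference is not reported.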

Server Side Vulnerabilities

Theory & Concepts

• Go through the API endpoints one-by-one, with and without credentials

• Test the robustness of the security controls, such as:

• Authentication

• Authorisation

• Session Management

• Input Validation

• Logging and Auditing

• Error Handling
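The server-side step above (each API endpoint exercised with and without credentials, checking authentication, authorisation and session management) expressed as an expected-versus-observed access matrix, as an added example that is not part of the original slides. The endpoints, identities, tokens and the deliberately weak `fake_api` back end are all constructed so the matrix runs offline; in an engagement the transport would be the real HTTP client.

```python
"""Added example (not from the slides): an access-control matrix for the
server-side test plan. Every (endpoint, identity) pair has an expected status;
any deviation is a finding. The back end here is a constructed stand-in."""
from collections import namedtuple

Case = namedtuple("Case", "endpoint identity expect")          # expect: HTTP status
Finding = namedtuple("Finding", "endpoint identity expected observed")

# Constructed test identities: no token, two customers, and an expired session.
IDENTITIES = {"anonymous": None, "alice": "tok-alice", "bob": "tok-bob", "expired": "tok-old"}

def fake_api(method, path, token):
    """Constructed back end with two deliberate control gaps for the matrix to surface."""
    user = {"tok-alice": "alice", "tok-bob": "bob"}.get(token)  # expired token -> no user
    if path == "/v2/login":
        return 200
    if path.startswith("/v2/accounts/"):
        if user is None:
            return 401
        return 200  # gap: no check that `user` owns the account in the path
    if path == "/v2/admin/export":
        return 200  # gap: admin endpoint accepts any caller, authenticated or not
    return 404

def run_matrix(cases, transport):
    """Run each case through the transport and return the deviations from the plan."""
    findings = []
    for c in cases:
        observed = transport("GET", c.endpoint, IDENTITIES[c.identity])
        if observed != c.expect:
            findings.append(Finding(c.endpoint, c.identity, c.expect, observed))
    return findings

# The test plan: authentication, session management, horizontal and vertical authorisation.
PLAN = [
    Case("/v2/login", "anonymous", 200),
    Case("/v2/accounts/alice", "anonymous", 401),   # authentication required
    Case("/v2/accounts/alice", "expired", 401),     # session management: stale token rejected
    Case("/v2/accounts/alice", "alice", 200),
    Case("/v2/accounts/bob", "alice", 403),         # horizontal authorisation
    Case("/v2/admin/export", "anonymous", 401),
    Case("/v2/admin/export", "alice", 403),         # vertical authorisation
]

if __name__ == "__main__":
    for f in run_matrix(PLAN, fake_api):
        print(f"FINDING {f.identity:9} GET {f.endpoint}: expected {f.expected}, got {f.observed}")
```

Against the constructed back end the matrix reports three findings (alice reading bob's account, and the admin export reachable both anonymously and by an ordinary customer) while the authentication and expired-session cases pass.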

Normal Method. Report Delivery

• Status update memos

• So is this different? No

• Report delivery will fit into your existing methodology.

• You may need to walk your risk folks through the threats and vulnerabilities. If your risk folks use FAIR that will provide you a number of inputs for scenario planning back in planning.

• As always you will need to be judicious with your use of technical terms in your written reports

How can I help? Q&A + References

• https://www.isaca.org/Journal/archives/2016/volume-4/Pages/elements-of-an-is-it-audit-strategy-part-1.aspx

• https://www.isaca.org/Knowledge-Center/Research/Documents/Aligning-COBIT-ITIL-V3-ISO27002-for-Business-Benefit_res_Eng_1108.pdf

• https://leanpub.com/mobile-security-testing-guide

• https://github.com/OWASP/owasp-masvs/releases/download/1.1.3/OWASP_Mobile_AppSec_Verification_Standard_1.1.3_Document.pdf

• http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Securing-Mobile-Devices-Using-COBIT-5-for-Information-Security.aspx

• http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Securing-Mobile-Devices.aspx

• https://www.isaca.org/Journal/archives/2017/Volume-6/Pages/auditing-mobile-devices.aspx

• https://github.com/OWASP/owasp-mstg/blob/master/Checklists/Mobile_App_Security_Checklist-English_1.1.xlsx

• https://www.oaic.gov.au/resources/agencies-and-organisations/guides/guide-for-mobile-app-developers-checklist.pdf

• https://www.isaca.org/bookstore/Pages/Product-Detail.aspx?Product_code=WAPDP

• END

• Yes, you can email me directly: [email protected]

• http://www.linkedin.com/in/joedalessandro