Tuesday, January 24 • 11:00am - 11:50am
Threat Modeling for Mobile


How do you know how to build your application securely, or what to look for when you’re performing a security assessment of an application? One critical part of figuring this out is the application’s threat model. For many years, development teams and security teams have been dealing primarily with web applications that generally have a common threat model. We have gotten so used to this threat model that we often don’t even think about it.

As we are increasingly dealing with mobile applications, we need to rethink this approach. The mobile ecosystem is complex and there is no one threat model that applies to all mobile applications. Based on over twelve years of experience working in the mobile ecosystem (starting before smartphones were a thing) and testing thousands of mobile applications, we have developed a variety of threat models for different types of mobile applications as well as mobile operating systems.

With mobile applications, we’re no longer running inside a mature client application (the browser) that provides many security features to us, such as secure communication and the same-origin policy, that cannot be overridden by web applications. This has interesting security implications. There are many more security issues that we need to be aware of when developing and testing mobile applications. Without understanding the security issues in different types of mobile applications, we are inevitably going to produce vulnerable applications and even waste money on unnecessary controls. This talk will demystify the mobile ecosystem and will outline how to develop threat models for your mobile applications. It will dig into technical details such as how security features in Android and iOS, as well as in cross-platform development frameworks like Apache Cordova, are implemented, and how that impacts mobile applications.

Speakers

Amit Sethi

Senior Principal Consultant, Cigital
Amit Sethi is a Senior Principal Consultant and the Director of the Mobile Practice and the Advanced Penetration Testing Practice at Cigital. He has over 12 years of experience in the security industry as well as a Master's degree in Cryptography. He has extensive experience performing...
Tuesday January 24, 2017 11:00am - 11:50am PST
Marion Davies Guest House