Monday, 4 May 2015

Public Key Pinning Boosts Website Security




To mitigate man-in-the-middle (MITM) attacks that rely on fraudulently issued SSL certificates, the Public Key Pinning Extension for HTTP (HPKP) was designed as a more reliable way of validating a web server's certificate. HPKP lets a site administrator bind ("pin") the public key of the server's certificate, or of a certificate authority (CA) in its chain, to the site and announce those pins in an HTTP header. Browsers and other clients can then check that the server's certificate is signed by one of the specifically whitelisted CA keys, rather than relying on ordinary certificate chain verification alone. The check is performed during the certificate verification stage of the connection, before the browser sends any data.


Google Chrome has supported public key pinning for some time, and it helped detect the fraudulent SSL certificates issued by DigiNotar, which were used in a MITM attack against Google users in Iran, as well as the intermediate CA certificates wrongly issued by TurkTrust. Such lapses in the CA infrastructure undermine confidence in the CA hierarchy of trust, which is the main reason the major browsers are embracing certificate pinning. Public key pinning is supported by Firefox and Google Chrome, and Microsoft is also considering it for inclusion in Internet Explorer and its new web browser, Spartan.

Firefox and Chrome ship with a built-in pinset – a list of certificates that are acceptable for large, high-security websites – but as of now no browser supports dynamic pinsets. This means the list of acceptable certificate authorities for every pinned domain has to be hard-coded when the browser is built. That brings scalability issues and excludes all but the major websites. With the help of web application security services, both vendors are looking at how dynamic pinsets should be supported. Web administrators who want to prepare their websites for dynamic pinning have to return the Public-Key-Pins HTTP header when their site is accessed over HTTPS. For example, the following header can be sent by a web server to tell browsers to associate a specific SSL certificate with the website.

Header set Public-Key-Pins "pin-sha256=\"base64+info1==\"; pin-sha256=\"backup+pin+here==\"; max-age=15768000; includeSubDomains" (Note: this Apache directive requires the mod_headers module to be enabled)

Including a pin for a backup certificate that is not in use in production is also good practice. It keeps the site accessible even after the main certificate is removed.
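As an added example, not code from the original post, the following Python script shows how the pin values in the header above are produced and how an administrator can check a Public-Key-Pins header against the certificate chain the server actually serves before deploying it. The SubjectPublicKeyInfo blobs (LEAF_SPKI, BACKUP_SPKI, ROGUE_SPKI) are constructed placeholders standing in for real DER-encoded keys; everything else follows RFC 7469, which defines pin-sha256 as the base64 SHA-256 of the SPKI and requires at least one matching pin plus a backup pin that is not in the current chain.

```python
import base64
import binascii
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo (SPKI) blobs.
# In a real deployment they come from the certificates themselves, e.g.
#   openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der
LEAF_SPKI = b"constructed-spki-der-of-the-production-key"
BACKUP_SPKI = b"constructed-spki-der-of-the-offline-backup-key"
ROGUE_SPKI = b"constructed-spki-der-of-a-mis-issued-certificate"

# The header value from the post above, with its placeholder pin values.
PAGE_HEADER = ('pin-sha256="base64+info1=="; pin-sha256="backup+pin+here=="; '
               'max-age=15768000; includeSubDomains')


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value as RFC 7469 defines it: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_hpkp_header(pins, max_age, include_subdomains=False):
    """Assemble a Public-Key-Pins header value from pin strings."""
    parts = ['pin-sha256="%s"' % pin for pin in pins]
    parts.append("max-age=%d" % max_age)
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


def parse_hpkp_header(header: str) -> dict:
    """Split a Public-Key-Pins header value into pins, max-age and flags."""
    pins, max_age, include_subdomains = [], None, False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "pin-sha256":
            pins.append(value)
        elif name == "max-age":
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    return {"pins": pins, "max_age": max_age,
            "include_subdomains": include_subdomains}


def pin_is_well_formed(pin: str) -> bool:
    """A valid pin-sha256 decodes to exactly 32 bytes (one SHA-256 digest)."""
    try:
        return len(base64.b64decode(pin, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def check_hpkp(header: str, chain_spkis) -> tuple:
    """Pre-deployment check of a header against the chain the server serves.

    Mirrors what a pinning client verifies (RFC 7469): the header needs a
    max-age, well-formed pins, at least one pin that matches a key in the
    chain, and at least one backup pin that does *not* match the chain.
    Returns (ok, list_of_problems).
    """
    problems = []
    parsed = parse_hpkp_header(header)
    if parsed["max_age"] is None:
        problems.append("max-age directive missing")
    malformed = [p for p in parsed["pins"] if not pin_is_well_formed(p)]
    if malformed:
        problems.append("malformed pins: " + ", ".join(malformed))
    chain_pins = {spki_pin(spki) for spki in chain_spkis}
    matched = [p for p in parsed["pins"] if p in chain_pins]
    backups = [p for p in parsed["pins"] if p not in chain_pins]
    if not matched:
        problems.append("no pin matches any key in the presented chain")
    if not backups:
        problems.append("no backup pin (every pin is already in the chain)")
    return (not problems, problems)


if __name__ == "__main__":
    header = build_hpkp_header([spki_pin(LEAF_SPKI), spki_pin(BACKUP_SPKI)],
                               15768000, include_subdomains=True)
    print(header)
    print(check_hpkp(header, [LEAF_SPKI]))    # (True, [])
    print(check_hpkp(header, [ROGUE_SPKI]))   # fails: no pin matches the chain
```

Running the check against the page's own header reports its placeholder pins as malformed, which is the expected outcome for a template; against a header built from real SPKI hashes it confirms that the production key matches and that a backup pin exists, the two conditions a browser enforces before it will note the pins. The rogue-chain case shows what a client sees when a mis-issued certificate is presented for a pinned host: no pin matches, so the connection is rejected.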

Wednesday, 8 April 2015

Application Security Testing Helps in Safeguarding Your Apps from Threats


 
Like any other program, a mobile app is vulnerable to security threats. A large number of apps now store and share critical data such as bank details, credit card information, personal IDs and health data, or carry out transactions. Because of this, security testing for mobile applications has become essential: it is important to analyze the threats and plan how to defend your mobile app against them. Conducting a test without security awareness is not a good idea.


Most mobile apps developed today use third-party libraries and code, and third-party components are often the source of the security threats an app is vulnerable to. Even if an app developer is aware of such threats, the app's open source components can ruin its performance and can sink the app in the market even before it launches.


Why Should Enterprises Be Concerned?

According to Gartner, in 2015 more than 75 percent of apps on the iOS, Android and Windows platforms will fail security tests, because fundamental business-related security standards are lacking. The consequences for enterprises are huge, as policies are at risk of being breached along with critical business data.

App Security Vulnerabilities

Using open source code for non-core, non-differentiating features is customary and openly accepted in app development; it saves the time and resources that would otherwise go into coding non-essential elements. Developers therefore cannot ignore the third-party libraries and code that form part of their app. Understanding the issues and license restrictions that come with third-party code is important in order to understand the kind of security exposure your app faces. Subscribing to security updates gives you a broad vulnerability database that points to the category of security threat applicable to your app and lets you check for reported security issues. Threats that go unreported are usually related to proprietary code extensions or technological change, and these can cause serious problems in application technology.

Third-Party Open Source Components Security Checklist

Testing should be carried out with automated software security testing tools. The app developer should be fully aware of the security ramifications that third-party open source components have for the app and its users. Competence with third-party code ensures that the developer takes full responsibility for the related security issues and prevents hacking by taking care of security flaws and app vulnerabilities.
Monday, 16 March 2015

Enterprises Losing Billions Due to Vulnerable S/W Applications




Forbes recently published an article titled '#1 Cyber Security Threat to Information Systems Today', based on a survey conducted by Sungard Availability Services. 55% of respondents gave the top spot to vulnerable web applications.

According to Joe Caruso, the founder and CEO of GDF (Global Digital Forensics), a leading cyber security provider in New York, 'There are a few factors that converge to make applications a tricky cyber security concern for many organizations'.

Organizations today use so many web apps on so many different platforms that the numbers can get dizzying, not to mention the human resources and tools required to keep tabs on security. Then there are the large numbers of developers creating apps, from every corner of the world, promising customized apps at low cost. More often than not, security is not part of the code. They deliver functionality, effectiveness and convenience, but the safety features are not up to the mark. If security is not part of an application's development cycle, organizations can find themselves at risk of cyber-attacks that exploit their most valuable and sensitive data. Such attacks can prove very costly, as well as messy, for an organization.

The most effective software security solutions prioritize threats, from both the cause and the effect standpoint. Complete in-depth testing of every application is usually not an option. It may be possible for a small company with a limited number of apps, but for a larger organization with thousands of apps on the books, where new applications are implemented all the time, the expense and man-hours involved in testing would be prohibitive.

But not all apps are the same: some pose little threat because they are not connected to sensitive company information or client data. They do not provide a gateway for intruders and are of lower priority than others that may be medium or high risk. Specialized tools are required to judge the risks, as there can be a lot of room for interpretation. Specific methods and expertise are required to approach the problem with any real hope of success.

Vulnerability Tests to Determine the Risks

A skilled vulnerability assessment is required to determine the risks posed by every application. These assessments may include comprehensive penetration testing of every application, which determines whether they are susceptible to attacks.
Tuesday, 17 February 2015

Handling Security Issues, Slowing the Internet of Things




The potential of the Internet of Things (IoT) is becoming increasingly exciting for the IT industry, but this excitement carries a hidden danger, according to a report from HP.

HP is not the only one voicing concerns: the FTC in the US is taking a closer look at the IoT, and Ofcom in the UK is investigating a framework for the technology so that it develops in ways that benefit consumers.

HP's concern is that as soon as the IT industry solves one security issue, it moves on to create another.

In a recent article, HP's Daniel Miessler states: 'It seems that every time we introduce a new space in IT we lose 10 years from our collective security knowledge.' Daniel Miessler heads the research team at HP Fortify on Demand and is a leader of the OWASP Internet of Things Top 10 Project. He further says, 'Around 10 years ago we started talking about applications being the horizon technology, and we proceeded to build a global application portfolio ignoring the security lessons learned from the network world'.

'Then, five years ago, we decided that mobile was the real place to be. So everyone started building mobile apps while ignoring everything we've learned from securing web and thick-client applications', he said.

The issue concerning him now is that if this trend continues, there will be a new space that ignores the lessons of web application security as well as mobile security, and it can get much worse than that.

The IoT is not just another new insecure space, he said: 'It's a Frankenbeast of technology that links network, application, mobile and cloud technologies together into a single ecosystem, and it unfortunately seems to be taking on the worst security characteristics of each'.

In a recent IoT security report, HP Fortify on Demand surveyed 10 devices across multiple product types and found an average of 20 vulnerabilities per device. The products spanned TVs, home automation hubs, thermostats and alarm systems.

In terms of dealing with these issues practically, Miessler points to the work of the Open Web Application Security Project (OWASP), which has identified 10 key issues:

  • Insecure web interfaces
  • Insecure mobile interfaces
  • Insufficient authentication and authorization
  • Insecure cloud interfaces
  • Insecure network services
  • Privacy concerns
  • Lack of transport encryption
  • Insufficient allowance for security systems configuration
  • Poor physical security
  • Insecure firmware and software
After considering the possible external threats, the next step is to look at internal weaknesses. For example, when weak passwords are used, an organization's authentication will not be sufficient.

Tuesday, 3 February 2015

Analyze World Encryption Software Market Trends and Predict 2019 with Applications and Deployment





The encryption software market is growing in popularity mainly because of the Bring Your Own Device (BYOD) trend. Organizations today have a strong demand for greater efficiency achieved by safeguarding the data transferred across mobile devices, for example by email.

Although the encryption software market has influenced both the enterprise and the SMB user segments, some factors constrain its growth. For example, increased organizational overhead expenses slow adoption. Also, the wide heterogeneity of device platforms aggravates the problem of functional interoperability among encryption solutions.

Taking this into consideration, the report goes on to identify the latest trends and patterns driving growth in the encryption software market across all regions.

The way organizations work is changing with technological advances such as mobility and the cloud. Diverse technologies such as social media, mobility, cloud and PCs have been incorporated into businesses and have led to growth in the data generated across companies. Mobility is used for greater productivity, as the widespread use of mobile devices in business shows. The extensive use of mobile devices such as tablets and smartphones, as well as removable media that access and transmit business data, increases the chances of data loss and breaches. This encourages the adoption of data security solutions and mobile application security across organizations. The growing security concerns around accessing business information and transferring data across devices also call for more security solutions.

Moreover, the adoption of encryption software is driven by the evolution of regulatory standards governing data transfer and its security, which must be adhered to across industry verticals – such as PCI DSS for BFSI and HIPAA for healthcare – since these solutions follow the regulatory norms and facilitate secure access to data. The development of such standards therefore further increases the demand for encryption software around the world.

Nowadays, organizations are taking up data security solutions to embrace a flexible work culture in a secure way. This allows flexible work patterns for employees and increases productivity for companies.

Market sizing and forecasting exercises take various assumptions into consideration, including economic, political, technological and social factors. Forecasts for emerging regions are not expected to be seriously affected by market fluctuations.

Get more information here: http://www.avyaan.com/blog/secure-your-smartphone/