Difference between revisions of "Projects/OWASP Mobile Security Project/Roadmap"
Jack Mannino (talk | contribs)
Revision as of 15:15, 30 September 2011
Overview
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.
Our primary focus is at the application layer. While we take the underlying mobile platform and carrier-inherent risks into consideration when threat modeling and building controls, we are targeting the areas where the average developer can make a difference. Additionally, we focus not only on the mobile applications deployed to end-user devices, but also on the broader server-side infrastructure with which the mobile apps communicate. We focus heavily on the integration between the mobile application, remote authentication services, and cloud platform-specific features.
Project Components
In Progress
Threat Model
- Platform-agnostic mobile threat model
- Platform-/technology specific elements
- Threats (e.g. App-store Curators or Carriers)
- Attack Surface (e.g. Android IPC or Apple iCloud)
- Define and trace who attacks what, where and how
Top 10 Mobile Risks
- Intended to raise awareness and help prioritize security efforts
- Presented in a platform-agnostic format
- Focuses on areas of risk instead of specific vulnerabilities
Top 10 Mobile Controls
- 10 controls that solve many problems
- Platform-agnostic where possible
- Can be used as a checklist
Platform-Specific Guidance
- Build around the Top 10 Risks and Controls
- Explains how an issue pertains to a specific platform
- Provides good and bad code examples
Training
- GoatDroid - A fully self-contained training environment for performing security testing against Android applications. Includes several Android apps, embedded RESTful web services, databases, and a GUI featuring several tools for automating common testing tasks.
- iGoat - A modular training platform for iOS applications. iGoat includes an Xcode project that can be loaded into the iOS simulator for live testing of apps. Developers can apply code fixes and instantly observe the results to demonstrate their effectiveness.
Cheat Sheets
- Easy to consume, straight-to-the-point tutorials
- Practical guidance for a variety of issues and mobile platforms
Security Testing Methodologies
- Approaches for static and dynamic security analysis
- Covers what to look for and how to look for it
Future Initiatives
- Formal Secure Development Guide
- Secure Libraries (ESAPI for Android, ESAPI for iOS, etc.)