Security Basics
Mobile Application Pen-Testing Consulting Sep 23 2012 11:01PM
J Teddy (jteddylists gmail com) (1 replies)
Re: Mobile Application Pen-Testing Consulting Sep 25 2012 05:16PM
Jeffrey Walton (noloader gmail com)
Hi,

> I am looking for any recommendations on companies that can perform
> penetration testing for both Android and Apple apps.
Cigital is one of them. I know a few of their Pen Testers very well.
(Cigital is not the only company, and others can give you
recommendations).

> Is there anything specific I should have included in a SOW?
They seem to be pretty standard for application owners - define scope,
test the app, classify vulnerabilities, offer remediations. If it's a
mobile application, I would recommend including the wireless channel.
If the testers can set up a proxy and read the communications, they
have broken your channel (so many folks just don't get it yet:
"Mobile, SSL/TLS, and Certificate or Public Key Pinning,"
http://lists.owasp.org/pipermail/owasp-mobile-security-project/2012-August/000330.html).

As for what to give them: give them whatever they need. If they need
an unencrypted binary, give it to them so the testers can get to
testing implementation, design, and architecture. If they spend time
on decryption they are not performing the primary testing. Ditto for
doing things like obfuscation and removing classes.dex from a test APK
(!!!). It's OK to show them an encrypted, stripped and obfuscated
binary, but try to keep the testers focused on testing the
implementation, and validating the design and architecture.

Jeff

On Sun, Sep 23, 2012 at 7:01 PM, J Teddy <jteddylists (at) gmail (dot) com [email concealed]> wrote:
> Hi,
> I am looking for any recommendations on companies that can perform
> penetration testing for both Android and Apple apps.
>
> Is there anything specific I should have included in a SOW?
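
The pinning point above (a proxy that can read the traffic has broken the channel) comes down to one check the app must do itself: compare the server's public key against a key it already trusts, rather than trusting whatever certificate the device's trust store accepts. The following Python is an added example, not code from the thread or from Cigital or OWASP; it computes an HPKP-style pin (base64 of SHA-256 over the DER SubjectPublicKeyInfo) from a certificate and checks it against a pinned set. The certificate builder, the key byte strings and the name `example.test` are constructed test data, and the minimal DER helpers are assumptions of this example, not a library API.

```python
import base64
import hashlib

# --- Minimal DER helpers (written for this example; not a library API) ---

def der_len(n: int) -> bytes:
    """Encode a DER length field (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content

def read_tlv(buf: bytes, pos: int):
    """Decode the element at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, start, start + length

# --- The pinning logic ---

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, start, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "certificate must be a SEQUENCE"
    tag, pos, _ = read_tlv(cert_der, start)
    assert tag == 0x30, "tbsCertificate must be a SEQUENCE"
    if cert_der[pos] == 0xA0:          # optional explicit [0] version
        _, _, pos = read_tlv(cert_der, pos)
    for _ in range(5):                 # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)
    assert tag == 0x30, "subjectPublicKeyInfo must be a SEQUENCE"
    return cert_der[pos:end]

def spki_pin(cert_der: bytes) -> str:
    """Pin value: base64(SHA-256(SubjectPublicKeyInfo DER)), as used by HPKP-style pinning."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def check_pin(cert_der: bytes, pinned: set) -> bool:
    """True only if the presented certificate carries a public key the app already trusts."""
    return spki_pin(cert_der) in pinned

# --- Constructed test certificates (structurally valid DER, not actually signed) ---

def make_test_cert(pubkey_bits: bytes, sig: bytes = b"\x00" * 4) -> bytes:
    """Build a minimal X.509 certificate around the given key bytes (test data only)."""
    rsa_oid = tlv(0x06, bytes.fromhex("2A864886F70D010101"))            # rsaEncryption
    sha256_rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + tlv(0x05, b""))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403"))
                                          + tlv(0x0C, b"example.test"))))
    validity = tlv(0x30, tlv(0x17, b"120101000000Z") + tlv(0x17, b"130101000000Z"))
    spki = tlv(0x30, tlv(0x30, rsa_oid + tlv(0x05, b"")) + tlv(0x03, b"\x00" + pubkey_bits))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sha256_rsa
              + name + validity + name + spki)
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00" + sig))

SERVER_CERT = make_test_cert(b"constructed-server-key-bytes")
PROXY_CERT = make_test_cert(b"constructed-intercepting-proxy-key")
PINS = {spki_pin(SERVER_CERT)}   # shipped inside the app, decided at build time

if __name__ == "__main__":
    print("server cert accepted:", check_pin(SERVER_CERT, PINS))   # True
    print("proxy cert accepted: ", check_pin(PROXY_CERT, PINS))    # False
```

Pinning the SubjectPublicKeyInfo rather than the whole certificate is the usual choice: the server can re-issue its certificate (new serial, new signature, new expiry) and still pass, while an intercepting proxy's certificate, which necessarily carries a different key, fails even when the device trust store accepts it. In a real app the `cert_der` would come from the TLS handshake (for example `getpeercert(binary_form=True)` on a Python socket, or the server certificate chain in the platform's trust-manager callback), and the check runs before any application data is sent.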


Copyright 2010, SecurityFocus