[Owasp-Mobile-Project] Fwd: Mobile Top 10

Venkatesh Jagannathan venki at owasp.org
Mon Sep 20 23:43:54 EDT 2010


Hi,
I would also like to include the following considerations:

0. Compliance & GRC
1. Device Level Security (Physical)
2. Safe Downloads & Malware Protection
3. End User Security Training

Whenever one designs for a mobile development platform, the above
considerations must definitely be included.



On Fri, Sep 17, 2010 at 5:38 PM, Ludovic Petit <ludovic.petit at owasp.org> wrote:

> In fact, forget *"Well, my opinion is that we should also ensure a secure
> design to ensure that the systems meet the business requirements, which
> should be clearly defined before we address the security",* as we do not
> aim to write something business-oriented.
>
> However, and just fyi for those interested about the topic from a global
> perspective, here are two other interesting inputs:
>
> BONDI, http://bondi.omtp.org/default.aspx
>
> GSM World OneAPI, http://www.gsmworld.com/oneapi/
>
> Cheers
> - Ludovic
> ---------- Forwarded message ----------
> From: Ludovic Petit <ludovic.petit at owasp.org>
> Date: Fri, Sep 17, 2010 at 12:27 PM
> Subject: RE: [Owasp-Mobile-Project] Mobile Top 10
> To: owasp-mobile-project at lists.owasp.org
>
>
> Hi guys
>
> Sorry, I've been quite quiet for a while, I was on a business trip.
>
> Well, my opinion is that we should also ensure a secure design to ensure
> that the systems meet the business requirements, which should be clearly
> defined before we address the security.
>
> I would suggest that the "system", I mean the environment, i.e. the overall
> Mobile -secure- context, should protect against the following security
> threats:
>
>    - *Privacy*, where there is a risk of disclosure of personal
>    information, such as the usage, identity etc. This also covers data in
>    storage and transmission
>    - *Authentication* of the identities of the network elements, so that
>    it is not possible for one element to masquerade as another
>    - *Integrity* of the data, so that it is not possible to change the data
>    in storage and transmission
>    - *Security of the software*, so that the software cannot be
>    hacked/subverted (from buffer overflow to more sophisticated attacks)
>    - *Denial of Service* threats, where the system may be degraded
>
> and eventually (but my feeling is that this is a little bit out of the
> scope)
>
>    - *Hardware integrity*, so that it is not possible to subvert the
>    hardware, and keep sensitive processes secure (secure boot etc., see TR0 and
>    TR1 below).
>
> In such a case, reference could be made to the following relevant materials
> for background (from the OMTP - Open Mobile Terminal Platform):
>
> OMTP Security Threats on Embedded Consumer Devices
>
> http://www.omtp.org/Publications/Display.aspx?Id=57664db6-5feb-4476-ab0c-cf2891732a0c
>
> Advanced Trusted Environment: OMTP TR1
>
> http://www.omtp.org/Publications/Display.aspx?Id=3531a022-c606-42ad-bf02-4c8d10dc253e
>
> OMTP Trusted Environment: OMTP TR0
>
> http://www.omtp.org/Publications/Display.aspx?Id=4e5c11e5-4779-4775-ac5a-cfad53f6aa36
> Again, it's just an idea, and as such, some of the above proposals/items
> could of course be removed, depending on the way we would like to achieve a
> Mobile Top Ten and what has to be taken into account.
>
> My feeling is that we must focus on Apps, Secure Coding, but Apps, more or
> less in the same way as the Top Ten BUT, Mobile-oriented, so that both
> documents could complement each other.
>
> Anyway, these are just ideas.
>
> --
> Ludovic
>
>  ------------------------------
> *From:* owasp-mobile-project-bounces at lists.owasp.org [mailto:
> owasp-mobile-project-bounces at lists.owasp.org] *On Behalf Of *Sherif Koussa
> *Sent:* Thursday, September 16, 2010 10:35 PM
> *To:* Mike Zusman
> *Cc:* owasp-mobile-project at lists.owasp.org
>
> *Subject:* Re: [Owasp-Mobile-Project] Mobile Top 10
>
> I am just going to keep a list of tasks here accompanying this
> conversation, and please feel free to edit\add\remove.
>
> 1- Define scope: mobile apps vs mobile browsers (tendency to remove the
> apps optimized for mobile web browsers)
> 2- Define scope: mobile apps vs server apps serving these mobile apps
> 3- Spell out or distinguish pre-installed apps
> 4- Are we going to push for better crypto in the hardware/OS layer, or
> focus on correcting common crypto flaws made by third-party devs?
> 5- What is considered sensitive data? Should we push to encrypt this data?
>
> Sherif
>
>
> _______________________________________________
> Owasp-mobile-project mailing list
> Owasp-mobile-project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-mobile-project
>
>