[Owasp-mobile-security-project] Top 10 Risks Presentation
sarath at sarath-g.com
Tue Sep 27 16:16:09 EDT 2011
Congrats on an excellent presentation/work. I believe the risks aptly
address most of the issues in mobile security.
However I have the following suggestions/comments:
1) Widen Scope of *M3 - Insufficient Transport Layer Protection* to "*Insecure
Transport/Medium of Communication*" and include HTTP, SMS & PUSH
notifications in the same. I see a lot more apps out there sending critical
information (like pwd's etc) using SMS & PUSH messages, which are equally as
bad as HTTP. Widening the scope will provide room for addressing all
insecure communication protocols used today and in future.
2) Also, I see that you have rightly emphasized the importance of
leveraging platform-specific APIs and best practices, multiple times. I
often see that developing/designing a common architecture to work across
multiple platforms leads to security loopholes. As Jason Rouse has said (a
new list member) "Coding frameworks to cater to the least-common-denominator
of functionality or feature sets" is deadly to security. Hence I
Common Denominator Approach*" could potentially be a separate category of
risk under the top 10 and could be used to address security risks associated
with not leveraging platform best practices.
My 2 cents.
Thanks & Regards,
On Tue, Sep 27, 2011 at 9:50 AM, Jack Mannino <jack at nvisiumsecurity.com> wrote:
> I've posted the presentation that Mike Zusman, Zach Lanier, and myself gave
> at Appsec USA last week in Minneapolis.
> The list is out in release candidate form, and we want to take the next 60
> days to refine it. Some risks may move up or down by the time we release
> the final version.
> Again, a top 10 list serves ONLY as a starting point. Our goals with the
> Top 10 are to: 1) promote awareness and 2) give teams somewhere to start
> when trying to write secure apps. By no means is the Top 10 a comprehensive
> framework for developing secure mobile apps. That part is what comes next
> If you have feedback, please post it to the list so we can keep a dialogue
> going amongst the group.
> Jack Mannino
> Owasp-mobile-security-project mailing list
> Owasp-mobile-security-project at lists.owasp.org