[Owasp-mobile-security-project] Top 10 Risks Presentation

[Sarath Geethakumar]

Jack/All,

Congrats on an excellent presentation/work. I believe the risks aptly
address most of the issues in mobile security.
However I have the following suggestions/comments:

1) Widen Scope of *M3 - Insufficient Transport Layer Protection* to "*Insecure
Transport/Medium of Communication*" and include HTTP, SMS & PUSH
notifications in the same. I see a lot more apps out there sending critical
information (like pwd's etc) using SMS & PUSH messages, which are equally as
bad as  HTTP. Widening the scope will provide room for addressing all
insecure communication protocols used today and in future.

2) Also, I see that the you have rightly emphasized the importance of
leveraging platform specific API's and best practices, multiple times. I
often see that developing/designing a common architecture to work across
multiple platforms leads to security loopholes. As Jason Rouse has said (a
new list member) "Coding frameworks to cater to the least-common-denominator
of functionality or feature sets" is deadly to security. Hence I
believe "*Least
Common Denominator Approach*" could potentially be a separate category of
risk under the top 10 and could be used to address security risks associated
with not leveraging platform best practices.

My 2 cents.

Thanks & Regards,
Sarath Geethakumar


On Tue, Sep 27, 2011 at 9:50 AM, Jack Mannino <jack at nvisiumsecurity.com>wrote:

> I've posted the presentation that Mike Zusman, Zach Lanier, and myself gave
> at Appsec USA last week in Minneapolis.
>
> http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
>
> The list is out in release candidate form, and we want to take the next 60
> days to refine it.  Some risks may move up or down by the time we release
> the final version.
>
> Again, a top 10 list serves ONLY as a starting point.  Our goals with the
> Top 10 are to: 1) promote awareness and 2) give teams somewhere to start
> when trying to write secure apps.  By no means is the Top 10 a comprehensive
> framework for developing secure mobile apps.  That part is what comes next
> =)
>
> If you have feedback, please post it to the list so we can keep a dialogue
> going amongst the group.
>
> *Jack Mannino
> *
>
> _______________________________________________
> Owasp-mobile-security-project mailing list
> Owasp-mobile-security-project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-mobile-security-project
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-mobile-security-project/attachments/20110927/65d0389d/attachment.html