Security Basics mailing list archives
Re: Mobile Application Pen-Testing Consulting
From: Jeffrey Walton <noloader () gmail com>
Date: Tue, 25 Sep 2012 13:16:07 -0400
> Hi,
> I am looking for any recommendations on companies that can perform penetration testing for both Android and Apple apps.

Cigital is one of them. I know a few of their Pen Testers very well. (Cigital is not the only company, and others can give you recommendations).

> Is there anything specific I should have included in a SOW?

They seem to be pretty standard for an application owner - define scope, test the app, classify vulnerabilities, offer remediations.

If it's a mobile application, I would recommend including the wireless channel. If the testers can set up a proxy and read the communications, they have broken your channel (so many folks just don't get it yet: "Mobile, SSL/TLS, and Certificate or Public Key Pinning," http://lists.owasp.org/pipermail/owasp-mobile-security-project/2012-August/000330.html).

As for what to give them: give them whatever they need. If they need an un-encrypted binary, give it to them so the testers can get to testing implementation, design, and architecture. If they spend time on decryption they are not performing the primary testing. Ditto for doing things like obfuscation and removing classes.dex from a test APK (!!!). It's OK to show them an encrypted, stripped and obfuscated binary, but try to keep the testers focused on testing the implementation, and validating the design and architecture.

Jeff

On Sun, Sep 23, 2012 at 7:01 PM, J Teddy <jteddylists () gmail com> wrote:
> Hi, I am looking for any recommendations on companies that can perform penetration testing for both Android and Apple apps. Is there anything specific I should have included in a SOW?
Current thread:
- Mobile Application Pen-Testing Consulting J Teddy (Sep 24)
- Re: Mobile Application Pen-Testing Consulting Jeffrey Walton (Sep 25)