Security Basics mailing list archives

Re: Mobile Application Pen-Testing Consulting


From: Jeffrey Walton <noloader () gmail com>
Date: Tue, 25 Sep 2012 13:16:07 -0400

Hi,

I am looking for any recommendations on companies that can perform
penetration testing for both Android and Apple apps.
Cigital is one of them. I know a few of their Pen Testers very well.
(Cigital is not the only company, and others can give you
recommendations).

Is there anything specific I should have included in a SOW?
They seem to be pretty standard for application owner - define scope,
test the app, classify vulnerabilities, offer remediations. If it's a
mobile application, I would recommend including the wireless channel.
If the testers can set up a proxy and read the communications, they
have broken your channel (so many folks just don't get it yet:
"Mobile, SSL/TLS, and Certificate or Public Key Pinning,"
http://lists.owasp.org/pipermail/owasp-mobile-security-project/2012-August/000330.html).

As for what to give them: give them whatever they need. If they need
an unencrypted binary, give it to them so the testers can get to
testing implementation, design, and architecture. If they spend time
on decryption they are not performing the primary testing. Ditto for
doing things like obfuscation and removing classes.dex from a test APK
(!!!). It's OK to show them an encrypted, stripped and obfuscated
binary, but try to keep the testers focused on testing the
implementation, and validating the design and architecture.

Jeff

On Sun, Sep 23, 2012 at 7:01 PM, J Teddy <jteddylists () gmail com> wrote:
Hi,
I am looking for any recommendations on companies that can perform
penetration testing for both Android and Apple apps.

Is there anything specific I should have included in a SOW?

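The pinning point above (if a tester's interception proxy can read the traffic, the channel is broken) is easy to put a number on: a pin is the SHA-256 of the server's DER SubjectPublicKeyInfo, base64-encoded, and the client refuses any leaf whose pin is not on its allow-list, even when the chain validates. The script below is an added example for this thread and is not code from Jeff, from OWASP or from any of the vendors mentioned. It uses only the Python standard library: a minimal DER walker pulls the SPKI out of a certificate, spki_pin() computes the pin, and check_host() is an assumed helper that connects with normal chain validation and then additionally enforces the pin. TEST_SPKI and build_test_cert() are constructed fixtures (an unsigned dummy certificate with a filler P-256 key) so the parsing and matching can be exercised offline; the pin you would ship comes from a trusted out-of-band capture of the real certificate, not from a connection the proxy may already be sitting on.

```python
import base64
import hashlib
import socket
import ssl

# ---- minimal DER encode/decode, enough to reach SubjectPublicKeyInfo ----

def _der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    """Encode one DER tag/length/value element."""
    return bytes([tag]) + _der_len(len(body)) + body

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the element at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length

def spki_der_from_cert(cert_der):
    """Extract the raw SubjectPublicKeyInfo element from a DER X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, p, _ = _read_tlv(cert_der, 0)        # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, p, _ = _read_tlv(cert_der, p)        # TBSCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("bad TBSCertificate")
    tag, _, end = _read_tlv(cert_der, p)
    if tag == 0xA0:                           # explicit [0] version is optional
        p = end
    for _ in range(5):                        # serialNumber, signature, issuer, validity, subject
        _, _, p = _read_tlv(cert_der, p)
    tag, _, end = _read_tlv(cert_der, p)      # subjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("bad SubjectPublicKeyInfo")
    return cert_der[p:end]

def spki_pin(cert_der):
    """HPKP/OkHttp-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der_from_cert(cert_der)).digest()).decode("ascii")

def pin_matches(cert_der, expected_pins):
    """True only if the leaf's SPKI pin is on the allow-list; a proxy's forged leaf will not be."""
    return spki_pin(cert_der) in set(expected_pins)

def check_host(host, expected_pins, port=443, timeout=5.0):
    """Assumed helper: normal chain validation first, then the pin is enforced on the leaf."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
    return pin_matches(leaf, expected_pins)

# ---- constructed test fixture (not a real or signed certificate) ----

_EC_OID = der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")         # id-ecPublicKey
_P256_OID = der(0x06, b"\x2a\x86\x48\xce\x3d\x03\x01\x07")   # prime256v1
_SHA256_RSA = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))

# Made-up P-256 SubjectPublicKeyInfo: 0x04 followed by 64 filler bytes as the "point".
TEST_SPKI = der(0x30, der(0x30, _EC_OID + _P256_OID) + der(0x03, b"\x00\x04" + b"\x11" * 64))

def build_test_cert(spki_der, with_version=True):
    """Assemble an unsigned DER 'certificate' around spki_der so the parser runs offline."""
    version = der(0xA0, der(0x02, b"\x02")) if with_version else b""
    tbs = der(0x30, version
              + der(0x02, b"\x01")                                   # serialNumber
              + _SHA256_RSA                                          # signature algorithm
              + der(0x30, b"")                                       # issuer (empty Name)
              + der(0x30, der(0x17, b"120101000000Z") + der(0x17, b"130101000000Z"))
              + der(0x30, b"")                                       # subject (empty Name)
              + spki_der)
    return der(0x30, tbs + _SHA256_RSA + der(0x03, b"\x00" * 17))    # dummy signatureValue

if __name__ == "__main__":
    cert = build_test_cert(TEST_SPKI)
    print("pin for the constructed test SPKI:", spki_pin(cert))
    # Against a live host, precompute the pin out of band and hard-fail on any other key:
    # print(check_host("example.com", ["<pin captured from the real certificate>"]))
```

Pinning the SPKI rather than the whole certificate means a routine reissue with the same key does not break the app, while an interception proxy (which must present its own key) fails the check regardless of which CA the device trusts. In a SOW this is the concrete pass/fail: the testers should be asked to show whether their proxy's forged leaf is accepted.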