You can't secure what you don't acknowledge.SM

Tuesday, February 12, 2013

Mobile app security testing - are you checking for all the flaws?

I plan to write a related post soon on my mobile app security assessments. In the meantime, I wanted to share a tool with you that plays a key role in mobile app security: Checkmarx CxDeveloper (or perhaps more appropriately called CxSuite).

If you're a developer, QA professional, security manager, or IT generalist, this is a good tool to have for all of those gotta-have-now apps that everyone is throwing together and pushing into the app stores.

I've used CxDeveloper to find flaws in iOS and Android-based apps that traditional testing may not discover, such as:
  • Code injection
  • Session fixation
  • Path traversal
  • Weak passwords
  • Hard-coded cryptographic keys

...all things that I'm not smart enough to find on my own. Nor do I have the time.

For a few years now, I've dealt with the folks at Checkmarx and everyone from their CTO to their Director of Marketing - and a few others in between - has been super nice and responsive to my sometimes ridiculous requests.

Here's a guest blog post I've written for them:
Three compelling reasons to check your mobile app source code

And a webinar as well:
The Business Value of Partial Code Scanning

I also cover CxDeveloper in my Mobile Security chapter in the latest edition of my book Hacking For Dummies.

CxDeveloper isn't without its flaws. Its installation process and interface can be cumbersome, but nothing that can't be overcome. It's certainly a worthy alternative to the big-box competitors... check it out if you want to find out the rest of the story with your mobile apps.