Sunday, February 26, 2017

Mobile app security testing: are you checking for all the flaws?

I plan to write a related post soon on my mobile app security assessments. In the meantime, I wanted to share a tool with you that plays a key role in mobile app security: Checkmarx CxDeveloper (or perhaps more appropriately called CxSuite).

If you're a developer, QA professional, security manager, or IT generalist, this is a good tool to have for all of those gotta-have-now apps that everyone is throwing together and getting into the app stores.

I've used CxDeveloper to find flaws in iOS and Android-based apps that may not be discovered via traditional testing, such as:
  • Code injection
  • Session fixation
  • Path traversal
  • Weak passwords
  • Hard-coded cryptographic keys
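To show concretely what a source-code scanner looks for in two of the categories above (hard-coded cryptographic keys and weak, hard-coded passwords), here is a small added example. It is not CxDeveloper code and not from this post's author; it is a deliberately simple regex-based scanner run over a constructed Android (Java) snippet, with the class name, variable names and secret values all invented for the demonstration. A real product does dataflow analysis rather than line regexes, but the findings it reports are of this shape.

```python
import re
from dataclasses import dataclass

# Constructed sample Android (Java) source for the demo; not from any real app.
# Lines 4 and 5 embed secrets in the binary; line 14 pulls key material
# from the platform KeyStore and should NOT be flagged.
SAMPLE_SOURCE = '''\
package com.example.demo;

public class CryptoHelper {
    private static final String API_PASSWORD = "admin123";
    private static final byte[] AES_KEY = "0123456789abcdef".getBytes();

    public byte[] encrypt(byte[] plain) throws Exception {
        SecretKeySpec spec = new SecretKeySpec(AES_KEY, "AES");
        return runCipher(spec, plain);
    }

    public String loadFromStore(KeyStore ks, char[] userSupplied) throws Exception {
        // key material comes from the platform keystore, not from source
        return ks.getKey("alias", userSupplied).toString();
    }
}
'''


@dataclass
class Finding:
    line: int      # 1-based line number in the scanned source
    rule: str      # which check fired
    snippet: str   # the offending text, for the report


# Each rule: (name, pattern). Group 2 captures the literal string value.
# The identifier must sit directly before '=' so that a type or keyword
# elsewhere on the line (e.g. "SecretKeySpec spec = ...") does not match.
RULES = [
    ("hard-coded-crypto-key",
     re.compile(r'(?i)\b\w*(key|secret)\w*\s*=\s*"([^"]+)"')),
    ("hard-coded-password",
     re.compile(r'(?i)\b\w*(password|passwd|pwd)\w*\s*=\s*"([^"]+)"')),
]

# Tiny illustrative deny-list; a real scanner would use a much larger one.
COMMON_PASSWORDS = {"password", "admin", "admin123", "123456", "qwerty"}


def is_weak_password(value: str) -> bool:
    """Heuristic: too short or on the common-password list."""
    return len(value) < 12 or value.lower() in COMMON_PASSWORDS


def scan_source(source: str) -> list[Finding]:
    """Scan one source file and return findings in line order."""
    findings: list[Finding] = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for rule, pattern in RULES:
            match = pattern.search(text)
            if not match:
                continue
            findings.append(Finding(lineno, rule, text.strip()))
            # A hard-coded password is bad on its own; a weak one is worse,
            # so report both so the developer sees the full picture.
            if rule == "hard-coded-password" and is_weak_password(match.group(2)):
                findings.append(Finding(lineno, "weak-password", match.group(2)))
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line:>3}  {f.rule:<24} {f.snippet}")
```

Running it reports the password on line 4 twice (once as hard-coded, once as weak) and the AES key on line 5, while the KeyStore lookup on line 14 is left alone, which is the distinction a scanner has to make to be useful rather than noisy.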

...all things that I'm not smart enough to find on my own. Nor do I have the time.

For a few years now, I've dealt with the folks at Checkmarx, and everyone from their CTO to their Director of Marketing, and a few others in between, has been super nice and responsive to my sometimes ridiculous requests.

Here's a guest blog post I've written for them:
Three compelling reasons to check your mobile app source code

And a webinar as well:
The Business Value of Partial Code Scanning

I also cover CxDeveloper in my Mobile Security chapter in the latest edition of my book Hacking For Dummies.

CxDeveloper isn't without its flaws. Its installation process and interface can be cumbersome, but nothing that can't be overcome. It's certainly a worthy alternative to the big-box competitors...check it out if you want to find out the rest of the story with your mobile apps.
