Mobile security solutions - iPhone

What are the mobile handset security solutions used by you / your organization?
What are the pros and cons of using these solutions, and how far have you been successful in implementing them? Were there any loopholes / issues faced in using them?
In general, can you suggest a set of guidelines to watch for when selecting a specific solution in this context?
Are these solutions also inter-operable/compatible with the solutions used on the PCs/laptops?

We like using the Android platform for a few reasons.
1) Tracking "company resources". If you are going to see hookers and you have a company phone, then we know about it. If you are kidnapped, then we know your last location.
2) Remote wipe. If a phone is stolen, it could have company passwords or other intellectual property on it. This is important to our information retention policy.

Please refer to the following links:
https://www.owasp.org/images/4/40/OWASP_Advanced_Mobile_Application_Code_Review_Techniques.pptx
Register here for more
lab.nowsecure.com
https://www.owasp.org/images/9/94/MobileTopTen.pdf

Related

How can I use GitHub for my developer to work on my backend without having to share too much credentials and code?

I have a Node.js backend running on an EC2 Instance with a Mongo DB.
I need to make some changes to my iOS App along with the Backend. I have already shared the Frontend Source Code with the developer, but I don't want to share the backend (if I don't have to directly).
I have come across GitHub but I am totally new to it - also I am not a developer myself.
How can I use it for my purpose? Also, can 2 developers - say an iOS developer and an Android developer - then work on the code at the same time, without causing any mess?
What would you suggest me to do?
Appreciate any help! Thank you
Android and iOS developers can work together; it will not cause any issue.
Now, coming to your question: first of all, why does a frontend developer need to look at the backend code?
If it's necessary, ask them particularly what they want to know. Maybe backend code documentation can help, or if the guy just needs a look at some specific thing, you can use some remote software like TeamViewer. Otherwise you don't have any options and he has to look at the code; as a last option, you can ask him to sign an NDA (Non-Disclosure Agreement).

BigBlueButton and/or Mconf Open Source Web Conferencing

As a security professional I am curious to know if anybody is aware of security issues with the open source web conferencing product BigBlueButton and/or Mconf?
Thanks
Ron
I found this document: https://www.dropbox.com/s/jz7x1fglgawc8ef/BBB-MCONF-NOTES.pdf?dl=0 that describes what look to be some serious security problems. If this document is to be believed it might not be a good idea to use these applications.
According to this thread in which one of the core developers of BigBlueButton commented about security, https://groups.google.com/d/msg/bigbluebutton-dev/GzxfilVDpes/oCguFWyFEmUJ
He says:
"..there is no representation of security in BigBlueButton. None. We (the core developers) are not trying to build a secure web conferencing system." -Fred Dixon
Bob, it appears that the underlying intent & focus of BigBlueButton is not on security but rather capabilities. Perhaps there are ways to plumb in security aspects during or post-implementation efforts.

Any free online issue/feature tracking software for small scale independent dev?

I'm going to be creating a few small mobile applications and have managed to find a great online Git repo hosting service that is free. It even comes with online issue tracking software but appears to be mainly geared towards the development team. I was hoping it would also have an interface for end-users to log issues/features and allow them to vote on what they wanted but it does not have this. It does expose a RESTful API but I didn't want to go down that path and wanted something ready to go (once configured).
I don't think I need it to be integrated with the Git repo so having something that is purely standalone would be great but I would definitely want something that is online as I don't want to install software on my local PC.
In summary, my requirements are:
Free or very cheap
Simple end-user interface to allow users to submit issues/features
Allow end-users to vote on their own or other users' issues/features
Visible status of issues/features (i.e. whether they are pending, in progress, rejected, fixed etc)
A more advanced management system for me as a developer to manage the issues
Some basic reports/charts/graphing would be great
Email/RSS notification of new issues/suggestions would be great too
Something that is ready to go after some configuration/settings.
Can anyone recommend something that would be suitable for this?
TIA
I based my question on a website I saw a while back but couldn't find it. Anyway, I've now found it again (it's called http://www.uservoice.com/). It's not really issue tracking but more of a way of letting end-users report features and allow them to vote on them. The important thing is that it is a very user friendly interface which is perfect for end-users. Obviously, I would then need to maintain issues/features in my own system (e.g. Mantis) and then manually sync features requested in uservoice to Mantis but that shouldn't be a big issue. Anyway, this perfectly meets my needs for my low volume applications at the moment.

GitHub: Is it common practice for a business to store solutions on there?

I'm looking at GitHub and it looks great. I see there are business accounts you can set up to version control your work. I know there is a lot of open source stuff on there, but is it common practice for businesses to store solutions on there? And more importantly, is it safe? As the solutions are not to be viewed by anyone else.
For what it's worth, I just transitioned my company's source to GitHub, using private repositories. Also, I've been keeping commercial products of my own on GitHub in the same way for some time.
It's working great. Your account has a list of 'contributors' for each repository, which controls who can view / commit to each one.
The business accounts on GitHub are suitable for you if you do not want to store your code on someone else's server. Sign up for this if you want to keep your repositories "behind the firewall" by installing the software on your own server.
References:
GitHub Enterprise (this is the "business" plan)
GitHub Security
Concerning safety - there was a similar question a few months ago.
Check it (and my answer there :-) out:
How safe is it to host sensitive data on repository sites like github, bitbucket, etc.?
I don't know if it's common practice for companies to store their code online...but I guess that a lot of companies don't like the idea of hosting their intellectual property at some third party.
Probably "company culture" makes a big part of it.
I'd say that "hip" internet startups are more likely to host their stuff online than "conservative" enterprises/"non-techy" companies.
Some of the "hip internet" companies (for example Facebook, Twitter, GitHub...) at least have open-sourced part of their stuff, but I don't know which of them also host their private stuff there and which don't.
(except GitHub, I read somewhere that they host ALL of their stuff themselves...makes sense :-)
Another example: Headspring Software (where quite a few known .NET developers work) runs nearly completely on online services.
The linked blog post doesn't explicitly mention where they host their source code, but I wanted to mention this example anyway because of all the other stuff they have outsourced.
Many "conservative" companies wouldn't even want their e-mail/calendar/sales data at some third-party provider in the cloud...let alone their source code.

Permissions of a team member in iPhone Developer Portal

I want to know if there is a possibility to add a team member in iPhone Developer Portal that will have permissions (see / modify / update) ONLY to one application.
The reason - there is a big company (that has many applications in the App Store) that uploaded one of my applications and I have a hard time sending an update to the application (can't access the guy that is responsible for all the iPhone applications).
I want to ask them to add me as a team member, but they might agree only if I won't be able to see/touch any other application except the one that I have developed...
Thank you.
I don't believe this is possible; there are no per-app permissions.
The available "roles" are explained here:
http://developer.apple.com/programs/roles/index.php
It seems a bit odd if they trust you to write an application that they've published under their corporate identity, but don't trust that you'll only change what you're meant to. Either way it seems the only solution to your problem is likely to be a non-technical one; you need to find a way to get to that guy, whether it's appealing to his better nature, or finding a path to someone more senior who can lean on him.