TECHNOLOGY TRANSFER PRESENTS
KEN VAN WYK
Developing secure applications for the iPhone
ROME, MAY 12-13, 2011
VISCONTI PALACE HOTEL - VIA FEDERICO CESI, 37, ROME (ITALY)
info@technologytransfer.it www.technologytransfer.it
Developing secure applications for the iPhone
ABOUT THIS SEMINAR
This class looks at the unique security problems faced by application developers writing code for today's mobile platforms. In this first class of the smart phone series, we take a close look at Apple's iOS platform, used by iPhones, iPads, and iPod Touch devices. The class presents a clear and practical view of the problems, how they can be attacked, and the remediation steps against the various attacks. It is heavily hands-on, aiming not just to describe but to demonstrate both the problems and the solutions available.

The class starts with a description of the security problems faced by today's software developer, as well as a detailed description of the relevant Open Web Application Security Project (OWASP) Top 10 of 2010 security defects. These defects are studied in instructor-led sessions as well as in hands-on lab exercises in which each student learns how to actually exploit the defects to "break into" a real Web application. (The labs are performed in safe test environments.)

Next, the class covers the security principles that apply to smart phones, and illustrates them through case studies and further hands-on exercises. The iOS platform architecture and application architecture are then covered in detail, with descriptions of security services at the network/platform layer as well as security services available within the applications themselves. The class then looks at common security mechanisms found within applications, and discusses how to securely implement them. To bring this all together, the class covers development activities that can be performed throughout the design, implementation, and testing of an application.
WHO SHOULD ATTEND
This course is intended for Apple iOS application developers with hands-on experience using Apple's Xcode software development kit, as well as iOS application designers and architects.
REQUIREMENTS
Each student will need to provide a laptop computer for the hands-on lab exercises. Recommended minimum configurations include the following:
• Apple OS X Snow Leopard with current updates
• Apple Xcode software development kit for iOS
• Registration into Apple's iPhone development program strongly recommended
• Approximately 10 gigabytes of available disk space
• 2-4 gigabytes of RAM
OUTLINE
1. Preparation phase: understanding the problem
• What are the issues that result in mobile software that is susceptible to attack?
• Why do smart phone software developers continue to develop weak software?
2. Security principles for smart phones
• Security principles that directly apply to smart phone applications
• OWASP Top-10 issues that are pertinent to smart phones
• Hands-on exercises to illustrate the problems
3. Platform architecture
• Detailed discussion of iOS platform security features
- Application sandboxing
- Hardware encryption
- Application signing
- App store process
• Testing applications using the device emulator
4. Application architecture
• Design and architecture of secure applications
- Stand-alone applications
- Client-server applications
- Network applications
5. Common security mechanisms
• A detailed and prescriptive look at vital security mechanisms and how to securely implement them
- Network communications
- Authentication
- Access control
- Protecting sensitive data
- Database usage
6. Design review using Threat Modeling
• Reviewing designs using Threat Modeling
• Finding the weaknesses in an application architecture
• Documenting how the weaknesses can be exploited
• Deciding what and how to mitigate the weaknesses
7. Code review
• Effective methods to review source code for weaknesses
- Manual peer reviews
- Automated code scans
8. Security testing
• Hands-on team Threat Modeling exercise
• Review a design step by step for weaknesses
• Discuss what should be mitigated and how
9. Getting started
• How to best put class concepts into practice in a real-world development environment
10. Questions and answers
INFORMATION
PARTICIPATION FEE
€ 1200
The fee includes all seminar documentation, luncheon and coffee breaks.
VENUE
Visconti Palace Hotel, Via Federico Cesi, 37, Rome (Italy)
SEMINAR TIMETABLE
9.30 am - 1.00 pm, 2.00 pm - 5.00 pm
HOW TO REGISTER
You must send the registration form with the receipt of the payment to: TECHNOLOGY TRANSFER S.r.l., Piazza Cavour, 3 - 00193 Rome (Italy), Fax +39-06-6871102, within April 27, 2011.
PAYMENT
Wire transfer to: Technology Transfer S.r.l., Banca Intesa Sanpaolo S.p.A., Agenzia 6787 di Roma, Iban Code: IT 34 Y 03069 05039 048890270110
GENERAL CONDITIONS
GROUP DISCOUNT
If a company registers 5 participants to the same seminar, it will pay only for 4. Those who benefit from this discount are not entitled to other discounts for the same seminar.
EARLY REGISTRATION
Participants who register 30 days before the seminar are entitled to a 5% discount.
CANCELLATION POLICY
A full refund is given for any cancellation received more than 15 days before the seminar starts. Cancellations less than 15 days prior to the event are liable for 50% of the fee. Cancellations less than one week prior to the event date will be liable for the full fee.
CANCELLATION LIABILITY
In the case of cancellation of an event for any reason, Technology Transfer's liability is limited to the return of the registration fee only.
If registered participants are unable to attend, or in case of cancellation of the seminar, the general conditions mentioned before are applicable.
Send your registration form with the receipt of the payment to: Technology Transfer S.r.l., Piazza Cavour, 3 - 00193 Rome (Italy), Tel. +39-06-6832227 - Fax +39-06-6871102, info@technologytransfer.it www.technologytransfer.it
SPEAKER
Ken Van Wyk is an internationally recognized information security expert and author of the O'Reilly and Associates books "Incident Response" and "Secure Coding". In addition to providing consulting and training services through his company, KRvW Associates, LLC, he currently holds numerous positions, including monthly columnist for the online security portal eSecurityPlanet and Visiting Scientist at Carnegie Mellon University's Software Engineering Institute. Mr. Van Wyk has 20+ years' experience as an IT security practitioner in the academic, military, and commercial sectors. He also served a two-year elected term as a member of the Steering Committee of the Forum of Incident Response and Security Teams (FIRST). At the Software Engineering Institute of Carnegie Mellon University, Mr. Van Wyk was one of the founders of the Computer Emergency Response Team (CERT®).