Mobile Application Security

Our consultants have been assessing mobile applications since 2008. We offer both static and dynamic analysis techniques, and can assess native and web-based/service applications as well as the back-end APIs they rely on. As mobile device and application testing has matured in recent years, we prefer to get involved early in the Software Development Life Cycle (SDLC): it is easier to assess the application and its associated APIs before the additional layers of security are applied, and doing so reduces testing cost in the final stages of development. Our last phase of testing usually covers cryptographic protocols, TLS certificate pinning, and reverse engineering, which are always the hardest and most time-consuming forms of testing. Early investment in security testing means that this last phase can be reduced, backed by the evidence of security triage in the previous stages of the development life cycle. Netscylla follows the OWASP Mobile Security Testing Guide (MSTG) to align with developer security practices.
More details on the MSTG can be found here: OWASP Mobile Testing Guide.

Methodologies

DAST

Dynamic Application Security Testing is a black-box security testing methodology in which an application is tested from the outside in by examining an application in its running state and trying to attack it just like an attacker would in the real world.

SAST

Static Application Security Testing is a white-box testing methodology which tests the application from the inside out by examining its source code for conditions that indicate a security vulnerability might be present.

Which one is right for your organisation?

The two methodologies approach applications very differently. They are most effective at different phases of the software development life cycle (SDLC) and find different types of vulnerabilities. SAST needs only the source code, so it can detect critical vulnerabilities such as cross-site scripting (XSS), SQL injection, and buffer overflows earlier in the SDLC, at the cost of findings that must be triaged because static analysis cannot always tell whether a suspicious pattern is reachable. DAST, on the other hand, needs a running build and uses an outside-in penetration testing approach to identify vulnerabilities in the application and its back-end services as they actually behave, including issues that only appear at run time such as transport security and server configuration. In practice the two are complementary rather than alternatives: SAST during development, DAST against release candidates.
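To make the inside-out versus outside-in distinction concrete, here is an added example (not code from the original page or from Netscylla) that finds the same SQL-injection bug both ways. Python stands in for the application language; the pattern it looks for, a SQL string assembled by concatenation or an f-string and then executed, is the same one that appears in Android code that builds a query for rawQuery() by string concatenation. The sample snippets, the in-memory SQLite table and the tautology payload are all constructed for the example. The static scanner walks the snippet's syntax tree without running it; the dynamic probe loads the snippet into a live database and compares the response to a benign request against the response to a malicious one.

```python
"""SAST vs DAST on the same SQL-injection bug (constructed example)."""
import ast
import sqlite3

# Constructed sample snippets: the same lookup written three ways.
VULNERABLE_SOURCE = '''
def find_user(conn, username):
    sql = "SELECT id, name FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchall()
'''

FSTRING_SOURCE = '''
def find_user(conn, username):
    sql = f"SELECT id, name FROM users WHERE name = '{username}'"
    return conn.execute(sql).fetchall()
'''

FIXED_SOURCE = '''
def find_user(conn, username):
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (username,)).fetchall()
'''

SQL_VERBS = ("select ", "insert ", "update ", "delete ")


def _is_sql_literal(node):
    """A string constant that starts with a SQL verb."""
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and node.value.lstrip().lower().startswith(SQL_VERBS))


def _concat_has_sql(node):
    """True if a '+' chain mixes a SQL string literal with a non-literal operand."""
    parts = []

    def flatten(n):
        if isinstance(n, ast.BinOp) and isinstance(n.op, ast.Add):
            flatten(n.left)
            flatten(n.right)
        else:
            parts.append(n)

    flatten(node)
    return (any(_is_sql_literal(p) for p in parts)
            and any(not isinstance(p, ast.Constant) for p in parts))


def sast_scan(source):
    """Static (inside-out) check: line numbers where SQL is built by concatenation or f-string."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add) and _concat_has_sql(node):
            findings.add(node.lineno)
        elif isinstance(node, ast.JoinedStr) and node.values:
            # f"SELECT ... {x}" : a SQL literal head followed by at least one interpolated value
            if _is_sql_literal(node.values[0]) and any(
                    isinstance(v, ast.FormattedValue) for v in node.values):
                findings.add(node.lineno)
    return sorted(findings)


def _build_app(source):
    """Load a snippet against a fresh in-memory SQLite DB so it can be exercised like a running app."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    namespace = {}
    exec(source, namespace)  # constructed snippet only; never do this with untrusted input
    return conn, namespace["find_user"]


def dast_probe(source):
    """Dynamic (outside-in) check: no source inspection, only requests and responses.

    Sends a benign username, then a classic tautology payload, and reports injection
    if the payload returns more rows than a legitimate lookup ever should.
    """
    conn, find_user = _build_app(source)
    baseline = find_user(conn, "alice")
    probed = find_user(conn, "x' OR '1'='1")
    return len(probed) > len(baseline)


if __name__ == "__main__":
    for label, src in (("concat", VULNERABLE_SOURCE), ("fstring", FSTRING_SOURCE), ("fixed", FIXED_SOURCE)):
        print(f"{label:8} SAST findings at lines {sast_scan(src)}; DAST injection={dast_probe(src)}")
```

The static check fires on the two vulnerable snippets before anything is deployed, but it is a pattern match: a query built through a helper the scanner does not recognise would be missed, and a concatenated constant that never reaches a database would be a false positive. The dynamic probe is blind to how the query is built and needs a working environment, yet it judges only observable behaviour, so the parameterised version passes regardless of what the code looks like. That is the trade-off the paragraph above describes.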