    10.2.2015
CSA APAC Monthly Codebook
Welcome to the CSA APAC Cloud Codebook!
A monthly newsletter, and your source for the most up-to-date news on CSA APAC Region.
Corporate Members Spotlight

Check out what our corporate members are doing!

 
 

Trend Micro (Taiwan), 17 August, Taipei, Taiwan

 
 

The CSA APAC team visited Trend Micro’s office in Taipei on the 17th of August and met up with Trend’s VP for APAC Marketing, Ms. Amy Ma. The team shared with Trend Micro activities and projects that CSA has been doing in the region and the group also discussed further partnership opportunities such as co-marketing activities in APAC.

 
 

Metricstream (India), 10 September, Bangalore, India

 
 

The CSA APAC team met Metricstream, a CSA corporate member, to collaborate jointly on initiatives and sought to further strengthen the relationship by offering corporate member benefits. CSA and Metricstream will be partnering on a research paper focusing on the top 10 cloud security priorities for CIOs in 2016.

 
 

Memoir of An Analyst

Our thoughts on cloud security

 
 

Mobile Application Security Testing


Recap of the previous edition
In the previous edition, the topic centred on the legal aspects of cloud computing. For example, because data centres are geographically distributed, the data stored in them is subject to different local laws and regulations governing how it must be handled. These aspects should be considered when we purchase cloud services. In this edition, we will be looking at security issues that are much closer to our daily lives: the security of mobile apps.


Can we live without our mobile devices?
Can you imagine life without your mobile devices? When was the last time you used your mobile device? How many mobile apps are installed in your phone?

Recent statistics indicate that the number of mobile device users worldwide surpassed the number of desktop users in 2014 [1]. People tend to spend more time on their mobile devices than on their desktops; in fact, 89% of their media time is spent in mobile apps.

In this episode of the Memoirs of an Analyst, we would like to talk about the security issues around mobile apps. Researchers have found that users tend to ignore the terms and conditions and the permissions requested by apps [2]. However, does reading through the T&C and the permission list guarantee that the app is safe to use? Not at all.

What happens if the app is not secure?
Imagine that the Instagram app is installed on your phone and has permission to take photos with your phone's camera. If the Instagram app itself is not secure enough, it might be compromised, and malicious users could then take photos with the camera without notifying you. In fact, if an app with permissions to operate your phone in many different ways (e.g. the Facebook app holds over 30 permissions) is compromised, the malicious user can do far more than take photos with the camera.

What can we do?
To make sure mobile apps are secure, a standard vetting and certification scheme should be developed. Through vetting and certifying mobile apps, app developers will be able to identify and fix flaws in their apps before releasing them on the market. More importantly, users can understand how secure an app is before installing it on their devices.

Our Mobile Application Security Testing (MAST) working group is working on a white paper about an app security testing and vetting process which uses both static and dynamic analysis to analyse apps. Including dynamic analysis in the testing and vetting process is a must, as some flaws may not be detected by static analysis alone [3]. By analysing areas such as permissions, data protection, application collusion, code obfuscation and password management, we can determine whether or not an app is secure.

The testing and vetting process will further be developed into our certification scheme. The certification scheme certifies apps with a maturity model. Similar to CSA STAR, the CSA mobile application security testing certification scheme will allow users to understand how secure an app is just by seeing the certificate issued by CSA.
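To make the permission-analysis step of such a vetting process concrete, here is a small static check over an Android manifest. This is example code added for this newsletter, not the MAST working group's tooling: it parses a constructed sample manifest, lists the permissions Android classes as dangerous (runtime-granted), flags any that are not justified by the app's declared purpose, and reports two application-level settings (`android:debuggable`, `android:allowBackup`) that a reviewer would want to see switched off in a release build. The `expected_permissions` set is an assumption supplied by the reviewer for the app under test.

```python
"""Toy static permission analysis of an AndroidManifest.xml.

Example code added to illustrate the permission-analysis step of an app
vetting process; it is not CSA MAST tooling. The sample manifest below is
constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Subset of the permissions Android classifies as "dangerous": they grant
# access to user data or sensitive hardware and are granted at runtime.
DANGEROUS_PERMISSIONS = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_CALL_LOG",
}

# Constructed sample: a photo-sharing app that also asks for SMS, contacts and
# call-log access, and ships with debugging and backups enabled.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photoshare">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <application android:label="PhotoShare" android:debuggable="true"
        android:allowBackup="true">
    </application>
</manifest>
"""

# Constructed sample of the same app with only the permissions it needs and
# release-safe application flags.
CLEAN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photoshare">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="PhotoShare" android:debuggable="false"
        android:allowBackup="false">
    </application>
</manifest>
"""


def analyse_manifest(manifest_xml: str) -> dict:
    """Return declared permissions, the dangerous subset and application flags."""
    root = ET.fromstring(manifest_xml)
    declared = sorted(
        el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)
    )
    dangerous = sorted(p for p in declared if p in DANGEROUS_PERMISSIONS)

    findings = []
    app = root.find("application")
    if app is not None:
        if app.get(f"{{{ANDROID_NS}}}debuggable") == "true":
            findings.append("application is debuggable; must be false in release builds")
        if app.get(f"{{{ANDROID_NS}}}allowBackup") == "true":
            findings.append("allowBackup is enabled; app data is included in device backups")
    return {"declared": declared, "dangerous": dangerous, "findings": findings}


def vet(manifest_xml: str, expected_permissions: set) -> dict:
    """Vet a manifest against the permissions the app's purpose justifies.

    `expected_permissions` is supplied by the reviewer (an assumption here);
    any dangerous permission outside it is an over-permissioning finding.
    """
    report = analyse_manifest(manifest_xml)
    report["unexpected_dangerous"] = sorted(
        p for p in report["dangerous"] if p not in expected_permissions
    )
    report["verdict"] = (
        "fail" if report["unexpected_dangerous"] or report["findings"] else "pass"
    )
    return report


if __name__ == "__main__":
    needed = {"android.permission.INTERNET", "android.permission.CAMERA"}
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("clean", CLEAN_MANIFEST)):
        result = vet(manifest, needed)
        print(f"{label}: {result['verdict']}")
        for perm in result["unexpected_dangerous"]:
            print(f"  unjustified dangerous permission: {perm}")
        for finding in result["findings"]:
            print(f"  {finding}")
```

A check like this is only the static half of the process described above: it tells you what an app is allowed to do, not what it actually does at runtime, which is why the MAST process also includes dynamic analysis.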

In the future, when you see an app is CSA certified, do not hesitate and install it!



References


[1] D. Bosomworth, “Mobile marketing statistics 2015”, Smart Insights, 2015. [Online]. Available: http://www.smartinsights.com/mobile-marketing/mobile-marketing-analytics/mobile-marketing-statistics/. [Accessed: 01- Oct- 2015].

[2] P. G. Kelley et al., “A Conundrum of Permissions: Installing Applications on an Android Smartphone,” in Financial Cryptography and Data Security, Lecture Notes in Computer Science, vol. 7398, J. Blyth et al., Eds. Heidelberg: Springer, 2012.

[3] S. Quirolgico et al., “NIST Special Publication 800-163 - Vetting the Security of Mobile Applications”, National Institute of Standards and Technology, Gaithersburg, United States, 2015.



Further Reading

J. Chin, “Apple Targeted as Malware Infects China Mobile Apps”, WSJ, 2015. [Online]. Available: http://www.wsj.com/articles/apple-targeted-as-hackers-infect-popular-chinese-mobile-apps-with-malware-1442750168. [Accessed: 01- Oct- 2015].

T. Kontzer, “Most of Your Mobile Apps Have Been Hacked”, Baselinemag.com, 2015. [Online]. Available: http://www.baselinemag.com/enterprise-apps/slideshows/most-of-your-mobile-apps-have-been-hacked.html. [Accessed: 01- Oct- 2015].

J. Pagliery, “Hackers are draining bank accounts via the Starbucks app”, CNNMoney, 2015. [Online]. Available: http://money.cnn.com/2015/05/13/technology/hackers-starbucks-app/. [Accessed: 01- Oct- 2015].

Arxan, “Arxan’s Annual Report: ‘State of Mobile App Security’ Reveals an Increase in App Hacks for Top 100 Mobile Apps – Arxan”, 2014. [Online]. Available: https://www.arxan.com/arxans-annual-report-state-of-mobile-app-security-reveals-an-increase-in-app-hacks-for-top-100-mobile-apps/. [Accessed: 01- Oct- 2015].


CSA Events and Activities

The latest updates about CSA APAC events and activities.

 
 

CSA Certification & Assurance Seminar, 13 August, Mumbai, India

 
 

CSA Mumbai Chapter organised its first Certification & Assurance Seminar in Mumbai on the 13th of August. Participants included experts from BSI, HP and EY. The seminar aimed to increase awareness of topics such as CSA STAR Certification, Attestation and CCSK Certification. Keith Prabhu, Founder of CSA Mumbai Chapter and Chairman of the CSA India Regional Coordination Body, spoke during the event about the importance of CSA's role in building a trusted cloud ecosystem. Abbas Godhrawala of EY, NR Ravindra of BSI and Sunil Deorukhkar of HP also shared their views on the cloud security industry.

 
 

Meeting with Executive Yuan (Federal Government Office of the Republic of China), 18 August, Taipei

 
 

The CSA APAC team, together with Senior Computer Scientist Tim Grance, visited the Executive Yuan, the Federal Government Office, in Taiwan. During the meeting, the team met the Vice Premier of the Republic of China, Simon Chang (second right), and updated him on the on-going developments and activities of CSA APAC. In particular, the group discussed innovation plans, developments and execution across Asia Pacific, including Taiwan. Mr. Chang said that Taiwan would be supportive of this development and that he looked forward to further collaboration in the future.

 
 

Taiwan Summit 2015, 18-20 August, Taipei, Taiwan

 
 

Taiwan Summit 2015 was held from the 18th to the 20th of August in Taipei. The third in its series, the conference was co-organised by the CSA Taiwan Chapter and the Honeynet Project Taiwan Chapter. The event aimed to keep attendees up to date with global trends in information security research, covering topics such as the large-scale network attacks that have garnered much media attention in recent years. The conference had 300 attendees, and the sponsors included Arbor Networks, Gapertise, Chunghwa Telecom, Fortinet, CISCO, Core Cloud Tech, Systex, Akamai, Lastline, SGS, Sanfran Technologies Inc. and many more. It was followed by a one-day information security camp for children.

 
 

Meeting with officials from Industrial Development Bureau (IDB) Ministry of Economic Affairs, 20 August, Taipei

 
 

Together with the CSA Taiwan Chapter, the CSA APAC team visited the Industrial Development Bureau (IDB) under the Ministry of Economic Affairs on the 20th of August. The team met the Director General of IDB, Ming-Ji Wu (centre). The group discussed and explored collaboration opportunities in various areas of the cloud security industry. The Managing Director of CSA APAC, Aloysius Cheang, updated Mr. Wu on the Mobile App Security Testing (MAST) project that CSA's Taiwanese executive corporate member, Gapertise, is leading. The group also discussed possible new projects in IoT and the development of the CSA Innovation Initiative in Taiwan. Mr. Wu contributed a few thoughts and comments on the Innovation Initiative and stated that IDB would fully support it.

 
 

Meeting at the HK Legislative Council, 31 August, Hong Kong

 
 

Aloysius Cheang (third right), Managing Director of CSA APAC, together with Ronald Tse (second right), CEO of Ribose, a CSA corporate member based in Hong Kong, and Claudius Lam (first right), Chairman of the Cloud Security Alliance Hong Kong & Macau Chapter, visited Charles Mok (third left), ICT Legislator of the HK SAR, at the HK Legislative Council on the 31st of August. The group sought to align CSA strategies with HK ICT strategies. Charles said that the Council would work together with CSA to implement these strategies.

 
 

Meeting with Hong Kong Applied Science and Technology Research Institute, 1 September, Hong Kong

 
 

CSA APAC visited the Hong Kong Applied Science and Technology Research Institute (ASTRI)'s office in Hong Kong on the 1st of September. The group discussed the renewal of the MOU between CSA and ASTRI. ASTRI is to work closely with CSA to develop an innovation runway for university graduates, so that these graduates can access the CSA Innovation Initiative and its funding.

 
 

(ISC)2 Asia Pacific, 1 September, Hong Kong

 
 

The CSA APAC team met (ISC)2 Managing Director Asia Pacific, Clayton Jones. The two parties discussed future collaboration plans and, more importantly, finalised the CCSP trainer schedules.

 
 

Meeting with SecureIT and Instasafe, 9 September, Bangalore, India

 
 

The CSA APAC team met C.N. Shashidharan from SecureIT and Sandeep Kumar Panda from Instasafe, who are also members of the CSA Bangalore Chapter. The discussion covered how the CSA Bangalore Chapter could support CSA APAC initiatives by extending and strengthening its advocacy, outreach and corporate alignment.

 
 

Meeting with various Indian National Councils, 10 September, Bangalore, India

 
 

The CSA APAC team met Amar Prasad Reddy from the National Cyber Security and Research Council of India on the 10th of September in Bangalore, India, to discuss potential collaborations. Also at the meeting were the Director General of National Cyber Safety and Security Standards and founding members of the Recruitment Analysis Council. The group focused on joint collaboration in adopting CSA STAR certification and its derivatives as an Indian national cloud provider requirement, and in adopting the CSA education and training framework.

 
 

Inaugural Bangalore Summit, 11 September, Bangalore, India

 
 

CSA Bangalore Chapter held its first annual Security Summit 2015 on the 11th of September. The theme of the summit was “Cloud and Security - The Next Cyber Battlefield”. The event created networking and collaboration opportunities between specialists and researchers from the information security and cloud services industries. During the event, India's leading information security experts presented and discussed topics such as emerging threats, challenges, mitigation strategies and solutions. The conference had more than 100 participants, among them leading security and digital forensics practitioners.


CSA Supported Conferences

The latest updates about CSA APAC supported conferences

 
 

CLOUDSEC APAC, 25 August, Singapore

 
 

CSA APAC supported CLOUDSEC Asia Pacific 2015, which was held from the 25th to the 26th of August in Singapore. Director of the CSA Singapore Chapter, Anthony Lim (second right), took part in a panel discussion titled “Preparing for the Unexpected”.

 
 

Data Privacy Asia 2015, 25-27 August, Singapore

 
 

CSA APAC supported Data Privacy Asia 2015, held from the 25th to the 27th of August in Singapore. The event drew almost 40 speakers from more than 15 countries to discuss globally important issues in data protection, privacy and cybersecurity. CSA provided a keynote speaker, Francoise Gilbert, General Counsel of CSA.


Chapter Spotlight

 
 

CSA Taiwan Chapter

Featured chapter of the month


The Cloud Security Alliance Taiwan Chapter was co-founded by its Secretary General, Aha Lin, and Yi-Lang Tsai, who is the Chairman of the CSA Taiwan Chapter. The chapter works with many Taiwanese domestic cloud services and computing associations to establish a benchmark for the local cloud security industry. The Taiwanese cloud services industry faces various foreign challenges and is also in the process of establishing cloud security operating policy; the CSA Taiwan Chapter therefore plays a critical role in shaping cloud security standards in Taiwan. The main objectives of the Taiwan Chapter are to assist the domestic development of an information security framework for cloud services, and to promote cloud security certification and the relevant training. In addition to regular knowledge-sharing seminars and the annual Taiwan Summit, the chapter also organises hacking competitions for all age groups and information security camps for children and teenagers.

 
 

APAC Volunteer Leadership Spotlight

 
 

Mr. Yi-Lang Tsai

 

Yi-Lang Tsai is the Founder and Chairman of the Cloud Security Alliance Taiwan Chapter. He is also the chapter leader of the Honeynet Project in Taiwan. He is a Research Fellow at the Taiwan Computer Security Incident Response Team, where he works for the Taiwan Academic Network (TANet) to detect and analyse security incidents. He is also a Director at the National Center for High-Performance Computing, where he leads and manages major security projects. In addition, Yi-Lang is an expert in UNIX/Linux, Windows OS, communication network technology, network security, ISMS and digital forensics. He is a well-known IT commentator and author in Taiwan, having published 34 books and written many columns in various professional IT publications.

 
 

Upcoming Events

Come and Join Us!

 
    CSA APAC Events
  1. Inaugural CSA Innovation Conference, 28-29 October, 2015, Singapore

    Registration is open now! To register for free: Click Here

    For more information please visit: Click Here

  2. Inaugural CSA New Zealand Summit, 19 November, 2015, Wellington, New Zealand
  3. 3rd CSA APAC Congress and 6th CSA Greater China Summit,1-3 December, 2015, Guangzhou, China

    Registration is open now! To register: Click Here

    For more event information: Click Here

    CSA APAC-Supported Events
  1. Govware, 8-10 October, 2015 Singapore

    For more details and to register: Click Here

  2. Hack In The Box, 12-16 October, 2015 Singapore

    S$200 discount for CSA members: CSA-HITB2015SG; for more details and to register: Click Here

  3. Cloud Expo Asia 2015, 28-29 October, 2015 Singapore

    For more event information and to register for free: Click Here

 

Contacts

 
    If you are interested in utilising the CSA Cloud Codebook for marketing purposes, please contact the co-editors.