MDM solutions are ubiquitous in today's enterprise environment. They provide a way for security and IT departments to mitigate the risk of mobile malware and lost/stolen devices when personal devices are being used to access and store corporate resources.
Like any other piece of software deployed at large scale, we need to ask "is it secure?" and "what are the risks?" Because MDM is itself a security product, this crucial step seems to have been overlooked. With a few exceptions, the security community has not had much to say about vulnerabilities in MDM products, and this is likely due to the extremely restrictive licensing requirements for gaining access to the software.
This talk focuses on vulnerabilities in MDM products themselves. Through a number of penetration tests we have conducted for our clients, we have discovered and leveraged critical vulnerabilities in MDM solutions to gain access to sensitive information. We will provide an overview of these vulnerabilities, some of which appear to be systemic across a number of products.
Stephen is an accomplished application developer, systems administrator, entrepreneur, and academic. Stephen is experienced with secure development practices, hardening server configurations, and reviewing processes and code to secure information. Prior to joining NTT Com Security, Stephen was a lead developer on a project that dealt with large amounts of personal health information. Stephen's secure development background gives him a strong sense of where to find application bugs, how to exploit them, and how to fix them in a cost-effective manner. Like the rest of the NTT Com Security ethical hacking team, Stephen is an active member of the security community and has identified vulnerabilities in Mozilla Firefox and other products such as Adobe ColdFusion. He is an active developer of penetration testing tools and techniques, including assisting with research and development on the clusterd application server attack toolkit. Stephen has also spoken at a large development conference to demonstrate advanced web application attacks.