AppSec Europe 2016 has ended
Friday, July 1 • 15:00 - 15:45
Everything You Need to Know About Certificate Pinning, But Are Too Afraid To Ask


Pinning Certificates (“Cert Pinning”) trends perennially, coming to the fore with each new SSL hack. Security urges developers to pin certs and many mobile apps do — some applying pinning to problems it doesn’t solve while others do so entirely unnecessarily. What risks does pinning really reduce? What should a developer consider prior to deciding to pin certs? Are there tradeoffs? Once decided, how should they do it?

Taking a perspective useful to both developers and penetration testers, this presentation covers these tradeoffs, from how organizational maturity impacts viability to the risk reduction offered by the choices developers make about which elements of the certificate and chain to validate. The presentation will quickly recap the basics of certificates, their chains, and SSL validation.

Expect to leave understanding common misconceptions and key subtleties of pinning that may in fact /decrease/ security or impose undue complexity. Expect to understand common developer mistakes in pinning, for example in mobile WebViews. By the end of the presentation attendees will understand organizational and operational complexities, relevant design, and implementation-level detail.
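One of the subtleties the abstract alludes to is what exactly gets pinned: a whole leaf certificate, or the subjectPublicKeyInfo (SPKI) inside it, with a backup pin held in reserve. The following is an added example, not code from the talk or its author: a standard-library-only Python script that constructs minimal DER certificates (real OIDs, empty names, placeholder key and signature bits, all labelled as constructed), locates the SPKI by RFC 5280 field order, and shows that an SPKI pin survives renewal with the same key pair while a whole-certificate pin breaks on every renewal. All function and constant names are the example's own.

```python
import base64
import hashlib

# Minimal DER helpers written for this example; not a full X.509 parser.
def der_len(n):   # short form below 128, long form (0x8N + N length bytes) above
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body
def tlv(tag, payload):
    return bytes([tag]) + der_len(len(payload)) + payload
def der_read(buf, i):
    """(tag, value_start, value_end) of the TLV at buf[i]; handles long-form lengths."""
    tag, length, hdr = buf[i], buf[i + 1], 2
    if length >= 0x80:
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[i + 2:i + 2 + n], "big"), 2 + n
    return tag, i + hdr, i + hdr + length
def children(seq):
    """(tag, raw_tlv) for each element inside a DER SEQUENCE."""
    out, (_, j, end) = [], der_read(seq, 0)
    while j < end:
        t, _, e = der_read(seq, j)
        out.append((t, seq[j:e]))
        j = e
    return out
def spki_bytes(cert):
    """subjectPublicKeyInfo of a DER Certificate, located by RFC 5280 field order."""
    fields = children(children(cert)[0][1])   # tbsCertificate
    if fields[0][0] == 0xA0:                  # optional explicit [0] version
        fields = fields[1:]
    return fields[5][1]   # serial, sigAlg, issuer, validity, subject, SPKI
def pin(data): return "sha256/" + base64.b64encode(hashlib.sha256(data).digest()).decode()
def spki_pin(cert): return pin(spki_bytes(cert))   # survives renewal with the same key pair
def cert_pin(cert): return pin(cert)               # changes on every renewal, even with the same key
def pinned(cert, accepted_pins): return spki_pin(cert) in accepted_pins   # set should hold a backup pin

# Constructed sample certificates: real OIDs, empty names, placeholder key and signature bits.
RSA_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption
RSA_KEY = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")))   # rsaEncryption
def cert(serial, not_before, not_after, key):
    spki = tlv(0x30, RSA_KEY + tlv(0x03, b"\x00" + key))
    validity = tlv(0x30, tlv(0x17, not_before) + tlv(0x17, not_after))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial) + RSA_ALG
              + tlv(0x30, b"") + validity + tlv(0x30, b"") + spki)
    return tlv(0x30, tbs + RSA_ALG + tlv(0x03, b"\x00" + b"\xAA" * 16))

KEY_A, KEY_B = b"\x01" * 64, b"\x02" * 64   # placeholder key bits, not real RSA keys
CERT_2016 = cert(b"\x01", b"160101000000Z", b"170101000000Z", KEY_A)
CERT_2017 = cert(b"\x02", b"170101000000Z", b"180101000000Z", KEY_A)   # renewed, same key
CERT_NEWKEY = cert(b"\x03", b"170101000000Z", b"180101000000Z", KEY_B)  # key rotated
```

Pinning CERT_2016 by SPKI still accepts CERT_2017, while pinning the whole certificate rejects it; CERT_NEWKEY is only accepted if its pin was shipped in advance as a backup.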


John Kozyrakis

Technical Strategist, Cigital
John Kozyrakis is a Technical Strategist at Cigital and his primary area of expertise is mobile application security. Over the years, he has been involved with penetration testing, reviewing source code, security architecture and reverse engineering. John works with software architects...

Friday July 1, 2016 15:00 - 15:45 CEST
Room B (Tiziano Ballroom Sec. 1)