Prathibha Muraleedhara: Unveiling the Essentials of Web and Mobile Application Security 

Prathibha Muraleedhara

In an era where digital threats loom large, the need for robust security measures is more pressing than ever. One discipline at the forefront of this battle is web and mobile application security. As technology advances, so do the tactics of those seeking to exploit vulnerabilities, making the expertise of security professionals critical in protecting sensitive data and infrastructure.

At the helm of this critical domain stands Prathibha Muraleedhara, a seasoned Manager of Security Architecture and researcher. With a wealth of experience spanning several well-regarded organizations, her expertise has been instrumental in strengthening defenses against a myriad of cyber threats. With a master's degree in information system security, a research background, and certifications such as CEH and GWAPT, Prathibha's insights into the complexities of mobile security vulnerabilities have been invaluable in shaping effective mitigation strategies.

Driving forward the security agenda at Stanley Black & Decker, Inc., Prathibha leads initiatives that span security testing, architecture review, and vulnerability disclosure programs. Her research focuses on automating and optimizing these security programs and on the latest security trends in the industry. She has shared her technical knowledge through multiple technical articles, whitepapers, and book chapters. In addition, her expertise and mentoring have guided numerous professionals and students in their growth and development in the cybersecurity field.

In the emerging era of technology, where innovation collides with risk, Prathibha remains at the forefront, anticipating emerging threats and advocating for proactive security measures. As the digital realm continues to expand, her foresight and dedication underscore the vital role of security professionals in protecting the integrity of our digital infrastructure.

In an interview conducted by Anish Miller (Deputy Editor, CIOLook), Prathibha shared insights from her journey so far in the industry.

Below are the excerpts from the interview.

How long have you been working in web and mobile application security testing, and what certifications or qualifications do you have in this field?

Over the past decade, I have served as a web and mobile security testing expert for reputable organizations, including Paladion Networks, KPMG, HP Inc., and Stanley Black & Decker. I hold a master’s degree in information system security from the University of Houston and am certified with CEH and GWAPT.

I consistently research the latest security exploits in web and mobile applications, cloud services, industry products, and industrial OT networks. Additionally, I have authored numerous articles and book chapters and have presented at conferences.

Can you provide examples of security vulnerabilities you commonly detect and how you address them?

Based on my research and industrial experience, I have seen attackers exploit several mobile security vulnerabilities. Here are some examples of these vulnerabilities and ways to address them:

  • Weak Authentication: If authentication mechanisms are weak, attackers can more easily access sensitive data or resources on the mobile device. To mitigate this, organizations can introduce robust authentication mechanisms such as biometric authentication or two-factor authentication.
  • Malware: Malware is harmful software that can be installed on a mobile device without the user’s knowledge or permission. To tackle this, users and organizations can install antivirus software on their mobile devices and ensure that they download apps only from reliable sources.
  • Data Leakage: When sensitive data is transmitted or stored insecurely, it can lead to data leakage. To counter this, organizations can implement encryption technologies to safeguard sensitive data and ensure that data transmission takes place only through secure channels.
  • Jailbreaking and Rooting: Jailbreaking and rooting are techniques used to eliminate the security restrictions imposed by mobile operating systems, which can make mobile devices more vulnerable to attacks. To address this, organizations can implement mobile device management (MDM) solutions that apply security policies and restrict jailbroken or rooted devices from accessing sensitive resources.
  • Insecure Wi-Fi Connections: Insecure Wi-Fi connections can expose mobile devices to man-in-the-middle attacks. To mitigate this, users and organizations can confirm that they connect only to secure Wi-Fi networks and use VPNs to encrypt their traffic.

In conclusion, the most effective way to resolve mobile security vulnerabilities is to establish a comprehensive mobile security strategy that incorporates a blend of technical controls, user education, and best practices.
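Editor's note: the following is an added example, not part of the interview and not code from Prathibha Muraleedhara or Stanley Black & Decker. It illustrates the "data leakage" and "insecure Wi-Fi / man-in-the-middle" items above as a tester would actually check them on an Android app: after pulling AndroidManifest.xml and res/xml/network_security_config.xml out of an APK (for example with apktool), the script flags app-wide cleartext traffic, a debuggable build, a missing network security config, domains with no certificate pinning, and trust in user-installed CAs (which lets an intercepting proxy's certificate be accepted). The attribute and element names are the real Android ones; the two manifests and two configs embedded below are constructed sample input.

```python
"""Static checks for insecure Android network settings (added example).

Inputs are the decoded AndroidManifest.xml and the app's
network_security_config.xml. All sample XML below is constructed.
"""
import xml.etree.ElementTree as ET

# Android resource attributes live in this namespace in the manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def audit_manifest(manifest_xml: str) -> list[str]:
    """Return human-readable findings for the <application> element."""
    findings = []
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return ["manifest: no <application> element"]
    if app.get(ANDROID_NS + "usesCleartextTraffic", "false").lower() == "true":
        findings.append("manifest: usesCleartextTraffic=true (plain HTTP allowed app-wide)")
    if app.get(ANDROID_NS + "debuggable", "false").lower() == "true":
        findings.append("manifest: debuggable=true (release builds must not be debuggable)")
    if app.get(ANDROID_NS + "networkSecurityConfig") is None:
        findings.append("manifest: no networkSecurityConfig (no pinning or cleartext policy declared)")
    return findings


def audit_network_security_config(nsc_xml: str) -> list[str]:
    """Return findings for base-config, each domain-config and trust anchors."""
    findings = []
    root = ET.fromstring(nsc_xml)
    base = root.find("base-config")
    if base is not None and base.get("cleartextTrafficPermitted", "false").lower() == "true":
        findings.append("base-config: cleartextTrafficPermitted=true")
    # domain-config may be nested, so walk the whole tree rather than direct children.
    for cfg in root.iter("domain-config"):
        domains = [d.text.strip() for d in cfg.findall("domain") if d.text]
        label = ", ".join(domains) or "<no domain>"
        if cfg.get("cleartextTrafficPermitted", "").lower() == "true":
            findings.append(f"domain-config [{label}]: cleartextTrafficPermitted=true")
        if cfg.find("pin-set") is None:
            findings.append(f"domain-config [{label}]: no pin-set (no certificate pinning)")
    for certs in root.iter("certificates"):
        if certs.get("src") == "user":
            findings.append("trust-anchors: user-added CAs trusted (an installed proxy CA can intercept TLS)")
    return findings


# ---- constructed sample input: a weak build and a hardened build ----
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:usesCleartextTraffic="true" android:debuggable="true"/>
</manifest>"""

HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""

WEAK_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
  </domain-config>
</network-security-config>"""

HARDENED_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2026-12-31">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
      <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
    </pin-set>
  </domain-config>
</network-security-config>"""


if __name__ == "__main__":
    for name, manifest, nsc in (("weak", WEAK_MANIFEST, WEAK_NSC),
                                ("hardened", HARDENED_MANIFEST, HARDENED_NSC)):
        print(f"== {name} build ==")
        for f in audit_manifest(manifest) + audit_network_security_config(nsc):
            print("  -", f)
```

The hardened config pins two SHA-256 hashes (a primary and a backup key) and sets an expiration date so a forgotten pin rotation degrades to normal CA validation instead of bricking the app; the script does not validate the pin values themselves, only that a pin-set exists for each domain.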

Can you share some examples of web and mobile application security testing projects you’ve worked on?

Throughout my professional experience, I have conducted security assessments for numerous clients in the healthcare, banking, and manufacturing industries on both a national and international level. While working as a security engineer at Paladion Networks, I was tasked with evaluating applications and awarding PLYNT certification to those that complied with security standards.

During my tenure as an information security architect at HP, I assessed various internal and external-facing applications, as well as printer software and cloud solutions. In my current role as a manager at Stanley Black & Decker, I am spearheading the development and management of security testing initiatives, architecture review, and vulnerability disclosure programs.

How do you ensure that non-technical stakeholders understand the security implications of your findings?

To ensure non-technical stakeholders grasp security implications, I simplify language and avoid technical jargon. Using examples, I illustrate the risks associated with security issues. I explain how security findings impact an organization’s operations and reputation, emphasizing the importance of addressing them.

Additionally, I provide recommendations on how to address security issues and explain the benefits of implementing said recommendations. Finally, I use visuals like graphs, charts, and diagrams to help stakeholders visualize security risks and consequences.

How do you stay updated on the latest trends and threats in web and mobile application security?

To keep up to date with web and mobile application security trends and threats, I conduct continuous research about the latest security exploits and develop effective countermeasures, present at conferences and seminars, contribute to industry publications, collaborate in online forums and discussion groups, and enroll in training and certification programs to maintain my knowledge of the latest security techniques and best practices.

These methods enable me to gain insights into the industry, network with other professionals, exchange knowledge, contribute towards future developments, and stay ahead of emerging threats.

How do you establish trust and credibility with clients when conducting security assessments?

To establish trust and credibility with stakeholders and application teams during security assessments, I maintain clear communication by explaining the assessment process, methodologies, and expected outcomes. I ensure transparency by providing them with regular updates, being upfront about findings and recommendations, and demonstrating technical expertise.

I adhere to confidentiality agreements, maintain professionalism and ethical standards, and provide follow-up support. By using these methods, I establish a trusting relationship with my stakeholders and ensure they feel confident in my ability to conduct a thorough and accurate security assessment.

What do you see as the future trends in web and mobile application security testing?

Based on my study and research, web and mobile application security testing will see increased use of automation to reduce time and effort while improving accuracy. DevSecOps will be more widely adopted, integrating security into software development. There will be a greater focus on API security testing, and cloud security testing will become more important as more applications move to the cloud.

Artificial intelligence and machine learning will be utilized to identify vulnerabilities more accurately and efficiently. These trends suggest that web and mobile application security testing will become more automated, integrated, and focused on emerging technologies such as APIs and cloud services.