Iasi Code Camp, 12 October 2013, Ana Tudosa: Challenges in implementing and certifying an online payment application
1. Challenges in implementing and certifying an online payment application
October 2013
Ana Tudosa
Java Senior Developer
2. Why Do We Care About Security?
AN INTRODUCTION HERE
HELP!!!!
Challenges in implementing and certifying an online payment application
3. How Hard Is It To Compromise?
The majority of attacks are very easy to execute:
78% of the attacks required low or very low difficulty to execute
Source: Verizon Data breach investigation report 2013
4. Some Hacker Profiling
Variety and origin of external attackers
Source: Verizon Data breach investigation report 2013
5. Some Hacker Profiling
Variety of internal attackers
Developers are fairly honest compared to upper management and system administrators
Source: Verizon Data breach investigation report 2013
6. What is Being Compromised?
Most commonly, applications
Source: Post Breach Boom, Ponemon Institute 2013
7. How Did It Occur?
SQL injection is the most common form of successful attack
Source: Post Breach Boom, Ponemon Institute 2013
8. Types of Breaches
In order to protect your application you need to understand WHO, WHY and HOW
APT
Opportunistic breach
Hacktivist breach
Self-inflicted breach
9. Night Dragon
Source: Global energy cyber attacks, “Night Dragon”, McAfee, 2011
11. Cost Of a Data Breach
Average cost per breach, by cost component:
Detection and Escalation: $395,262
Notification: $565,020
Ex-Post Response: $1,412,548
Lost Business: $3,030,814
Source: Cost of A Data Breach: Global Analysis, Ponemon Institute 2013
12. What is PCI-DSS?
Payment Card Industry Data Security Standard
Enforced by all the major credit card brands around the globe
The card brands created the PCI Security Standards Council to maintain it
Its purpose is to protect the cardholder's data
The merchant is most often the weakest link
Why?
13. WHO Needs It?
PCI security standards and compliance cover an ecosystem of payment devices, applications, infrastructure and users:
Manufacturers: PCI PTS (PIN Transaction Security)
Software developers: PCI PA-DSS (Payment Application Data Security Standard, for payment application vendors)
Merchants and processors: PCI DSS (Data Security Standard)
14. What Does It Mean To Adhere To The Standard
Realize that it refers to the entire organization:
IT infrastructure and its management
How you store data (in particular cardholder data)
Security procedures
How you limit access to cardholder data
How you log everything
How strong your application is (security-wise)
The level of physical security
Tons of documents you need to produce
PCI does not allow degrees of compliance: you are either 100% compliant or not compliant at all
15. PCI data elements
Cardholder data (may be stored, but must be protected; the PAN must be rendered unreadable wherever it is stored):
PAN – primary account number
Expiration date
Cardholder name
Sensitive authentication data (must never be stored after authorization, not even encrypted):
Full track data (magnetic stripe or chip equivalent)
CAV2 / CVC2 / CVV2 / CID
PIN / PIN block
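As an added example (not from the talk), here is how a payment application can enforce that distinction at the point where a record is about to be written to the merchant database: cardholder data goes through with the PAN masked to the first six and last four digits, and any sensitive authentication data present at that boundary is rejected loudly rather than quietly dropped. The field names, the record shape and the use of a Luhn check to reject malformed PANs are assumptions for illustration.

```python
import re

# Cardholder data: may be stored if protected; the PAN must be rendered unreadable.
CARDHOLDER_DATA = {"pan", "expiry", "cardholder_name"}
# Sensitive authentication data: must never be stored after authorization.
SENSITIVE_AUTH_DATA = {"track1", "track2", "cvv", "pin"}


def luhn_valid(pan: str) -> bool:
    """Luhn check digit; rejects obviously malformed PANs before masking."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render the PAN unreadable: keep at most the first six and last four
    digits, which is the most PCI DSS allows to remain visible."""
    if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def prepare_for_storage(record: dict) -> dict:
    """Return the subset of `record` that may be written to the merchant database.

    Sensitive authentication data is not silently dropped: its presence at the
    storage boundary means an upstream component kept it too long, so fail loudly.
    Unclassified fields are refused as well rather than guessed at.
    """
    sad_present = SENSITIVE_AUTH_DATA & set(record)
    if sad_present:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(sad_present)}")
    unknown = set(record) - CARDHOLDER_DATA
    if unknown:
        raise ValueError(f"unclassified fields, refusing to guess: {sorted(unknown)}")
    stored = dict(record)
    if "pan" in stored:
        stored["pan"] = mask_pan(stored["pan"])
    return stored


def storage_allowed(record: dict) -> bool:
    """Convenience predicate: can this record be persisted as-is?"""
    try:
        prepare_for_storage(record)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a well-known test card number, not a real account.
    ok = {"pan": "4111111111111111", "expiry": "12/25", "cardholder_name": "A. Tudosa"}
    print(prepare_for_storage(ok))                # PAN comes back as 411111******1111
    print(storage_allowed({**ok, "cvv": "123"}))  # False
```

The check is deliberately placed at the storage boundary, not in the UI layer: it is the last place where a field that should have been discarded after authorization can still be caught.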
16. OWASP
Whenever you get feedback from either QA or a security audit you will be referred to OWASP
Open Web Application Security Project
Not-for-profit organization
Focused on improving application security
Technology agnostic
They produce the "Top ten most critical web application security risks"
Not the only one; there are others, like the Microsoft SDL
17. OWASP top 10
A1: Injection
A2: Broken authentication and session management
A3: Cross-site scripting (XSS)
A4: Insecure direct object references
A5: Security misconfiguration
A6: Sensitive data exposure
A7: Missing function level access control
A8: Cross-site request forgery (CSRF)
A9: Using components with known vulnerabilities
A10: Unvalidated redirects and forwards
Source: OWASP TOP 10 , 2013
18. JSF Components
We implemented our own set of JSF components
The requirements were:
A single way to present the UI
Highly customizable
It came in handy when implementing protection against the top 10 security threats: output escaping, URL encoding, input validation, challenge codes
19. A2: Broken authentication and session management
Method: application functions related to authentication and session management are often not implemented correctly.
Risk:
Compromised passwords, keys or session tokens
Attackers assume other users' identities
Unauthorized access to the application
20. A2: Broken authentication and session management
Solution
Session cookies flagged Secure and HttpOnly
No session ID in URLs
Idle session timeout and a maximum session TTL
Create a new session (new ID) after login
Challenge codes
Hash passwords with a per-user salt (a slow password hash, not a plain digest)
Use strong encryption algorithms for sensitive data
Serve the login page itself over HTTPS, not just the form submission
Don't re-invent the wheel (use the session management your platform already provides)
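The session-handling points above, collected into one runnable example. This is added illustration, not code from the talk or from the application it describes: a server-side session table keyed by a random ID, an idle timeout plus an absolute TTL, a fresh ID issued on successful login (so an ID planted before login, as in session fixation, is useless afterwards), the Secure/HttpOnly cookie that carries the ID, and salted PBKDF2 password hashing with a constant-time compare. The timeout values, the cookie name and the PBKDF2 round count are assumptions; the `SameSite` attribute is a later addition to cookies than the 2013 talk.

```python
import hashlib
import hmac
import os
import secrets
import time

IDLE_TIMEOUT = 15 * 60       # assumption: seconds of inactivity before the session dies
MAX_SESSION_TTL = 8 * 3600   # assumption: absolute lifetime, regardless of activity
PBKDF2_ROUNDS = 200_000      # assumption: tune so one hash takes ~100 ms on your hardware


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256. The stored string carries its own salt and
    round count, so the parameters can be raised later without a flag day."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)   # constant-time comparison


class SessionStore:
    """Server-side session table; the client only ever holds the opaque ID."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested without sleeping
        self._sessions = {}

    def create(self, user=None) -> str:
        sid = secrets.token_urlsafe(32)   # 256 random bits, never derived from user data
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def get(self, sid):
        """Session data, or None if the ID is unknown, idle too long or past its TTL."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > MAX_SESSION_TTL:
            self.invalidate(sid)
            return None
        s["last_seen"] = now
        return s

    def invalidate(self, sid) -> None:
        self._sessions.pop(sid, None)

    def login(self, old_sid, user, password, stored_hash):
        """Verify the password and, on success, rotate the session ID."""
        if not verify_password(password, stored_hash):
            return None
        self.invalidate(old_sid)          # the pre-login ID must not survive authentication
        return self.create(user=user)


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value: Secure (HTTPS only), HttpOnly (no script access), path-bound.
    The ID travels only in this cookie, never in a URL or a hidden form field."""
    return f"JSESSIONID={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"
```

The injectable clock is what makes the two expiry rules testable: idle expiry is checked by letting one interval pass without a request, absolute expiry by touching the session regularly until its creation time is too old.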
21. A2: Example: Tunisian Arab Spring
22. A5: Security misconfiguration
Method: exploit insecure configuration, such as application server (AS) or database server defaults
Risk:
Unauthorized access to some system data or functionality
Occasionally, such flaws result in a complete system compromise
Very generic; it can be anything
23. A5: Security misconfiguration
Solution:
Application server hardening
Implementing new application server services for extended cryptographic capabilities
Keep dependencies up to date
Periodic scans/audits
A strong application architecture: tokenization
24. A5: Application Architecture : Tokenization
Diagram: card data enters through a Facade and is handed to the Tokenization Module; behind it sit the Encryption Engine, Datasets in Memory, and Connectors to Clearing.
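An added example of the tokenization idea in the diagram, written for this page rather than taken from the talk's application: the vault is the only component holding clear PANs, tokens are random values unrelated to the PAN, the facade returns only the token and the last four digits to the web tier, and only a named clearing connector is allowed to reverse a token. The class names, the `tok_` prefix and the settlement message shape are assumptions; encrypting the vault's own store and managing its keys (the encryption engine, ideally HSM-backed) is assumed and not shown.

```python
import secrets


class TokenVault:
    """Tokenization module: the only component that ever sees clear PANs.

    Tokens are random, not derived from the PAN, so a token leaked from the
    web tier or the merchant database reveals nothing without the vault.
    Assumption: the vault's own storage is encrypted by a separate engine.
    """

    def __init__(self, authorized_detokenizers):
        self._pan_by_token = {}
        self._token_by_pan = {}   # assumption: a real vault indexes by HMAC(PAN), not clear PAN
        self._authorized = frozenset(authorized_detokenizers)

    def tokenize(self, pan: str) -> str:
        """Return the existing token for this PAN, or mint a fresh random one."""
        token = self._token_by_pan.get(pan)
        if token is None:
            token = "tok_" + secrets.token_hex(16)     # 128 random bits
            while token in self._pan_by_token:         # collision is astronomically unlikely
                token = "tok_" + secrets.token_hex(16)
            self._pan_by_token[token] = pan
            self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Only the connectors that must present the PAN to clearing may reverse a token."""
        if caller not in self._authorized:
            raise PermissionError(f"{caller!r} may not detokenize")
        try:
            return self._pan_by_token[token]
        except KeyError:
            raise KeyError("unknown token") from None


class PaymentFacade:
    """What the web tier calls: it hands over the PAN once and keeps only the
    token and the last four digits (enough for receipts and customer display)."""

    def __init__(self, vault: TokenVault):
        self._vault = vault

    def register_card(self, pan: str) -> dict:
        return {"token": self._vault.tokenize(pan), "last4": pan[-4:]}


class ClearingConnector:
    """Connector to the acquirer/clearing house: the one place the PAN reappears."""

    def __init__(self, vault: TokenVault, name: str = "clearing"):
        self._vault = vault
        self.name = name

    def build_settlement_message(self, token: str, amount_cents: int) -> dict:
        # Constructed message shape; a real connector builds the acquirer's own record.
        return {"pan": self._vault.detokenize(token, caller=self.name), "amount": amount_cents}


if __name__ == "__main__":
    vault = TokenVault(authorized_detokenizers={"clearing"})
    facade = PaymentFacade(vault)
    card = facade.register_card("4111111111111111")   # constructed test card number
    print(card)                                        # token plus last4 only
    print(ClearingConnector(vault).build_settlement_message(card["token"], 1999))
```

The caller check in `detokenize` is the architectural point: systems that only ever hold tokens (web tier, reporting, customer service) cannot be turned into PAN leaks even if fully compromised, which is what shrinks the PCI DSS scope.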
25. A5: Application Architecture
Diagram (network tiers, from the outside in):
Un-trusted users -> Firewall -> DMZ (un-trusted zone): Web Server running the Payment Application (web)
-> App Tier: Application Server running the Payment Application (core)
-> DB Tier: Database
Internal network users sit behind the same tiering.
26. A6: Sensitive data exposure
Method: exploit poorly protected sensitive data
This merges the old (2010) A7 and A9:
A7: Insecure Cryptographic Storage
A9: Insufficient Transport Layer Protection
Risk:
Information leakage
Unauthorized access to sensitive data in transit
Network sniffing
27. A6: Sensitive data exposure
Solution:
Use existing, strong encryption algorithms
Generate keys offline and store private keys with extreme care
Ensure that they are properly secured
Always use TLS for sensitive data in transit (TLS 1.2 at the time of this talk; SSL 3.0 was broken by POODLE the following year and must be disabled)
Protect communication between web servers and databases
Use certificates where applicable, even on internal networks
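An added example of what "always use TLS" and "use certificates even on internal networks" look like as configuration, not taken from the talk: a client-side TLS context that refuses anything below TLS 1.2 and requires a verified certificate with hostname checking, next to the configuration a reviewer should reject (encryption with no peer authentication), and an audit function that states the checks explicitly. The same context object can be handed to any Python client whose driver accepts an `SSLContext`, which is the assumption behind reusing it for the web-tier-to-database hop.

```python
import ssl


def build_client_context(cafile=None) -> ssl.SSLContext:
    """Context for any client hop that carries cardholder data, internal ones
    included (web tier -> application tier, application tier -> database).

    create_default_context already enables certificate verification and hostname
    checking and disables SSLv2/SSLv3; the floor is pinned to TLS 1.2 on top.
    `cafile` is the internal CA bundle for private certificates (assumption:
    None falls back to the system trust store)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The configuration to refuse in review: the bytes are encrypted, but with
    no certificate check anyone in the path can terminate the connection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """The checks to run against a context before it is deployed."""
    return {
        "tls12_or_newer": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3),
        "verifies_peer_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
    }


def context_acceptable(ctx: ssl.SSLContext) -> bool:
    return all(audit_context(ctx).values())


if __name__ == "__main__":
    print(audit_context(build_client_context()))   # every check True
    print(audit_context(weak_client_context()))    # peer verification and hostname check False
```

The weak variant is common in internal deployments precisely because "it is only the database" and self-signed certificates fail verification; the fix is to issue internal certificates from a private CA and pass that CA bundle as `cafile`, not to switch verification off.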