OWASP Nagpur Meet #04
Shrikant B Ardhapurkar, Founder, Crypto Forensic Technology
MS (Information Security & Cyber Laws, Indian Institute of Information Technology Allahabad, India)
www.cryptoforensic.in | Mail: shrikant@cryptoforensic.in | Call: 7773900082
About OWASP
• The Open Web Application Security Project (OWASP)
• OWASP Top 10 (2007 edition):
A1. Cross-Site Scripting (XSS)
A2. Injection Flaws
A3. Malicious File Execution
A4. Insecure Direct Object Reference
A5. Cross-Site Request Forgery (CSRF)
A6. Information Leakage & Improper Error Handling
A7. Broken Authentication & Session Management
A8. Insecure Cryptographic Storage
A9. Insecure Communications
A10. Failure to Restrict URL Access
About Cyber Laws: International and National
• The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years
• Laws
• Policy
• Compliance
• Guidelines
• Standards
Laws:
• Information Technology Act 2000/2008
• Data Protection Act
Policy:
• Cyber Security Policy
• Information Technology Policy
Compliance:
• HIPAA
• GDPR
Governing Bodies in India
• CERT-In (Indian Computer Emergency Response Team)
• RBI (Reserve Bank of India)
• MeitY (Ministry of Electronics and Information Technology)
• STQC (Standardisation Testing and Quality Certification)
• Controller of Certifying Authorities (CCA)
Scope of OWASP: Audit
Why Cyber Laws in VAPT
• Business must be conducted in accordance with the law.
• Controls are based on local law.
HIPAA Compliance:
• Security Rule
• Privacy Rule
• Breach Notification Rule
Mapping: HIPAA rules to the OWASP Top 10
HIPAA rules:
• Security Rule
• Privacy Rule
• Breach Notification Rule
OWASP Top 10:
A1. Cross-Site Scripting (XSS)
A2. Injection Flaws
A3. Malicious File Execution
A4. Insecure Direct Object Reference
A5. Cross-Site Request Forgery (CSRF)
A6. Information Leakage & Improper Error Handling
A7. Broken Authentication & Session Management
A8. Insecure Cryptographic Storage
A9. Insecure Communications
A10. Failure to Restrict URL Access
PCI DSS
• The Payment Card Industry Data Security Standard (PCI DSS) was
created to protect credit cardholder data. The PCI DSS encompasses
twelve requirements for security management, policies, procedures,
network architecture, software design, and other critical protective
measures.
PCI DSS Requirements
• Install and maintain a firewall configuration to protect cardholder data
• Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect stored cardholder data
• Encrypt transmission of cardholder data across open, public networks
• Protect all systems against malware and regularly update anti-virus software or programs
• Develop and maintain secure systems and applications
• Restrict access to cardholder data by business need-to-know
• Identify and authenticate access to system components
• 12 requirements in total (the first eight are listed above)
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Rapid7 solutions enable any necessary testing and monitoring of both host-based firewalls and those separating the cardholder data environment (CDE), untrusted networks, and the outside world.
• Rapid7 Global Services will evaluate and document the gaps in your firewall coverage and configurations to make recommendations for improving your firewall deployment, management, and testing moving forward.
• Solutions:
• InsightVM
• Metasploit
• InsightIDR
• Global Services
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• Rapid7 solutions automatically scan vendor-supplied systems and web applications for default passwords, insecure configuration settings, unnecessary services, and communications over insecure channels.
• Rapid7 Global Services will evaluate existing policies, build a system inventory, and test all system configurations and encryption controls for infrastructure either within the organization or at shared hosting providers.
Requirement 6: Develop and maintain secure systems and applications
• Rapid7 solutions simulate attacks on custom applications across environments and monitor for violations of access policies, such as any new users accessing production systems.
• Rapid7 Global Services perform penetration tests and evaluate the application security policies in use to identify security gaps in the software development lifecycle.
• Solutions:
• InsightVM
• Metasploit
• AppSpider
• InsightIDR
• Global Services
Some Miscellaneous Sections from the IT Act
• Section 43
• Section 66
• Section 67 (F)
Conclusion
• Techno-legal expertise
• Team building (legal, technical, analysis, forensics, research)
• Strong support from government and associated bodies
• Strong reporting and presentation skills
• Involves substantial investment
• We are building the nation; go ahead and serve the nation.
