The document discusses an OWASP meetup on application security topics. It summarizes key areas like the top 10 security risks, cyber laws in India and internationally, governing bodies in India, and how application security maps to compliance standards like HIPAA and PCI DSS. It also provides an overview of Rapid7 solutions that can help test and remediate vulnerabilities related to firewalls, passwords, encryption, and application security best practices.
1. OWASP Nagpur Meet #04
Shrikant B Ardhapurkar, Founder Crypto Forensic Technology
MS ( Information Security & Cyber Laws, Indian Institute of Information
Technology Allahabad India)
www.cryptoforensic.in Mail:shrikant@cryptoforensic.in
Call:7773900082
2. About OWASP
• The Open Web Application Security Project (OWASP)
• OWASP Top 10 (2007 edition):
A1. Cross-Site Scripting (XSS)
A2. Injection Flaws
A3. Malicious File Execution
A4. Insecure Direct Object Reference
A5. Cross Site Request Forgery (CSRF)
A6. Information Leakage & Improper Error Handling
A7. Broken Authentication & Session Management
A8. Insecure Cryptographic Storage
A9. Insecure Communications
A10. Failure to Restrict URL Access
3. About Cyber Laws: International and National
• The EU General Data Protection Regulation (GDPR) is the most
important change in data privacy regulation in 20 years
• Laws
• Policy
• Compliance
• Guidelines
• Standards
4. Laws
• Information Technology Act, 2000 (amended 2008)
• Data Protection Act
Policy:
• Cyber Security Policy
• Information Technology Policy
• Compliance
• HIPAA
• GDPR
5. Governing Bodies in India.
• CERT-In (Indian Computer Emergency Response Team)
• RBI (Reserve Bank of India)
• MeitY (Ministry of Electronics and Information Technology)
• STQC (Standardisation Testing and Quality Certification Directorate)
• Controller of Certifying Authorities (CCA)
6. Scope of OWASP: Audit.
7. Why Cyber Laws in VAPT
• Business must be conducted in accordance with the law.
• Controls are based on local law.
HIPAA Compliance
Security Rule
Privacy Rule
Breach Notification Rule
9. PCI DSS
• The Payment Card Industry Data Security Standard (PCI DSS) was
created to protect credit cardholder data. The PCI DSS encompasses
twelve requirements for security management, policies, procedures,
network architecture, software design, and other critical protective
measures.
10. PCI DSS Clauses
• Install and maintain a firewall configuration to protect cardholder data
• Do not use vendor-supplied defaults for system passwords and other
security parameters
• Protect stored cardholder data
• Encrypt transmission of cardholder data across open, public networks
• Protect all systems against malware and regularly update anti-virus
software or programs
• Develop and maintain secure systems and applications
• Restrict access to cardholder data by business need-to-know
• Identify and authenticate access to system components
• 12 requirements in total. The eight listed here are Requirements 1 to 8; the remaining four cover restricting physical access to cardholder data, tracking and monitoring all access to network resources and cardholder data, regularly testing security systems and processes, and maintaining an information security policy for all personnel.
11. Requirement 1: Install and maintain a firewall
configuration to protect cardholder data
• Rapid7 solutions enable any necessary testing and monitoring of both
host-based firewalls and those separating the cardholder data environment
(CDE) from untrusted networks and the outside world.
• Rapid7 Global Services will evaluate and document the gaps in your firewall
coverage and configurations to make recommendations for improving your
firewall deployment, management, and testing moving forward.
• InsightVM
• Metasploit
• InsightIDR
• Global Services
12. Do not use vendor-supplied defaults for system
passwords and other security parameters
• Rapid7 solutions automatically scan vendor-supplied systems and
web applications for default passwords, insecure configuration
settings, unnecessary services, and communications over insecure
channels.
• Rapid7 Global Services will evaluate existing policies, build a system
inventory, and test all system configurations and encryption controls
for infrastructure either within the organization or at Shared Hosting
Providers.
13. Develop and maintain secure systems and
applications
• Rapid7 solutions simulate attacks on custom applications across environments
and monitor for violations of access policies, such as any new users accessing
production systems.
• Rapid7 Global Services perform penetration tests and evaluate application
security policies in use to identify security gaps in the software development
lifecycle.
• Solutions:
• InsightVM
• Metasploit
• AppSpider
• InsightIDR
• Global Services
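The access-policy monitoring described above (alerting when a user not previously approved logs in to a production system) reduced to a minimal detection routine. This is an added example, not code from the slides or from any Rapid7 product. The sshd-style log lines, the `prod-` host naming convention and the approved-user baseline are all constructed assumptions:

```python
"""Flag first-seen users logging in to production hosts.

Added example (not from the slides or Rapid7). Log format, host naming
and the approved-user baseline are assumptions for illustration.
"""
import re

# Constructed sample: sshd "Accepted"/"Failed" lines as syslog would emit them.
SAMPLE_LOG = """\
Mar 10 09:01:12 prod-db-01 sshd[1201]: Accepted publickey for dba_anita from 10.0.5.21 port 51022 ssh2
Mar 10 09:03:40 prod-web-02 sshd[2210]: Accepted password for deploy from 10.0.5.40 port 51100 ssh2
Mar 10 09:05:02 dev-web-07 sshd[3301]: Accepted password for intern_raj from 10.0.9.15 port 51500 ssh2
Mar 10 09:07:55 prod-db-01 sshd[1255]: Accepted password for intern_raj from 10.0.9.15 port 51733 ssh2
Mar 10 09:08:13 prod-db-01 sshd[1260]: Failed password for root from 203.0.113.9 port 40000 ssh2
Mar 10 09:09:30 prod-web-02 sshd[2299]: Accepted publickey for deploy from 10.0.5.40 port 51210 ssh2
Mar 10 09:11:05 prod-web-02 sshd[2310]: Accepted password for svc_backup from 10.0.5.41 port 51300 ssh2
"""

# Assumed baseline: users approved for each production host (for example,
# exported from the change-control system).
BASELINE = {"prod-db-01": {"dba_anita"}, "prod-web-02": {"deploy"}}

# Only successful logins matter for this control; failed attempts are left to
# brute-force detection elsewhere.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"Accepted\s(?P<method>\w+)\sfor\s(?P<user>\S+)\sfrom\s(?P<src>\S+)"
)


def is_production(host):
    """Assumed naming convention: production hosts carry a 'prod-' prefix."""
    return host.startswith("prod-")


def detect_new_prod_users(log_text, baseline):
    """Return one alert per (host, user) pair seen on a production host
    that is not in the baseline. The baseline is copied, not mutated, so an
    analyst decides separately whether an alerted user becomes approved."""
    known = {host: set(users) for host, users in baseline.items()}
    alerts = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue  # failed logins and non-sshd lines are out of scope
        host, user = m["host"], m["user"]
        if not is_production(host):
            continue  # dev/test access is governed by a different policy
        approved = known.setdefault(host, set())
        if user not in approved:
            approved.add(user)  # alert once, not on every subsequent login
            alerts.append({
                "ts": m["ts"], "host": host, "user": user,
                "src": m["src"], "method": m["method"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_new_prod_users(SAMPLE_LOG, BASELINE):
        print(f"{a['ts']} ALERT new user on {a['host']}: "
              f"{a['user']} from {a['src']} ({a['method']})")
```

On the sample above this raises exactly two alerts: `intern_raj` on `prod-db-01` (the same account seen moments earlier on a dev host, now using a password rather than a key) and `svc_backup` on `prod-web-02`. The `deploy` logins are silent because the account is in the baseline, and the failed `root` attempt is ignored by design.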
14. Some Miscellaneous Sections from the IT Act
• Section 43 (penalty and compensation for damage to a computer, computer system, etc.)
• Section 66 (computer-related offences)
• Section 67 (F).
15. Conclusion
• Techno-legal expertise.
• Team building (legal, technical, analysis, forensic, research)
• Strong support from Govt. and Annexure Bodies
• Strong reporting and presentation.
• Involves substantial investment.
• We are building the Nation; go ahead and serve the Nation.