Web Application Security for the Payment Card Industry

Abhay Bhargav
Principal Consultant and CTO - The we45 Group

Tuesday, April 20, 2010

Who am I?
    Application Security and Compliance Specialist
    Performed over 50 security assessments across 18 countries
    Co-author of Secure Java for Web Application Development
    Spoken at several events, including OWASP AppSec NYC 2008
    Trainer and Workshop Lead for Security Training Workshops
    My blog: http://citadelnotes.blogspot.com

Why am I here?

Web Applications - A Growing Force
    The growing footprint of Internet and Intranet Applications
    Unprecedented Adoption of E-Commerce all over the world
    Worldwide Internet Usage - 24.7% and growing at 362%
    Increasing influence of the Internet in the interchange of commercial information

Web Applications - Trouble in Paradise
    Network and OS attacks are too much work
    Sensitive Information is a mere browser attack away!
    Application Developers are far from the promised land
    Power of Free Expression - Internet - The Double Edged Sword

Who’s watching, and what does it mean?
    Regulations are the driving force for security in Web Applications
    PCI-DSS and PA-DSS
    US State Laws modeled on Card Security
    Fines, Penalties and Lawsuits - The Whole Nine Yards
    Reputation drives Motivation
    Forensics - The beginning of a long and arduous relationship

Some hard truths
    Your users need to be protected against YOUR users
    All data you handle is YOUR problem
    A security breach can have a serious bearing on YOUR finances and reputation
    Having the best OS Security and Network Security is just NOT enough
    Ignorance != Innocence

What is the cure?
    Authentication and Authorization
    Application Crypto
    Logging and Log Management
    Secure Coding Practices
    SDLC
    Other Best Practices

Authentication and Authorization - A foot in the door
    Flawed authentication systems - One of the top causes for Web Application attacks
    Lack of Clarity for Role Based Access Control - Access Control Matrix
    Authorization issues
        Client Side Syndrome - Over-reliance on Javascript
        Improper Authorization system - server side

Authentication and Authorization - 2
    Password Management
    Password Storage
        Hardcoding
        Password encryption = null
    Password Transmission
    Sessions
        The Guessing Game
        Session Handlers
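As an added example (not from the slides, and not we45 code), the "Password Storage" and "The Guessing Game" bullets done the way the slide demands: a salted, iterated hash in place of a plaintext or "encryption = null" store, and session identifiers drawn from the OS CSPRNG so that one valid identifier says nothing about the next. The iteration count, salt size and record format are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16               # assumed per-user salt length

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    The password itself is never stored, and the per-user random salt means a
    single precomputed table cannot cover every account at once.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        rounds = int(iterations)
    except ValueError:
        return False                      # malformed record: fail closed
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # hmac.compare_digest does not stop at the first differing byte
    return hmac.compare_digest(digest, expected)

def new_session_id(nbytes: int = 32) -> str:
    """Session identifier from the OS CSPRNG (256 bits with the default).

    Counters, timestamps or user-id-derived tokens let one valid session
    identifier be used to predict the next; random bytes do not.
    """
    return secrets.token_urlsafe(nbytes)

def session_id_matches(presented: str, stored: str) -> bool:
    """Constant-time comparison for the session lookup as well."""
    return hmac.compare_digest(presented.encode("utf-8"), stored.encode("utf-8"))
```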

Application Crypto - Scrambled Eggs
    Store if you must, Protect if you store
    Crypto - Something that can go horribly wrong
    No “Home-Grown” Crypto
    Key Management - An oft-forgotten aspect of cryptography

Application Logs - Are you watching closely?
    Logs are not unnecessary overhead. They could save your life
    Logs should capture pertinent details
    Sensitive Information should not be logged
    Exceptions and Errors should be logged
    Administrative users are not above the law
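An added example (not from the slides or from we45) of the "pertinent details" and "should not be logged" bullets together: a logging filter that keeps who, from where and what outcome, but reduces card numbers to their last four digits and blanks password, CVV and PIN values before any handler writes the line. The regular expressions, parameter names and sample lines are constructed for this demonstration.

```python
import logging
import re

# Card number candidates: 13 to 19 digits, optionally separated by spaces or dashes
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Assumed names of the parameters an application must never write to its logs
SECRET_KV_RE = re.compile(r"(?i)\b(password|passwd|pwd|cvv|cvc|pin)=([^\s&,]+)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the layout payment card numbers use; filters out
    order numbers and phone numbers that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(text: str) -> str:
    """Reduce each Luhn-valid card number to its last four digits."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        return "*" * (len(digits) - 4) + digits[-4:]
    return CARD_RE.sub(repl, text)

def redact_secrets(text: str) -> str:
    """Blank the value of password/CVV/PIN style key=value pairs."""
    return SECRET_KV_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)

def scrub(text: str) -> str:
    """Both passes, in the order the filter applies them."""
    return redact_secrets(mask_pan(text))

class CardholderDataFilter(logging.Filter):
    """Scrub the rendered message before any handler writes it anywhere."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())
        record.args = ()
        return True

def filtered_message(msg: str, *args) -> str:
    """Run one record through the filter and return what a handler would see."""
    record = logging.LogRecord("payments", logging.INFO, __file__, 0, msg, args, None)
    CardholderDataFilter().filter(record)
    return record.getMessage()

# Constructed sample lines of the kind a careless application emits
SAMPLE_LINES = [
    "auth ok user=alice src=203.0.113.7 card=4111 1111 1111 1111",
    "auth fail user=bob src=198.51.100.9 password=hunter2 cvv=123",
    "order 1234567890123 shipped",           # 13 digits, not Luhn-valid: kept
]

if __name__ == "__main__":
    logger = logging.getLogger("payments")
    logger.addFilter(CardholderDataFilter())
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    for line in SAMPLE_LINES:
        logger.info(line)
```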

Secure Coding Practices - Makes Perfect
    Input Validation - Trust user input at your own peril.
        Regular Expressions
        Parameterized SQL Queries
        Javascript Validation is not enough
    Direct Object Reference - Do not expose sensitive files directly
    File Execution - Malicious File Execution usually = Complete System Compromise
    Custom Error Pages - Nipping attacks in the bud
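An added example (not from the slides or from we45) for the "Input Validation" and "Direct Object Reference" bullets: the concatenated query beside its parameterized form, a server-side allow-list check on the identifier that client-side JavaScript cannot replace, and an ownership condition inside the query itself. An in-memory sqlite3 table with constructed rows stands in for the real database; the invoice table, the id format and the user names are assumptions.

```python
import re
import sqlite3
from typing import Optional, Tuple

INVOICE_ID_RE = re.compile(r"[0-9]{1,10}")   # assumed identifier format

def setup_db() -> sqlite3.Connection:
    """In-memory stand-in for the application database (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE invoice (id INTEGER, owner TEXT, amount INTEGER);
        INSERT INTO invoice VALUES (1, 'alice', 100), (2, 'bob', 250);
    """)
    return db

def invoice_unsafe(db: sqlite3.Connection, invoice_id: str) -> list:
    """The 'before': the request parameter is pasted into the SQL text, so
    the parameter can rewrite the WHERE clause."""
    sql = "SELECT id, owner, amount FROM invoice WHERE id = " + invoice_id
    return db.execute(sql).fetchall()

def invoice_parameterized(db: sqlite3.Connection, invoice_id: str) -> list:
    """Placeholder binding: the driver sends the value separately from the
    statement, so whatever it contains is compared as data, never parsed."""
    sql = "SELECT id, owner, amount FROM invoice WHERE id = ?"
    return db.execute(sql, (invoice_id,)).fetchall()

def is_valid_invoice_id(raw: str) -> bool:
    """Server-side allow-list check. Client-side JavaScript validation is a
    usability aid; a request built outside the browser skips it entirely."""
    return INVOICE_ID_RE.fullmatch(raw) is not None

def invoice_for_user(db: sqlite3.Connection, current_user: str,
                     raw_id: str) -> Optional[Tuple[int, str, int]]:
    """Validate, bind, and then enforce ownership, so a user who edits the
    id in the URL (direct object reference) still sees only their own row."""
    if not is_valid_invoice_id(raw_id):
        raise ValueError("invalid invoice id")
    rows = db.execute(
        "SELECT id, owner, amount FROM invoice WHERE id = ? AND owner = ?",
        (int(raw_id), current_user)).fetchall()
    return rows[0] if rows else None
```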

SDLC + Security = Strong Application
    Integration of Risk Management into the SDLC
        Identifying Critical Information Assets
        Threat and Impact Analysis
        Vulnerability Assessment
        Development of Security Controls - Detailed Security Requirements
    Developer Training and Awareness
    Management Representation and Drive

SDLC - 2
    Code Reviews for security should be incorporated into the SDLC
    Vulnerability Assessments + Penetration Testing - The Blind Parent Syndrome
    Change Management

Other Measures
    Deployment is not something you can forget.
    Involving Information Security
    Continuous Monitoring - Vulnerabilities in the underlying elements
    Going back to the drawing board if necessary

Thank you!!!

Questions??

    My blog: http://citadelnotes.blogspot.com
    Keep in touch: http://www.linkedin.com/in/abhaybhargav
    Email: abhay@we45.com, abhaybhargav@gmail.com
