Web Application Security for the Payment Card Industry
1. Web Application Security for the Payment Card Industry
Abhay Bhargav
Principal Consultant and CTO - The we45 Group
Tuesday, April 20, 2010
2. Who am I?
Application Security and Compliance Specialist
Performed over 50 security assessments across 18 countries.
Co-author of Secure Java for Web Application Development
Spoken at several events including the OWASP AppSec NYC 2008
Trainer and Workshop Lead for Security Training Workshops
My blog: http://citadelnotes.blogspot.com
4. Web Applications - A Growing Force
The growing footprint of Internet and Intranet Applications
Unprecedented Adoption of E-Commerce all over the world
Worldwide Internet Usage - 24.7% and growing at 362%
Increasing influence of the Internet in the interchange of commercial information
5. Web Applications - Trouble in Paradise
Network and OS Attacks are too much work
Sensitive Information is a mere browser attack away!
Application Developers are far from the promised land
Power of Free Expression - Internet - The Double Edged Sword
6. Who’s watching? And what does it mean?
Regulations are the driving force for security in Web Applications
PCI-DSS and PA-DSS
US State Laws modeled on Card Security
Fines, Penalties and Lawsuits - The Whole Nine Yards
Reputation drives Motivation
Forensics - The beginning of a long and arduous relationship
7. Some hard truths
Your users need to be protected against YOUR users
All data you handle is YOUR problem
A security breach can have a serious bearing on YOUR finances and reputation
Having the best OS Security and Network Security is just NOT enough
Ignorance != Innocence
8. What is the cure?
Authentication and Authorization
Application Crypto
Logging and Log Management
Secure Coding Practices
SDLC
Other Best Practices
9. Authentication and Authorization - A foot in the door
Flawed authentication systems - One of the top causes for Web Application attacks
Lack of Clarity for Role Based Access Control - Access Control Matrix
Authorization issues
  Client Side Syndrome - Over-reliance on Javascript
  Improper Authorization system - server side
10. Authentication and Authorization - 2
Password Management
  Password Storage
    Hardcoding
    Password encryption = null
  Password Transmission
Sessions
  The Guessing Game
  Session Handlers
11. Application Crypto - Scrambled Eggs
Store if you must, Protect if you store
Crypto - Something that can go horribly wrong
No “Home-Grown” Crypto
Key Management - An oft-forgotten aspect of cryptography
12. Application Logs - Are you watching closely?
Logs are not unnecessary overhead. They could save your life
Logs should capture pertinent details
Sensitive Information should not be logged
Exceptions and Errors should be logged
Administrative users are not above the law
13. Secure Coding Practices - Makes Perfect
Input Validation - Trust user input at your own peril.
  Regular Expressions
  Parameterized SQL Queries
  Javascript Validation is not enough
Direct Object Reference - Do not expose sensitive files directly
File Execution - Malicious File Execution usually = Complete System Compromise
Custom Error Pages - Nipping attacks at the bud
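As an added example (not from the talk), the two server-side habits on this slide side by side in Python: an allowlist regular expression applied on the server regardless of any Javascript check, and a parameterized query instead of string concatenation. The customer table, names and the `last4` column are constructed for the example.

```python
import re
import sqlite3

# Constructed in-memory table standing in for a merchant's customer store
# (sample data, not from the original talk). Only the last four card digits
# are kept, which is the usual PCI-DSS practice for display purposes.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (id, username, last4) VALUES (?, ?, ?)",
        [(1, "alice", "4242"), (2, "bob", "1881"), (3, "carol", "0005")],
    )
    conn.commit()
    return conn

# Allowlist: a username is 3 to 32 lowercase letters, digits, dots or underscores.
USERNAME_RE = re.compile(r"[a-z0-9._]{3,32}")

def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # 'Before' form: untrusted input is pasted into the SQL text, so a quote
    # in the input changes the query's meaning.
    sql = f"SELECT id, username, last4 FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Validate on the server first: anything outside the allowlist is rejected,
    # whatever client-side Javascript may or may not have checked.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    # Parameterized query: the driver binds the value separately from the
    # statement, so it can never be interpreted as SQL syntax.
    sql = "SELECT id, username, last4 FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

if __name__ == "__main__":
    conn = build_db()
    crafted = "x' OR '1'='1"
    print(lookup_unsafe(conn, crafted))      # every row comes back
    try:
        lookup_safe(conn, crafted)
    except ValueError as exc:
        print("rejected:", exc)              # never reaches the database
    print(lookup_safe(conn, "alice"))        # [(1, 'alice', '4242')]
```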
14. SDLC + Security = Strong Application
Integration of Risk Management into the SDLC
  Identifying Critical Information Assets
  Threat and Impact Analysis
  Vulnerability Assessment
Development of Security Controls - Detailed Security Requirements
Developer Training and Awareness
Management Representation and Drive
15. SDLC - 2
Code Reviews for security should be incorporated into the SDLC
Vulnerability Assessments + Penetration Testing - The Blind Parent Syndrome
Change Management
16. Other Measures
Deployment is not something you can forget.
Involving Information Security
Continuous Monitoring - Vulnerabilities in the underlying elements
Going back to the drawing board if necessary
17. Thank you!!!
Questions??
My blog: http://citadelnotes.blogspot.com
Keep in touch: http://www.linkedin.com/in/abhaybhargav
Email: abhay@we45.com, abhaybhargav@gmail.com