Web Application Security for the Payment Card Industry
Abhay Bhargav's talk at the BT-Summit 09 on "Web Application Security for the Payment Card Industry"
Presentation Transcript

  • Web Application Security for the Payment Card Industry
    Abhay Bhargav, Principal Consultant and CTO - The we45 Group
    Tuesday, April 20, 2010
  • Who am I?
    - Application Security and Compliance Specialist
    - Performed over 50 security assessments across 18 countries
    - Co-author of Secure Java for Web Application Development
    - Spoken at several events, including OWASP AppSec NYC 2008
    - Trainer and Workshop Lead for Security Training Workshops
    - My blog: http://citadelnotes.blogspot.com
  • Why am I here?
  • Web Applications - A Growing Force
    - The growing footprint of Internet and intranet applications
    - Unprecedented adoption of e-commerce all over the world
    - Worldwide Internet usage - 24.7%, and growing at 362%
    - Increasing influence of the Internet in the interchange of commercial information
  • Web Applications - Trouble in Paradise
    - Network and OS attacks are too much work for the attacker
    - Sensitive information is a mere browser attack away!
    - Application developers are far from the promised land
    - Power of free expression - the Internet is a double-edged sword
  • Who's watching? And what does it mean?
    - Regulations are the driving force for security in web applications
    - PCI DSS and PA-DSS
    - US state laws modeled on card security
    - Fines, penalties and lawsuits - the whole nine yards
    - Reputation drives motivation
    - Forensics - the beginning of a long and arduous relationship
  • Some hard truths
    - Your users need to be protected against YOUR users
    - All data you handle is YOUR problem
    - A security breach can have a serious bearing on YOUR finances and reputation
    - Having the best OS security and network security is just NOT enough
    - Ignorance != Innocence
  • What is the cure?
    - Authentication and authorization
    - Application crypto
    - Logging and log management
    - Secure coding practices
    - SDLC
    - Other best practices
  • Authentication and Authorization - A foot in the door
    - Flawed authentication systems - one of the top causes of web application attacks
    - Lack of clarity in role-based access control - no defined access control matrix
    - Authorization issues:
      - Client-side syndrome - over-reliance on JavaScript for access decisions
      - Improper authorization on the server side
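The server-side check the slide calls for, written as an added example (this is not code from the talk or from we45): an explicit access control matrix keyed by role, consulted on every request, with per-object actions checked against the owner recorded on the server rather than anything the client sent. Roles, resources, the order store and the user ids are constructed for this example.

```python
# Added example (not from the talk): server-side authorization driven by an
# explicit access control matrix. Hiding a button with JavaScript is not
# authorization; every request is checked here, on the server, against the
# matrix and, for per-object actions, against the object's stored owner.
from dataclasses import dataclass

# Constructed access control matrix: role -> permitted (resource, verb, scope).
# scope "own" means only objects the user owns; "any" means every object.
# Anything not listed is denied, including unknown roles.
ACCESS_MATRIX = {
    "customer": {("order", "read", "own"), ("profile", "read", "own"),
                 ("profile", "update", "own")},
    "support":  {("order", "read", "any"), ("profile", "read", "any")},
    "admin":    {("order", "read", "any"), ("order", "refund", "any"),
                 ("profile", "read", "any"), ("profile", "update", "any"),
                 ("user", "set_role", "any")},
}

# Constructed sample data (hypothetical order store).
ORDERS = {
    1001: {"owner": 7, "total": 49.99, "pan_last4": "4242"},
    1002: {"owner": 8, "total": 120.00, "pan_last4": "1111"},
}


@dataclass(frozen=True)
class User:
    user_id: int
    role: str


class Forbidden(Exception):
    """Raised when the access control matrix denies the action."""


def is_permitted(user, resource, verb, owner_id=None):
    """Decide purely from the matrix; callers never get to override this."""
    perms = ACCESS_MATRIX.get(user.role, frozenset())   # unknown role -> nothing
    if (resource, verb, "any") in perms:
        return True
    if (resource, verb, "own") in perms:
        return owner_id is not None and owner_id == user.user_id
    return False


def get_order(user, order_id):
    """Read an order; the check uses the *stored* owner, not a value
    supplied by the client alongside the request."""
    order = ORDERS.get(order_id)
    # Same failure for "does not exist" and "not yours": an attacker
    # enumerating ids learns nothing about which ids are valid.
    if order is None or not is_permitted(user, "order", "read", order["owner"]):
        raise Forbidden("order %s" % order_id)
    return order


def refund_order(user, order_id):
    """A non-ownership action: only roles with ("order", "refund", "any")."""
    order = ORDERS.get(order_id)
    if order is None or not is_permitted(user, "order", "refund", order["owner"]):
        raise Forbidden("refund %s" % order_id)
    order["refunded"] = True
    return order


def can_read_order(user, order_id):
    """Boolean form of get_order for callers that only need a yes/no."""
    try:
        get_order(user, order_id)
        return True
    except Forbidden:
        return False
```

The matrix is the "access control matrix" the slide asks for: when a new role or action is added, the decision lives in one table rather than scattered `if role == "admin"` checks, and the denial for a missing object and for someone else's object is the same, so id enumeration reveals nothing.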
  • Authentication and Authorization - 2
    - Password management:
      - Password storage
      - Hardcoded passwords
      - Password "encryption" = null (passwords stored in the clear)
      - Password transmission
    - Sessions:
      - The guessing game (predictable session identifiers)
      - Session handlers
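Two of the failures on this slide, "encryption = null" password storage and guessable session identifiers, with their fixes, as an added example (not code from the talk): passwords are stored as a salted, iterated PBKDF2-HMAC-SHA256 hash and verified in constant time; session ids come from the OS CSPRNG and are rotated on login. The iteration count and the in-memory session store are assumptions for the example.

```python
# Added example (not from the talk): password storage with a salted, iterated
# hash, and session identifiers drawn from the OS CSPRNG. Standard library only.
import base64
import hashlib
import hmac
import os
import secrets

# Assumption: iteration count tuned so one hash costs roughly 0.1 s on your
# servers; raise it over time. It is stored with the hash, so records written
# under an older count still verify after you raise it.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$digest' (salt and digest base64).
    A fresh 16-byte random salt per user defeats precomputed tables and makes
    identical passwords produce different records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time,
    so response timing does not leak how many leading bytes matched."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     salt, int(iterations))
    except (ValueError, TypeError):
        return False            # malformed record: never "accidentally" valid
    return hmac.compare_digest(actual, expected)


# --- Sessions -------------------------------------------------------------
# Constructed in-memory store: session id -> user id. A real deployment adds
# expiry and a shared server-side store; the point here is the id itself.
SESSION_ID_BYTES = 32            # 256 bits of entropy: not guessable
_SESSIONS = {}


def create_session(user_id: int) -> str:
    # secrets (not random) is backed by the OS CSPRNG. A counter, a timestamp
    # or a PRNG seeded from the clock is "the guessing game".
    sid = secrets.token_urlsafe(SESSION_ID_BYTES)
    _SESSIONS[sid] = user_id
    return sid


def user_for_session(sid: str):
    """Look up the session; unknown or malformed ids simply return None."""
    return _SESSIONS.get(sid)


def rotate_session(old_sid: str):
    """Issue a fresh id after login or any privilege change, so an id an
    attacker planted before authentication (session fixation) is worthless."""
    user_id = _SESSIONS.pop(old_sid, None)
    if user_id is None:
        return None
    return create_session(user_id)


def end_session(sid: str) -> None:
    """Logout must invalidate server-side; deleting the cookie is not enough."""
    _SESSIONS.pop(sid, None)
```

The stored string carries the algorithm name and iteration count, which is what makes "password transmission" and "password storage" upgrades possible later without a forced reset. A hardcoded database password in the same codebase would undo all of this; it belongs in configuration loaded at start-up, not in source.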
  • Application Crypto - Scrambled Eggs
    - Store if you must, protect if you store
    - Crypto - something that can go horribly wrong
    - No "home-grown" crypto
    - Key management - an oft-forgotten aspect of cryptography
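"Store if you must, protect if you store" applied to the card number, as an added example (not code from the talk): the database row keeps a masked PAN for display and a keyed-hash token (HMAC-SHA256, a standard construction rather than home-grown crypto) for lookups, and the key comes from the environment with a key id so it can be rotated. The environment variable names and the key format are assumptions for this example.

```python
# Added example (not from the talk): keep a masked PAN and a keyed-hash token
# instead of the PAN itself; key material lives outside the code and carries
# an id so old tokens survive a key rotation. Standard library only.
import hashlib
import hmac
import os
import re

PAN_RE = re.compile(r"\d{13,19}")


def load_token_key(env=None):
    """Key material from the environment. Assumption: in production the
    variables are populated from a KMS/HSM or vault at start-up and never
    committed to source control. CARD_TOKEN_KEY is hex; CARD_TOKEN_KEY_ID
    names the key so tokens made under an old key can still be verified."""
    env = os.environ if env is None else env
    key_hex = env.get("CARD_TOKEN_KEY")
    key_id = env.get("CARD_TOKEN_KEY_ID", "k1")
    if not key_hex:
        raise RuntimeError("CARD_TOKEN_KEY is not set; refusing to start")
    key = bytes.fromhex(key_hex)
    if len(key) < 32:
        raise ValueError("token key must be at least 256 bits")
    return key_id, key


def normalize_pan(pan: str) -> str:
    digits = pan.replace(" ", "").replace("-", "")
    if not PAN_RE.fullmatch(digits):
        raise ValueError("not a PAN")
    return digits


def is_pan(pan: str) -> bool:
    try:
        normalize_pan(pan)
        return True
    except ValueError:
        return False


def mask_pan(pan: str) -> str:
    """First six and last four are the most PCI DSS permits to display."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenize_pan(pan: str, key_id: str, key: bytes) -> dict:
    """What the database row should hold instead of the PAN."""
    digits = normalize_pan(pan)
    tag = hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()
    return {"token": "%s:%s" % (key_id, tag), "masked": mask_pan(digits)}


def pan_matches_token(pan: str, token: str, keys: dict) -> bool:
    """keys: key_id -> key bytes, holding the current and retired keys so a
    rotation does not invalidate stored tokens. Constant-time compare."""
    key_id, _, tag = token.partition(":")
    key = keys.get(key_id)
    if key is None:
        return False
    digits = normalize_pan(pan)
    expected = hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)
```

Two caveats a practitioner should keep in mind. A PAN has little entropy (a known BIN leaves about ten digits to guess), so this token is only as strong as the secrecy of the key: an attacker who gets both the table and the key can brute-force every PAN, which is why the key must never sit beside the data. And the token is one-way; if the business genuinely needs the PAN back (recurring billing, for instance), that calls for a vetted encryption library or a tokenization service with its own key management, not an HMAC.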
  • Application Logs - Are you watching closely?
    - Logs are not unnecessary overhead; they could save your life
    - Logs should capture pertinent details
    - Sensitive information should not be logged
    - Exceptions and errors should be logged
    - Administrative users are not above the law
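The three logging rules on this slide in one place, as an added example (not code from the talk): a `logging` filter that masks card numbers before any handler writes them (using a Luhn check so order numbers are left alone), an audit helper that records administrative actions with actor, action and target, and a `charge()` routine that logs an exception with its traceback but without the PAN. The log lines, the in-memory handler and the function names are constructed for this example.

```python
# Added example (not from the talk): a logging filter that redacts card
# numbers before anything is written, plus an audit helper so admin actions
# and exceptions land in the log with the details an investigator needs.
# Sample log lines below are constructed for this example.
import logging
import re

# Digit runs of 13-19 with optional single spaces/dashes between digits.
CANDIDATE_RE = re.compile(r"(?<![\d])\d(?:[ -]?\d){12,18}(?![\d])")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used so order numbers and timestamps are not masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> str:
    """Replace anything that looks like a PAN with all but the last four masked.
    Logs get less than the first-six/last-four PCI DSS allows on screens: a
    log file is copied around far more than a checkout page."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        return "*" * (len(digits) - 4) + digits[-4:]
    return CANDIDATE_RE.sub(repl, text)


class PanRedactingFilter(logging.Filter):
    """Attach to every handler; works on the fully formatted message so PANs
    passed via %-args are caught too."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_pans(record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Collects formatted records in memory so the example runs offline."""
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def build_logger(name="payments"):
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.handlers.clear()
    logger.propagate = False
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(PanRedactingFilter())
    logger.addHandler(handler)
    return logger, handler


def audit(logger, actor, action, target, **details):
    """Administrative actions are logged like any other: who, what, on what."""
    extra = " ".join("%s=%s" % kv for kv in sorted(details.items()))
    logger.info("audit actor=%s action=%s target=%s %s", actor, action, target, extra)


def charge(logger, pan, amount):
    """Logs the exception with its traceback; the filter keeps the PAN out."""
    try:
        if amount <= 0:
            raise ValueError("amount must be positive")
        logger.info("charge ok pan=%s amount=%.2f", pan, amount)
        return True
    except ValueError:
        logger.exception("charge failed pan=%s amount=%.2f", pan, amount)
        return False
```

The filter sits on the handler rather than relying on every call site to remember to mask, which is the only arrangement that survives the next developer's debug statement. It is a safety net, not a licence to pass PANs around in log arguments; the masked form should be what reaches the logger in the first place.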
  • Secure Coding Practices - Makes Perfect
    - Input validation - trust user input at your own peril:
      - Regular expressions
      - Parameterized SQL queries
      - JavaScript validation is not enough
    - Direct object references - do not expose sensitive files directly
    - File execution - malicious file execution usually = complete system compromise
    - Custom error pages - nipping attacks in the bud
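The first two coding practices on this slide side by side, as an added example (not code from the talk): a deliberately vulnerable string-built query next to its parameterized form, an allow-list regular expression for the e-mail field, and a statement download that exposes only an opaque id, resolves it to a file on the server after an ownership check, and refuses any path that escapes the statement directory. The table, rows, ids, directory and file names are constructed for this example.

```python
# Added example (not from the talk): the injection the slide warns about and
# its parameterized fix, allow-list input validation, and file access by
# opaque id confined to a server-side directory. Standard library only.
import os
import re
import sqlite3


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, pan_last4 TEXT)")
    conn.executemany("INSERT INTO customers (email, pan_last4) VALUES (?, ?)",
                     [("alice@example.com", "4242"), ("bob@example.com", "1111")])
    return conn


def find_customer_vulnerable(conn, email):
    """The 'before': user input pasted into SQL. Kept deliberately broken."""
    sql = "SELECT id, email, pan_last4 FROM customers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def find_customer(conn, email):
    """Parameterized: the driver sends the value separately from the statement,
    so quotes in the input can never change the query's structure."""
    return conn.execute(
        "SELECT id, email, pan_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Allow-list validation: state what is acceptable, not what is forbidden.
# This runs on the server whether or not the browser already checked it.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}")


def valid_email(s: str) -> bool:
    return len(s) <= 254 and EMAIL_RE.fullmatch(s) is not None


# --- Indirect object references ------------------------------------------
# Assumption: statements live under one directory on the server; the client
# only ever sees an opaque id, never a file name or path.
STATEMENT_DIR = "/var/app/statements"
STATEMENTS = {  # id -> (owner customer id, file name); constructed data
    "st-7f3a": (1, "2010-03-alice.pdf"),
    "st-9c21": (2, "2010-03-bob.pdf"),
}


def confine(base_dir: str, name: str) -> str:
    """Join and normalize, then refuse anything that escaped base_dir.
    Assumption: base_dir contains no symlinks pointing outside itself."""
    base = base_dir.rstrip(os.sep) + os.sep
    path = os.path.normpath(os.path.join(base_dir, name))
    if not path.startswith(base):
        raise PermissionError("path escapes statement directory")
    return path


def escapes(base_dir: str, name: str) -> bool:
    try:
        confine(base_dir, name)
        return False
    except PermissionError:
        return True


def statement_path(customer_id: int, statement_id: str) -> str:
    """Resolve an id to a path only if the caller owns it."""
    entry = STATEMENTS.get(statement_id)
    if entry is None or entry[0] != customer_id:
        raise PermissionError("no such statement")      # same answer either way
    return confine(STATEMENT_DIR, entry[1])


def can_access_statement(customer_id: int, statement_id: str) -> bool:
    try:
        statement_path(customer_id, statement_id)
        return True
    except PermissionError:
        return False
```

Note that `confine()` is a second line of defence: the file name comes from the server's own table, not from the request, so the path check should never fire. Keeping it costs nothing and catches the day someone lets a user-supplied name into that table.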
  • SDLC + Security = Strong Application
    - Integration of risk management into the SDLC
    - Identifying critical information assets
    - Threat and impact analysis
    - Vulnerability assessment
    - Development of security controls - detailed security requirements
    - Developer training and awareness
    - Management representation and drive
  • SDLC - 2
    - Code reviews for security should be incorporated into the SDLC
    - Vulnerability assessments + penetration testing - the blind parent syndrome
    - Change management
  • Other Measures
    - Deployment is not something you can forget
    - Involving information security
    - Continuous monitoring - vulnerabilities in the underlying elements
    - Going back to the drawing board if necessary
  • Thank you!!! Questions??
    My blog: http://citadelnotes.blogspot.com
    Keep in touch: http://www.linkedin.com/in/abhaybhargav
    Email: abhay@we45.com, abhaybhargav@gmail.com