Iasi Code Camp, 12 October 2013. Ana Tudosa - Challenges in implementing and certifying an online payment application
 

Presentation Transcript

    • Challenges in implementing and certifying an online payment application. October 2013. Ana Tudosa, Java Senior Developer
    • Why Do We Care About Security? AN INTRODUCTION HERE HELP!!!!
    • How Hard Is It To Compromise? The majority of the attacks are very easy to execute: 78% of the attacks required Low or Very Low difficulty to execute. Source: Verizon Data Breach Investigations Report 2013
    • Some Hacker Profiling: variety and origin of external attackers. Source: Verizon Data Breach Investigations Report 2013
    • Some Hacker Profiling: variety of internal attackers. Hey, developers are pretty honest compared to upper management and system administrators. Source: Verizon Data Breach Investigations Report 2013
    • What is Being Compromised? Most commonly applications. Source: Post Breach Boom, Ponemon Institute 2013
    • How Did It Occur? SQL injection is the most common form of successful attack. Source: Post Breach Boom, Ponemon Institute 2013
    • Types of Breaches. In order to protect your application you need to understand WHO, WHY and HOW:
      - APT
      - Opportunistic breach
      - Hacktivist breach
      - Self-inflicted breach
    • Night Dragon. Source: Global energy cyber attacks, “Night Dragon”, McAfee, 2011
    • The Hacktivist Breach
    • Cost Of a Data Breach (Source: Cost of A Data Breach: Global Analysis, Ponemon Institute 2013):
      - Detection and Escalation: $395,262.00
      - Notification: $565,020.00
      - Ex-Post Response: $1,412,548.00
      - Lost Business: $3,030,814.00
    • What is PCI-DSS? Payment Card Industry Data Security Standard
      - Enforced by all the credit card companies around the globe
      - These companies created the PCI Council
      - Its purpose is to protect the customer’s data
      - The merchant is most often the weakest link. Why?
    • WHO Needs It? PCI security standards & compliance: an ecosystem of payment devices, applications, infrastructure and users
      - Manufacturers: PCI PTS (PIN Transaction Security)
      - Software developers: PCI PA-DSS (Payment Application vendors)
      - Merchants & processors: PCI DSS (Data Security Standard)
    • What Does It Mean To Adhere To The Standard? Realize that it refers to the entire organization:
      - IT infrastructure & management
      - How you store data (in particular CC data)
      - Security procedures
      - How you limit access to CC data
      - How you log everything
      - How strong your application is (security wise)
      - What the level of physical security is
      - Tons of documents you need to produce
      PCI does not allow different styles of compliancy: 100% compliant, less is not acceptable
    • PCI data elements
      - Cardholder data: PAN (primary account number), expiration date, card holder name
      - Sensitive authentication data: track data, CAV/CVV/CVC/CID, PIN
    • OWASP. Whenever you get some sort of feedback from either QA or a security audit you will be referred to OWASP (Open Web Application Security Project)
      - Not-for-profit organization
      - Focused on providing application security
      - Technology agnostic
      - They produce the “Top ten most critical web application security risks”
      - Not the only one, there are others like Microsoft SDL
    • OWASP top 10 (Source: OWASP Top 10, 2013)
      - A1: Injection
      - A2: Broken authentication and session management
      - A3: Cross site scripting (XSS)
      - A4: Insecure direct object references
      - A5: Security misconfiguration
      - A6: Sensitive data exposure
      - A7: Missing function level access control
      - A8: Cross-site request forgery (CSRF)
      - A9: Using known vulnerable components
      - A10: Unvalidated redirects and forwards
    • JSF Components. We implemented our own set of JSF components. The requirements were:
      - Single way to present the UI
      - Highly customizable
      It came in handy when implementing protection against the top 10 security threats: escaping, URL encoding, validation, challenge codes
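The slide above says the custom JSF component set was the place where escaping, URL encoding and validation were centralised. The following is an added illustration written for this page, not code from the talk or from the speaker's product: a small helper class showing the three controls side by side (HTML entity escaping for output, percent-encoding for query-string values, and whitelist validation wired into a JSF `Validator`). The class and method names, the amount format and the `amountValidator` id are assumptions.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.regex.Pattern;
import javax.faces.application.FacesMessage;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.validator.FacesValidator;
import javax.faces.validator.Validator;
import javax.faces.validator.ValidatorException;

/** Output-encoding and validation helpers a custom JSF component set can share (hypothetical names). */
public final class SafeOutput {
    private SafeOutput() {}

    /** Escape text for HTML element content and quoted attribute values (A3: XSS). */
    public static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Percent-encode one query-string value so '&', '=', '/' and spaces cannot change the URL structure. */
    public static String encodeUrlParam(String s) {
        try {
            return URLEncoder.encode(s == null ? "" : s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always available on a JVM
        }
    }

    /** Whitelist validation: an amount is 1 to 9 digits with an optional two-digit fraction (assumed format). */
    private static final Pattern AMOUNT = Pattern.compile("\\d{1,9}(\\.\\d{2})?");

    public static boolean isValidAmount(String s) {
        return s != null && AMOUNT.matcher(s).matches();
    }

    /** JSF validator built on the whitelist; usable as <f:validator validatorId="amountValidator"/>. */
    @FacesValidator("amountValidator")
    public static final class AmountValidator implements Validator {
        @Override
        public void validate(FacesContext ctx, UIComponent comp, Object value) throws ValidatorException {
            if (!isValidAmount(value == null ? null : value.toString())) {
                throw new ValidatorException(new FacesMessage(FacesMessage.SEVERITY_ERROR,
                        "Invalid amount", "Expected digits with an optional two-digit fraction"));
            }
        }
    }

    public static void main(String[] args) {
        String untrusted = "<script>alert(1)</script>";          // constructed sample input
        System.out.println(escapeHtml(untrusted));                // rendered inert as text
        System.out.println("/pay?ref=" + encodeUrlParam("ord 1&admin=true"));
        System.out.println(isValidAmount("12.50") + " " + isValidAmount("12.5;--"));
    }
}
```

The point of putting these into the component renderers rather than into each page is the one the slide makes: a single presentation path means every output goes through `escapeHtml` and every link parameter through `encodeUrlParam`, so a developer cannot forget either on an individual page.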
    • A2: Broken authentication and session management. Method: application functions related to authentication and session management are often not implemented correctly. Risk:
      - Compromise passwords, keys, session tokens
      - Assume other users’ identities
      - Unauthorized access to the application
    • A2: Broken authentication and session management. Solution:
      - Session cookies secured and HttpOnly
      - No session ID in URLs
      - Session timeouts and maximum session TTL
      - Create a new session after login
      - Challenge codes
      - Use password hashing (with salt)
      - Use strong encryption algorithms for sensitive data
      - Login from an encrypted page
      - Don’t re-invent the wheel (use existing session management)
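Most of the A2 solution list above maps onto standard Servlet API and JCE calls. The following is an added example, not code from the talk or the speaker's product, showing how those bullets look in a Servlet 3.0+ container: Secure and HttpOnly session cookies with cookie-only tracking (no session ID in URLs), a fresh session created after login with an idle timeout and an absolute TTL, and salted PBKDF2 password hashing. The class name, the timeout and iteration values, and the `userId`/`createdAt` attribute names are assumptions.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.EnumSet;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public final class SessionHardening {
    private static final int IDLE_TIMEOUT_SECONDS = 15 * 60;               // assumed policy values
    private static final long MAX_SESSION_TTL_MILLIS = 8L * 60 * 60 * 1000;
    private static final int PBKDF2_ITERATIONS = 100_000;
    private static final SecureRandom RNG = new SecureRandom();

    /** Container-wide: Secure + HttpOnly session cookie, and cookie-only tracking so no session ID ever lands in a URL. */
    @WebListener
    public static final class CookieSetup implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent sce) {
            ServletContext ctx = sce.getServletContext();
            SessionCookieConfig cookie = ctx.getSessionCookieConfig();
            cookie.setHttpOnly(true);
            cookie.setSecure(true);
            ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        }
        @Override
        public void contextDestroyed(ServletContextEvent sce) { }
    }

    /** Call only after credentials were verified: the pre-login session is discarded and a new one started. */
    public static HttpSession establishAuthenticatedSession(HttpServletRequest req, String userId) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();                     // a pre-login ID is never promoted to an authenticated one
        }
        HttpSession fresh = req.getSession(true);
        fresh.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);
        fresh.setAttribute("userId", userId);
        fresh.setAttribute("createdAt", System.currentTimeMillis());
        return fresh;
    }

    /** Absolute TTL, checked by a filter on each request; the idle timeout alone lets an active session live forever. */
    public static boolean exceededMaxTtl(HttpSession session) {
        Long createdAt = (Long) session.getAttribute("createdAt");
        return createdAt == null || System.currentTimeMillis() - createdAt > MAX_SESSION_TTL_MILLIS;
    }

    /** Salted PBKDF2-HMAC-SHA256; stored form is "iterations:salt:hash" with Base64 fields. */
    public static String hashPassword(char[] password) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);                                    // per-user random salt
        byte[] hash = pbkdf2(password, salt, PBKDF2_ITERATIONS);
        Base64.Encoder b64 = Base64.getEncoder();
        return PBKDF2_ITERATIONS + ":" + b64.encodeToString(salt) + ":" + b64.encodeToString(hash);
    }

    public static boolean verifyPassword(char[] password, String stored) throws Exception {
        String[] parts = stored.split(":");
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = pbkdf2(password, salt, iterations);
        return MessageDigest.isEqual(expected, actual);         // constant-time comparison
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();                               // drop the spec's copy of the password
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse battery staple".toCharArray();   // constructed sample
        String stored = hashPassword(pw);
        System.out.println(stored);
        System.out.println(verifyPassword(pw, stored));                    // true
        System.out.println(verifyPassword("wrong".toCharArray(), stored)); // false
        Arrays.fill(pw, '\0');                                             // caller clears the password
    }
}
```

Two of the bullets are deliberately left to the container, in the spirit of "don't re-invent the wheel": the session store itself and the cookie issuance come from the servlet engine, and the code above only configures them. Challenge codes are not shown because the slide does not describe how they were generated or checked.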
    • A2: Example: Tunisian Arab Spring
    • A5: Security misconfiguration. Method: exploit incorrect security configuration such as AS/DB server defaults. Risk:
      - Unauthorized access to some system data or functionality
      - Occasionally, such flaws result in a complete system compromise
      - Very generic, it can be anything
    • A5: Security misconfiguration. Solution:
      - AS hardening
      - Implementing new AS services for extended cryptographic capabilities
      - Keep dependencies up to date
      - Periodic scans/audits
      - A strong application architecture: tokenization
    • A5: Application Architecture: Tokenization. [Diagram: card data passes through a facade into the tokenization module; components shown are Tokenization, Encryption Engine, Clearing Datasets in Memory, and Connectors.]
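The tokenization diagram above and the earlier PCI data elements slide describe the same design goal: the PAN is the only cardholder datum that ever needs to be recovered, sensitive authentication data is never stored, and the rest of the application handles a token instead of the PAN. The following is an added example written for this page, not the speaker's module: a minimal tokenization facade that validates a PAN (Luhn check), encrypts it with AES-GCM under a vault key, returns a random token, and clears plaintext from memory once it is no longer needed; `maskPan` shows the truncated form (first six and last four digits) that may be displayed. The in-memory `ConcurrentHashMap` vault, the generated key, the class name and the test PAN 4111111111111111 are assumptions; a real deployment keeps the key in an HSM or offline-generated key store and the vault in a separately protected database.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Illustrative tokenization facade. Sensitive authentication data (CVV, track data, PIN) never enters this class. */
public final class TokenizationFacade {
    private static final SecureRandom RNG = new SecureRandom();
    private final SecretKey vaultKey;                                      // production: HSM / offline-generated key
    private final Map<String, byte[]> vault = new ConcurrentHashMap<>();   // token -> iv || ciphertext (stand-in for a DB)

    public TokenizationFacade(SecretKey vaultKey) { this.vaultKey = vaultKey; }

    /** Luhn check on a PAN held as char[] so it can be wiped afterwards. */
    public static boolean luhnValid(char[] pan) {
        int sum = 0;
        boolean dbl = false;
        for (int i = pan.length - 1; i >= 0; i--) {
            int d = pan[i] - '0';
            if (d < 0 || d > 9) return false;
            if (dbl) { d *= 2; if (d > 9) d -= 9; }
            sum += d;
            dbl = !dbl;
        }
        return pan.length >= 12 && pan.length <= 19 && sum % 10 == 0;
    }

    /** Display form: at most the first six and last four digits are shown, the rest is masked. */
    public static String maskPan(char[] pan) {
        StringBuilder sb = new StringBuilder(pan.length);
        for (int i = 0; i < pan.length; i++) sb.append(i < 6 || i >= pan.length - 4 ? pan[i] : '*');
        return sb.toString();
    }

    /** Encrypt the PAN under the vault key and hand back an unrelated random token. */
    public String tokenize(char[] pan) throws Exception {
        if (!luhnValid(pan)) throw new IllegalArgumentException("invalid PAN");
        byte[] tokenBytes = new byte[16];
        RNG.nextBytes(tokenBytes);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(tokenBytes);
        byte[] iv = new byte[12];
        RNG.nextBytes(iv);                                                  // fresh nonce per record
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, vaultKey, new GCMParameterSpec(128, iv));
        c.updateAAD(token.getBytes(StandardCharsets.US_ASCII));             // bind the ciphertext to its token
        byte[] plain = toBytes(pan);
        byte[] ct;
        try { ct = c.doFinal(plain); } finally { Arrays.fill(plain, (byte) 0); }   // clear plaintext copy
        byte[] record = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, record, 0, iv.length);
        System.arraycopy(ct, 0, record, iv.length, ct.length);
        vault.put(token, record);
        return token;
    }

    /** Recover the PAN; the caller owns the returned array and must wipe it after use. */
    public char[] detokenize(String token) throws Exception {
        byte[] record = vault.get(token);
        if (record == null) throw new IllegalArgumentException("unknown token");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, vaultKey, new GCMParameterSpec(128, Arrays.copyOfRange(record, 0, 12)));
        c.updateAAD(token.getBytes(StandardCharsets.US_ASCII));
        byte[] plain = c.doFinal(record, 12, record.length - 12);          // tag failure throws AEADBadTagException
        try { return toChars(plain); } finally { Arrays.fill(plain, (byte) 0); }
    }

    private static byte[] toBytes(char[] chars) {
        ByteBuffer bb = StandardCharsets.US_ASCII.encode(CharBuffer.wrap(chars));
        byte[] out = Arrays.copyOf(bb.array(), bb.limit());
        Arrays.fill(bb.array(), (byte) 0);
        return out;
    }

    private static char[] toChars(byte[] bytes) {
        CharBuffer cb = StandardCharsets.US_ASCII.decode(ByteBuffer.wrap(bytes));
        char[] out = Arrays.copyOf(cb.array(), cb.limit());
        Arrays.fill(cb.array(), (char) 0);
        return out;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);                                                       // needs unrestricted JCE policy on old JDKs
        TokenizationFacade facade = new TokenizationFacade(kg.generateKey());
        char[] pan = "4111111111111111".toCharArray();                       // constructed test PAN
        String token = facade.tokenize(pan);
        Arrays.fill(pan, '0');                                               // the PAN is gone once the token exists
        System.out.println("token=" + token);
        char[] back = facade.detokenize(token);
        System.out.println("display=" + maskPan(back));                     // 411111******1111
        Arrays.fill(back, '0');
    }
}
```

The design consequences match the architecture on the slides: only the module behind the facade ever sees a PAN in clear, the web tier, logs and reports work with the token or the masked form, and because the token is random rather than derived from the PAN, a leaked vault table without the key reveals nothing.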
    • A5: Application Architecture. [Diagram: un-trusted users reach, through a firewall, a web server in the DMZ running the Payment Application (web); the App Tier holds the application server running the Payment Application (core); the DB Tier holds the database; internal network users sit behind the firewall.]
    • A6: Sensitive data exposure. Method: exploit poorly protected sensitive data. This used to be the old A7 & A9 (A7: Insecure Cryptographic Storage; A9: Insufficient Transport Layer Protection). Risk:
      - Information leakage
      - Unauthorized access to sensitive data in transit
      - Network sniffing
    • A6: Sensitive data exposure. Solution:
      - Use existing strong encryption algorithms
      - Generate keys offline and store private keys with extreme care
      - Ensure that they are properly secured
      - Always use SSL 3.0/TLS 1.2 for sensitive data in transit
      - Protect communication between web servers and databases
      - Use certificates where applicable, even in internal networks
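The transport bullets above (TLS 1.2 for data in transit, protected links between tiers, certificates on internal networks) are what the web tier needs when it calls the core tier or the database in the architecture diagram. The following is an added example, not the speaker's code: a client-side `SSLContext` built from a trust store that holds only the internal CA, with the socket pinned to TLS 1.2, a short list of AEAD cipher suites, and hostname verification turned on so a certificate for the wrong internal host is refused. The trust store path, password, host name and port are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/** Illustrative TLS 1.2 client for web-tier to core-tier calls inside the internal network. */
public final class Tls12Client {
    private static final String[] PROTOCOLS = { "TLSv1.2" };
    private static final String[] CIPHER_SUITES = {
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
    };

    /** Trust only the certificates in the given store (e.g. the internal CA), not the JVM default bundle. */
    public static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            trust.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), null);      // no client key: server-authenticated TLS
        return ctx;
    }

    /** Open a socket that negotiates only TLS 1.2, only the listed suites, and checks the host name. */
    public static SSLSocket connect(SSLContext ctx, String host, int port) throws Exception {
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setProtocols(PROTOCOLS);
        params.setCipherSuites(CIPHER_SUITES);
        params.setEndpointIdentificationAlgorithm("HTTPS");   // certificate must match `host`
        socket.setSSLParameters(params);
        socket.startHandshake();                              // fails fast instead of on first write
        return socket;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextFromTrustStore("/etc/payment/internal-ca.jks",   // hypothetical path
                                               "changeit".toCharArray());        // hypothetical password
        try (SSLSocket s = connect(ctx, "payment-core.internal.example", 8443)) { // hypothetical endpoint
            System.out.println("negotiated " + s.getSession().getProtocol()
                               + " with " + s.getSession().getCipherSuite());
        }
    }
}
```

The same trust-store and parameter settings apply on the database link, but through the JDBC driver's own SSL properties rather than a raw socket, so that part is deliberately not shown here.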
    • And The Result: https://www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php?agree=true
    • Please fill in the evaluation form. Contact: ana.tudosa@mindcti.com