“security@ecommerce”
Where We Are?
Recent attacks on e-commerce sites showed the vulnerability: an intruder was able to make unauthorized calls to see and manipulate the data.
• Transaction system calls are open publicly.
• Some Web API calls are still on HTTP.
• The same username/password is used across multiple clients/channels.
• Most internal applications are open publicly.
Top 10 OWASP Security Guidelines
• A1 – Injection
• A2 – Broken Authentication and Session Management
• A3 – Cross-Site Scripting (XSS)
• A4 – Insecure Direct Object References
• A5 – Security Misconfiguration
• A6 – Sensitive Data Exposure
• A7 – Missing Function Level Access Control
• A8 – Cross-Site Request Forgery (CSRF)
• A9 – Using Components with Known Vulnerabilities
• A10 – Unvalidated Redirects and Forwards
A1 – Injection
How?
• SQL injection, LDAP query injection.
Impact
• Unintended commands are executed.
• Data can be accessed without proper authentication.
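The SQL injection case above, as an added example that is not part of the slide deck: a customer lookup written with string concatenation beside the same lookup written with a parameterized query. The table, rows and inputs are constructed for the demo; the tautology input is included only so the difference in behaviour is observable.

```python
"""Added example (not from the slides): SQL injection in a customer lookup,
the string-concatenation form beside the parameterized form."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: an in-memory SQLite table of shop customers.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, pw_hash) VALUES (?, ?)",
        [("alice@example.com", "h1"), ("bob@example.com", "h2")],
    )
    return conn


def find_customer_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # Untrusted input is spliced into the SQL text, so the input can change
    # the structure of the query rather than just the value being compared.
    sql = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def find_customer_safe(conn: sqlite3.Connection, email: str) -> list:
    # Parameterized query: the driver transmits the value separately from the
    # SQL text, so whatever the input contains it is only ever compared as data.
    return conn.execute(
        "SELECT id, email FROM customers WHERE email = ?", (email,)
    ).fetchall()


def demo() -> dict:
    """Row counts returned by both forms for a normal and a hostile input."""
    conn = make_db()
    normal = "alice@example.com"
    hostile = "' OR '1'='1"  # turns the WHERE clause into a tautology
    return {
        "vuln_normal": len(find_customer_vulnerable(conn, normal)),
        "vuln_hostile": len(find_customer_vulnerable(conn, hostile)),
        "safe_normal": len(find_customer_safe(conn, normal)),
        "safe_hostile": len(find_customer_safe(conn, hostile)),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable form returns every customer row for the hostile input; the parameterized form returns none, because the placeholder value never becomes part of the query text. The same separation of code and data is the fix for LDAP filters: build them with the directory library's escaping functions rather than by concatenation.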
A2 – Broken Authentication & Session Management
How?
• Authentication and session management are not implemented properly.
Impact
• Attackers assume user identities and gain access.
• Attackers get hold of passwords, tokens, session keys.
A3 – Cross-Site Scripting
How?
• The application takes untrusted data and sends it to a web browser without proper validation or escaping.
Impact
• Hijack user sessions.
• Redirect users to malicious sites.
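The escaping point above, as an added example that is not part of the slide deck: a product-review snippet rendered once by reflecting the input directly and once with context-appropriate output encoding (HTML body text versus an inline JavaScript string). The review text and function names are constructed for the demo.

```python
"""Added example (not from the slides): output encoding for untrusted data
in two browser contexts, beside the unencoded rendering that causes XSS."""
import html
import json


def render_unsafe(name: str, comment: str) -> str:
    # Reflects untrusted input straight into the page; the browser interprets
    # any markup in it as part of the document.
    return f"<p class='review'><b>{name}</b>: {comment}</p>"


def render_safe(name: str, comment: str) -> str:
    # html.escape(quote=True) encodes & < > " ' so the input is displayed as
    # text and cannot open a tag or break out of an attribute value.
    safe_name = html.escape(name, quote=True)
    safe_comment = html.escape(comment, quote=True)
    return f"<p class='review'><b>{safe_name}</b>: {safe_comment}</p>"


def js_string_literal(value: str) -> str:
    # Data placed inside an inline <script> needs JavaScript encoding, not HTML
    # encoding: JSON-encode, then additionally escape < > & (so "</script>" can
    # never terminate the block) and the U+2028/2029 line separators.
    encoded = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        encoded = encoded.replace(ch, esc)
    return encoded


def contains_tag(rendered: str, tag: str = "<script") -> bool:
    """True if the rendered output still contains a live tag (case-insensitive)."""
    return tag in rendered.lower()


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"  # constructed test input
    print(render_unsafe("guest", payload))
    print(render_safe("guest", payload))
    print(f"var review = {js_string_literal('</script><script>x()')};")
```

The encoding has to match the context the data lands in: HTML-escaping a value and then dropping it into a `<script>` block, or into a URL or CSS value, does not protect it, which is why frameworks offer separate helpers for each context.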
A4 – Insecure Direct Object References
How?
• Developers expose internal references to files, XML objects, DB keys.
Impact
• Attackers can manipulate these references to access unauthorized data.
A5 – Security Misconfiguration
How?
• Web servers and DB servers do not implement adequate security policies.
Impact
• Unable to trace the origin of a command.
• Cannot have good control to
A6 – Sensitive Data Exposure
How?
• Hashing and encryption techniques are not adequate when storing payment info such as passwords, CC, etc.
• Payment info is transmitted in plain text.
Impact
• An intruder can get access to payment info and thereby cause brand damage.
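The "hashing not adequate" point above, as an added example that is not part of the slide deck: a fast unsalted digest (what inadequate looks like) beside salted, iterated PBKDF2-HMAC-SHA256 with a constant-time verify, plus a helper that masks a card number down to the first six and last four digits before it is displayed or logged. The storage format string, the iteration default (600,000, the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256) and the sample values are constructed for the demo.

```python
"""Added example (not from the slides): password storage and card-number
masking, beside the unsalted fast hash that should not be used."""
import hashlib
import hmac
import secrets


def insecure_store(password: str) -> str:
    # Inadequate: unsalted, single-pass, fast digest. Equal passwords give equal
    # hashes and a leaked table can be attacked offline at hardware speed.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = 600_000) -> str:
    # Per-user random salt from the OS CSPRNG; iterations make each guess slow.
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record so the parameters can be raised later without a
    # schema change: algorithm$iterations$salt$hash (constructed format).
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
        # Constant-time comparison: a plain == leaks how many bytes matched.
        return hmac.compare_digest(dk.hex(), hash_hex)
    except ValueError:
        # Malformed record (wrong field count, bad hex, bad int): treat as no match.
        return False


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the usual display rule for card numbers."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("not a plausible card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))
    print(mask_pan("4111 1111 1111 1111"))  # constructed test number
```

Card data itself should not be hashed like a password: it goes to the payment gateway over TLS and only the gateway's token and the masked form are kept on the shop's side, which also addresses the plain-text transmission bullet.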
A7 – Missing Function Level Access Control
How?
• Function-level access checks are absent on the server at the time of the request.
• Attackers forge requests.
Impact
• Unauthorized access.
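Both the A4 (direct object reference) and A7 (function-level access) slides come down to the same server-side rule: check the caller against the object and against the operation on every request. As an added example that is not part of the slide deck, the block below shows an order lookup that uses the client-supplied id unchecked, beside a lookup that enforces ownership, and a refund operation gated by role. Users, roles, orders and the `Forbidden` exception are constructed for the demo.

```python
"""Added example (not from the slides): object-level (A4) and function-level
(A7) authorization checks on an order service."""
import functools
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not perform the operation."""


@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset = field(default_factory=frozenset)


STAFF_ROLES = {"support", "admin"}
# Constructed sample data: order id -> owning customer id.
ORDERS = {1001: 1, 1002: 2}


def get_order_unchecked(order_id: int) -> dict:
    # A4 anti-pattern: the id from the URL is used as-is, so any logged-in user
    # who changes the number in the request reads someone else's order.
    return {"order_id": order_id, "owner": ORDERS[order_id]}


def get_order(user: User, order_id: int) -> dict:
    # A4 fix: resolve the reference, then verify the caller owns the object or
    # holds a staff role. Missing and foreign orders get the same answer so the
    # error itself does not confirm which ids exist.
    owner = ORDERS.get(order_id)
    if owner is None or (owner != user.id and not (user.roles & STAFF_ROLES)):
        raise Forbidden("order not accessible")
    return {"order_id": order_id, "owner": owner}


def require_role(role: str):
    """A7 fix: the role check lives on the server-side handler, not in the UI."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(user: User, *args, **kwargs):
            if role not in user.roles:
                raise Forbidden(f"{fn.__name__} requires role {role!r}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def refund_order(user: User, order_id: int) -> str:
    # Hiding the refund button from non-admins is not a control; this check runs
    # for every request regardless of how it was produced.
    get_order(user, order_id)  # the object-level check still applies to staff
    return f"refund issued for {order_id}"


def raises_forbidden(fn, *args) -> bool:
    """Helper for demonstrating denied calls without leaking exceptions."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    alice, admin = User(1), User(99, frozenset({"admin"}))
    print(get_order(alice, 1001))
    print(raises_forbidden(get_order, alice, 1002))
    print(raises_forbidden(refund_order, alice, 1001))
    print(refund_order(admin, 1002))
```

Denied calls are also worth logging with the caller id and the requested object id: a single user producing a run of `Forbidden` results across sequential order numbers is the detection signal for reference manipulation.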
A8 – Cross-Site Request Forgery
How?
• Authentication tokens or cookies are used to forge HTTP requests from the victim's browser.
Impact
• The forged requests appear legitimate, thereby compromising the application.
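The A2 (session management) and A8 (CSRF) slides share one mechanism, so one added example covers both; it is not part of the slide deck. The block below keeps sessions server-side with a CSPRNG session id, rotates the id at login so a pre-set id never becomes authenticated, expires idle sessions, and derives a CSRF token from the session id with a server key: the browser sends the cookie automatically, but a cross-site page cannot read or compute the token to put in the form. The server key, the timeout value, the clock injection and the handler names are constructed for the demo.

```python
"""Added example (not from the slides): server-side session store with id
rotation and idle timeout (A2), plus a session-bound CSRF token (A8)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed for the demo; in production this key comes from a secret store.
SERVER_KEY = secrets.token_bytes(32)
IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session is dropped


@dataclass
class Session:
    user_id: int
    last_seen: float


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be exercised in tests
        self._sessions: Dict[str, Session] = {}

    def login(self, user_id: int, old_sid: Optional[str] = None) -> str:
        # Issue a fresh id at the privilege change and discard whatever id the
        # browser held before (session fixation defence).
        if old_sid:
            self._sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = Session(user_id, self._clock())
        return sid

    def resolve(self, sid: str) -> Optional[Session]:
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._clock() - s.last_seen > IDLE_TIMEOUT:
            self._sessions.pop(sid, None)  # invalidated on the server, not just the cookie
            return None
        s.last_seen = self._clock()
        return s

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def csrf_token(sid: str) -> str:
    # Keyed hash of the session id: stateless to verify, unique per session,
    # and unforgeable without SERVER_KEY.
    return hmac.new(SERVER_KEY, b"csrf:" + sid.encode("utf-8"), hashlib.sha256).hexdigest()


def handle_state_change(store: SessionStore, sid: str, submitted_token: str) -> str:
    """A state-changing endpoint (placing an order) with both checks applied."""
    s = store.resolve(sid)
    if s is None:
        return "401 not authenticated"
    if not submitted_token or not hmac.compare_digest(csrf_token(sid), submitted_token):
        return "403 csrf check failed"
    return f"200 order placed for user {s.user_id}"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login(7)
    print(handle_state_change(store, sid, csrf_token(sid)))  # legitimate form post
    print(handle_state_change(store, sid, ""))                # cross-site post: no token
```

Setting the session cookie with `HttpOnly`, `Secure` and `SameSite=Lax` or `Strict` is the complementary browser-side control: `SameSite` stops most cross-site submissions before they reach the handler, and the token check above catches the rest.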
A9 – Components With Known Vulnerabilities
How?
• Frameworks and components run with full privileges.
Impact
• Any issue in these will in turn cause issues in the main application.
A10 – Unvalidated Redirects and Forwards
How?
• No validation is in place when redirecting to other pages and applications.
Impact
• Phishing attacks redirect users to applications through which sensitive information can be captured.
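The validation missing in the A10 slide, as an added example that is not part of the slide deck: a `next`-parameter handler that only follows same-site paths or HTTPS URLs to an allow-listed host and otherwise falls back to a fixed page. The allow-listed hostnames and the sample inputs are constructed for the demo.

```python
"""Added example (not from the slides): allow-list validation of a redirect
target taken from a request parameter."""
from urllib.parse import urlsplit

# Constructed allow-list of hosts the shop may redirect to.
ALLOWED_HOSTS = {"shop.example.com", "pay.example.com"}


def safe_redirect_target(next_url: str, fallback: str = "/") -> str:
    """Return next_url if it is a safe destination, otherwise fallback."""
    if not next_url:
        return fallback
    # Backslashes and control characters are normalised differently by
    # browsers and URL parsers; reject rather than guess.
    if "\\" in next_url or any(ord(c) < 0x20 for c in next_url):
        return fallback

    parts = urlsplit(next_url)

    if parts.scheme == "" and parts.netloc == "":
        # Relative target. Accept only absolute paths on this site; "//host/x"
        # is protocol-relative and would leave the site, so it is excluded.
        if next_url.startswith("/") and not next_url.startswith("//"):
            return next_url
        return fallback

    # Absolute target: require HTTPS and an exact hostname match. urlsplit's
    # hostname ignores any "user@" prefix, so "https://shop.example.com@evil"
    # resolves to the real host ("evil") and is refused.
    if parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS:
        return next_url
    return fallback


if __name__ == "__main__":
    for candidate in ["/account/orders", "https://pay.example.com/checkout",
                      "//evil.example/", "https://shop.example.com@evil.example/",
                      "javascript:alert(1)", "http://shop.example.com/"]:
        print(f"{candidate!r:48} -> {safe_redirect_target(candidate)!r}")
```

Where the set of destinations is small, mapping a short key (`next=orders`) to a server-side URL table avoids parsing user-supplied URLs altogether; the function above is for the case where a full path must be round-tripped.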
Next Steps...
Proactive approach.
It is better to beef up now than to repent later.
Security should be constantly reviewed, and during code reviews emphasis needs to be placed on it.