Where the money is. – Security of CBS.

   Advisor for your information security.

Version:                 1.0
Author:                  Ulrich Fleck
Responsible:             Ulrich Fleck
Date:                    27.5.2012
Confidentiality Class:   Public
Agenda




              • About SEC Consult
              • About the study
              • Threats and Drivers for Application Security in CBS
              • Maturity of Application Security in CBS
              • Security Crash Test of selected CBS products
              • Resume
              • Discussion




             Title: Where the money is– CBS Security
             Version/Date:      1.0 / 27.5.2012             © 2012 SEC Consult
             Responsable:       Ulrich Fleck           Unternehmensberatung GmbH –
2            Confidentiality Class: Public                   All rights reserved
SEC Consult – Who we are

• Leading international application security consultancy
• Founded 2002
• Headquarters near Vienna, Austria
• Delivery Centers in Austria, Germany, Lithuania and Singapore
• Strong customer base in Central and Eastern Europe
• Increasing customer base of clients with global business (esp. out of Top-10 US and European software vendors)
• 45+ application security experts
• Industry focus banks, software vendors, government

[Map: markers for Canada, Germany, Lithuania, Austria, Central and Eastern Europe and Singapore; legend: SEC Consult Headquarter, SEC Consult Office, Other SEC Consult Clients]

Our Key Question

What is the promise and the reality of application security for core banking systems???
Part 1 – Answers provided

• We created a questionnaire with some 50 questions about security, especially with regards to core banking systems
• This questionnaire was provided to a preselected set of vendors together with the offer to participate in our study
• We recommended that the person responsible for IT security should answer or at least quality assure the questions and answers
• The methodology for the survey part was based on commonly known security standards, best practices and guidelines and the experience of Capgemini and SEC Consult

Part 2 – Security Crash Test at vendor

• As the answers to the questionnaire are just a subjective picture of the vendors themselves, we wanted to perform real life security crash tests at the vendors
• Therefore we offered all vendors an application security check conducted by SEC Consult consultants
• We asked for access to the respective test system and ensured that those test results will only be published at a high level in this study and that detailed reports about the test case results are handed over solely to the respective vendor




Alternative Part 2 – Security Crash tests at selected banks

• Some of the vendors were quite interested and seriously considering a “Part 2” participation – however none of the vendors did finally agree
• Therefore we had to consider an alternative solution
• Fortunately three interested banks, showing big interest in this study, gave us the opportunity to perform security crash tests on their systems (three CBS in scope of this study)
• The applied methodology was based on commonly known security standards for application security, best practices in security tests with a black-box approach and the experience of SEC Consult



CBS Vendors of this Study




Major vendors relevant for the international and European market.

Attack surface for core banking systems (simplified)

[Figure: layered architecture – Presentation Layer, Business Logic Tier, Database Layer, Databases, Network; “…” marks potential entry points for an attacker at every layer]

What did the vendors say?

• Information security of vendor organization
    • Most of the vendors have an Information Security Management System (ISMS) in place

• Software development organization
    • Roles and responsibilities in the development process documented in accordance with security policies
    • 90-100% of the (core) development staff on application security

• Methods for secure software development
    • The enforcement of methods for secure software development (Microsoft SDL, OpenSAMM, BSIMM, CMM-SSE) is in progress at some vendors

• Threat modeling and security requirements
    • Most of the vendors have an up-to-date threat model for each CBS module available
What did the vendors say?

• Security Incident Response
    • Most of the vendors have a Software Security Incident Response Process

• (Technical) standards and best practices for application security
    • (Technical) application security best practices and standards for web technologies like OWASP, ÖNORM A 7700 (Security requirements for web applications), etc. are already important for vendors
    • Data privacy standards for applications like EuroPriSe are not in the focus yet
    • No certifications conducted on application security




What did the vendors say about complexity?




What did the vendors say? – Internal QA

• Security vulnerabilities identified from 1.1.2008 till 30.6.2010 by internal QA/testers before the software was released
    • Many vendors don’t provide an answer
    • Range from “none” to hundreds

• Security vulnerabilities identified from 1.1.2008 till 30.6.2010 in already released software modules (“zero-day vulnerabilities”)
    • Many vendors don’t provide an answer
    • Range from “none” to hundreds




Test coverage for application Security




Significant differences in the test coverage for different test approaches between the vendors.
How do you define the maturity level of state of the art (application) security for your CBS product?

Vendor answers:
• 30+ years with no known security issues.
• strong & impenetrable security foundation
• Highly sophisticated
• CMMi Level 4.
• High
• Mature.
• Mature.
• Mature.

All vendors position themselves to achieve (at least) state-of-the-art application security. This is a clear and consistent commitment and promise to the market.
Crashtest for 3 CBS (out of 8)

Test set-up:
• None of the eight vendors accepted the offer for a free of charge security crash test
• 3 major European banks stepped in with 3 products of this study – Thanks!!!
• Crash-Test with black-box approach and limited effort budget (approx. 15 person days for each product)
• Access to CBS with one low privilege user account (standard user)

Test objective for a crash test:
• Check for toxic (=seriously insecure) software
• Identify application security vulnerabilities in CBS to break the confidentiality, availability or integrity of CBS

Image source: http://www.spiegel.de/fotostrecke/fotostrecke-22584-3.html



Why attack the CBS from a standard working place?

[Figure: Standard Working Place for CBS – a browser on the workstation connected to the Core Banking System]

The attacker has several choices to get access to a standard working place:
• One active Trojan horse malware
• Access by cleaning personnel, maintenance, contractors, volunteers, etc.
• Drive-by infection from website(s)
• …

Then the attacker starts to look for vulnerabilities to access the Core Banking System in depth…

For the test we used a low privilege user and tried to expand the privileges and to access sensitive data of the Core Banking System.

Hundreds to thousands of CBS standard working places to choose from
Standard Blackbox Approach

[Figure: attacks against the Presentation Layer, Business Logic Tier, Database Layer, Database and Network]

Tasks:
• Use selective special tools and scripts for exploiting security vulnerabilities based on vulnerability classes
• Check compliance to state of the art standards for application security (A7700, OWASP, …)
• Adapt or write new exploit code if necessary
• Validate vulnerabilities
• Develop proof of concept material (screen shots, dumps, passwords, etc.)
• Assess risk and define recommendation

CBS – Cross site scripting

• The problem:
  A Cross Site Scripting security vulnerability is used to steal the identity information of a CBS user. First the attacker writes an email to this user with a malicious link, including hidden script code (a very short software program). The user receives the email and clicks on that link. The malicious script runs in (the context of) the web browser of the attacked user.

• Vulnerability class:
    • Web application security – input and output validation

• Impact for bank:
    • Account theft
    • Remotely control the web browser
    • Record all activities of the user
    • Initiate changes in transactions (e.g. target account numbers of a transaction on the fly)

• Secure software development:
    • Architecture/Design:          Failed
    • Programming:                  Failed
    • Test and Quality Assurance:   Failed


CBS – Weak encryption

• The problem:
  First the attacker traces the data traffic between the CBS client and the CBS server. Due to the weak encryption security vulnerability of the CBS the attacker can bypass the login mechanism.

• Vulnerability class:
    • Design flaw in client-server communication (the hash is built on the client)

• Impact for bank:
    • Account theft
    • Privilege escalation
    • Misuse of the account of the user

• Secure software development:
    • Architecture/Design:          Failed
    • Programming:                  Failed
    • Test and Quality Assurance:   Failed
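Why a hash built on the client is a design flaw rather than a coding slip, shown as an added example (not code from the study or any tested CBS): when the server only compares the digest the client sends, that digest is a password equivalent, so whatever is traced on the wire logs in by itself. The hardened variant keeps all hashing on the server with a per-user salt and a slow KDF; the user name, password and the TLS channel protecting the password in transit are assumptions for the demo.

```python
import hashlib
import hmac
import os


# ---- Flawed design: the client computes the digest, the server just compares ----

def client_side_digest(password: str) -> str:
    """What the flawed CBS client puts on the wire instead of the password."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed user store: the server keeps exactly the value the client transmits.
FLAWED_USERS = {"teller01": client_side_digest("Winter2012!")}


def flawed_login(username: str, transmitted_digest: str) -> bool:
    """Server side of the flawed scheme. Nothing here proves that the client
    knew the password; a traced digest is indistinguishable from a real login."""
    stored = FLAWED_USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, transmitted_digest)


# ---- Hardened design: password travels over TLS (assumed), hashing happens server side ----

PBKDF2_ITERATIONS = 100_000  # deliberately slow; tune to the server's budget


def make_record(password: str) -> dict:
    """Create the stored credential: random per-user salt + PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


HARDENED_USERS = {"teller01": make_record("Winter2012!")}


def hardened_login(username: str, password: str) -> bool:
    """Server verifies the password itself; the stored digest never leaves the
    server and a digest captured from the flawed scheme is worthless here."""
    rec = HARDENED_USERS.get(username)
    if rec is None:
        # Spend comparable CPU on unknown users so timing does not reveal
        # which user names exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), os.urandom(16), PBKDF2_ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, rec["digest"])
```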
CBS – Privilege escalation – missing authorization

• The problem:
  By enumerating several request parameters, arbitrary accounts can be taken over and misused by non-privileged users.

• Vulnerability class:
    • Design flaw based on missing authorization

• Impact for bank:
    • Account theft
    • Privilege escalation
    • The attacker becomes a more powerful user
    • Access to administrative functionality
    • The attacker can misuse the CBS by performing high privilege transactions and functions

• Secure software development:
    • Architecture/Design:          Failed
    • Programming:                  Failed
    • Test and Quality Assurance:   Failed



CBS – SQL Injection

• The problem:
  Nothing to add here – this should be an extinct vulnerability class.

• Vulnerability class:
    • Web application security – input validation & design flaw

• Impact for bank:
    • Extract valuable data from the database (data theft)
    • Manipulate data in the database
    • Account theft
    • Privilege escalation

• Secure software development:
    • Architecture/Design:          Failed
    • Programming:                  Failed
    • Test and Quality Assurance:   Failed
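The two findings above, missing authorization on enumerable request parameters and SQL injection, usually live in the same request handler, so this added example (not code from the study or any tested CBS) shows one flawed account lookup next to its hardened form: a parameterized query plus a server-side ownership check that writes every refusal to an audit list. The table layout, account ids and user names are constructed for the demo.

```python
import sqlite3
from typing import List, Optional, Tuple


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory account table standing in for a CBS backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (account_id TEXT PRIMARY KEY, owner TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("AT-1001", "alice", 1500), ("AT-1002", "bob", 98000), ("AT-1003", "carol", 250)],
    )
    conn.commit()
    return conn


def flawed_account_lookup(conn: sqlite3.Connection, session_user: str, account_id: str) -> List[Tuple]:
    """Both crash-test findings in one handler: the request parameter is pasted
    into the SQL text (injection) and never compared with the session user
    (missing authorization), so any standard user can read any row just by
    changing the parameter. session_user is received but ignored, which is
    exactly the defect."""
    sql = (
        "SELECT account_id, owner, balance FROM accounts "
        "WHERE account_id = '" + account_id + "'"
    )
    return conn.execute(sql).fetchall()


def hardened_account_lookup(
    conn: sqlite3.Connection, session_user: str, account_id: str, audit: List[str]
) -> Optional[Tuple]:
    """Parameterized query (the parameter can only ever be a value, never SQL)
    and an ownership check enforced on the server; refusals are recorded so the
    bank's auditing and logging stay effective against parameter enumeration."""
    row = conn.execute(
        "SELECT account_id, owner, balance FROM accounts WHERE account_id = ?",
        (account_id,),
    ).fetchone()
    if row is None:
        return None
    if row[1] != session_user:
        audit.append(f"DENY user={session_user} account={account_id}")
        return None
    return row
```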
CBS – Direct OS Command execution

• The problem:
  Several flaws led to access to the underlying operating system for non-privileged users.

• Vulnerability class:
    • Web application security – input validation & design flaw

• Impact for bank:
    • Control over the operating system of the server of the CBS
    • The CBS system can be shut down, wiped or manipulated with wrong data by the attacker
    • Data of the server can be copied to a repository of the attacker
    • Additionally, this vulnerability can be used to attack other systems of the bank
    • Account theft and privilege escalation
    • Total compromise of system, data backends etc.

• Secure software development:
    • Architecture/Design:          Failed
    • Programming:                  Failed
    • Test and Quality Assurance:   Failed

Summarizing

FAILED! FAILED! FAILED!

3 of 3 tested CBS fail application security standards:
• e.g. Open Web Application Security Project (OWASP), WASC, BSI ISi-Reihe (Germany), ÖNORM A 7700 (Austria), etc.

3 of 3 tested CBS are not state of the art in application security
• Vendor answers: CMMi Level 4. / High / Mature. / Mature. / Mature.

3 of 3 tested CBS have deficiencies in secure software development
• Architecture/Design:          Failed
• Programming:                  Failed
• Test and Quality Assurance:   Failed
Business Impact for Banks

[Figure: attacks against the Presentation Layer, Business Logic Tier, Database Layer, Database and Network]

• The found vulnerabilities in 3 of 3 tested CBS
    • enable unauthorized access
    • disable segregation of duties
    • circumvent the effectiveness of auditing and logging
    • circumvent the effectiveness of strict access control and enable privilege escalation
  and therefore can cause violations of compliance requirements such as Basel II, SAS70, ISO 27001, national data privacy protection laws, national banking specific laws, etc.




What to do if you are a bank?

Demand state-of-the-art application security for CBS
• Vendor contracts with mandatory state-of-the-art application security requirements
• Define penalties for not achieving state-of-the-art application security requirements
• Cost sharing for unsuccessful application security tests

Prove the vendor claims and promises by testing application security of CBS
• Application security tests (Security Quality Gates)

Establish additional multi-lines of defense
• Measures to at least temporarily mitigate some risks of an insecure CBS on other levels of defense (infrastructure, organizational, awareness of users, etc.)

The best point in time to detect toxic (=seriously insecure) software is when you buy it.

Software Vendors already using SEC Consult.




           Title: SEC Consult Software Security Assurance
           Services                                              © 2011 SEC Consult
           Version/Date:         1.1/May 2011               Unternehmensberatung GmbH –
           Responsible:          U. Fleck                         All rights reserved
How to reach us/me?

Austria
Mooslackengasse 17
A-1190 Vienna
Austria
Tel: +43-(0)1-890 30 43-0
Fax: +43-(0)1-890 30 43-15
Email: office@sec-consult.com
www.sec-consult.com

Ulrich Fleck
Director Sales and Business Development
+43 676 840 301 719
Email: u.fleck@sec-consult.com





Construcción industrializada con elementos prefabricados de hormigónConstrucción industrializada con elementos prefabricados de hormigón
Construcción industrializada con elementos prefabricados de hormigónANDECE
 

Viewers also liked (19)

Zenith tv shot semana18
Zenith tv shot semana18Zenith tv shot semana18
Zenith tv shot semana18
 
Gmo form 2013
Gmo form 2013Gmo form 2013
Gmo form 2013
 
17 latour, bruno_-_reagregando_o_social_uma_introdução_a_teoria_do_ator-rede
17 latour, bruno_-_reagregando_o_social_uma_introdução_a_teoria_do_ator-rede17 latour, bruno_-_reagregando_o_social_uma_introdução_a_teoria_do_ator-rede
17 latour, bruno_-_reagregando_o_social_uma_introdução_a_teoria_do_ator-rede
 
Pueblo que se dobla pero no se truencha
Pueblo que se dobla pero no se truenchaPueblo que se dobla pero no se truencha
Pueblo que se dobla pero no se truencha
 
Océano morador de las aguas profundas de la psiquis humana signed
Océano morador de las aguas profundas de la psiquis humana signedOcéano morador de las aguas profundas de la psiquis humana signed
Océano morador de las aguas profundas de la psiquis humana signed
 
Ito_Clower
Ito_ClowerIto_Clower
Ito_Clower
 
Curso de lider coach
Curso de lider coachCurso de lider coach
Curso de lider coach
 
How Direct Marketing Applies in a Multichannel Marketing World
How Direct Marketing Applies in a  Multichannel Marketing WorldHow Direct Marketing Applies in a  Multichannel Marketing World
How Direct Marketing Applies in a Multichannel Marketing World
 
Geoener 2014.presentación geoter
Geoener 2014.presentación geoterGeoener 2014.presentación geoter
Geoener 2014.presentación geoter
 
Ensayo Diseñadores Gráficos Venezolanos e internacionales.
Ensayo Diseñadores Gráficos Venezolanos e internacionales.Ensayo Diseñadores Gráficos Venezolanos e internacionales.
Ensayo Diseñadores Gráficos Venezolanos e internacionales.
 
Publicidad de Emplazamiento
Publicidad de EmplazamientoPublicidad de Emplazamiento
Publicidad de Emplazamiento
 
Tuneup utilities
Tuneup utilitiesTuneup utilities
Tuneup utilities
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
 
Aves magacinedicion5
Aves magacinedicion5Aves magacinedicion5
Aves magacinedicion5
 
Lean sigma cambio acelerado qce_jf
Lean sigma  cambio acelerado qce_jfLean sigma  cambio acelerado qce_jf
Lean sigma cambio acelerado qce_jf
 
Proyecto ultimo corregido
Proyecto ultimo corregidoProyecto ultimo corregido
Proyecto ultimo corregido
 
HACIA UNA FORMACIÓN CIENTÍFICA EN Y PARA LA CIVILIDAD: LA ARGUMENTACIÓN EN EL...
HACIA UNA FORMACIÓN CIENTÍFICA EN Y PARA LA CIVILIDAD: LA ARGUMENTACIÓN EN EL...HACIA UNA FORMACIÓN CIENTÍFICA EN Y PARA LA CIVILIDAD: LA ARGUMENTACIÓN EN EL...
HACIA UNA FORMACIÓN CIENTÍFICA EN Y PARA LA CIVILIDAD: LA ARGUMENTACIÓN EN EL...
 
ECODISEÑO EMPRENDIMIENTOAnexo 41 laboratorio de emprendimiento c3+d mxp.lab
ECODISEÑO EMPRENDIMIENTOAnexo  41 laboratorio de emprendimiento c3+d mxp.labECODISEÑO EMPRENDIMIENTOAnexo  41 laboratorio de emprendimiento c3+d mxp.lab
ECODISEÑO EMPRENDIMIENTOAnexo 41 laboratorio de emprendimiento c3+d mxp.lab
 
Construcción industrializada con elementos prefabricados de hormigón
Construcción industrializada con elementos prefabricados de hormigónConstrucción industrializada con elementos prefabricados de hormigón
Construcción industrializada con elementos prefabricados de hormigón
 

Similar to Where the money is – Security of CBS.

The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Res...
The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Res...The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Res...
The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Res...Denim Group
 
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_designNCC Group
 
Solution Architecture And Solution Security
Solution Architecture And Solution SecuritySolution Architecture And Solution Security
Solution Architecture And Solution SecurityAlan McSweeney
 
Applicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramApplicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramMichael Davis
 
Assessing IBM i Security Risks: A Conversation with Dan Riehl
Assessing IBM i Security Risks: A Conversation with Dan RiehlAssessing IBM i Security Risks: A Conversation with Dan Riehl
Assessing IBM i Security Risks: A Conversation with Dan RiehlPrecisely
 
Riscure Assurance for Premium Content at a glance
Riscure Assurance for Premium Content at a glanceRiscure Assurance for Premium Content at a glance
Riscure Assurance for Premium Content at a glanceRiscure
 
Security and DevOps Overview
Security and DevOps OverviewSecurity and DevOps Overview
Security and DevOps OverviewAdrian Sanabria
 
What Suppliers Don't Tell You About Security?
What Suppliers Don't Tell You About Security?What Suppliers Don't Tell You About Security?
What Suppliers Don't Tell You About Security?PECB
 
5 Ways to Reduce 3rd Party Developer Risk
5 Ways to Reduce 3rd Party Developer Risk5 Ways to Reduce 3rd Party Developer Risk
5 Ways to Reduce 3rd Party Developer RiskSecurity Innovation
 
Top 5 myths of it security in the light of current events tisa pro talk 4 2554
Top 5 myths of it security in the light of current events tisa pro talk 4 2554Top 5 myths of it security in the light of current events tisa pro talk 4 2554
Top 5 myths of it security in the light of current events tisa pro talk 4 2554TISA
 
Reduce Third Party Developer Risks
Reduce Third Party Developer RisksReduce Third Party Developer Risks
Reduce Third Party Developer RisksKevo Meehan
 
Beyond security testing
Beyond security testingBeyond security testing
Beyond security testingCu Nguyen
 
Null application security in an agile world
Null application security in an agile worldNull application security in an agile world
Null application security in an agile worldStefan Streichsbier
 
Cyber51 Company Presentation Public
Cyber51 Company Presentation PublicCyber51 Company Presentation Public
Cyber51 Company Presentation Publicmartinvoelk
 
Power System Cybersecurity: Barriers and Challenges
Power System Cybersecurity: Barriers and Challenges Power System Cybersecurity: Barriers and Challenges
Power System Cybersecurity: Barriers and Challenges Nathan Wallace, PhD, PE
 
The Future of Software Security Assurance
The Future of Software Security AssuranceThe Future of Software Security Assurance
The Future of Software Security AssuranceRafal Los
 
Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Kevin Fealey
 
Edward Bonver Security Testing.ppt
Edward Bonver Security Testing.pptEdward Bonver Security Testing.ppt
Edward Bonver Security Testing.pptyadihef254
 

Similar to Where the money is – Security of CBS. (20)

Apts and other stuff
Apts and other stuffApts and other stuff
Apts and other stuff
 
The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Res...
The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Res...The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Res...
The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Res...
 
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
 
Solution Architecture And Solution Security
Solution Architecture And Solution SecuritySolution Architecture And Solution Security
Solution Architecture And Solution Security
 
Applicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramApplicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit Program
 
Assessing IBM i Security Risks: A Conversation with Dan Riehl
Assessing IBM i Security Risks: A Conversation with Dan RiehlAssessing IBM i Security Risks: A Conversation with Dan Riehl
Assessing IBM i Security Risks: A Conversation with Dan Riehl
 
Riscure Assurance for Premium Content at a glance
Riscure Assurance for Premium Content at a glanceRiscure Assurance for Premium Content at a glance
Riscure Assurance for Premium Content at a glance
 
Security and DevOps Overview
Security and DevOps OverviewSecurity and DevOps Overview
Security and DevOps Overview
 
What Suppliers Don't Tell You About Security?
What Suppliers Don't Tell You About Security?What Suppliers Don't Tell You About Security?
What Suppliers Don't Tell You About Security?
 
5 Ways to Reduce 3rd Party Developer Risk
5 Ways to Reduce 3rd Party Developer Risk5 Ways to Reduce 3rd Party Developer Risk
5 Ways to Reduce 3rd Party Developer Risk
 
Top 5 myths of it security in the light of current events tisa pro talk 4 2554
Top 5 myths of it security in the light of current events tisa pro talk 4 2554Top 5 myths of it security in the light of current events tisa pro talk 4 2554
Top 5 myths of it security in the light of current events tisa pro talk 4 2554
 
Reduce Third Party Developer Risks
Reduce Third Party Developer RisksReduce Third Party Developer Risks
Reduce Third Party Developer Risks
 
Beyond security testing
Beyond security testingBeyond security testing
Beyond security testing
 
Null application security in an agile world
Null application security in an agile worldNull application security in an agile world
Null application security in an agile world
 
Risks vs real life
Risks vs real lifeRisks vs real life
Risks vs real life
 
Cyber51 Company Presentation Public
Cyber51 Company Presentation PublicCyber51 Company Presentation Public
Cyber51 Company Presentation Public
 
Power System Cybersecurity: Barriers and Challenges
Power System Cybersecurity: Barriers and Challenges Power System Cybersecurity: Barriers and Challenges
Power System Cybersecurity: Barriers and Challenges
 
The Future of Software Security Assurance
The Future of Software Security AssuranceThe Future of Software Security Assurance
The Future of Software Security Assurance
 
Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...
 
Edward Bonver Security Testing.ppt
Edward Bonver Security Testing.pptEdward Bonver Security Testing.ppt
Edward Bonver Security Testing.ppt
 

More from Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikPositive Hack Days
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQubePositive Hack Days
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityPositive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Positive Hack Days
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для ApproofPositive Hack Days
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Positive Hack Days
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложенийPositive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложенийPositive Hack Days
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application SecurityPositive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОPositive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке СиPositive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CorePositive Hack Days
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опытPositive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterPositive Hack Days
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиPositive Hack Days
 

More from Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Recently uploaded

Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 

Recently uploaded (20)

Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 

Where the money is – Security of CBS.

  • 1. Where the money is. – Security of CBS. Advisor for your information security. Version: 1.0 Autor: Ulrich Fleck Verantwortlich: Ulrich Fleck Datum: 27.5.2012 Vertraulichkeitsstufe: Public
  • 2. Agenda • About SEC Consult • About the study • Threats and Drivers for Application Security in CBS • Maturity of Application Security in CBS • Security Crash Test of selected CBS products • Resume • Discussion Title: Where the money is– CBS Security Version/Date: 1.0 / 27.5.2012 © 2012 SEC Consult Responsable: Ulrich Fleck Unternehmensberatung GmbH – 2 Confidentiality Class: Public All rights reserved
  • 3. SEC Consult – Who we are
    • Leading international application security consultancy
    • Founded 2002
    • Headquarters near Vienna, Austria
    • Delivery Centers in Austria, Germany, Lithuania and Singapore
    • Strong customer base in Central and Eastern Europe
    • Increasing customer base of clients with global business (esp. out of Top-10 US and European software vendors)
    • 45+ application security experts
    • Industry focus banks, software vendors, government
    (World map with markers for Canada, Germany, Lithuania, Austria, Central and Eastern Europe and Singapore; legend: SEC Consult Headquarter, SEC Consult Office, Other SEC Consult Clients)
  • 4. Our Key Question: What is the promise and the reality of application security for core banking systems?
  • 5. Part 1 – Answers provided by vendor
    • We created a questionnaire with some 50 questions about security, especially with regard to core banking systems
    • This questionnaire was provided to a preselected set of vendors together with the offer to participate in our study
    • We recommended that the person responsible for IT security should answer, or at least quality assure, the questions and answers
    • The methodology for the survey part was based on commonly known security standards, best practices and guidelines and the experience of Capgemini and SEC Consult
    Part 2 – Security Crash Test at vendor
    • As the answers to the questionnaire are just a subjective picture of the vendors themselves, we wanted to perform real-life security crash tests at the vendors
    • Therefore we offered all vendors an application security check conducted by SEC Consult consultants
    • We asked for access to the respective test system and ensured that the test results would only be published at a high level in this study, and that detailed reports about the test case results would be handed over solely to the respective vendor
  • 6. Part 1 – Answers provided by vendor / Part 2 – Security Crash Test at vendor (as on slide 5), plus:
    Alternative Part 2 – Security Crash tests at selected banks
    • Some of the vendors were quite interested and seriously considered a "Part 2" participation – however none did finally agree
    • Therefore we had to consider an alternative solution
    • Fortunately three interested banks, showing big interest in this study, gave us the opportunity to perform security crash tests on their systems (three CBS in scope of this study)
    • The applied methodology was based on commonly known security standards for application security, best practices in security tests with a black-box approach, and the experience of SEC Consult
  • 7. CBS Vendors of this Study – Major vendors relevant for the international and European market.
  • 8. (image-only slide, no text)
  • 9. Attack surface for core banking systems (simplified)
    (Layer diagram: Presentation Layer, Business Logic Tier, Database Layer, Databases, Network; the "…" markers denote potential entry points for an attacker)
  • 10. What did the vendors say?
    • Information security of vendor organization
      • Most of the vendors have an Information Security Management System (ISMS) in place
    • Software development organization
      • Roles and responsibilities in the development process documented in accordance with security policies
      • 90-100% of the (core) development staff on application security
    • Methods for secure software development
      • The enforcement of methods for secure software development (Microsoft SDL, OpenSAMM, BSIMM, CMM-SSE) is in progress at some vendors
    • Threat modeling and security requirements
      • Most of the vendors have an up-to-date threat model for each CBS module available
  • 11. What did the vendors say?
    • Security Incident Response
      • Most of the vendors have a Software Security Incident Response Process
    • (Technical) standards and best practices for application security
      • (Technical) application security best practices and standards for web technologies like OWASP, ÖNORM A 7700 (Security requirements for web applications), etc. are already important for vendors
      • Data privacy standards for applications like EuroPriSe are not in the focus yet
      • No certifications conducted on application security
  • 12. What did the vendors say about complexity? (chart slide)
  • 13. What did the vendors say? – Internal QA
    • Identified security vulnerabilities from 1.1.2008 till 30.6.2010 by internal QA/testers before the software was released
      • Many vendors don't provide an answer
      • Range from "none" to hundreds
    • Identified security vulnerabilities from 1.1.2008 till 30.6.2010 in already released software modules ("zero-day vulnerabilities")
      • Many vendors don't provide an answer
      • Range from "none" to hundreds
  • 14. Test coverage for application security – Significant differences in the test coverage for different test approaches between the vendors.
  • 15. How do you define the maturity level of state of the art (application) security for your CBS product?
    Vendor answers: "30+ years with no known security issues." – "strong & impenetrable security foundation" – "Highly sophisticated" – "CMMi Level 4." – "High Mature." – "Mature." – "Mature."
    All vendors position themselves to achieve (at least) state-of-the-art application security. This is a clear and consistent commitment and promise to the market.
  • 16. Crash test for 3 CBS (out of 8)
    Test set-up:
    • None of the eight vendors accepted the offer for a free-of-charge security crash test
    • 3 major European banks stepped in with 3 products of this study – Thanks!!!
    • Crash test with black-box approach and limited effort budget (approx. 15 person days for each product)
    • Access to CBS with one low privilege user account (standard user)
    Test objective for a crash test:
    • Check for toxic (=seriously insecure) software
    • Identify application security vulnerabilities in CBS to break the confidentiality, availability or integrity of CBS
    (Image source: http://www.spiegel.de/fotostrecke/fotostrecke-22584-3.html)
  • 17. Why attack the CBS from a standard working place?
    The attacker has several choices to get access to a standard working place:
    • One active Trojan horse malware
    • Access by cleaning personnel, maintenance, contractors, volunteers, etc.
    • Drive-by infection from website(s)
    • …
    Then the attacker starts to look for vulnerabilities to access the Core Banking System in depth…
    For the test we used a low privilege user and tried to expand the privileges and to access sensitive data of the Core Banking System.
    (Diagram: Standard Working Place for CBS → Browser → Core Banking System)
  • 18. Hundreds to thousands of CBS standard working places to choose from
    For the test we used a low privilege user and tried to expand the privileges and to access sensitive data of the Core Banking System.
  • 19. Standard Black-box Approach
    Tasks:
    • Use selected special tools and scripts for exploiting security vulnerabilities based on vulnerability classes
    • Check compliance with state of the art standards for application security (A7700, OWASP, …)
    • Adapt or write new exploit code if necessary
    • Validate vulnerabilities
    • Develop proof of concept material (screen shots, dumps, passwords, etc.)
    • Assess risk and define recommendation
    (Diagram: "Attack" arrow running through Presentation Layer, Business Logic Tier, Database Layer, Database, Network)
  • 20. CBS – Cross site scripting
    • The problem: A Cross Site Scripting security vulnerability is used to steal the identity information of a CBS user. First the attacker writes an email to this user with a malicious link, including hidden script code (very short software program). The user receives the email and clicks on that link. The malicious script runs in (the context of) the web browser of the attacked user.
    • Vulnerability class: Web application security – input and output validation
    • Impact for bank:
      • Account theft
      • Remotely control the web browser
      • Record all activities of the user
      • Initiate changes in transactions (e.g. target account numbers of a transaction on the fly)
    Secure software development:
    • Architecture/Design: Failed
    • Programming: Failed
    • Test and Quality Assurance: Failed
  • 21. CBS – Weak encryption
    • The problem: First the attacker traces the data traffic between the CBS client and the CBS server. Due to the weak encryption security vulnerability of the CBS, the attacker can bypass the login mechanism.
    • Vulnerability class: Design flaw in client-server communication (the hash is being built on the client)
    • Impact for bank:
      • Account theft
      • Privilege escalation
      • Misuse of the account of the user
    Secure software development:
    • Architecture/Design: Failed
    • Programming: Failed
    • Test and Quality Assurance: Failed
  • 22. CBS – Privilege escalation – missing authorization
    • The problem: By enumerating several request parameters, arbitrary accounts can be taken over and misused by non-privileged users.
    • Vulnerability class: Design flaw based on missing authorization
    • Impact for bank:
      • Account theft
      • Privilege escalation
      • The attacker becomes a more powerful user
      • Access to administrative functionality
      • The attacker can misuse the CBS by performing high privilege transactions and functions
    Secure software development:
    • Architecture/Design: Failed
    • Programming: Failed
    • Test and Quality Assurance: Failed
  • 23. CBS – SQL Injection
    • The problem: Nothing to add here; this should be an extinct vulnerability class
    • Vulnerability class: Web application security – input validation & design flaw
    • Impact for bank:
      • Extract valuable data from the database (data theft)
      • Manipulate data in the database
      • Account theft
      • Privilege escalation
    Secure software development:
    • Architecture/Design: Failed
    • Programming: Failed
    • Test and Quality Assurance: Failed
  • 24. CBS – Direct OS Command execution
    • The problem: Several flaws led to access to the underlying operating system for non-privileged users.
    • Vulnerability class: Web application security – input validation & design flaw
    • Impact for bank:
      • Control over the operating system of the server of the CBS
      • The CBS system can be shut down or wiped or manipulated with wrong data by the attacker
      • Data of the server can be copied to a repository of the attacker
      • Additionally, this vulnerability can be used to attack other systems of the bank
      • Account theft and privilege escalation
      • Total compromise of system, data backends etc.
    Secure software development:
    • Architecture/Design: Failed
    • Programming: Failed
    • Test and Quality Assurance: Failed
  • 25. Summarizing ("FAILED!" stamps across the slide)
    • 3 of 3 tested CBS fail application security standards (e.g. Open Web Application Security Project (OWASP), WASC, BSI ISi-Reihe (Germany), ÖNORM A 7700 (Austria), etc.)
    • 3 of 3 tested CBS are not state of the art in application security (vendor self-assessment: "CMMi Level 4." – "High Mature." – "Mature." – "Mature.")
    • 3 of 3 tested CBS have deficiencies in secure software development
      • Architecture/Design: Failed
      • Programming: Failed
      • Test and Quality Assurance: Failed
  • 26. Business Impact for Banks
    • The found vulnerabilities in 3 of 3 tested CBS
      • enable unauthorized access
      • disable segregation of duties
      • circumvent the effectiveness of auditing and logging
      • circumvent the effectiveness of strict access control and enable privilege escalation
    and therefore can cause violations of compliance requirements such as Basel II, SAS70, ISO 27001, national data privacy protection laws, national banking specific laws, etc.
    (Diagram: "Attacks" arrow through Presentation Layer, Business Logic Tier, Database Layer, Database, Network)
  • 27. What to do if you are a bank?
    Demand state-of-the-art application security for CBS
    • Vendor contracts with mandatory state-of-the-art application security requirements
    • Define penalties for not achieving state-of-the-art application security requirements
    • Cost sharing for unsuccessful application security tests
    Prove the vendor claims and promises by testing application security of CBS
    • Application security tests (Security Quality Gates)
    Establish additional multi-lines of defense
    • Measures to at least temporarily mitigate some risks of an insecure CBS on other levels of defense (infrastructure, organizational, awareness of users, etc.)
    The best point in time to detect toxic (=seriously insecure) software is when you buy it.
  • 28. Software Vendors already using SEC Consult. (logo slide; footer: Title: SEC Consult Software Security Assurance Services; Version/Date: 1.1/May 2011; Responsible: U. Fleck; © 2011 SEC Consult Unternehmensberatung GmbH – All rights reserved)
  • 29. How to reach us/me?
    Austria: Mooslackengasse 17, A-1190 Vienna, Austria; Tel: +43-(0)1-890 30 43-0; Fax: +43-(0)1-890 30 43-15; Email: office@sec-consult.com; www.sec-consult.com
    Ulrich Fleck, Director Sales and Business Development; +43 676 840 301 719; Email: u.fleck@sec-consult.com
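Slide 21 describes a login design in which the client builds the password hash and the server accepts it as-is, so anything that can be read from a traffic trace is itself a valid credential. The following added example (constructed for this page, not code from the study or any CBS vendor) contrasts that design with a server-issued one-time nonce that binds each login to a single exchange; it only removes the replay property and assumes TLS and server-side salted password storage remain in place.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential (example data, not taken from the study).
USER = "teller01"
PASSWORD = "s3cret-example"


def client_hash(password: str) -> str:
    """The weak design from slide 21: the client hashes the password itself."""
    return hashlib.sha256(password.encode()).hexdigest()


class WeakLoginServer:
    """Accepts the client-built hash unchanged, so the hash is a password equivalent."""

    def __init__(self) -> None:
        self.users = {USER: client_hash(PASSWORD)}

    def login(self, user: str, sent_hash: str) -> bool:
        stored = self.users.get(user)
        return stored is not None and hmac.compare_digest(stored, sent_hash)


class ChallengeLoginServer:
    """Binds every login to a fresh server-chosen nonce; an observed response is single-use."""

    def __init__(self) -> None:
        self.verifiers = {USER: client_hash(PASSWORD)}
        self.pending: dict[str, str] = {}

    def challenge(self, user: str) -> str:
        nonce = secrets.token_hex(16)
        self.pending[user] = nonce
        return nonce

    def login(self, user: str, response: str) -> bool:
        nonce = self.pending.pop(user, None)  # one-time use, consumed on first try
        verifier = self.verifiers.get(user)
        if nonce is None or verifier is None:
            return False
        expected = hmac.new(verifier.encode(), nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, nonce: str) -> str:
    """Client side of the challenge scheme: HMAC of the nonce under the password-derived key."""
    return hmac.new(client_hash(password).encode(), nonce.encode(), hashlib.sha256).hexdigest()


def demo_weak() -> tuple[bool, bool]:
    """Shows that the same observed value logs in twice under the weak design."""
    srv = WeakLoginServer()
    observed = client_hash(PASSWORD)  # the value visible in a trace of the weak protocol
    return srv.login(USER, observed), srv.login(USER, observed)  # (True, True)


def demo_challenge() -> tuple[bool, bool]:
    """Shows that an observed response is rejected once the nonce has been consumed."""
    srv = ChallengeLoginServer()
    observed = client_response(PASSWORD, srv.challenge(USER))
    first = srv.login(USER, observed)
    srv.challenge(USER)  # a new nonce is issued for the next attempt
    return first, srv.login(USER, observed)  # (True, False)
```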
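Slides 22 and 23 name two flaws that often sit in the same request handler: an account identifier taken from the request with no check that it belongs to the logged-in user, and that same identifier pasted into SQL text. This added example (constructed for this page; the table, users and account numbers are sample data, not from any tested CBS) shows a lookup with both defects beside a version that binds the parameter and makes ownership part of the query, logging misses so enumeration attempts become visible.

```python
import logging
import sqlite3

logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
log = logging.getLogger("cbs-demo")


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two customers, three accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("AT-1001", "alice", 500), ("AT-1002", "bob", 12000), ("AT-1003", "bob", 300)],
    )
    return conn


def account_lookup_weak(conn: sqlite3.Connection, session_user: str, account_id: str) -> list:
    """Slides 22 and 23 combined: no ownership check, parameter concatenated into the SQL."""
    sql = f"SELECT id, owner, balance FROM accounts WHERE id = '{account_id}'"
    return conn.execute(sql).fetchall()


def account_lookup_hardened(conn: sqlite3.Connection, session_user: str, account_id: str) -> list:
    # Bound parameters: the value can never alter the query structure (slide 23).
    # Ownership is part of the predicate, so an id belonging to another customer
    # yields no rows instead of their data (slide 22).
    rows = conn.execute(
        "SELECT id, owner, balance FROM accounts WHERE id = ? AND owner = ?",
        (account_id, session_user),
    ).fetchall()
    if not rows:
        # Detection hook: many misses from one session are the signature of enumeration.
        log.warning("authz-miss user=%s account=%s", session_user, account_id)
    return rows


def demo() -> dict:
    """Runs both handlers from Alice's session and returns the row counts each one exposes."""
    conn = make_db()
    return {
        "weak_other": len(account_lookup_weak(conn, "alice", "AT-1002")),      # 1: Bob's account
        "weak_all": len(account_lookup_weak(conn, "alice", "' OR '1'='1")),    # 3: whole table
        "hard_other": len(account_lookup_hardened(conn, "alice", "AT-1002")),  # 0
        "hard_all": len(account_lookup_hardened(conn, "alice", "' OR '1'='1")),  # 0
        "hard_own": len(account_lookup_hardened(conn, "alice", "AT-1001")),    # 1: her own
    }
```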