SlideShare a Scribd company logo

Owasp night faspay

OWASP Indonesia Chapter
OWASP Indonesia Chapter

https://www.meetup.com/meetup-group-XxqLdaeY/

Technology
1 of 15
Download to read offline
F i r s t S t e p T o W e b A p p l i c a t i o n ( I S O 2 7 0 0 1 v s P C I D S S v s 1 0 T e n O W A S P ) Connecting Payment
LET’S BEGIN NOW! Connecting Payment | faspay.co.id 2
Connecting Payment | faspay.co.id 3 2011 – Now - Faspay System Development
INTRODUCTION S E C T I O N 1
WE MUST KNOW WHAT THE IMPORTANT THINGS. ISO 27001 PCI DSS / PA DSS Peraturan Bank Indonesia Nomor 18/40/PBI/2016 PP 11 Tahun 2008 (ITE) / PP 82 2012 Penyelengaraan Sistem dan Transaksi Elektronik / Permen No 4 TH 2016 Sistem ManajemenInformasi OWASP
Definisi : Keamanan informasi merupakan perlindungan informasi dari berbagai ancaman agar menjamin kelanjutan proses bisnis, mengurangi risiko bisnis, dan meningkatkan return of investment (ROI) serta peluang bisnis (Chaeikar, etc., 2012). Meliputi aspek : Confidentiality Aspek yang menjamin kerahasiaan informasi atau data dan memastikan informasi hanya dapat diakses oleh pihak yang berwenang. Integrity Aspek yang menjamin data tidak dapat dirubah tanpa ada ijin pihak yang berwenang, menjaga kelengkapan informasi dan menjaga dari kerusakan atau ancaman lain yang bisa menyebabkan perubahan pada informasi atau data asli. Availability Aspek yang menjamin bahwa data akan tersedia pada saat dibutuhkan dan menjamin user dapat mengakses informasi tanpa adanya gangguan. Keamanan Informasi 6
Connecting Payment | faspay.co.id 7
Connecting Payment | faspay.co.id 8 A.5 Information Security policies (is related to requirement 12 of PCI-DSS) A.6 Organization of information security (is related to requirement 12 of PCI-DSS) A.7 Human resource security (is related to requirement 12 of PCI-DSS) A.8 Asset management (is related to requirement 12 of PCI-DSS) A.9 Access control (is related to requirement 7 of PCI-DSS) A.10 Cryptography (is related to requirement 4 of PCI-DSS) A.11 Physical and environmental security (is related to requirement 9 of PCI-DSS) A.12 Operations security (is related to requirements 1, 5, 10, and 11 of PCI-DSS) A.13 Communications security (is related to requirement 4 of PCI-DSS) A.14 System acquisition, development and maintenance (is related to requirement 6 of PCI-DSS) A.15 Supplier relationships A.16 Information security incident management A.17 Information security aspects of business continuity management A.18 Compliance
S ynergy S E C T I O N 2
Connecting Payment | faspay.co.id 10 PCI compliance password requirements as mandated by the Payment Card Industry Data Security Standards (PCI DSS) are clearly stated within Requirement 8 A2:2017-Broken Authentication Related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently. A.9 Access Control Password management systems shall be interactive and shall ensure quality passwords.
11 • Require a minimum length of at least seven characters. • Contain both numeric and alphabetic characters. • Users to change passwords at least every 90 day. • Password parameters are set to require that new passwords cannot be the same as the four previously used passwords. • First-time passwords for new users, and reset passwords for existing users, are set to a unique value for each user and changed after first use • User accounts are temporarily locked-out after not more than six invalid access attempts. • Once a user account is locked out, it remains locked for a minimum of 30 minutes or until a system administrator resets the account. • System/session idle time out features have been set to 15 minutes or less. • Passwords are protected with strong cryptography during transmission and storage. PCI COMPLIANCE PASSWORD REQUIREMENTS Connecting Payment | faspay.co.id
12 • https://www.owasp.org/index.php/Authentication_Cheat_Sh eet OWASP Connecting Payment | faspay.co.id
DE S IGN S E C T I O N 3
Connecting Payment | faspay.co.id 14 user user_access Authenticate Check Access 1. User Login 2. User Access Encrypted (PK)username password (PK)username AppsId Apps Menu Authenticate : Function Length & Complexcity Function ExpiryPassword Function EncryptedPassword (Salt)
THANK YOU! Do You Have Any Questions?

Recommended

Approach pci- dss
Approach pci- dssApproach pci- dss
Approach pci- dss
Vikrant Burbure
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONPCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
himalya sharma
 
Taming the compliance beast in cloud
Taming the compliance beast in cloudTaming the compliance beast in cloud
Taming the compliance beast in cloud
Saumya Vishnoi
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONPCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
himalya sharma
 
Hardware Security Modules: Critical to Information Risk Management
Hardware Security Modules: Critical to Information Risk ManagementHardware Security Modules: Critical to Information Risk Management
Hardware Security Modules: Critical to Information Risk Management
SafeNet
 
Pindad iso27000 2016 smki
Pindad iso27000 2016 smkiPindad iso27000 2016 smki
Pindad iso27000 2016 smki
Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential Guide
Kim Jensen
 
Tecnologías para el Cumplimiento. Alexandre Bento. SafeNet
Tecnologías para el Cumplimiento. Alexandre Bento. SafeNetTecnologías para el Cumplimiento. Alexandre Bento. SafeNet
Tecnologías para el Cumplimiento. Alexandre Bento. SafeNet
Internet Security Auditors
 

Recommended

Approach pci- dss
Approach pci- dssApproach pci- dss
Approach pci- dss
Vikrant Burbure
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONPCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
himalya sharma
 
Taming the compliance beast in cloud
Taming the compliance beast in cloudTaming the compliance beast in cloud
Taming the compliance beast in cloud
Saumya Vishnoi
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONPCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
himalya sharma
 
Hardware Security Modules: Critical to Information Risk Management
Hardware Security Modules: Critical to Information Risk ManagementHardware Security Modules: Critical to Information Risk Management
Hardware Security Modules: Critical to Information Risk Management
SafeNet
 
Pindad iso27000 2016 smki
Pindad iso27000 2016 smkiPindad iso27000 2016 smki
Pindad iso27000 2016 smki
Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential Guide
Kim Jensen
 
Tecnologías para el Cumplimiento. Alexandre Bento. SafeNet
Tecnologías para el Cumplimiento. Alexandre Bento. SafeNetTecnologías para el Cumplimiento. Alexandre Bento. SafeNet
Tecnologías para el Cumplimiento. Alexandre Bento. SafeNet
Internet Security Auditors
 
PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden Williams
PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden WilliamsPCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden Williams
PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden Williams
Anton Chuvakin
 
Mcafee CASB/DLP + Seclore Rights Management Solutions
Mcafee CASB/DLP + Seclore Rights Management Solutions Mcafee CASB/DLP + Seclore Rights Management Solutions
Mcafee CASB/DLP + Seclore Rights Management Solutions
Seclore
 
PCI-DSS explained
PCI-DSS explainedPCI-DSS explained
PCI-DSS explained
Edwin_Bos
 
VIOS Flyer Erasure Services
VIOS Flyer Erasure ServicesVIOS Flyer Erasure Services
VIOS Flyer Erasure Services
ztbalado
 
Bloombase store safe 1pager mf solution brief template 2017
Bloombase store safe 1pager mf solution brief template 2017Bloombase store safe 1pager mf solution brief template 2017
Bloombase store safe 1pager mf solution brief template 2017
Bloombase
 
IRDAI Compliance & Data-Centric Security | Seclore
IRDAI Compliance & Data-Centric Security | SecloreIRDAI Compliance & Data-Centric Security | Seclore
IRDAI Compliance & Data-Centric Security | Seclore
Seclore
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to Know
AlienVault
 
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
ControlCase
 
Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016
InfinIT - Innovationsnetværket for it
 
Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.ppt
webhostingguy
 
Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.ppt
webhostingguy
 
TOP SAILPOINT INTERVIEW QUESTION
TOP SAILPOINT INTERVIEW QUESTIONTOP SAILPOINT INTERVIEW QUESTION
TOP SAILPOINT INTERVIEW QUESTION
Infosec Train
 
】=
】=】=
】=
Ying Sun
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)
Kimberly Simon MBA
 
Bengt Berg, Cybercom Security, Polen
Bengt Berg, Cybercom Security, PolenBengt Berg, Cybercom Security, Polen
Bengt Berg, Cybercom Security, Polen
Cybercom Group
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step Guide
AlienVault
 
Making Compliance Business as Usual
Making Compliance Business as UsualMaking Compliance Business as Usual
Making Compliance Business as Usual
ControlCase
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA Perspective
Mark Akins
 
Data Works Berlin 2018 - Worldpay - PCI Compliance
Data Works Berlin 2018 - Worldpay - PCI ComplianceData Works Berlin 2018 - Worldpay - PCI Compliance
Data Works Berlin 2018 - Worldpay - PCI Compliance
David Walker
 
Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...
Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...
Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...
DataWorks Summit
 
New york oracle users group 2013 spring general meeting ulf mattsson
New york oracle users group 2013 spring general meeting ulf mattssonNew york oracle users group 2013 spring general meeting ulf mattsson
New york oracle users group 2013 spring general meeting ulf mattsson
Ulf Mattsson
 
Maintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarMaintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish Kirtikar
ControlCase
 

More Related Content

What's hot

PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden Williams
PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden WilliamsPCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden Williams
PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden Williams
Anton Chuvakin
 
PCI-DSS explained
PCI-DSS explainedPCI-DSS explained
PCI-DSS explained
Edwin_Bos
 
VIOS Flyer Erasure Services
VIOS Flyer Erasure ServicesVIOS Flyer Erasure Services
VIOS Flyer Erasure Services
ztbalado
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to Know
AlienVault
 

What's hot (7)

PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden Williams
PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden WilliamsPCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden Williams
PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden Williams
 
Mcafee CASB/DLP + Seclore Rights Management Solutions
Mcafee CASB/DLP + Seclore Rights Management Solutions Mcafee CASB/DLP + Seclore Rights Management Solutions
Mcafee CASB/DLP + Seclore Rights Management Solutions
 
PCI-DSS explained
PCI-DSS explainedPCI-DSS explained
PCI-DSS explained
 
VIOS Flyer Erasure Services
VIOS Flyer Erasure ServicesVIOS Flyer Erasure Services
VIOS Flyer Erasure Services
 
Bloombase store safe 1pager mf solution brief template 2017
Bloombase store safe 1pager mf solution brief template 2017Bloombase store safe 1pager mf solution brief template 2017
Bloombase store safe 1pager mf solution brief template 2017
 
IRDAI Compliance & Data-Centric Security | Seclore
IRDAI Compliance & Data-Centric Security | SecloreIRDAI Compliance & Data-Centric Security | Seclore
IRDAI Compliance & Data-Centric Security | Seclore
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to Know
 

Similar to Owasp night faspay

Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.ppt
webhostingguy
 
Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.ppt
webhostingguy
 
Bengt Berg, Cybercom Security, Polen
Bengt Berg, Cybercom Security, PolenBengt Berg, Cybercom Security, Polen
Bengt Berg, Cybercom Security, Polen
Cybercom Group
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA Perspective
Mark Akins
 
Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...
Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...
Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...
DataWorks Summit
 
Generic_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresGeneric_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_Procedures
Samuel Loomis
 

Similar to Owasp night faspay (20)

2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
 
Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016
 
Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.ppt
 
Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.ppt
 
TOP SAILPOINT INTERVIEW QUESTION
TOP SAILPOINT INTERVIEW QUESTIONTOP SAILPOINT INTERVIEW QUESTION
TOP SAILPOINT INTERVIEW QUESTION
 
】=
】=】=
】=
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)
 
Bengt Berg, Cybercom Security, Polen
Bengt Berg, Cybercom Security, PolenBengt Berg, Cybercom Security, Polen
Bengt Berg, Cybercom Security, Polen
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step Guide
 
Making Compliance Business as Usual
Making Compliance Business as UsualMaking Compliance Business as Usual
Making Compliance Business as Usual
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA Perspective
 
Data Works Berlin 2018 - Worldpay - PCI Compliance
Data Works Berlin 2018 - Worldpay - PCI ComplianceData Works Berlin 2018 - Worldpay - PCI Compliance
Data Works Berlin 2018 - Worldpay - PCI Compliance
 
Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...
Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...
Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...
 
New york oracle users group 2013 spring general meeting ulf mattsson
New york oracle users group 2013 spring general meeting ulf mattssonNew york oracle users group 2013 spring general meeting ulf mattsson
New york oracle users group 2013 spring general meeting ulf mattsson
 
Maintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarMaintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish Kirtikar
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as Usual
 
GDPR Part 2: Quest Relevance
GDPR Part 2: Quest RelevanceGDPR Part 2: Quest Relevance
GDPR Part 2: Quest Relevance
 
PCI and Remote Vendors
PCI and Remote VendorsPCI and Remote Vendors
PCI and Remote Vendors
 
PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0
 
Generic_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresGeneric_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_Procedures
 

Recently uploaded

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Recently uploaded (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

Owasp night faspay

  • 1. F i r s t S t e p T o W e b A p p l i c a t i o n ( I S O 2 7 0 0 1 v s P C I D S S v s 1 0 T e n O W A S P ) Connecting Payment
  • 2. LET’S BEGIN NOW! Connecting Payment | faspay.co.id 2
  • 3. Connecting Payment | faspay.co.id 3 2011 – Now - Faspay System Development
  • 4. INTRODUCTION S E C T I O N 1
  • 5. WE MUST KNOW WHAT THE IMPORTANT THINGS. ISO 27001 PCI DSS / PA DSS Peraturan Bank Indonesia Nomor 18/40/PBI/2016 PP 11 Tahun 2008 (ITE) / PP 82 2012 Penyelengaraan Sistem dan Transaksi Elektronik / Permen No 4 TH 2016 Sistem ManajemenInformasi OWASP
  • 6. Definisi : Keamanan informasi merupakan perlindungan informasi dari berbagai ancaman agar menjamin kelanjutan proses bisnis, mengurangi risiko bisnis, dan meningkatkan return of investment (ROI) serta peluang bisnis (Chaeikar, etc., 2012). Meliputi aspek : Confidentiality Aspek yang menjamin kerahasiaan informasi atau data dan memastikan informasi hanya dapat diakses oleh pihak yang berwenang. Integrity Aspek yang menjamin data tidak dapat dirubah tanpa ada ijin pihak yang berwenang, menjaga kelengkapan informasi dan menjaga dari kerusakan atau ancaman lain yang bisa menyebabkan perubahan pada informasi atau data asli. Availability Aspek yang menjamin bahwa data akan tersedia pada saat dibutuhkan dan menjamin user dapat mengakses informasi tanpa adanya gangguan. Keamanan Informasi 6
  • 7. Connecting Payment | faspay.co.id 7
  • 8. Connecting Payment | faspay.co.id 8 A.5 Information Security policies (is related to requirement 12 of PCI-DSS) A.6 Organization of information security (is related to requirement 12 of PCI-DSS) A.7 Human resource security (is related to requirement 12 of PCI-DSS) A.8 Asset management (is related to requirement 12 of PCI-DSS) A.9 Access control (is related to requirement 7 of PCI-DSS) A.10 Cryptography (is related to requirement 4 of PCI-DSS) A.11 Physical and environmental security (is related to requirement 9 of PCI-DSS) A.12 Operations security (is related to requirements 1, 5, 10, and 11 of PCI-DSS) A.13 Communications security (is related to requirement 4 of PCI-DSS) A.14 System acquisition, development and maintenance (is related to requirement 6 of PCI-DSS) A.15 Supplier relationships A.16 Information security incident management A.17 Information security aspects of business continuity management A.18 Compliance
  • 9. S ynergy S E C T I O N 2
  • 10. Connecting Payment | faspay.co.id 10 PCI compliance password requirements as mandated by the Payment Card Industry Data Security Standards (PCI DSS) are clearly stated within Requirement 8 A2:2017-Broken Authentication Related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently. A.9 Access Control Password management systems shall be interactive and shall ensure quality passwords.
  • 11. 11 • Require a minimum length of at least seven characters. • Contain both numeric and alphabetic characters. • Users to change passwords at least every 90 day. • Password parameters are set to require that new passwords cannot be the same as the four previously used passwords. • First-time passwords for new users, and reset passwords for existing users, are set to a unique value for each user and changed after first use • User accounts are temporarily locked-out after not more than six invalid access attempts. • Once a user account is locked out, it remains locked for a minimum of 30 minutes or until a system administrator resets the account. • System/session idle time out features have been set to 15 minutes or less. • Passwords are protected with strong cryptography during transmission and storage. PCI COMPLIANCE PASSWORD REQUIREMENTS Connecting Payment | faspay.co.id
  • 13. DE S IGN S E C T I O N 3
  • 14. Connecting Payment | faspay.co.id 14 user user_access Authenticate Check Access 1. User Login 2. User Access Encrypted (PK)username password (PK)username AppsId Apps Menu Authenticate : Function Length & Complexcity Function ExpiryPassword Function EncryptedPassword (Salt)
  • 15. THANK YOU! Do You Have Any Questions?