Web Application Security for the Payment Card Industry
Abhay Bhargav's talk at the BT-Summit 09 on "Web Application Security for the Payment Card Industry"

  1. Web Application Security for the Payment Card Industry
     Abhay Bhargav, Principal Consultant and CTO - The we45 Group
     Tuesday, April 20, 2010

  2. Who am I?
     • Application Security and Compliance Specialist
     • Performed over 50 security assessments across 18 countries
     • Co-author of Secure Java for Web Application Development
     • Spoken at several events including the OWASP AppSec NYC 2008
     • Trainer and Workshop Lead for Security Training Workshops
     • My blog: http://citadelnotes.blogspot.com

  3. Why am I here?
  4. Web Applications - A Growing Force
     • The growing footprint of Internet and Intranet Applications
     • Unprecedented adoption of E-Commerce all over the world
     • Worldwide Internet usage - 24.7% and growing at 362%
     • Increasing influence of the Internet in the interchange of commercial information
  5. Web Applications - Trouble in Paradise
     • Network and OS attacks are too much work
     • Sensitive Information is a mere browser attack away!
     • Application Developers are far from the promised land
     • Power of Free Expression - Internet - The Double Edged Sword

  6. Who's watching? And what does it mean?
     • Regulations are the driving force for security in Web Applications
     • PCI-DSS and PA-DSS
     • US State Laws modeled on Card Security
     • Fines, Penalties and Lawsuits - The Whole Nine Yards
     • Reputation drives Motivation
     • Forensics - The beginning of a long and arduous relationship

  7. Some hard truths
     • Your users need to be protected against YOUR users
     • All data you handle is YOUR problem
     • A security breach can have a serious bearing on YOUR finances and reputation
     • Having the best OS Security and Network Security is just NOT enough
     • Ignorance != Innocence

  8. What is the cure?
     • Authentication and Authorization
     • Application Crypto
     • Logging and Log Management
     • Secure Coding Practices
     • SDLC
     • Other Best Practices

  9. Authentication and Authorization - A foot in the door
     • Flawed authentication systems - One of the top causes of Web Application attacks
     • Lack of clarity for Role Based Access Control - Access Control Matrix
     • Authorization issues
       • Client Side Syndrome - Over-reliance on Javascript
       • Improper authorization system - server side

  10. Authentication and Authorization - 2
     • Password Management
       • Password Storage
       • Hardcoding
       • Password encryption = null
       • Password Transmission
     • Sessions
       • The Guessing Game
       • Session Handlers

  11. Application Crypto - Scrambled Eggs
     • Store if you must, Protect if you store
     • Crypto - Something that can go horribly wrong
     • No "Home-Grown" Crypto
     • Key Management - An oft-forgotten aspect of cryptography

  12. Application Logs - Are you watching closely?
     • Logs are not unnecessary overhead. They could save your life
     • Logs should capture pertinent details
     • Sensitive Information should not be logged
     • Exceptions and Errors should be logged
     • Administrative users are not above the law
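The password-storage and session points on slide 10, worked through in Python as an added example that is not part of the talk: passwords go through a salted, iterated hash (PBKDF2-HMAC-SHA256 here) rather than being stored in the clear or "encrypted" with no key, verification compares in constant time, and session identifiers come from the operating system's CSPRNG so they cannot be guessed. The iteration count, salt size and record format are this example's own choices, not values from the slides.

```python
import hashlib
import hmac
import os
import secrets

# Example choices, not values from the talk: tune iterations to your hardware budget.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt>$<hash>'.

    A fresh random salt per user means two users with the same password do not
    share a stored value, and the iteration count makes offline guessing slow.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed, never fall back to a plaintext compare
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest, expected)


def new_session_id(nbytes: int = 32) -> str:
    """Session identifiers come from the OS CSPRNG: 256 bits of entropy as URL-safe text.

    Counters, timestamps or hashes of the username are the "guessing game" the slide
    warns about; none of them should ever seed a session identifier.
    """
    return secrets.token_urlsafe(nbytes)
```

Storing the algorithm name and iteration count alongside the hash is what lets you raise the work factor later: records written under the old parameters still verify, and can be re-hashed on the user's next successful login.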
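The "sensitive information should not be logged" and "administrative users are not above the law" points from slide 12, as an added Python example that is not part of the talk. A logging filter masks any Luhn-valid card number in a message down to the first six and last four digits (the PCI DSS masking rule) before the line is written, so the log keeps its diagnostic value (which authorization failed, which administrator did what) without turning into a store of cardholder data. The logger name, message format and sample events are constructed for this example.

```python
import logging
import re

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; keeps order numbers and timestamps that merely look like PANs unmasked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(text: str) -> str:
    """Leave the first six and last four digits visible; replace the rest with asterisks."""
    def redact(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)  # not a card number: keep it, it is useful for diagnostics
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return PAN_CANDIDATE.sub(redact, text)


class PanMaskingFilter(logging.Filter):
    """Renders the message once, masks it, and drops the args so nothing unmasked survives."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask_pan(record.getMessage())
        record.args = ()
        return True


class _ListHandler(logging.Handler):
    """Collects formatted lines in memory so the example runs without a log file."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def demo_log_lines() -> list[str]:
    """Constructed sample events (not real data) run through a logger that carries the filter."""
    logger = logging.getLogger("pci.demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(PanMaskingFilter())
    logger.addHandler(handler)
    # 4111 1111 1111 1111 is a well-known test number; 1234567890123456 fails the Luhn check.
    logger.info("authorization declined for card %s, txn %s", "4111 1111 1111 1111", "1234567890123456")
    logger.warning("admin %s exported the settlement report", "alice")  # admin actions are logged too
    return handler.lines
```

Masking at the log sink is a safety net, not a substitute for keeping PANs out of log calls in the first place: the filter only sees what reaches the logger, and a debug dump of a request object can still carry card data in a shape the regular expression does not recognise.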
  13. Secure Coding Practices - Practice Makes Perfect
     • Input Validation - Trust user input at your own peril
       • Regular Expressions
       • Parameterized SQL Queries
       • Javascript validation is not enough
     • Direct Object Reference - Do not expose sensitive files directly
     • File Execution - Malicious File Execution usually = Complete System Compromise
     • Custom Error Pages - Nipping attacks in the bud
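The input-validation, direct-object-reference and custom-error-page points from slide 13, as an added Python example that is not part of the talk. It puts a string-concatenated query next to its parameterized replacement on an in-memory SQLite table, confines a user-supplied report name to a fixed directory so a "../" in the name cannot reach files outside it, and wraps the lookup so the client receives a generic message while the exception detail goes to the log. The table, merchant ids, report directory and id format are constructed for this example.

```python
import logging
import re
import sqlite3
from pathlib import Path

# Allow-list for the identifier format this example's merchants use (an assumption).
MERCHANT_ID = re.compile(r"[A-Z][0-9]{4}")
log = logging.getLogger("app.lookup")


def setup_db() -> sqlite3.Connection:
    """Constructed sample table; the rows are not real merchant data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id TEXT PRIMARY KEY, name TEXT, tier TEXT)")
    conn.executemany(
        "INSERT INTO merchants VALUES (?, ?, ?)",
        [("M1001", "Acme Books", "gold"), ("M1002", "Bolt Cafe", "silver")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, merchant_id: str) -> list:
    """The anti-pattern: the untrusted value becomes part of the SQL statement text,
    so a quote in the input changes the query rather than the data it matches."""
    query = f"SELECT id, name FROM merchants WHERE id = '{merchant_id}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, merchant_id: str) -> list:
    """Validate against the allow-list first, then bind the value as a parameter.
    Even without the allow-list the driver keeps the value out of the statement text."""
    if not MERCHANT_ID.fullmatch(merchant_id):
        raise ValueError("merchant id does not match the allowed format")
    return conn.execute("SELECT id, name FROM merchants WHERE id = ?", (merchant_id,)).fetchall()


def resolve_report_path(report_root: str, requested: str) -> str:
    """Direct object reference done safely: resolve the requested name under the
    report directory and refuse anything that lands outside it (symlinks included)."""
    root = Path(report_root).resolve()
    candidate = (root / requested).resolve()
    if root not in candidate.parents:
        raise PermissionError("requested report is outside the report directory")
    return str(candidate)


def safe_lookup(conn: sqlite3.Connection, merchant_id: str) -> dict:
    """Custom error handling: detail goes to the log, the client sees a generic message."""
    try:
        return {"ok": True, "rows": lookup_parameterized(conn, merchant_id)}
    except Exception as exc:  # stack traces and SQL text never reach the browser
        log.error("merchant lookup failed for %r: %r", merchant_id, exc)
        return {"ok": False, "error": "The request could not be processed."}
```

The allow-list check and the bound parameter are two independent layers: the regular expression rejects anything that is not shaped like a merchant id before a query is built, and the parameter binding means that even a value which slipped past validation would be compared as data, never executed as SQL.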
  14. SDLC + Security = Strong Application
     • Integration of Risk Management into the SDLC
       • Identifying Critical Information Assets
       • Threat and Impact Analysis
       • Vulnerability Assessment
     • Development of Security Controls - Detailed Security Requirements
     • Developer Training and Awareness
     • Management Representation and Drive

  15. SDLC - 2
     • Code reviews for security should be incorporated into the SDLC
     • Vulnerability Assessments + Penetration Testing - The Blind Parent Syndrome
     • Change Management

  16. Other Measures
     • Deployment is not something you can forget - Involving Information Security
     • Continuous Monitoring - Vulnerabilities in the underlying elements
     • Going back to the drawing board if necessary

  17. Thank you!!! Questions??
     • My blog: http://citadelnotes.blogspot.com
     • Keep in touch: http://www.linkedin.com/in/abhaybhargav
     • Email: abhay@we45.com, abhaybhargav@gmail.com