Data Protection & Privacy
Application Security Fundamentals
by Secure Code Warrior Limited is licensed under CC BY-ND 4.0
What’s the concept about?
The application should implement security controls to ensure the protection and integrity of its sensitive information.

What could happen?
An attacker could retrieve sensitive and private information through stolen log files, caching, man-in-the-middle attacks or other means.

How to implement it?
Only store private information that is absolutely required. Make sure any stored or transmitted information is properly secured using encryption.

Understanding the concept: properly protected data

An internet payment company called “Paybuddy” is taking precautions to protect its customers from credit card theft.

Communications to and from the site are protected using TLS, preventing attackers from sniffing the traffic.

Credit card numbers are stored encrypted in the database using a strong algorithm.

Credit card numbers are never displayed in full, so attackers cannot view the numbers through shoulder surfing. Caching is turned off as well.

[Figure: the web application shows “User: John Doe” with the card as “CC: XXXXXXX420”; the database’s User / Credit Card table holds bcrypt(creditcard) values for John, admin and Bart.]
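
An added example, not part of the original deck, of three controls named so far: masking a card number for display, keeping it out of log files, and telling caches not to store the page. The function names, the three-visible-digit default and the sample log lines are assumptions made for the example; 4111111111111111 is a widely used test card number.

```python
import logging
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
_PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits):
    """Luhn checksum: separates card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_card(number, visible=3):
    """Display form: all digits but the last `visible` are replaced by X."""
    digits = re.sub(r"\D", "", number)
    if len(digits) <= visible:   # too short to reveal anything safely
        return "X" * len(digits)
    return "X" * (len(digits) - visible) + digits[-visible:]


def redact_pans(text):
    """Mask every Luhn-valid card number in a string; leave other digits alone."""
    def _mask(match):
        digits = re.sub(r"\D", "", match.group())
        return mask_card(digits) if luhn_valid(digits) else match.group()
    return _PAN_CANDIDATE.sub(_mask, text)


class PanRedactingFilter(logging.Filter):
    """Logging filter: card numbers are masked before a handler writes them."""

    def filter(self, record):
        record.msg = redact_pans(record.getMessage())
        record.args = ()         # the message is already formatted
        return True


def sensitive_page_headers():
    """Response headers for pages that carry card data."""
    return {
        "Cache-Control": "no-store",                      # no browser or proxy copy
        "Pragma": "no-cache",                             # legacy HTTP/1.0 caches
        "Strict-Transport-Security": "max-age=31536000",  # browser stays on HTTPS
    }


# Constructed sample log lines (test card number, made-up order id).
SAMPLE_LOG_LINES = [
    "payment ok user=john card=4111111111111111 amount=20.00",
    "payment ok user=bart card=4111-1111-1111-1111 amount=5.00",
    "refund queued order=1234567890123456",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        print(redact_pans(line))
    print(mask_card("4111 1111 1111 1111"))
    print(sensitive_page_headers())
```

Attach `PanRedactingFilter` to the log handler rather than to a single logger so that records from every module pass through it.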

What could happen with the concept? Unprotected data

This time, “Paybuddy” forgot to take precautions to properly protect its customers and their data.

An attacker sniffs traffic between the client and the server. He is able to steal sensitive information, such as the user’s credit card number.

An attacker who is able to retrieve weakly hashed credit card numbers will have little difficulty recovering them using rainbow tables.

An attacker who is shoulder surfing can see a full credit card number in the application, which can be abused to commit fraud.

[Figure: the web application shows “User: John Doe” with the card in full as “CC: 475629420”, which appears twice in the diagram; the database’s User / Credit Card table holds md5(creditcard) values for John, admin and Bart.]

Understanding the concept: source code protection

A software company is very careful in protecting the source code of their new mobile application.

The source code repository is stored on encrypted hardware in a secured server room.

The source code repository can only be accessed from their internal network. Access to the repository is limited to developers with the right clearance.

To protect the source code in production, heavy obfuscation techniques are applied to the application.

[Figure: source code protection, with Developer X, Developer Y and Developer Z.]

What could happen with the concept? Source code unprotected

The company’s intellectual property is in danger due to a lack of source code protection.

The repository is stored on a physically accessible server. Local attackers can copy the code, which is stored in clear text.

The repository is publicly accessible and therefore easier for attackers to target.

Without obfuscation, users can decompile the application and retrieve the source. It can be modified and repackaged to be sold by a third party.

[Figure: source code unprotected, with Developer X and Developer Y.]

Understanding the concept: user’s privacy respected

A certain web application allows users to create a profile. The application stores date of birth, sex, location, and religion.

The user’s private information is stored in a database with restricted access.

Only the database administrator has access to the database and the information. Additionally, he had to sign a non-disclosure agreement.

[Figure: John’s info (User: John Doe, DoB: 29/02/1973, Sex: M, Location: Sydney, Religion: Pastafari) is reachable only by the DB Admin.]

What could happen with the concept? Privacy issues

A certain web application allows users to create a profile. The application stores date of birth, sex, location, and religion.

The user’s private information is stored in a database with restricted access.

Before a new release, the database contents are copied to a development environment for testing purposes.

All developers working on the application can view the user’s private information in the development database. This clearly causes privacy issues.

[Figure: John’s info (User: John Doe, DoB: 29/02/1973, Sex: M, Location: Sydney, Religion: Pastafari) is copied to Development, where Developer 1 and Developer 2 can see it.]
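
One way to avoid the situation on this slide, as an added example that is not part of the original deck: scrub each profile row with an allowlist policy before it is copied to development. The column names follow the slide's profile; the policy itself, the function names, the extra `email` column, the second user and the demo key are assumptions made for the example.

```python
import hashlib
import hmac
import re

_DOB_FORMAT = re.compile(r"\d{2}/\d{2}/(\d{4})")


def pseudonym(value, key):
    """Keyed, stable stand-in for a name: equal inputs give equal outputs, so
    joins across tables still work, but it cannot be recomputed without the key."""
    tag = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:12]
    return "user_" + tag


def birth_year(dob):
    """'DD/MM/YYYY' -> 'YYYY' (format check only); enough for age-related tests."""
    match = _DOB_FORMAT.fullmatch(dob)
    if match is None:
        raise ValueError("unexpected date-of-birth format")
    return match.group(1)


# Hypothetical policy: only columns listed here ever reach development.
# Religion is deliberately absent, so it is withheld like any unknown column.
POLICY = {
    "user": pseudonym,
    "dob": lambda value, key: birth_year(value),
    "sex": lambda value, key: value,
    "location": lambda value, key: "Testville",   # fixed placeholder city
}


def scrub_row(row, key):
    """Return (scrubbed_row, dropped_columns) for one production row."""
    scrubbed, dropped = {}, []
    for column, value in row.items():
        rule = POLICY.get(column)
        if rule is None:
            dropped.append(column)   # fail closed: not in the policy, not copied
        else:
            scrubbed[column] = rule(value, key)
    return scrubbed, dropped


def scrub_table(rows, key):
    """Scrub every row and report which columns were withheld, for review."""
    out, withheld = [], set()
    for row in rows:
        scrubbed, dropped = scrub_row(row, key)
        out.append(scrubbed)
        withheld.update(dropped)
    return out, sorted(withheld)


# Constructed demo key. A real key comes from a secret store on the production
# side and is never shipped to the development environment.
DEMO_KEY = b"constructed-demo-key"

# Constructed rows: the slide's profile plus a second made-up user. The email
# column stands for a field added to production after the policy was written.
PROD_ROWS = [
    {"user": "John Doe", "dob": "29/02/1973", "sex": "M",
     "location": "Sydney", "religion": "Pastafari", "email": "john@example.test"},
    {"user": "Jane Roe", "dob": "01/01/1980", "sex": "F",
     "location": "Perth", "religion": "None", "email": "jane@example.test"},
]

if __name__ == "__main__":
    dev_rows, withheld = scrub_table(PROD_ROWS, DEMO_KEY)
    for row in dev_rows:
        print(row)
    print("withheld columns:", withheld)
```

Because the policy is an allowlist, a column added to production later stays out of development until someone decides how it should be treated.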

Typical controls

Only store private information if absolutely needed.
Don’t hard-code secret information in source code.
Don’t store DB credentials or encryption keys in plain text.
Securely store all sensitive user information.
Send traffic over a secure communication channel.
Inform users using a privacy policy.
