About Security Innovation
• Securing software in all the challenging places…
• …while helping clients get smarter
• Assessment: show me the gaps
• Standards: set goals and make it easy
• Education: help me make good decisions
• Over 3 million users; authored 18 books; named 6x in the Gartner Magic Quadrant
Agenda
• Identifying and preventing critical vulnerabilities
• Restricting access to cardholder data: "need to know"
• Test and threat mitigation techniques
Injection
Occurs when an interpreter confuses input as commands: untrusted data is concatenated into a command or query, and the interpreter cannot tell where the data ends and the syntax begins.
A successful attack can allow an attacker to:
• Steal data from tables
• Modify content
• Steal content from files on the server
• Gain complete access to the host
• Chain exploits
• Pivot to other networked servers
There are many types of injection:
• Command injection
• SQL injection (SQLi)
• LDAP injection
• XPath, NoSQL, template and expression-language injection follow the same pattern
It can happen wherever user-controlled input reaches ANY interpreter, not only in interpreted languages: a compiled Java or C# application that builds SQL by string concatenation is just as exposed.
Testing for SQL Injection
• First identify every input that is used to build a SQL query, including hidden fields, POST bodies, cookies and HTTP headers, not just the visible form fields.
• The two most common initial probes are:
  • Adding a single quote ('), which delimits string literals in SQL; an unbalanced quote typically produces a syntax error
  • Adding a semicolon (;), which terminates a SQL statement and may allow a second, stacked statement to follow
• Test each field separately, then in combination where possible.
• Do not rely on error messages alone: when errors are suppressed, compare the responses to a true/false pair such as ' AND '1'='1 versus ' AND '1'='2 (boolean-based blind testing). A difference in the response means the condition was evaluated by the database.
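The probes above, run against a vulnerable and a parameterized query side by side. This is an added example and not code from the deck; it uses Python's built-in sqlite3 module with a constructed three-row customers table, and the function and table names are assumptions. It also illustrates the "use a safe API" guidance from the later Protecting Applications slide: the parameterized version accepts the legitimate last name O'Brien that the concatenated version chokes on.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory table with constructed sample rows (not data from the deck)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, last_name TEXT, pan_last4 TEXT)"
    )
    con.executemany(
        "INSERT INTO customers (last_name, pan_last4) VALUES (?, ?)",
        [("Smith", "1111"), ("O'Brien", "2222"), ("Jones", "3333")],
    )
    return con


def find_by_last_name_vulnerable(con: sqlite3.Connection, last_name: str) -> list:
    """Builds the statement by string concatenation: the interpreter cannot tell
    where the data ends and the SQL begins, so a quote in the input becomes syntax."""
    sql = f"SELECT last_name, pan_last4 FROM customers WHERE last_name = '{last_name}'"
    return con.execute(sql).fetchall()


def find_by_last_name_safe(con: sqlite3.Connection, last_name: str) -> list:
    """Parameterized query: the statement is compiled first and the value is bound
    afterwards, so a quote in the input is only ever a quote in the data."""
    sql = "SELECT last_name, pan_last4 FROM customers WHERE last_name = ?"
    return con.execute(sql, (last_name,)).fetchall()


def probe(con, query_fn, value: str) -> tuple:
    """Send one test input and summarize the observable behaviour as either
    ('ok', row_count) or ('error', exception_name). Every exception is caught
    because drivers differ in how they report stacked statements."""
    try:
        return ("ok", len(query_fn(con, value)))
    except Exception as exc:  # noqa: BLE001 - every failure mode is interesting here
        return ("error", type(exc).__name__)


def detect_sqli(con, query_fn, base: str = "Smith") -> bool:
    """Boolean-based check for when error messages are suppressed: the two inputs
    differ only in a condition that is true vs. false inside the injected SQL,
    so a difference in the response means the condition was evaluated."""
    true_case = probe(con, query_fn, base + "' AND '1'='1")
    false_case = probe(con, query_fn, base + "' AND '1'='2")
    return true_case != false_case


PROBES = [
    "Smith",                         # baseline
    "Smith'",                        # unbalanced quote -> syntax error if injectable
    "x'; DROP TABLE customers; --",  # semicolon: stacked statement (the sqlite3 module refuses it)
    "' OR '1'='1",                   # tautology: returns every row if injectable
    "O'Brien",                       # legitimate input that contains the metacharacter
]

if __name__ == "__main__":
    con = make_db()
    for fn in (find_by_last_name_vulnerable, find_by_last_name_safe):
        print(fn.__name__, "injectable:", detect_sqli(con, fn))
        for value in PROBES:
            print("  ", repr(value), "->", probe(con, fn, value))
```

Python's sqlite3 module refuses to run more than one statement per execute() call, so the semicolon probe shows up as an error here; with drivers that allow stacked queries the same input would execute the DROP TABLE.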
Testing for Command Injection
• Identify code capable of passing user-supplied data to the operating system (system(), exec(), popen(), shell_exec(), backticks, process-spawning calls that go through a shell)
• Identify the request parameters that reach those calls
• Create a fuzz list of payloads for the OS command being used: shell metacharacters such as ; | & && || newline, $(...) and backticks, each one a different way to end or nest a command
• Use a fuzzer to determine whether the payloads cause the application to behave differently (an extra line of output, a delay from sleep, an outbound DNS request)
• Confirm the possibility of OS command injection with a harmless, observable command before reporting it

How to Test for Command Injection
• The approach is similar to testing for SQL injection, but the tools used (fuzzers) may differ from those used during development and are the same ones attackers use
• Typically the focus is the server-side scripting engine run by the web server, such as ASP or PHP, where the tester's input is processed either as dynamic code or as an included file (code injection) or handed to a shell (command injection)
• To defend against these attacks, avoid invoking a shell at all (pass arguments as an argv array), apply allowlist input validation, and follow secure coding practices
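The procedure from the two slides above as a runnable harness: a fuzz list, a detector that looks for a difference only the shell could have produced, and the vulnerable call beside its argv-based replacement. This is an added example, not code from the deck. The lookup command is a harmless echo standing in for a real nslookup/ping wrapper, the hostname allowlist is an assumption, and the canary is an arithmetic expansion so that "42" can appear in the output only when the shell evaluated the payload, never when it was passed through as data.

```python
import re
import subprocess


def resolve_vulnerable(host: str) -> str:
    """Runs a fixed command with a user-supplied argument via the shell.
    shell=True passes the whole string to /bin/sh -c, so any shell metacharacter
    in `host` is interpreted as syntax rather than as part of the argument."""
    cmd = f"echo lookup {host}"  # assumed stand-in for a real lookup such as nslookup
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allowlist (assumed): the only things a hostname may contain are letters, digits, dots, hyphens.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def resolve_safe(host: str) -> str:
    """Same lookup without a shell: the argument vector goes straight to execve(),
    so `host` can only ever be one argument, and the allowlist rejects junk early."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return subprocess.run(["echo", "lookup", host], capture_output=True, text=True).stdout


# Fuzz list: each payload tries a different way of ending or nesting a command.
# The canary is an arithmetic expansion: the text "42" appears in the output only
# if the shell actually evaluated it, never if the payload was treated as data.
CANARY_EXPR = "$((6*7))"
CANARY = "42"
PAYLOADS = [
    f"; echo {CANARY_EXPR}",   # command separator
    f"| echo {CANARY_EXPR}",   # pipe
    f"&& echo {CANARY_EXPR}",  # conditional chain
    f"$(echo {CANARY_EXPR})",  # command substitution
    f"`echo {CANARY_EXPR}`",   # legacy command substitution
    f"\necho {CANARY_EXPR}",   # newline as separator
]


def fuzz_command_injection(lookup, base: str = "example.com") -> list:
    """Run every payload through `lookup` and return those whose output proves
    the shell evaluated attacker-controlled syntax."""
    hits = []
    for payload in PAYLOADS:
        try:
            out = lookup(base + payload)
        except ValueError:
            continue  # rejected by validation before any process ran
        if CANARY in out:
            hits.append(payload)
    return hits


if __name__ == "__main__":
    print("vulnerable:", fuzz_command_injection(resolve_vulnerable))
    print("safe:      ", fuzz_command_injection(resolve_safe))
    print(resolve_safe("example.com").strip())
```

Against a real web application the same idea applies, but the canary has to be something observable from the outside: a sleep that changes response time, or a DNS lookup of a name you control.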
Checking for LDAP Injection
• Determine interaction: determine whether the feature interacts with an LDAP directory and whether it uses input to form the search filter or a distinguished name (DN)
• Identify metacharacters: identify the search-filter metacharacters ( ) * \ and NUL, and the DN metacharacters , + " \ < > ; = which need different escaping
• Create fuzz-list payloads to fuzz the LDAP query, for example * to test wildcard matching and )(cn=*) to test filter breakout
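A worked version of the three steps above, added here and not part of the deck: a login filter built by concatenation next to one that escapes filter values per RFC 4515, plus a small structural check that counts top-level filter expressions so the breakout payload is visible without a directory server. The filter template and payloads are assumptions; in production use the filter-escaping routine your LDAP library provides, and remember that values placed in a DN follow RFC 4514 rules with a different character set.

```python
# RFC 4515 section 3: characters that must be hex-escaped inside a search-filter value.
FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one value for use inside an LDAP search filter. The per-character
    loop means a backslash in the input is escaped exactly once."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_filter_vulnerable(user: str, password: str) -> str:
    """Concatenates raw input into the filter, so ( ) * and backslash in the
    input become filter syntax."""
    return f"(&(uid={user})(userPassword={password}))"


def login_filter_safe(user: str, password: str) -> str:
    return f"(&(uid={escape_filter_value(user)})(userPassword={escape_filter_value(password)}))"


def top_level_filters(flt: str) -> int:
    """Count parenthesized filter expressions at the top level, honouring escapes.
    A well-formed filter built from one template has exactly one; more than one
    (or an unbalanced filter) shows that input altered the structure."""
    depth = groups = 0
    i = 0
    while i < len(flt):
        ch = flt[i]
        if ch == "\\":
            i += 2  # skip the backslash and the first hex digit; hex digits are never parens
            continue
        if ch == "(":
            if depth == 0:
                groups += 1
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced filter")
        i += 1
    if depth != 0:
        raise ValueError("unbalanced filter")
    return groups


# Constructed payloads: a bare wildcard and the classic filter breakout.
WILDCARD_USER = "*"
BREAKOUT_USER = "*)(uid=*))(|(uid=*"

if __name__ == "__main__":
    for user in (WILDCARD_USER, BREAKOUT_USER):
        for build in (login_filter_vulnerable, login_filter_safe):
            flt = build(user, "secret")
            print(f"{build.__name__:25} {top_level_filters(flt)} filter(s): {flt}")
```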
Example: PHP Injection in a JPEG file [slide image not reproduced in this transcript]
Protecting Applications from Injection Vulnerabilities
• Keep untrusted data separate from commands and queries
• Use a safe API (parameterized queries, prepared statements, argv-style process execution) and validate your assumptions about the APIs you use
• If a parameterized API is not available, carefully escape special characters for the specific context (SQL, shell, LDAP filter, LDAP DN, ...) using a library routine rather than a hand-written replace
• Use whitelist input validation with appropriate canonicalization (decode and normalize the input before checking it, so an encoded form cannot slip past the check)
• Most web frameworks provide API functions to address injection attacks, including character escaping and whitelist validation
Note: Whitelist validation is not a complete defense against injection on its own, because many applications legitimately require special characters in their input (for example, a last name such as O'Brien). Validation shrinks the attack surface; parameterization is what actually keeps data separate from code.
Cross-Site Scripting (XSS) Attack
• Attacker-controlled script is executed in the user's browser, within the origin of the vulnerable application
• Can perform actions on behalf of the user within the application (using the user's session) and abuse the user's browser
• Example: can force the browser to request a web page containing exploit code that will execute malicious code on the user's system
Preventing XSS
• Use a secure framework (one whose templating engine encodes output by default)
• Encode data at the point of output, not on input
• Understand the context in which your data will be used
  • Especially important when transmitting data between different components
  • For data that will be output to another web page, use the appropriate encoding on all non-alphanumeric characters
  • Parts of the same output document may require different encodings (HTML body, HTML attribute, JavaScript string, URL parameter, CSS), which vary depending on where the output resides; HTML entity encoding alone does not protect a value placed inside a script block, because script content is not HTML-decoded
The Microsoft Anti-XSS Library provides excellent encoding functionality for the .NET platform (its encoder later shipped in the framework as System.Web.Security.AntiXss.AntiXssEncoder). Other platforms have their own similar functionality, such as the OWASP Java Encoder.
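The "different encoding per context" point made concrete, as an added example rather than code from the deck: one untrusted value rendered into an HTML body, a quoted attribute, a JavaScript string and a URL parameter, each through its own encoder, using Python's standard library as a stand-in for the AntiXSS encoders. The page template and the href allowlist are assumptions.

```python
import html
import json
from urllib.parse import quote, urlsplit


def encode_for_html_body(value: str) -> str:
    """Text between tags: & < > " ' become entities."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value: str) -> str:
    """Same entity set, but only safe when the attribute is also quoted in the template."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Inside <script>: JSON-encode (quotes, backslashes, control and non-ASCII
    characters), then also escape < > & as \\uXXXX so the HTML parser can never
    see </script> and end the script block early. Entity encoding would be wrong
    here because script content is not HTML-decoded."""
    encoded = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        encoded = encoded.replace(ch, esc)
    return encoded


def encode_for_url_parameter(value: str) -> str:
    """A value inside a query string: percent-encode everything but unreserved chars."""
    return quote(value, safe="")


def safe_href(url: str) -> str:
    """Untrusted data used as a whole URL needs a scheme allowlist, not just
    encoding: javascript: and data: URLs are syntactically valid."""
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_profile(name: str, next_url: str) -> str:
    """The same untrusted value placed in four contexts, each with its own encoder."""
    return (
        f"<p>Hello, {encode_for_html_body(name)}</p>\n"
        f'<input type="text" value="{encode_for_html_attribute(name)}">\n'
        f"<script>var user = {encode_for_js_string(name)};</script>\n"
        f'<a href="/next?u={encode_for_url_parameter(name)}">continue</a>\n'
        f'<a href="{safe_href(next_url)}">return</a>'
    )


if __name__ == "__main__":
    payload = '"><script>alert(1)</script>'
    print(render_profile(payload, "javascript:alert(1)"))
```

The failure mode worth remembering is the JavaScript context: json.dumps alone leaves </script> intact, and the HTML parser ends the script element on that sequence regardless of JavaScript string state.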
Restricting Access to Cardholder Data – "need to know"
"Need to Know" Access Rights
• Ensure critical data (cardholder data in particular) can only be accessed by authorized personnel and processes
• Define and classify the data explicitly, so that developers do not have to guess what is sensitive
• Systems and processes must be in place to limit access based on job responsibilities
• Access rights are granted to only the least amount of data and privileges needed to perform a job
• System components, processes, and software should be tested frequently to ensure security controls reflect a changing environment
Principle of Least Privilege
• Accomplishes two things:
  • Reduces the attack surface
  • Limits what an attacker can do after a successful attack
• Common implementation techniques:
  • Running the application in a limited-user account context
  • Removing write privileges for the web application's user
  • Configuring the firewall to allow only HTTP or HTTPS to the web tier
  • Setting file permissions that prevent modification of web content files
Least Privilege Best Practices
• Start with nothing (deny by default) and add permissions only as a demonstrated need arises
• Segment your application for a role-based approach
• Consider granting temporary privilege and revoking it upon completion
• Have stakeholder buy-in
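The "need to know" and least-privilege slides above, as an added example (not code from the deck): a deny-by-default policy that maps roles to the cardholder-data fields they may see, PAN masking to the first six and last four digits as PCI DSS Requirement 3.3 allows, and a time-boxed grant that revokes itself. The roles, field names and sample record are constructed for illustration.

```python
import time

# Role -> fields of a cardholder record the role may see. Deny by default:
# a role that is not listed, or a field that is not listed, is refused.
# Constructed roles for illustration, not from the deck.
ROLE_FIELDS = {
    "customer_service": {"cardholder_name", "pan_masked", "expiry"},
    "fraud_analyst": {"cardholder_name", "pan_masked", "expiry"},
    "settlement_batch": {"pan", "expiry"},  # the one job that needs the full PAN, and nothing else
}


def mask_pan(pan: str) -> str:
    """PCI DSS 3.3 display masking: at most the first six and last four digits."""
    digits = pan.replace(" ", "")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class CardholderDataAccess:
    def __init__(self, policy=ROLE_FIELDS):
        self.policy = policy
        self.temporary = {}  # (role, field) -> expiry, epoch seconds
        self.audit = []      # every grant and every access, for review

    def grant_temporary(self, role: str, field: str, seconds: int, now=None) -> None:
        """Time-boxed elevation: revoked automatically, no cleanup step to forget."""
        now = time.time() if now is None else now
        self.temporary[(role, field)] = now + seconds
        self.audit.append(("grant", role, field, now + seconds))

    def allowed_fields(self, role: str, now=None) -> set:
        now = time.time() if now is None else now
        fields = set(self.policy.get(role, set()))
        # drop expired grants as a side effect so they cannot linger
        for (r, f), until in list(self.temporary.items()):
            if until <= now:
                del self.temporary[(r, f)]
            elif r == role:
                fields.add(f)
        return fields

    def view(self, role: str, record: dict, now=None) -> dict:
        """Return only the fields the role may see; unknown roles get nothing at all."""
        if role not in self.policy:
            raise PermissionError(f"role {role!r} has no access to cardholder data")
        out = {}
        for field in self.allowed_fields(role, now):
            if field == "pan_masked":
                out[field] = mask_pan(record["pan"])
            elif field in record:
                out[field] = record[field]
        self.audit.append(("view", role, sorted(out)))
        return out


# Constructed sample record. Sensitive authentication data (CVV, full track data)
# must never be stored after authorization, so it does not appear here.
SAMPLE_RECORD = {"cardholder_name": "A. Cardholder", "pan": "4111 1111 1111 1111", "expiry": "12/27"}

if __name__ == "__main__":
    ac = CardholderDataAccess()
    print(ac.view("customer_service", SAMPLE_RECORD))
    ac.grant_temporary("fraud_analyst", "pan", seconds=300)
    print(ac.view("fraud_analyst", SAMPLE_RECORD))
    print(ac.audit)
```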
Security Misconfiguration
Improperly secured operating systems, web server applications, and databases all contribute to the overall attack surface.
Most misconfiguration mistakes are common and well documented, which makes them a preferred attack vector: they are easy to find with a scanner and easy to exploit.
Defending the Operating System (OS)
• Keep the system up to date with the latest OS, web server, database, and other software patches (more details to follow)
• Install only what is necessary for your purpose
• Strictly limit user accounts and disable or rename default accounts
• Establish strong password policies for the OS and all installed applications
• Set file and directory permissions to the least necessary to run the required applications

Defending the OS (cont'd)
• Review OS settings that can improve system security
• Ensure that proper system auditing and log file management is in place
• Avoid installing software development and debugging tools on a production server
• Install antivirus and other security software as appropriate
• Consider using a hardening guide or tool appropriate for your OS (the CIS Benchmarks are the common starting point)
• Ensure that the server is physically secure
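One of the checks behind the permissions bullets above (and "removing write privileges for the web application's user" on the least-privilege slide), as an added example that is not code from the deck: a walk over a document root that reports world-writable and setuid/setgid entries, and anything the web server account itself could modify. The sample document root is constructed in a temporary directory, and the uid/gid values are assumptions; the permission evaluation is the classic Unix owner/group/other check and ignores root and ACLs.

```python
import os
import stat
import tempfile
from pathlib import Path


def writable_by(st: os.stat_result, uid: int, gid: int) -> bool:
    """Classic Unix permission check (ignores root and ACLs): owner bits if the
    account owns the file, else group bits if it is in the file's group, else other."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_web_root(root: Path, web_uid: int, web_gid: int) -> list:
    """Walk the document root and report every file or directory that the web
    server account could modify, plus world-writable and setuid/setgid entries.
    Returns (relative path, reason) pairs, sorted for stable output."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # the link target is judged on its own when the walk reaches it
            rel = str(path.relative_to(root))
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid"))
            if writable_by(st, web_uid, web_gid):
                findings.append((rel, "writable by web server account"))
    return sorted(findings)


def audit_as_owner(root: Path) -> list:
    """Worst case: the web server runs as the account that owns the content."""
    return audit_web_root(root, os.getuid(), os.getgid())


def make_sample_web_root() -> Path:
    """Constructed document root for the demo; owned by whoever runs the script."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "uploads").mkdir()
    os.chmod(root / "uploads", 0o777)              # classic mistake: world-writable upload dir
    (root / "index.html").write_text("<h1>hi</h1>")
    os.chmod(root / "index.html", 0o644)           # fine unless the web user owns it
    (root / "config.php").write_text("<?php // db creds ?>")
    os.chmod(root / "config.php", 0o666)           # world-writable config
    (root / "cgi-bin").mkdir()
    os.chmod(root / "cgi-bin", 0o755)
    (root / "cgi-bin" / "helper").write_text("#!/bin/sh\n")
    os.chmod(root / "cgi-bin" / "helper", 0o4755)  # setuid script
    return root


if __name__ == "__main__":
    root = make_sample_web_root()
    # Content should be owned by a deploy account, not by the account serving it.
    # Assume the web server runs as an unrelated account (uid/gid 24680, made up).
    for rel, why in audit_web_root(root, web_uid=24680, web_gid=24680):
        print(f"{why:32} {rel}")
    print("--- if the web server ran as the file owner:")
    for rel, why in audit_as_owner(root):
        print(f"{why:32} {rel}")
```

The second run is the point of the least-privilege bullet: with content owned by the serving account, even a correctly set 0644 index.html is writable by a compromised worker process, so the fix is ownership and account separation, not just mode bits.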
Security Patching Process Document
• Platform application update procedures and anticipated delays
• Non-technical procedures
• Application security bug bar
• Third-party code and services used by applications
• Alternative patch delivery methods
• Escalation paths
• Availability of on-call support resources

Test & Threat Mitigation Techniques
Techniques to Identify Vulnerabilities and Mitigate Risk
• Vulnerability scanners
• Penetration testing
• Threat modeling
• Fuzzing
Vulnerability Scanning
• Many standards require regular scanning to maintain compliance; PCI DSS Requirement 11 calls for quarterly internal and external vulnerability scans, with the external scans performed by an Approved Scanning Vendor (ASV), and rescans after significant changes.
• Scanners are pre-programmed to detect known patterns, syntax, and vulnerabilities (signatures, version banners, known-bad configurations).
• Scanners are great at finding common vulnerabilities and misconfigurations faster than humans, but they are prone to:
  • False positives: a scanner can only flag potential issues, so findings still need to be validated by a person, which is time consuming
  • False negatives: scanners routinely miss business logic flaws, authorization bugs, and multi-step vulnerabilities, which leads to a false sense of security
Penetration Testing
• Penetration tests differ from vulnerability scans in that attacks are actually performed and vulnerabilities are actually exploited, proving impact rather than listing possibilities.
• Regular penetration tests are often required by regulations and by contractual standards such as PCI DSS, which calls for internal and external penetration testing at least annually and after any significant change.
• Penetration tests are performed by security experts who use custom and off-the-shelf tools together with manual techniques.
• Unlike vulnerability scanners, penetration testers can adapt to custom protocols and business logic.
• Because penetration testers are human, they cannot scale to the same degree as automated scanners; use scanners for breadth and testers for depth.
Threat Modeling
• Secure software starts by thinking about threats
• Threats are NOT vulnerabilities; a threat exists as long as the asset and the attacker's goal exist, whether or not a particular vulnerability is present, so it lives forever
• Think about the attacker's goals
• The threat model guides secure coding, test, and deployment efforts
[Diagram: attacker, threat, mitigation, vulnerability] Vulnerabilities are unmitigated threats. Here's our opportunity!
Fuzzing
• Fuzzing is a testing technique that finds implementation bugs by feeding malformed or unexpected input to an application in an automated fashion and watching for crashes, hangs, or other anomalous behavior.
• The tool that performs this action is called a fuzzer.
• The randomized, high-volume approach used by fuzzers allows them to find vulnerabilities that may be missed by human inspection; modern fuzzers also use code-coverage feedback to steer mutations toward code paths not yet exercised.
Types of Fuzzers
• Application fuzzers: generate random inputs for all visible and non-visible input fields
• Protocol fuzzers: generate random protocol data inside network packets; for example, an HTTP fuzzer
• File format fuzzers: generate malformed files and attempt to open or parse them; for example, a PDF file fuzzer
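A small file-format fuzzer in the sense of the two slides above, added here and not code from the deck. The target is a constructed toy TLV format with a parser that bounds-checks nothing beyond the empty-input case, shown beside a fixed parser; the fuzzer runs a deterministic stage (every truncation, every byte forced to 0x00 and 0xFF) and then random stacked mutations, treats the parser's documented ValueError as an expected rejection, and records any other exception as a crash together with the shortest input that triggered it. The format, seed and mutation strategies are all assumptions made for the example.

```python
import random


def parse_records_buggy(buf: bytes) -> list:
    """Toy TLV file format: count byte, then count x (type byte, length byte, value).
    The author anticipated only one bad input (empty) and bounds-checks nothing else."""
    if not buf:
        raise ValueError("empty input")
    count, pos, records = buf[0], 1, []
    for _ in range(count):
        rtype, length = buf[pos], buf[pos + 1]  # IndexError when truncated or over-counted
        records.append((rtype, buf[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return records


def parse_records_fixed(buf: bytes) -> list:
    """Same format with every read bounds-checked; malformed input is rejected
    with the documented ValueError instead of an unhandled exception."""
    if not buf:
        raise ValueError("empty input")
    count, pos, records = buf[0], 1, []
    for _ in range(count):
        if pos + 2 > len(buf):
            raise ValueError("truncated record header")
        rtype, length = buf[pos], buf[pos + 1]
        if pos + 2 + length > len(buf):
            raise ValueError("truncated record value")
        records.append((rtype, buf[pos + 2:pos + 2 + length]))
        pos += 2 + length
    if pos != len(buf):
        raise ValueError("trailing bytes")
    return records


# Constructed valid seed: two records, (type 1, b"abc") and (type 2, 0x0005).
SEED = b"\x02\x01\x03abc\x02\x02\x00\x05"


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random mutation: overwrite a byte, truncate, or insert a few bytes."""
    kind = rng.randrange(3)
    if kind == 0 and data:
        i = rng.randrange(len(data))
        return data[:i] + bytes([rng.randrange(256)]) + data[i + 1:]
    if kind == 1:
        return data[:rng.randrange(len(data) + 1)]
    i = rng.randrange(len(data) + 1)
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 5)))
    return data[:i] + junk + data[i:]


def fuzz(parser, seed: bytes = SEED, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """File-format fuzzer: a deterministic stage (every truncation, every byte set
    to 0x00 and 0xFF) followed by random stacked mutations. ValueError is the
    parser's documented rejection; anything else is a crash. Returns, per
    exception type, the shortest input that triggered it."""
    rng = random.Random(rng_seed)
    candidates = [seed[:n] for n in range(len(seed))]
    for i in range(len(seed)):
        for b in (0x00, 0xFF):
            candidates.append(seed[:i] + bytes([b]) + seed[i + 1:])
    for _ in range(iterations):
        data = seed
        for _ in range(rng.randrange(1, 4)):
            data = mutate(rng, data)
        candidates.append(data)

    crashes = {}
    for data in candidates:
        try:
            parser(data)
        except ValueError:
            continue
        except Exception as exc:  # noqa: BLE001 - an unexpected exception is the bug we want
            name = type(exc).__name__
            if name not in crashes or len(data) < len(crashes[name]):
                crashes[name] = data
    return crashes


if __name__ == "__main__":
    for parser in (parse_records_buggy, parse_records_fixed):
        found = fuzz(parser)
        print(parser.__name__, "->", {k: v.hex() for k, v in found.items()} or "no crashes")
```

In a memory-unsafe language the same missing bounds check would be an out-of-bounds read rather than a tidy IndexError, which is why file-format fuzzers are usually run under a sanitizer that turns silent corruption into a reported crash.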
Summary
• Becoming PCI compliant and maintaining that compliance is a continual process.
• All applications have risk. Our goal is to mitigate the risk to an acceptable level by using the techniques discussed.
• All phases of the software development lifecycle must include security tasks to achieve the desired risk mitigation.
How Can We Help?
Software Security Consulting
• Security Testing
• SDLC Gap Analysis
Computer Based Training
• All major roles and technologies
• PCI, NIST, OWASP, CWE, ISO, etc.
PCI Specific Courses
• Protecting Stored Cardholder Data
• Encrypting Transmission of Cardholder Data
• Develop & Maintain Secure Systems and Apps
• Regularly Test Security Systems and Processes
• Fundamentals of the PCI Secure SLC Standard
Cyber Range
• Authentic, turn-key, fun
• Reports map to courses
• Identify champions
• Meet PCI Compliance
Want More on PCI?
Check out the other webinars in our PCI webinar series:
• On-Demand: Protect Sensitive Data (and be PCI Compliant too!)
  https://bit.ly/PCI2020-1
• The PCI Secure Software Life Cycle Standard (SLC), June 3, 2020 @ 2pm ET
  https://bit.ly/PCI2020-3
Questions?
www.securityinnovation.com
Thank You!

20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 

Recently uploaded (20)

Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 

Develop, Test & Maintain Secure Systems (While Being PCI Compliant)

8
Checking for LDAP Injection
Create Fuzz List: payloads to fuzz the LDAP query
Identify Metacharacters: identify the search filter metacharacters
Determine Interaction: determine whether the feature interacts with an LDAP database and whether it uses input to form the query
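Added example for slide 8, not from the Security Innovation deck: the same LDAP login lookup built by concatenation and with the value escaped per RFC 4515, plus the structural check a tester can run over what a metacharacter fuzz list produces. The attribute names (uid, memberOf) and the group DN are assumptions; nothing is sent to a directory.

```python
"""Slide 8 hardening: escape untrusted input for the LDAP filter-value
context and check that the filter keeps its shape whatever the input.
Attribute names and the group DN are assumed for the example."""

# The search-filter metacharacters slide 8 asks you to identify, with the
# RFC 4515 section 3 escape for each: backslash plus the byte's hex value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Assumed group DN for the "need to know" check; constructed for the example.
_GROUP_DN = "cn=cardholder-ops,ou=groups,dc=example,dc=com"


def escape_ldap_filter_value(value: str) -> str:
    """Escape untrusted input for the LDAP *filter value* context only.
    A DN context has different rules (RFC 4514) and needs its own encoder."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username: str) -> str:
    """String concatenation: the input lands in the filter as syntax."""
    return f"(&(uid={username})(memberOf={_GROUP_DN}))"


def build_login_filter_safe(username: str) -> str:
    """Same filter, but the untrusted value can only ever match as data."""
    return f"(&(uid={escape_ldap_filter_value(username)})(memberOf={_GROUP_DN}))"


def count_unescaped(ldap_filter: str, metachar: str) -> int:
    """Count occurrences of a metacharacter the server will read as filter
    syntax, i.e. those not inside a backslash-XX escape sequence."""
    count, i = 0, 0
    while i < len(ldap_filter):
        if ldap_filter[i] == "\\":
            i += 3  # skip the whole \XX escape
            continue
        if ldap_filter[i] == metachar:
            count += 1
        i += 1
    return count


def filter_shape_intact(ldap_filter: str) -> bool:
    """The tester's oracle: this filter has exactly three components and no
    wildcard, whatever the input was. Any other shape means input became syntax."""
    return count_unescaped(ldap_filter, "(") == 3 and count_unescaped(ldap_filter, "*") == 0


if __name__ == "__main__":
    # Constructed fuzz list: a normal name plus the slide's metacharacters.
    for probe in ("alice", "*", "a)(uid=*"):
        unsafe_ok = filter_shape_intact(build_login_filter_unsafe(probe))
        safe_ok = filter_shape_intact(build_login_filter_safe(probe))
        print(f"{probe!r}: unsafe intact={unsafe_ok}, safe intact={safe_ok}")
```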
9
Example: PHP Injection in a JPEG file
10
Protecting Applications from Injection Vulnerabilities
• Keep untrusted data separate from commands and queries
• Use a safe API and validate your assumptions about the APIs you use
• If a parameterized API is not available, carefully escape special characters for the context
• Use whitelist input validation with appropriate canonicalization
• Most web frameworks provide API functions that make injection defenses easy to apply, including character escaping and whitelist validation.
Note: whitelist validation cannot serve as a complete defense against injection on its own, because many applications require special characters in their input (for example, a user’s last name).
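Added example for slide 10, not from the deck: the slide's defenses applied to one cardholder lookup using only the standard library's sqlite3 module. The customers table, its rows and the country whitelist are constructed for the example; the slide's last-name note is the point, since O'Brien is legitimate input, so the parameterized API has to carry the load rather than a quote-rejecting validator.

```python
"""Slide 10 on one query: parameterized API for free-text data, whitelist
validation with canonicalization for token-like fields. Sample table,
rows and whitelist are constructed for this example."""
import sqlite3
import unicodedata

# Constructed sample data standing in for a cardholder-data store.
_ROWS = [("O'Brien", "US"), ("Smith", "US"), ("Müller", "DE")]
_COUNTRY_WHITELIST = {"US", "DE"}  # assumed set of countries this app serves


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (last_name TEXT, country TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", _ROWS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, last_name: str) -> list:
    """The 'before' state: data spliced into the statement. A quote in the
    name reaches the SQL parser as syntax, so O'Brien fails outright."""
    sql = f"SELECT last_name FROM customers WHERE last_name = '{last_name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, last_name: str) -> list:
    """Parameterized API: the statement is fixed and the value travels
    separately, so the slide's special-character problem never arises."""
    sql = "SELECT last_name FROM customers WHERE last_name = ?"
    return [row[0] for row in conn.execute(sql, (last_name,))]


def unsafe_breaks_on(conn: sqlite3.Connection, last_name: str) -> bool:
    """True when the concatenated query fails to parse for this value."""
    try:
        lookup_unsafe(conn, last_name)
    except sqlite3.Error:
        return True
    return False


def canonical_country(raw: str) -> str:
    """Whitelist validation with canonicalization (slide 10, fourth bullet):
    normalize first (Unicode NFKC, trim, upper-case) so fullwidth or
    mixed-case look-alikes compare equal to the allowed tokens, then compare
    exactly against the whitelist."""
    value = unicodedata.normalize("NFKC", raw).strip().upper()
    if value not in _COUNTRY_WHITELIST:
        raise ValueError(f"country not permitted: {raw!r}")
    return value


def customers_in(conn: sqlite3.Connection, raw_country: str) -> list:
    """Whitelist the token-like field, and parameterize the query anyway."""
    country = canonical_country(raw_country)
    sql = "SELECT last_name FROM customers WHERE country = ? ORDER BY last_name"
    return [row[0] for row in conn.execute(sql, (country,))]
```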
11
Cross-Site Scripting (XSS) Attack
• Executes malicious script in the user’s browser
• Can perform actions on behalf of the user within the application and abuse the user’s browser
• Example: can force the browser to request a web page containing exploit code that will execute malicious code on the user’s system
12
Preventing XSS
• Use a secure framework
• Encode data
• Understand the context in which your data will be used
  • Especially important when transmitting data between different components
  • For data that will be output to another web page, use the appropriate encoding on all non-alphanumeric characters
  • Parts of the same output document may require different encodings, which vary depending on where the output resides.
The Microsoft Anti-XSS Library provides excellent encoding functionality for the .NET platform. Other platforms have their own similar functionality.
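Added example for slide 12, not from the deck and not the Microsoft Anti-XSS Library: three hand-rolled encoders for three output contexts on one page, making the slide's rule concrete (different parts of the same document need different encodings). The profile template and the display name are constructed for the example.

```python
"""Slide 12: one untrusted value, three output contexts, three encoders.
Template and sample value are constructed for this example."""
import html


def encode_html_body(value: str) -> str:
    """HTML element content: the five structural characters (& < > " ')
    become entities; everything else may stay literal."""
    return html.escape(value, quote=True)


def encode_html_attribute(value: str) -> str:
    """HTML attribute value, applying the slide's rule literally: every
    non-alphanumeric character becomes a numeric entity, so the value stays
    safe even if a template author forgot the quotes around it."""
    return "".join(c if c.isascii() and c.isalnum() else f"&#x{ord(c):X};" for c in value)


def encode_js_string(value: str) -> str:
    """Inside a quoted JavaScript string literal. HTML entities are the wrong
    tool here (the browser would show them as text), so use JS escapes:
    \\xHH for Latin-1, \\uHHHH otherwise, surrogate pairs above U+FFFF."""
    out = []
    for c in value:
        cp = ord(c)
        if c.isascii() and c.isalnum():
            out.append(c)
        elif cp < 0x100:
            out.append(f"\\x{cp:02X}")
        elif cp < 0x10000:
            out.append(f"\\u{cp:04X}")
        else:  # JavaScript strings are UTF-16: emit the surrogate pair
            hi, lo = divmod(cp - 0x10000, 0x400)
            out.append(f"\\u{0xD800 + hi:04X}\\u{0xDC00 + lo:04X}")
    return "".join(out)


def render_profile(display_name: str) -> str:
    """Constructed template: the same value lands in an element body, an
    attribute value and a script string, each with its own encoder."""
    return (
        f"<h1>{encode_html_body(display_name)}</h1>\n"
        f"<input name=display value={encode_html_attribute(display_name)}>\n"
        f"<script>var displayName = '{encode_js_string(display_name)}';</script>\n"
    )


if __name__ == "__main__":
    print(render_profile("Zoë <b>O'Neil</b> & Co"))  # constructed sample name
```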
13
Restricting Access to Cardholder Data – “need to know”
14
“Need to Know” Access Rights
• Ensure critical data can only be accessed by authorized personnel
• Define the data to mitigate developer assumptions
• Systems and processes must be in place to limit access based on job responsibilities
• Access rights are granted to only the least amount of data and privileges needed to perform a job
• System components, processes, and software should be tested frequently to ensure security controls reflect a changing environment
15
Principle of Least Privilege
• Accomplishes two things:
  • Reduces the attack surface
  • Limits capabilities after a successful attack
• Common implementation techniques:
  • Using a limited-user account context
  • Removing write privileges for the web application’s user
  • Configuring the firewall to allow only HTTP or HTTPS
  • Setting file permissions that prevent modification of web content files
16
Least Privilege Best Practices
• Start with nothing
• Segment your application for a role-based approach
• Consider granting temporary privilege and revoking it upon completion
• Have stakeholder buy-in
17
Security Misconfiguration
Improperly secured operating systems, web server applications, and databases all contribute to the overall attack surface.
Most misconfiguration mistakes are common and are a preferred attack vector because they are easy to exploit.
18
Defending the Operating System (OS)
Keep the system up to date with the latest OS, web server, database, and other software patches (more details to follow).
Install only what is necessary for your purpose.
Strictly limit user accounts and disable or rename default accounts.
Establish strong password policies for the OS and all installed applications.
Set file and directory permissions to the least necessary to run the required applications.
19
Defending the OS (cont’d)
Review OS settings that can improve system security.
Ensure that proper system auditing and log file management are in place.
Avoid installing software development and debugging tools on a production server.
Install antivirus and other security software as appropriate.
Consider using a hardening guide or tool appropriate for your OS.
Ensure that the server is physically secure.
20
Security Patching Process Document
• Platform Application Update Procedures and Anticipated Delays
• Non-Technical Procedures
• Application Security Bug Bar
• Third-Party Code and Services Used by Applications
• Alternative Patch Delivery Methods
• Escalation Paths
• Availability of On-Call Support Resources
21
Test & Threat Mitigation Techniques
22
Techniques to Identify Vulnerabilities and Mitigate Risk
Vulnerability Scanners
Penetration Testing
Threat Modeling
Fuzzing
23
Vulnerability Scanning
• Many standards require regular scanning to maintain compliance.
• Scanners are pre-programmed to detect known patterns, syntax and vulnerabilities.
• Scanners are great at finding common vulnerabilities and misconfigurations faster than humans, but are prone to:
  • False positives: scanners can only flag potential issues, so findings still need to be validated, which is time consuming
  • False negatives: scanners often miss business logic or complex vulnerabilities, leading to a false sense of security
24
Penetration Testing
Penetration tests differ from vulnerability scans in that attacks are performed and vulnerabilities are actually exploited.
Regular penetration tests are often legally required to maintain regulatory compliance.
Penetration tests are performed by actual security experts who use both custom and off-the-shelf tools and manual techniques.
Unlike vulnerability scanners, penetration testers can adapt to custom protocols and business logic.
Because penetration testers are human, they cannot scale to the same degree as automated scanners.
25
Threat Modeling
• Secure software starts by thinking about threats
• Threats are NOT vulnerabilities; they live forever
• Think about the attacker’s goals
• The threat model guides secure coding, test, and deployment efforts
(Diagram: Threat, Mitigation, Vulnerability, Attacker)
Vulnerabilities are unmitigated threats. Here’s our opportunity!
26
Fuzzing
• Fuzzing is a testing technique that finds implementation bugs by injecting malformed input into an application in an automated fashion.
• The tool that performs this action is called a fuzzer.
• The randomized approach used by fuzzers allows them to find vulnerabilities that may be missed by human inspection.
27
Types of Fuzzers
Application Fuzzers: generate random inputs for all visible and non-visible input fields
Protocol Fuzzers: generate random protocol data inside network packets (for example, an HTTP fuzzer)
File Format Fuzzers: generate malformed files and attempt to open/parse them (for example, a PDF file fuzzer)
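Added example for slides 26 and 27, not from the deck: a minimal mutational file-format fuzzer, the deliberately fragile parser it is aimed at, and the bounds-checked parser that survives the same run. The record format is constructed for the example (magic "RC", a one-byte record count, then records of one length byte followed by that many payload bytes).

```python
"""Slides 26-27: a mutational file-format fuzzer against a constructed
record format, with a fragile parser (the bug to find) and a hardened one."""
import random
SEED_INPUT = b"RC\x02\x03abc\x02de"  # constructed, well-formed: two records

def parse_records(data: bytes) -> list:
    """Fragile: trusts the declared count and lengths; over-reads raise IndexError."""
    if data[:2] != b"RC":
        raise ValueError("bad magic")  # clean rejection, not a bug
    count, pos, records = data[2], 3, []
    for _ in range(count):
        length = data[pos]  # IndexError when count lies
        records.append(bytes(data[pos + 1 + i] for i in range(length)))  # IndexError when length lies
        pos += 1 + length
    return records

def parse_records_safe(data: bytes) -> list:
    """Hardened: every read bounds-checked, malformed input rejected with ValueError."""
    if len(data) < 3 or data[:2] != b"RC":
        raise ValueError("bad header")
    count, pos, records = data[2], 3, []
    for _ in range(count):
        if pos >= len(data):
            raise ValueError("truncated record header")
        length = data[pos]
        if pos + 1 + length > len(data):
            raise ValueError("record length exceeds input")
        records.append(data[pos + 1:pos + 1 + length])
        pos += 1 + length
    return records

def mutate(data: bytes, rng: random.Random) -> bytes:
    """One to three random mutations: bit flip, boundary byte, truncation, insertion."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(4)
        if op == 0 and buf:
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 1 and buf:
            buf[rng.randrange(len(buf))] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
        elif op == 2 and len(buf) > 1:
            del buf[rng.randrange(1, len(buf)):]
        else:
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)

def classify(target, data: bytes) -> str:
    """'ok', 'rejected' (ValueError is the parser's own validation) or 'crash:<Type>'."""
    try:
        target(data)
    except ValueError:
        return "rejected"
    except Exception as exc:  # anything else is a parser bug
        return f"crash:{type(exc).__name__}"
    return "ok"

def find_crash(target, rng_seed: int = 1, iterations: int = 500):
    """Fuzz target from SEED_INPUT; (iteration, input, verdict) of the first crash, else None."""
    rng = random.Random(rng_seed)
    for i in range(iterations):
        candidate = mutate(SEED_INPUT, rng)
        if (verdict := classify(target, candidate)).startswith("crash"):
            return i, candidate, verdict
    return None
```

Run `find_crash(parse_records)` to get the first crashing mutant and `find_crash(parse_records_safe)` to confirm the hardened parser rejects the same mutants cleanly.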
28
Summary
 Becoming PCI compliant and maintaining compliance is a continual process.
 All applications have risk. Our goal is to mitigate the risk to an acceptable level by using the techniques discussed.
 All phases of the software development lifecycle must include security tasks to achieve the desired risk mitigation.
29
How Can We Help?
Software Security Consulting
• Security Testing
• SDLC Gap Analysis
Computer Based Training
• All major roles and technologies
• PCI, NIST, OWASP, CWE, ISO, etc.
PCI Specific Courses
• Protecting Stored Cardholder Data
• Encrypting Transmission of Cardholder Data
• Develop & Maintain Secure Systems and Apps
• Regularly Test Security Systems and Processes
• Fundamentals of the PCI Secure SLC Standard
Cyber Range
• Authentic, turn-key, fun
• Reports map to courses
• Identify champions
• Meet PCI Compliance
30
Want More on PCI?
Check out the other webinars in our PCI webinar series:
• On-Demand: Protect Sensitive Data (and be PCI Compliant too!) https://bit.ly/PCI2020-1
• The PCI Secure Software Life Cycle Standard (SLC), June 3, 2020 @ 2pm ET https://bit.ly/PCI2020-3