vodQA, Hyderabad
SECURITY: TOWARDS A SAFER WEB WORLD
AGENDA
•Why Security?
•Security Testing
•Key Security Concepts
•Simple Security Checks
SOME SECURITY BREACHES
HEARD ABOUT THEM??
They have 13 million customers!!
KNOW THIS PERSON??
Mat Honan
Senior staff writer at Wired
AN EPIC HACK
(Attack chain recovered from the slide's flow diagram; the full account is the Wired article in the references.)
•Target: mathonan@me.com (his Apple ID / iCloud account) and the Twitter handle @mat
•Gmail's password-reset page shows the partially masked recovery address m******n@me.com, which points the attackers at the Apple ID
•Amazon, call 1: "Insert new credit card" onto the account (name, e-mail and billing address were already known)
•Amazon, call 2: "Lost access! Add new e-mail", with the just-added card offered as proof of identity; then "Reset Password" on Amazon and read the last four digits of the real cards on file
•Apple: "How about CC number?" Billing address plus those last four digits were all Apple support required: "Wait!! I'll give you" a temporary password. "Got the CC number :)"
•Reset Password on iCloud, then Gmail, then Twitter: each recovered account hands over the next one
SECURITY
SECURITY TESTING
•A process intended to reveal flaws in the security mechanisms of an information system
•Finding the potential loopholes and weaknesses of the system
•Checking whether the system leaks information it should protect
•Passing security testing is not an indication that no flaws exist; it only means the flaws you looked for were not found
BASIC PRINCIPLES
AUTHENTICATION - WHO AM I??
•Something you know!!
•Something you have!!
AUTHORIZATION - WHAT CAN I DO?
AVAILABILITY - CAN I ACCESS IT??
CONFIDENTIALITY - IS MY SECRET SAFE??
INTEGRITY - HAS MY DATA BEEN TAMPERED WITH??
SIMPLE CHECKS
•Passwords should be stored as salted hashes, never in plaintext or reversibly encrypted
•Credentials (the login form, for example) should be delivered and submitted only over HTTPS
•The system/application should reject invalid users
•The browser Back button must not show authenticated pages after logout (on a banking website, for example): send them with Cache-Control: no-store
•Cookies / session tokens should time out after a certain period
•Forms should be validated on the server side as well, not only in the browser. Test the APIs directly
•The directory structure should not be browsable
•Check that exceptions are handled correctly. Stack traces shouldn't be displayed to the user
•Use plugins and scanners to keep checking for vulnerabilities from time to time (e.g. Tamper Data, Site Spider)
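Several of the checks above can be read straight off an HTTP response, so they are worth automating instead of eyeballing in a plugin. The script below is an added example, not code from the deck or from ThoughtWorks: it parses raw responses and reports a login form or form action on plain HTTP, session cookies without Secure/HttpOnly, an authenticated page without Cache-Control: no-store (the Back-button check), a stack trace in the body, and a directory listing. The host bank.example, the cookie name and all four responses are constructed samples, not captures from any real site.

```python
"""Automated versions of several 'simple checks', run over raw HTTP responses.
Added example; every response below is constructed for illustration."""
import re

# Patterns that betray an unhandled exception leaking into the page body.
STACK_TRACE_MARKERS = (
    r"Traceback \(most recent call last\)",       # Python
    r"\bat [\w$.]+\([\w$]+\.java:\d+\)",           # Java
    r"\bat [\w.()]+ in [A-Za-z]:\\.*:line \d+",    # .NET
)


def parse_raw_response(raw):
    """Split a raw HTTP/1.1 response into (status, headers, body).
    Header names are lower-cased; repeated headers (Set-Cookie) are kept as a list."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def check_response(url, raw, authenticated=False):
    """Return the list of findings for one page. `authenticated` marks pages shown
    only after login; without Cache-Control: no-store the Back button replays them."""
    _status, headers, body = parse_raw_response(raw)
    findings = []

    # Credentials only over HTTPS: password field on a plain-http page, or a form
    # whose action posts to plain http.
    if url.lower().startswith("http://") and re.search(
            r"type\s*=\s*['\"]?password", body, re.I):
        findings.append("login form served over plain HTTP")
    for action in re.findall(r"<form[^>]*\baction\s*=\s*['\"]([^'\"]+)", body, re.I):
        if action.lower().startswith("http://"):
            findings.append(f"form posts to plain HTTP: {action}")

    # Session cookies: Secure keeps them off plain HTTP, HttpOnly away from script.
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower().split("=")[0] for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} missing Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} missing HttpOnly")

    # Back button after logout.
    if authenticated:
        cache_control = ",".join(headers.get("cache-control", [])).lower()
        if "no-store" not in cache_control:
            findings.append("authenticated page is cacheable (Back button replays it after logout)")

    # Exception handling and directory browsing.
    if any(re.search(p, body) for p in STACK_TRACE_MARKERS):
        findings.append("stack trace disclosed in response body")
    if re.search(r"<title>\s*Index of /", body, re.I):
        findings.append("directory listing enabled")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_LOGIN = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n\r\n"
    "<form method='post' action='http://bank.example/login'>"
    "<input name='user'><input type='password' name='pass'></form>"
)
WEAK_ERROR = (
    "HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
    "<pre>java.lang.NullPointerException\n"
    "\tat com.bank.AccountController.show(AccountController.java:42)</pre>"
)
LISTING = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><head><title>Index of /backup</title></head></html>"
)
HARDENED_ACCOUNT = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nCache-Control: no-store\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n\r\n"
    "<h1>Your account</h1>"
)

if __name__ == "__main__":
    for url, raw, auth in (("http://bank.example/login", WEAK_LOGIN, False),
                           ("https://bank.example/account?id=7", WEAK_ERROR, True),
                           ("https://bank.example/files/", LISTING, False),
                           ("https://bank.example/account", HARDENED_ACCOUNT, True)):
        for finding in check_response(url, raw, auth) or ["no findings"]:
            print(f"{url}: {finding}")
```

Run it against responses you save from the proxy or browser developer tools; the hardened sample shows what a clean page looks like, and any finding on a real page is a test case to raise, not a confirmed vulnerability until you have reproduced it by hand.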
PENETRATION TESTING
•Vulnerability Scanning
•Ethical Hacking
•Password Cracking
•DDoS Attacks
•URL Manipulation
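URL manipulation is the authorization test from the "What can I do?" principle: log in as one user, change the record id in the URL, and see whether someone else's data comes back. The following is an added example, not code from the deck or from ThoughtWorks: a lookup handler written first without an ownership check and then with one, plus the probe a tester runs against both. The account table, the user names and the `?id=` parameter are constructed for the example.

```python
"""URL manipulation (insecure direct object reference): a vulnerable handler, a
fixed handler, and the tester's probe. Added example with constructed data."""

# Constructed records: account id -> owner and balance (not a real system).
ACCOUNTS = {
    101: {"owner": "alice", "balance": 5200},
    102: {"owner": "bob", "balance": 80},
    103: {"owner": "carol", "balance": 14000},
}


def get_account_vulnerable(session_user, account_id):
    """Authenticates (a session_user exists) but never authorizes: any logged-in
    user who edits ?id= in the URL is handed any account."""
    return ACCOUNTS.get(account_id)


def get_account_fixed(session_user, account_id):
    """Authorization check: the record must belong to the session's user.
    Returning None for both 'no such account' and 'not yours' keeps an attacker
    from learning which ids exist."""
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != session_user:
        return None
    return account


def probe_idor(handler, session_user, candidate_ids):
    """The tester's URL-manipulation check: walk neighbouring ids as one user and
    report every record that comes back belonging to someone else."""
    leaked = []
    for account_id in candidate_ids:
        account = handler(session_user, account_id)
        if account is not None and account["owner"] != session_user:
            leaked.append(account_id)
    return leaked


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_account_vulnerable),
                          ("fixed", get_account_fixed)):
        print(name, "leaks ids:", probe_idor(handler, "alice", range(100, 110)))
```

Against a real application the probe is the same loop issued through a proxy with one user's session cookie; sequential or guessable ids make the enumeration trivial, which is why the fix is the ownership check on the server and not an obscure id.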
KEY TAKEAWAYS
•Make things safe by default
•Build the security test plan from the business requirements and the security goals
•Have the ability to deploy a fix and respond to an incident quickly
REFERENCES
•http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/
•http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA
•https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet
•https://en.wikipedia.org/wiki/Security_testing
For questions or suggestions, write to us @
harikris@thoughtworks.com
shilpab@thoughtworks.com
THANK YOU

Introduction to Security Testing