Data Protection & Privacy
Application Security Fundamentals
by Secure Code Warrior Limited is licensed under CC BY-ND 4.0
What's the concept about?
The application should implement security controls to ensure the protection and integrity of its sensitive information.

What could happen?
An attacker could retrieve sensitive and private information through stolen log files, caching, man-in-the-middle attacks or other means.

How to implement it?
Only store private information that is absolutely required. Make sure any stored or transmitted information is properly secured using encryption.
Understanding the concept: properly protected data

An internet payment company called "Paybuddy" is taking precautions to protect its customers from credit card theft.

Communications to and from the site are protected using TLS, preventing attackers from sniffing the traffic.

Credit card numbers are stored encrypted in the database using a strong algorithm.

Credit card numbers are never displayed in full, so attackers cannot view the numbers through shoulder surfing. Caching is turned off as well.

[Diagram: the web application for user John Doe; the database table (users John, admin, Bart) stores bcrypt(creditcard) instead of the number, and the screen shows only "CC: XXXXXXX420".]
What could happen with the concept: unprotected data

This time, "Paybuddy" forgot to take precautions to properly protect their customers and their data.

An attacker sniffs traffic between the client and the server. He is able to steal sensitive information, such as the user's credit card number.

An attacker that is able to retrieve weakly hashed credit card numbers won't have difficulty recovering them using rainbow tables.

An attacker that is shoulder surfing can see a full credit card number in the application, which can be abused to commit fraud.

[Diagram: the same web application, but the table (users John, admin, Bart) stores md5(creditcard), and the full number "CC: 475629420" appears both on John Doe's screen and in the traffic between client and server.]
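The slide's prose says card numbers are stored encrypted with a strong algorithm, while its diagram labels the column bcrypt(creditcard), a one-way password hash from which the application could never read a number back; the added Go example below (not Secure Code Warrior's or "Paybuddy's" code) follows the prose instead: AES-256-GCM for storage, a key read from an assumed PAYBUDDY_CARD_KEY environment variable rather than hard-coded in the source, and a masked form for display and logs. The card number is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"os"
	"strings"
)

// keyEnv is an assumed variable name; "Paybuddy" is the slide's fictional company.
const keyEnv = "PAYBUDDY_CARD_KEY"

// LoadKey takes the 256-bit key from the environment, so it is neither
// hard-coded in the source nor stored in plain text next to the data.
func LoadKey() ([]byte, error) {
	key, err := base64.StdEncoding.DecodeString(os.Getenv(keyEnv))
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("%s must be a base64-encoded 32-byte key", keyEnv)
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN seals the card number with AES-256-GCM. A fresh random nonce is
// prepended, so equal card numbers give different ciphertexts, and the GCM
// tag lets the application notice a modified database value.
func EncryptPAN(key []byte, pan string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(pan), nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptPAN reverses EncryptPAN; a tampered or truncated blob fails the tag
// check and returns an error rather than a wrong card number.
func DecryptPAN(key []byte, blob string) (string, error) {
	sealed, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return "", fmt.Errorf("ciphertext too short")
	}
	plain, err := gcm.Open(nil, sealed[:n], sealed[n:], nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// MaskPAN is the display form: every digit but the last four becomes X, so a
// screen, a log line or a cached page never carries the full number.
func MaskPAN(pan string) (string, error) {
	digits := strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1 // drop spaces and dashes
	}, pan)
	if len(digits) < 8 {
		return "", fmt.Errorf("card number too short to mask")
	}
	return strings.Repeat("X", len(digits)-4) + digits[len(digits)-4:], nil
}

func main() {
	key, err := LoadKey()
	if err != nil {
		fmt.Println("refusing to start:", err) // no key, no card handling
		return
	}
	pan := "4756294201234567" // constructed sample, not a real card number
	blob, _ := EncryptPAN(key, pan)
	masked, _ := MaskPAN(pan)
	fmt.Println("stored:", blob, "shown:", masked)
}
```

Without the key the application refuses to handle card data at all, which is the safe failure for the "forgot to take precautions" case on this slide.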
Understanding the concept: source code protection

A software company is very careful in protecting the source code of their new mobile application.

The source code repository is stored on encrypted hardware in a secured server room.

The source code repository can only be accessed from their internal network. Access to the repository is limited to developers with the right clearance.

To protect the source code in production, heavy obfuscation techniques are applied to the application.

[Diagram: the repository, shown as a block of binary, reachable only by developers X, Y and Z.]
What could happen with the concept: source code unprotected

The company's intellectual property is in danger due to a lack of source code protection.

The repository is stored on a physically accessible server. Local attackers can copy the code, which is stored in clear text.

The repository is publicly accessible and therefore easier to target by attackers.

Without obfuscation, users can decompile the application and retrieve the source. It can be modified and repackaged to be sold by a third party.

[Diagram: the same repository as a block of binary, with developers X and Y.]
Understanding the concept: user's privacy respected

A certain web application allows users to create a profile. The application stores date of birth, sex, location, and religion.

The user's private information is stored in a database with restricted access.

Only the database administrator has access to the database and the information. Additionally, he had to sign a non-disclosure agreement.

[Diagram: John's profile (User: John Doe, DoB: 29/02/1973, Sex: M, Location: Sydney, Religion: Pastafari) stored in the database, accessible only to the DB admin.]
What could happen with the concept: privacy issues

Before a new release, the database contents are copied to a development environment for testing purposes.

All developers working on the application can view the user's private information in the development database. This clearly causes privacy issues.

[Diagram: John's profile copied from the database into the development environment, where developers 1 and 2 can read it.]
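Instead of copying the production database into development as the slide describes, an added Go example (not from the slide deck) builds a reduced copy: a keyed pseudonym in place of the name, the birth year in place of the full date, and no religion field at all, plus a check that none of the original identifiers survive. The key, names and dates are constructed sample values, and the key handling is an assumption.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Profile holds the fields the slide's application stores. Every value used
// below is constructed sample data, not a record from any real system.
type Profile struct {
	Name     string
	DoB      string // DD/MM/YYYY, as on the slide
	Sex      string
	Location string
	Religion string
}

// DevProfile is what a developer gets: a pseudonym instead of a name, a birth
// year instead of the full date, and no religion field at all.
type DevProfile struct {
	Pseudonym string
	BirthYear string
	Sex       string
	Location  string
}

// pseudonym derives a stable keyed identifier, so rows stay joinable across
// tables in the dev copy but cannot be mapped back to a person without the
// key, which stays on the production side (assumed key handling).
func pseudonym(key []byte, name string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(name))))
	return hex.EncodeToString(mac.Sum(nil))[:16]
}

// birthYear keeps only the year of a DD/MM/YYYY date; a malformed value is
// dropped rather than copied through unchanged.
func birthYear(dob string) string {
	parts := strings.Split(dob, "/")
	if len(parts) != 3 || len(parts[2]) != 4 {
		return ""
	}
	return parts[2]
}

// ForDevelopment produces the reduced copy that should replace the slide's
// plain copy of the production database into the development environment.
func ForDevelopment(key []byte, prod []Profile) []DevProfile {
	out := make([]DevProfile, 0, len(prod))
	for _, p := range prod {
		out = append(out, DevProfile{
			Pseudonym: pseudonym(key, p.Name),
			BirthYear: birthYear(p.DoB),
			Sex:       p.Sex,
			Location:  p.Location,
		})
	}
	return out
}

// ContainsOriginal reports whether the name, full date of birth or religion
// survived verbatim in the dev record; run it as a gate before the copy
// leaves production.
func ContainsOriginal(dev DevProfile, src Profile) bool {
	flat := strings.Join([]string{dev.Pseudonym, dev.BirthYear, dev.Sex, dev.Location}, "\x00")
	for _, v := range []string{src.Name, src.DoB, src.Religion} {
		if v != "" && strings.Contains(flat, v) {
			return true
		}
	}
	return false
}

func main() {
	key := []byte("demo-only-key") // constructed; load from a secret store in practice
	prod := []Profile{{"John Doe", "29/02/1973", "M", "Sydney", "Pastafari"}}
	for i, d := range ForDevelopment(key, prod) {
		fmt.Printf("%+v leaks=%v\n", d, ContainsOriginal(d, prod[i]))
	}
}
```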
Typical controls

Only store private information if absolutely needed.
Don't hard-code secret information in source code.
Don't store DB credentials or encryption keys in plain text.
Securely store all sensitive user information.
Send traffic over a secure communication channel.
Inform users using a privacy policy.

Secure Code Warrior - Privacy

  • 1. Data Protection & Privacy. Application Security Fundamentals by Secure Code Warrior Limited is licensed under CC BY-ND 4.0.
  • 2. What's the concept about? The application should implement security controls to ensure the protection and integrity of its sensitive information. What could happen? An attacker could retrieve sensitive and private information through stolen log files, caching, man-in-the-middle attacks or other means. How to implement it? Only store private information that is absolutely required. Make sure any stored or transmitted information is properly secured using encryption.
  • 3. Data Protection & Privacy. Understanding the concept: properly protected data. An internet payment company called "Paybuddy" is taking precautions to protect its customers from credit card theft. Communications to and from the site are protected using TLS, preventing attackers from sniffing the traffic. Credit card numbers are stored encrypted in the database using a strong algorithm. Credit card numbers are never displayed in full, so attackers cannot view the numbers through shoulder surfing. Caching is turned off as well. [Figure: the web application shows user John Doe only a masked number, CC: XXXXXXX420; the database table User / Credit Card holds bcrypt(creditcard) values for John, admin and Bart instead of the plain numbers.]
  • 4. Data Protection & Privacy. What could happen with the concept? Unprotected data. This time, "Paybuddy" forgot to take precautions to properly protect their customers and their data. An attacker sniffs traffic between the client and the server. He is able to steal sensitive information, such as the user's credit card number. An attacker that is able to retrieve weakly hashed credit card numbers will have little difficulty reversing them using rainbow tables. An attacker that is shoulder surfing can see a full credit card number in the application, which can be abused to commit fraud. [Figure: the web application shows user John Doe the full number, CC: 475629420, and the same number is visible in the sniffed traffic; the database table User / Credit Card holds md5(creditcard) values for John, admin and Bart.]
  • 5. Data Protection & Privacy. Understanding the concept: source code protection. A software company is very careful in protecting the source code of their new mobile application. The source code repository is stored on encrypted hardware in a secured server room. To protect the source code in production, heavy obfuscation techniques are applied to the application. The source code repository can only be accessed from their internal network. Access to the repository is limited to developers with the right clearance. [Figure: the repository, drawn as binary, is reachable only by Developer X, Developer Y and Developer Z.]
  • 6. Data Protection & Privacy. What could happen with the concept? Source code unprotected. The company's intellectual property is in danger due to a lack of source code protection. The repository is stored on a physically accessible server. Local attackers can copy the code, which is stored in clear text. Without obfuscation, users can decompile the application and retrieve the source. It can be modified and repackaged to be sold by a third party. The repository is publicly accessible and therefore easier to target by attackers. [Figure: the repository, drawn as binary, is reachable by Developer X and Developer Y but also by outsiders.]
  • 7. Data Protection & Privacy. Understanding the concept: user's privacy respected. A certain web application allows users to create a profile. The application stores date of birth, sex, location, and religion. The user's private information is stored in a database with restricted access. Only the database administrator has access to the database and the information. Additionally, he had to sign a non-disclosure agreement. [Figure: John's info (User: John Doe, DoB: 29/02/1973, Sex: M, Location: Sydney, Religion: Pastafari) sits in the DB, reachable only by the DB Admin.]
  • 8. Data Protection & Privacy. What could happen with the concept? Privacy issues. A certain web application allows users to create a profile. The application stores date of birth, sex, location, and religion. The user's private information is stored in a database with restricted access. Before a new release, however, the database contents are copied to a development environment for testing purposes. All developers working on the application can then view the user's private information in the development database. This clearly causes privacy issues. [Figure: John's info (User: John Doe, DoB: 29/02/1973, Sex: M, Location: Sydney, Religion: Pastafari) is duplicated into the Development database, where Developer 1 and Developer 2 can read it.]
  • 9. Data Protection & Privacy. Typical controls: only store private information if absolutely needed. Don't hard-code secret information in source code. Don't store DB credentials or encryption keys in plain text. Securely store all sensitive user information. Send traffic over a secure communication channel. Inform users using a privacy policy.
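The controls from the "Paybuddy" slides (3, 4 and 9) and the development-copy problem from slide 8, as an added example in Python; this is not code from the Secure Code Warrior deck. It uses only the standard library, so a keyed HMAC stands in for the deck's bcrypt/encryption of card numbers, and the environment variable name PAYBUDDY_CC_KEY, the card number and the profile record are all constructed for the example.

```python
"""Added example (not from the deck): data-protection controls with the stdlib."""
import hashlib
import hmac
import os
import re

PAN_RE = re.compile(r"\b\d{13,19}\b")  # digit runs shaped like a card number


def load_cc_key(env=os.environ) -> bytes:
    """Slide 9: the key comes from the environment, never from source code."""
    key_hex = env.get("PAYBUDDY_CC_KEY")  # assumed variable name
    if not key_hex:
        raise RuntimeError("PAYBUDDY_CC_KEY is not set")
    return bytes.fromhex(key_hex)


def weak_fingerprint(pan: str) -> str:
    """Slide 4: unkeyed md5(creditcard). Same output everywhere, so one
    precomputed (rainbow) table reverses it for every site."""
    return hashlib.md5(pan.encode()).hexdigest()


def strong_fingerprint(pan: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 stand-in for slide 3's strong algorithm: without the
    key no table can be precomputed, and each deployment differs."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def mask_card(pan: str, keep: int = 4) -> str:
    """Slide 3: never display the full number (CC: XXXX...0420)."""
    digits = re.sub(r"\D", "", pan)
    return "X" * (len(digits) - keep) + digits[-keep:]


def redact_for_log(line: str) -> str:
    """Slide 2: a stolen log file must not contain full card numbers."""
    return PAN_RE.sub(lambda m: mask_card(m.group()), line)


def no_cache_headers() -> dict:
    """Slide 3: 'caching is turned off' for responses carrying card data."""
    return {"Cache-Control": "no-store", "Pragma": "no-cache"}


def scrub_for_dev(profile: dict, key: bytes) -> dict:
    """Slide 8: minimise a profile before a production copy reaches developers:
    keyed pseudonym for the user, birth year only, sex and religion dropped."""
    pseudonym = hmac.new(key, profile["user"].encode(), hashlib.sha256).hexdigest()[:8]
    return {"user": "user-" + pseudonym,
            "dob": profile["dob"][-4:],
            "location": profile["location"]}
```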