Part of the Web Application Security Course
Security Overview
Who defines security?
PCI
o P______ C____ I________
o Really means P______ C____ I________ Security Standards Council
o Goal: Manage the ever-________ Payment Card Industry Data Security Standard.
o American Express
o Discover
o MasterCard
o Visa
o Japan Credit Bureau
The PCI DSS Control Objectives and Requirements
Build and Maintain a Secure Network
1. Maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
Web vulnerabilities (from WASC 9/2010)
Open Web Application Security Project
OWASP is a not-for-profit foundation supporting web application security
OWASP publishes some great things
o The Guide – A document that provides detailed guidance on web application security
o Top Ten Most Critical Web Application Vulnerabilities – A high-level document to help focus on the most critical issues
o AppSec FAQ – Frequently asked questions and answers about application security
And the members create some good software tools
o ZAP – a web application vulnerability assessment suite including proxy tools
o WebScarab – (see ZAP)
o WebGoat – an interactive training and benchmarking tool with which users can learn about web application security in a safe and legal environment
o AntiSamy – An enterprise web input validation and output encoding tool. Anti-XSS
The OWASP Guide
o Note the copyright.
o Written to cover all forms of web application security issues, including:
  • phishing
  • credit card handling
  • session fixation
  • compliance
  • privacy issues
The OWASP top 10 suggests what we should focus on

Rank | 2007                                         | 2010                                         | 2013
A1   | Injection Flaws                              | Injection Flaws                              | Injection Flaws
A2   | XSS                                          | XSS                                          | Broken authentication and session management
A3   | Malicious file execution                     | Broken authentication and session management | XSS
A4   | Insecure Direct Object Reference             | Insecure Direct Object Reference             | Insecure Direct Object Reference
A5   | CSRF                                         | CSRF                                         | Security misconfig
A6   | Information Leakage                          | Security misconfig                           | Sensitive data exposure
A7   | Broken authentication and session management | Insecure crypto storage                      | Missing function level access control
A8   | Insecure crypto storage                      | Failure to restrict URL access               | CSRF
A9   | Insecure communication                       | Insufficient transport layer protection      | Using components with known vulnerabilities
A10  | Failure to restrict URL access               | Unvalidated Redirects and Forwards           | Unvalidated Redirects and Forwards
One must know how thieves think
What we’ll cover
o This course targets the web application developer and demonstrates how hackers employ common vulnerabilities to compromise web apps.
o We'll show how hackers target websites, focusing on the code that you and I write.
o Then, after showing their strategy, we'll learn how to protect against those strategies.
Summary
o OWASP is a group that defines security
o The OWASP Guide is the de facto industry standard for development
o The OWASP Top Ten shows us where to focus our attention
Further study
o OWASP’s Site • http://www.owasp.org
o OWASP’s Top Ten • http://bit.ly/OWASPTopTen
o PCI DSS • http://bit.ly/PCIStandards
o Real-time data on latest web exploits • http://bit.ly/HackingStats
o List of data breach disclosure laws by state • http://bit.ly/BreachNotificationLaws