Security Overview

Who defines security?

02 security overview.pptx


Part of the Web Application Security Course



PCI

o  P______ C____ I________
o  Really means P______ C____ I________ Security Standards Council
o  Goal: Manage the ever-________ Payment Card Industry Data Security Standard.
o  American Express
o  Discover
o  MasterCard
o  Visa
o  Japan Credit Bureau


The PCI DSS Control Objectives and PCI DSS Requirements

Build and Maintain a Secure Network

1.  Maintain a firewall configuration to protect cardholder data
2.  Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3.  Protect stored cardholder data
4.  Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5.  Use and regularly update anti-virus software on all systems commonly affected by malware
6.  Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7.  Restrict access to cardholder data by business need-to-know
8.  Assign a unique ID to each person with computer access
9.  Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security


Web vulnerabilities (from WASC 9/2010)


OWASP is a not-for-profit foundation supporting web application security

Open Web Application Security Project


OWASP publishes some great things

o  The Guide – A document that provides detailed guidance on web application security

o  Top Ten Most Critical Web Application Vulnerabilities – A high-level document to help focus on the most critical issues

o  AppSec FAQ – Frequently asked questions and answers about application security


And the members create some good software tools

o  ZAP – a web application vulnerability assessment suite including proxy tools

o  WebScarab – (see ZAP)

o  WebGoat – an interactive training and benchmarking tool with which users can learn about web application security in a safe and legal environment

o  AntiSamy – An enterprise web input validation and output encoding tool. Anti-XSS


The OWASP Guide

o  Note the copyright.

o  Written to cover all forms of web application security issues including ...
   •  phishing,
   •  credit card handling,
   •  session fixation,
   •  compliance,
   •  privacy issues.


The OWASP top 10 suggests what we should focus on

     2007                                          2010                                          2013
A1   Injection Flaws                               Injection Flaws                               Injection Flaws
A2   XSS                                           XSS                                           Broken authentication and session management
A3   Malicious file execution                      Broken authentication and session management  XSS
A4   Insecure Direct Object Reference              Insecure Direct Object Reference              Insecure Direct Object Reference
A5   CSRF                                          CSRF                                          Security misconfig
A6   Information Leakage                           Security misconfig                            Sensitive data exposure
A7   Broken authentication and session management  Insecure crypto storage                       Missing function level access control
A8   Insecure crypto storage                       Failure to restrict url access                CSRF
A9   Insecure communication                        Insufficient transport layer protection       Using components with known vulnerabilities
A10  Failure to restrict url access                Unvalidated Redirects and Forwards            Unvalidated Redirects and Forwards


One must know how thieves think


What we’ll cover

o  This course targets the web application developer and demonstrates how hackers employ common vulnerabilities to compromise web apps.

o  We'll show how hackers target websites, focusing on the code that you and I write.

o  Then, after showing their strategy, we'll learn how to protect against those strategies.


Summary

o  OWASP is a group that defines security

o  The OWASP Guide is the de facto industry standard for development

o  The OWASP Top Ten shows us where to focus our attention


Further study

o  OWASP’s Site
   •  http://www.owasp.org

o  OWASP’s Top Ten
   •  http://bit.ly/OWASPTopTen

o  PCI DSS
   •  http://bit.ly/PCIStandards

o  Real-time data on latest web exploits
   •  http://bit.ly/HackingStats

o  List of data breach disclosure laws by state
   •  http://bit.ly/BreachNotificationLaws