CONTENTS. Recommendations. Prize Q & A

Size: px
Start display at page:

Download "CONTENTS. Recommendations. Prize Q & A"

Transcription

1

2 CONTENTS Contents Disclaimer Introduction Common uses for Web Applications Common Web Application Infrastructure and Users The Importance of Web Application Security Why OWASP About OWASP Top Ten Summary. Mapping to Verizon Data Breach Report (Hacking Methods) In Detail (with Examples and Case Studies) 2013 Release Candidate Update Recommendations Prize Q & A

3 DISCLAIMER Informational Purposes and ownership of views. The content of this publication is for information purposes only, individuals and organisations should assess the suitability of this information for their own purposes. The information is provided for the purpose of understanding software vulnerabilities and how to prevent their exploitation. The views are not necessarily those of OWASP, however their will be similarities. Chatham House Rule This presentation is provided under the Chatham House Rule for the purpose of facilitating free and open discussion. Chatham House Rule: Participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any participant, may be revealed.

4 COMMON USES FOR WEB APPLICATIONS Internet Banking Online Shopping Online Bill Payments Online Gambling Online Forums Software as a Service Remote Access Device Management (ICT Infrastructure)

5 COMMON WEB APPLICATION INFRASTRUCTURE & USERS

6 COMMON WEB APPLICATION INFRASTRUCTURE & USERS

7 THE IMPORTANCE OF WEB APP SECURITY Competitive Advantage Increased Consumer / Customer Confidence Lower Costs from managing Theft / Fraud / Misuse / Recovery Continuity of Business Services are less susceptible to data corruption and/or data accessibility problems resulting from unauthorised access Compliance with requirements to protect information

8 WHY OWASP Widely Recognised : 31 Different ICT Security Related Organisations have cited OWASP dustry_codes_of_practice Compliance with Security Standards PCI DSS: Requirement 6.5 Develop Secure Applications (v2). as industry best practices for vulnerability management are updated (for example, the OWASP Guide, Approved Scanning Vendor Program Guide Reference 1.0/PCI DSS Version 1.2: Perform a Scan without Interference from IDS/IPS Australian Government ISM: Control 0971: Agencies should follow the documentation provided in the Open Web Application Security Project guides to building secure web applications

9 ABOUT OWASP Open Web Application Security Project OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted Publications Top 10 Full Development Guide (293 Pages) Tutorials Detail advice on Specific Topics

10 OWASP S TOP TEN (1-5)

11 OWASP S TOP TEN (6-10)

12 ALIGNMENT TO VERIZON DATA BREACH REPORT (2012) H A C K I N G M E T H O D S O W A S P T O P 1 0 ( A L L % / E N T E R P R I S E % ) SQL Injection (3/14) Brute force and dictionary attacks (29/14) Exploitation of default or guessable credentials (55/9) Exploitation of insufficient authentication (6/3) Use of stolen login credentials (40/51) Exploitation of backdoor or command and control channel (25/29) Remote File Inclusion (1/6) Abuse of Functionality (1/3) Unknown (4/31) 1. Injection 2. Cross Site Scripting 3. Broken Authentication and Session Management 4. Insecure Direct Object Access 5. Cross Site Request Forgery 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access 9. Insufficient Transport Layer Protection 10. Unvalidated Redirects and Forwards.

13 INJECTION - OVERVIEW OWASP Rating Prevention: Parameterized Queries, Escaping and Whitelisting.

14 INJECTION CASE STUDY Case Study: Membership Website Root Cause: Unchecked Numeric Field due to lack of security awareness. Log Entries show the attack. Normal Use: GET /<BaseURL>/<Events> <FIELD>=<Number> <ClientIP> Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident /5.0) Attack: GET /<BaseURL>/<Events> <FIELD>='+declare+<snip>exec%28%40s% <AttackerIP> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0)

15 INJECTION CASE STUDY

16 INJECTION CASE STUDY Initial Query (insecure) sql_query = select date,title,status from events, registrations where events.id = registrations.id and events.date >. date(). and registrations.id=. $_POST[ membershipid ]. ; Resultant Query from attempted Exploitation $_POST[ membershipid ]= ; <injected commands>; -- sql_query = select date,title,status from events, registrations where events.id = registrations.id and events.date >. date(). and registrations.id= 1000 ; <injected commands>; -- Using escaping to prevent exploitation, using PHP s addslashes() function. sql_query = select date,title,status from events, registrations where events.id = registrations.id and events.date >. date(). and registrations.id=. addslashes($_post[ membershipid ]); Resultant Query exploitation prevented sql_query = select date,title,status from events, registrations where events.id = registrations.id and events.date >. date(). and registrations.id= 1000\ ; <injected commands>; --

17 INJECTION EXAMPLE Additional Input Validation Check if membership is a number. // validate all supplied user input. Set $process = true if all input has been validated. $process = false; //don t process by default $valid_data_count=0; //initialise the counter for valid data elements $expected_elements=1; // we are expecting to validate 1 element here. if (is_numeric($_post[ membershipid ]) { //if membershipid is a number increment valid data counter $valid_data_count++; } if ($valid_data_count == $expected_elements) { //if the valid data count the required number of elements? $process = true; } if ($process) { sql_query = select date,title,status from events, registrations where events.id = registrations.id and events.date >. date(). and registrations.id=. addslashes($_post[ membershipid ]); } else { // Gracefully handle the invalid membershipid echo Invalid data has been received\n ; // Log input data, source address, date/time into errors database for security operations review. }

18 INJECTION CASE STUDY Threat Agent Grouping: Organised Crime. Motivation: Spread Malware or Extortion Based on: Sophistication: Use of Multiple Hosting Providers Use of Multiple DNS Names for malware hosting servers Targeting: Attacked Multiple of Businesses Business Impact Outage of Online Membership Functions Reduced Services to members. Increased costs to provide member services. Remediation and Incident Response Costs: Application Remediation to Check User Input by Developers Lost Productivity of IT Support staff diverted to Incident Response 3 rd Party Security Incident Response Assistance

19 CROSS SITE SCRIPTING - OVERVIEW OWASP Rating: Prevention: Escaping and Whitelisting.

20 CROSS SITE SCRIPTING CASE STUDY Case Study: User Registration Root Cause: Unchecked form data included in HTML source.

21 CROSS SITE SCRIPTING CASE STUDY Analysis of Vulnerability

22 CROSS SITE SCRIPT CASE STUDY Insecure Code Fix - Escaping <?php //code to obtain data from database echo Customer Name:. $custname; echo Customer Address1:. $custaddr1;?> <?php //code to obtain data from database echo Customer Name:. htmlspecialchars($custname); echo Customer Address1:. htmlspecialchars($custaddr1);?> Fix Output Validation <?php //code to obtain data from database echo Customer Name:. htmlspecialchars($custname); echo Customer Address1:. htmlspecialchars($custaddr1); if (is_number($custpostcode)) { // Works for Australian Numeric Post Codes // accomodation of International Post Codes will require adjustment. echo Customer Post Code:. $custpostcode; } else { //error handler }?>

23 CROSS SITE SCRIPTING CASE STUDY Threat Agent Grouping: Motivation: N/A N/A Business Impact Risk: Cascaded exploitation by attackers. Costs: Application remediation Developer costs

24 BROKEN AUTHENTICATION AND SESSION MANAGEMENT - OVERVIEW Overview

25 BROKEN AUTHENTICATION AND SESSION MANAGEMENT CASE STUDY Case Study: Web Application Root Cause: Insufficient protection of passwords exposed by inadequate system maintenance.

26 BROKEN AUTHENTICATION AND SESSION MANAGEMENT CASE STUDY Analysis of Vulnerability

27 BROKEN AUTHENTICATION AND SESSION MANAGEMENT Insecure Code <?php //code to store a password from a user in a sql database $query = update passwords set password=. $password. where username=. $username. ; } mysql_query($query); if (mysql_num_rows($query) == 1) {?> //As there is a matching username and password, //we consider the user authenticated

28 BROKEN AUTHENTICATION AND SESSION MANAGEMENT Using Salt + multiple hashing. <?php //code to store a password from a user in a sql database $salt_length = mt_rand(135,270); // characters in the salt. $iterations = mt_rand(2000,4000); // iterations of the hashfunction $hash_algo = sha256 ; //Generate the salt $salt = ; for ($saltcounter = 0; $saltcounter++; $saltcounter < $salt_length) { $salt.= mt_rand(32,255); } //Combine the salt with the password and iterate the hash function. $hashpass = $salt. $password; for ($hashcounter = 0; $hashcounter++; $hashcounter < $iterations) { $hashpass = hash($hash_algo, $hashpass); } $query = update passwords set hashpass=. $hashpass., salt=. $salt., iterations=. $iterations. where username=. $username. ; mysql_query($query);?>

29 BROKEN AUTHENTICATION AND SESSION MANAGEMENT CASE STUDY Threat Agent Grouping: Infamy (Skilled Employed Anti-Forensics) Motivation: (Limited) Distribution of Copyrighted Material Business Impact Disruption: Services unavailable while servers were rebuilt. Delays to other projects as staff were resolving issues. Costs: Security Incident Response Team 7 FTE Staff for 3 Weeks, plus External Security Incident Support. Lost Productivity. Reputational Damage Additional Support Additional Security Awareness Training 1 Year Fixed Term Staff Member to Provide. Improvement to Policies, Procedures and Processes.

30 INSECURE DIRECT OBJECT REFERENCES Overview Prevention: Check access, use per user/session indirect object references.

31 INSECURE DIRECT OBJECT REFERENCES CASE STUDY Root Cause: Direct access to objects, common in White Label Sites.

32 INSECURE DIRECT OBJECT REFERENCES Code Sample <?php include $_GET["header"]; echo "<h1>payment Gateway</h1>\n"; include $_GET["footer"];?>

33 INSECURE DIRECT OBJECT REFERENCES CASE STUDY Analysis of the Vulnerability

34 INSECURE DIRECT OBJECT REFERENCES A Fix Map hostname to a numeric client identifier. <?php clientid = hostclientmap($_server[ http_host ]); include /. $clientid. /header ; echo <h1>payment Gateway</h1>\n ; include /. $clientid. /footer ; function hostclientmap($hostname) { $result = mysql_query( select clientid from client-hostname-mapping where hostname=. addslashes($hostname). ); if(!result) { // return clientid=0 which is a warning to update the clientid <-> hostname mapping. $clientid=0; } else { $row=mysql_row(); $clientid = $row[ clientid ]; } }?>

35 INSECURE DIRECT OBJECT REFERENCES CASE STUDY Threat Agent Grouping: Discovered during testing. Motivation: N/A Business Impact Vendor rework for compliance. Damages Vendor s credibility (hence reputation). Claims of PCI DSS Compliance where able to be cast into doubt.

36 CROSS SITE REQUEST FORGERY Overview

37 CROSS SITE REQUEST FORGERY - EXAMPLE Analysis of the forgery Visiting the malicious site may be incidental e.g compromised ads, forums, etc.

38 CROSS SITE REQUEST FORGERY - EXAMPLE Threat Agent Grouping: Typically Organised Crime Motivation: Fraud / Theft. Business Impact Damages Vendor s reputation. Increased losses from Fraud / Theft.

39 SECURITY MISCONFIGURATION Overview Prevention: System Hardening, System Maintenance.

40 SECURITY MISCONFIGURATION CASE STUDY Code Red Worm (July )..ida isapi extension left enabled. Indexing Service Largely unused. System maintenance not conducted since June

41 SECURITY MISCONFIGURATION CASE STUDY Code Red Worm

42 SECURITY MISCONFIGURATION CASE STUDY Threat Agent Grouping: Self Promotion Motivation: Infamy eeye believed that the worm had the same original as the ILOVEYOU worm. Business Impact Disruption Restoration costs to websites

43 INSECURE CRYPTOGRAPHIC STORAGE Overview

44 INSECURE CRYPTOGRAPHIC STORAGE Transactional Data was stored in a temporary table in clear text.

45 INSECURE CRYPTOGRAPHIC STORAGE Threat Agent Grouping: N/A Motivation: N/A Business Impact Failure to meet contractual obligations Increased compliance costs due to additional infrastructure falling into scope. Remediation Costs

46 FAILURE TO RESTRICT URL ACCESS Overview Prevention:

47 FAILURE TO RESTRICT URL ACCESS

48 FAILURE TO RESTRICT URL ACCESS Threat Agent Grouping: N/A Motivation: N/A Business Impact Possible Denial of Service, Data Sniffing. Remediation Costs Options: Immediate Fix: 2 hours x 200 devices = 4 weeks. Approximately $40,000 to bring in a resource. Delayed Fix and Counter Measures. Action Taken: Delayed fix with other maintenance. Changed Passwords on other systems (4 hours). Risk Acceptance by Management.

49 INSUFFICIENT TRANSPORT LAYER PROTECTION Overview Prevention: Require SSL for Sensitive Pages, Configure SSL to only use approved algorithms.

50 INSUFFICIENT TRANSPORT LAYER PROTECTION CASE STUDY Local Australian Bank. Root Cause: Use of Deprecated Private Key Crypto. SSL Uses both Public Key and Private Key Cryptography.

51 INSUFFICIENT TRANSPORT LAYER PROTECTION CASE STUDY Public Key Ok 2048 Bits Meets recent key length upgrade requirements.

52 INSUFFICIENT TRANSPORT LAYER PROTECTION Private Key Encryption Use of Deprecated RC4. Considered ineffective as early as 2009[1]. Not approved by NIST in SP A Not approved by DSD in the 2012 ISM. PCI-DSS requires strong cryptography. Apache Config changes are easy. SSLProtocol all +SSLv2 SSLCipherSuite SSLv2:+HIGH

53 INSUFFICIENT TRANSPORT LAYER PROTECTION Threat Agent Grouping: Motivation: N/A Obtaining of sensitive information. Business Impact Reputation Damage to reputation. Compliance: Fails to meet compliance requirements for PCI-DSS (Req 3.4). Costs: Reconfigure equipment to use newer algorithms. Possible upgrade costs to equipment for newer algorithms

54 UNVALIDATED REDIRECTS AND FORWARDS Overview Prevention Don t allow users to control redirects. Very common with Central Authentication Systems.

55 UNVALIDATED REDIRECTS AND FORWARDS Common with Central Authentication Systems.

56 UNVALIDATED REDIRECTS AND FORWARDS Common with Central Authentication Systems

57 UNVALIDATED REDIRECTS AND FORWARDS

58 UNVALIDATED REDIRECTS AND FORWARDS Threat Agent Grouping: N/A Motivation: N/A Business Impact Reduced Customer / Staff Confidence. Remediation Costs

59 2010 / 2013 RC TOP 10 COMPARISON Injection 2. Cross Site Scripting 3. Broken Authentication & Session Management 4. Insecure Direct Object References 5. Cross-Site Request Forgery (CSRF) 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access 9. Insufficient Transport Layer Protection 10. Unvalidated Redirects and Forwards R E L E A S E C A N D I D A T E 1. Injection (NC) 2. Broken Authentication & Session Management (+1) 3. Cross-Site Scripting (XSS) (-1) 4. Insecure Direct Object References (NC) 5. Security Misconfiguration (+1) 6. Sensitive Data Exposure (+1 Similar to 7) 7. Missing Function Level Access Control (+1 Similar to 8) 8. Cross-Site Request Forgery (CSRF) (-3) 9. Using Components with Known Vulnerabilities (New) 10. Unvalidated Redirects and Forwards. (NC)

60 RECOMMENDATIONS When Developing Web Applications Ensure that you have an Application Security Program Train (new) developers before projects (including updates) Develop reusable architectures and code libraries Build-in rather than retrofit Take unintended / unwanted users into consideration When Purchasing Web Applications Include appropriate security measures in the contract. Consider remediation clauses. Consider requiring support for dependant vendor updates. If both cases: Assessing the level of compliance with these measures to understand the risk to your organisation is vital. Assessments should occur at multiple stages during and after development.

61 PRIZE In the presentation iconic object from a James Bond film. a) What is the object? b) Which James Bond film is it from?

62 Q&A

Copyright

Copyright 1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?

More information

Web Application Security. Philippe Bogaerts

Web Application Security. Philippe Bogaerts Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security

More information

Application Layer Security

Application Layer Security Application Layer Security General overview Ma. Angel Marquez Andrade Benefits of web Applications: No need to distribute separate client software Changes to the interface take effect immediately Client-side

More information

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati OWASP TOP 10 2017 Release Andy Willingham June 12, 2018 OWASP Cincinnati Agenda A quick history lesson The Top 10(s) Web Mobile Privacy Protective Controls Why have a Top 10? Software runs the world (infrastructure,

More information

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s Session I of III JD Nir, Security Analyst Why is this important? ISE Proprietary Agenda About ISE Web Applications

More information

Your Turn to Hack the OWASP Top 10!

Your Turn to Hack the OWASP Top 10! OWASP Top 10 Web Application Security Risks Your Turn to Hack OWASP Top 10 using Mutillidae Born to Be Hacked Metasploit in VMWare Page 1 https://www.owasp.org/index.php/main_page The Open Web Application

More information

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite: Secure Java Web Application Development Lifecycle - SDL (TT8325-J) Day(s): 5 Course Code: GK1107 Overview Secure Java Web Application Development Lifecycle (SDL) is a lab-intensive, hands-on Java / JEE

More information

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing

More information

OWASP Top 10 The Ten Most Critical Web Application Security Risks

OWASP Top 10 The Ten Most Critical Web Application Security Risks OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

Web Application Vulnerabilities: OWASP Top 10 Revisited

Web Application Vulnerabilities: OWASP Top 10 Revisited Pattern Recognition and Applications Lab Web Application Vulnerabilities: OWASP Top 10 Revisited Igino Corona igino.corona AT diee.unica.it Computer Security April 5th, 2018 Department of Electrical and

More information

Web Application Threats and Remediation. Terry Labach, IST Security Team

Web Application Threats and Remediation. Terry Labach, IST Security Team Web Application Threats and Remediation Terry Labach, IST Security Team IST Security Team The problem While we use frewalls and other means to prevent attackers from access to our networks, we encourage

More information

1 About Web Security. What is application security? So what can happen? see [?]

1 About Web Security. What is application security? So what can happen? see [?] 1 About Web Security What is application security? see [?] So what can happen? 1 taken from [?] first half of 2013 Let s focus on application security risks Risk = vulnerability + impact New App: http://www-03.ibm.com/security/xforce/xfisi

More information

C1: Define Security Requirements

C1: Define Security Requirements OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security

More information

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite: Securing Java/ JEE Web Applications (TT8320-J) Day(s): 4 Course Code: GK1123 Overview Securing Java Web Applications is a lab-intensive, hands-on Java / JEE security training course, essential for experienced

More information

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda THREAT MODELING IN SOCIAL NETWORKS Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda INTRODUCTION Social Networks popular web service. 62% adults worldwide use social media 65% of world top companies

More information

Development*Process*for*Secure* So2ware

Development*Process*for*Secure* So2ware Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development

More information

Solutions Business Manager Web Application Security Assessment

Solutions Business Manager Web Application Security Assessment White Paper Solutions Business Manager Solutions Business Manager 11.3.1 Web Application Security Assessment Table of Contents Micro Focus Takes Security Seriously... 1 Solutions Business Manager Security

More information

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant Penetration Testing following OWASP Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant За Лирекс Penetration testing A method of compromising the security of a computer system or network by

More information

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017 OWASP Top 10-2017 David Caissy OWASP Los Angeles Chapter July 2017 About Me David Caissy Web App Penetration Tester Former Java Application Architect IT Security Trainer: Developers Penetration Testers

More information

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP OWASP Top 10 Risks Dean.Bushmiller@ExpandingSecurity.com Many thanks to Dave Wichers & OWASP My Mom I got on the email and did a google on my boy My boy works in this Internet thing He makes cyber cafes

More information

EasyCrypt passes an independent security audit

EasyCrypt passes an independent security audit July 24, 2017 EasyCrypt passes an independent security audit EasyCrypt, a Swiss-based email encryption and privacy service, announced that it has passed an independent security audit. The audit was sponsored

More information

Web Application Whitepaper

Web Application Whitepaper Page 1 of 16 Web Application Whitepaper Prepared by Simone Quatrini and Isa Shorehdeli Security Advisory EMEAR 6 th September, 2017 1.0 General Release Page 2 of 16 1. Introduction In this digital age,

More information

GOING WHERE NO WAFS HAVE GONE BEFORE

GOING WHERE NO WAFS HAVE GONE BEFORE GOING WHERE NO WAFS HAVE GONE BEFORE Andy Prow Aura Information Security Sam Pickles Senior Systems Engineer, F5 Networks NZ Agenda: WTF is a WAF? View from the Trenches Example Attacks and Mitigation

More information

Presentation Overview

Presentation Overview Presentation Overview Basic Application Security (AppSec) Fundamentals Risks Associated With Vulnerable Applications Understanding the Software Attack Surface Mean Time to Fix (MTTF) Explained Application

More information

EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA)

EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA) EPRI Software Development 2016 Guide for Testing Your Software Software Quality Assurance (SQA) Usability Testing Sections Installation and Un-Installation Software Documentation Test Cases or Tutorial

More information

Applications Security

Applications Security Applications Security OWASP Top 10 PyCon Argentina 2018 Objectives Generate awareness and visibility on web-apps security Set a baseline of shared knowledge across the company Why are we here / Trigger

More information

6-Points Strategy to Get Your Application in Security Shape

6-Points Strategy to Get Your Application in Security Shape 6-Points Strategy to Get Your Application in Security Shape Sherif Koussa OWASP Ottawa Chapter Leader Static Analysis Technologies Evaluation Criteria Project Leader Application Security Specialist - Software

More information

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards PCI DSS What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards Definition: A multifaceted security standard that includes requirements for security management, policies, procedures,

More information

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009 Securing Web Applications: Defense Mechanisms Kishin Fatnani Founder & Director K-Secure Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009 1 Agenda Current scenario in Web Application

More information

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14 Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.

More information

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

PASS4TEST. IT Certification Guaranteed, The Easy Way!  We offer free update service for one year PASS4TEST \ http://www.pass4test.com We offer free update service for one year Exam : SY0-301 Title : CompTIA Security+ Certification Exam (SY0-301) Vendor : CompTIA Version : DEMO 1 / 5 Get Latest & Valid

More information

The Top 6 WAF Essentials to Achieve Application Security Efficacy

The Top 6 WAF Essentials to Achieve Application Security Efficacy The Top 6 WAF Essentials to Achieve Application Security Efficacy Introduction One of the biggest challenges IT and security leaders face today is reducing business risk while ensuring ease of use and

More information

Security Communications and Awareness

Security Communications and Awareness Security Communications and Awareness elearning OVERVIEW Recent high-profile incidents underscore the need for security awareness training. In a world where your employees are frequently exposed to sophisticated

More information

Effective Strategies for Managing Cybersecurity Risks

Effective Strategies for Managing Cybersecurity Risks October 6, 2015 Effective Strategies for Managing Cybersecurity Risks Larry Hessney, CISA, PCI QSA, CIA 1 Everybody s Doing It! 2 Top 10 Cybersecurity Risks Storing, Processing or Transmitting Sensitive

More information

Vulnerabilities in online banking applications

Vulnerabilities in online banking applications Vulnerabilities in online banking applications 2019 Contents Introduction... 2 Executive summary... 2 Trends... 2 Overall statistics... 3 Comparison of in-house and off-the-shelf applications... 6 Comparison

More information

Aguascalientes Local Chapter. Kickoff

Aguascalientes Local Chapter. Kickoff Aguascalientes Local Chapter Kickoff juan.gama@owasp.org About Us Chapter Leader Juan Gama Application Security Engineer @ Aspect Security 9+ years in Appsec, Testing, Development Maintainer of OWASP Benchmark

More information

Testpassport http://www.testpassport.net Exam : SY0-301 Title : Security+ Certification Exam 2011 version Version : Demo 1 / 5 1.Which of the following is the BEST approach to perform risk mitigation of

More information

Managed Application Security trends and best practices in application security

Managed Application Security trends and best practices in application security Managed Application Security trends and best practices in application security Adrian Locusteanu, B2B Delivery Director, Telekom Romania adrian.locusteanu@telekom.ro About Me Adrian Locusteanu is the B2B

More information

PCI DSS 3.1 is here. Are you ready? Mike Goldgof Sr. Director Product Marketing

PCI DSS 3.1 is here. Are you ready? Mike Goldgof Sr. Director Product Marketing PCI DSS 3.1 is here. Are you ready? Mike Goldgof Sr. Director Product Marketing 1 WhiteHat Security Application Security Company Leader in the Gartner Magic Quadrant Headquartered in Santa Clara, CA 320+

More information

COMP9321 Web Application Engineering

COMP9321 Web Application Engineering COMP9321 Web Application Engineering Semester 2, 2017 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2465 1 Assignment

More information

Securing Cloud Applications with a Distributed Web Application Firewall Riverbed Technology

Securing Cloud Applications with a Distributed Web Application Firewall Riverbed Technology Securing Cloud Applications with a Distributed Web Application Firewall www.riverbed.com 2013 Riverbed Technology Primary Target of Attack Shifting from Networks and Infrastructure to Applications NETWORKS

More information

Mitigating Security Breaches in Retail Applications WHITE PAPER

Mitigating Security Breaches in Retail Applications WHITE PAPER Mitigating Security Breaches in Retail Applications WHITE PAPER Executive Summary Retail security breaches have always been a concern in the past, present and will continue to be in the future. They have

More information

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing Mobile Malfeasance Exploring Dangerous Mobile Code Jason Haddix, Director of Penetration Testing Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to

More information

10 FOCUS AREAS FOR BREACH PREVENTION

10 FOCUS AREAS FOR BREACH PREVENTION 10 FOCUS AREAS FOR BREACH PREVENTION Keith Turpin Chief Information Security Officer Universal Weather and Aviation Why It Matters Loss of Personally Identifiable Information (PII) Loss of Intellectual

More information

A practical guide to IT security

A practical guide to IT security Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

More information

CSWAE Certified Secure Web Application Engineer

CSWAE Certified Secure Web Application Engineer CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized

More information

Welcome to the OWASP TOP 10

Welcome to the OWASP TOP 10 Welcome to the OWASP TOP 10 Secure Development for Java Developers Dominik Schadow 03/20/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN 1 AGENDA

More information

Security Communications and Awareness

Security Communications and Awareness Security Communications and Awareness elearning OVERVIEW Recent high-profile incidents underscore the need for security awareness training. In a world where your employees are frequently exposed to sophisticated

More information

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

The SANS Institute Top 20 Critical Security Controls. Compliance Guide The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise

More information

Security Best Practices. For DNN Websites

Security Best Practices. For DNN Websites Security Best Practices For DNN Websites Mitchel Sellers Who am I? Microsoft MVP, ASPInsider, DNN MVP Microsoft Certified Professional CEO IowaComputerGurus, Inc. Contact Information msellers@iowacomputergurus.com

More information

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED AUTOMATED CODE ANALYSIS WEB APPLICATION VULNERABILITIES IN 2017 CONTENTS Introduction...3 Testing methods and classification...3 1. Executive summary...4 2. How PT AI works...4 2.1. Verifying vulnerabilities...5

More information

COMP9321 Web Application Engineering

COMP9321 Web Application Engineering COMP9321 Web Application Engineering Semester 2, 2016 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2445 1 Assignment

More information

Application Security Approach

Application Security Approach Technical Approach Page 1 CONTENTS Section Page No. 1. Introduction 3 2. What is Application Security 7 3. Typical Approaches 9 4. Methodology 11 Page 2 1. INTRODUCTION Page 3 It is a Unsafe Cyber world..

More information

SECURITY PRACTICES OVERVIEW

SECURITY PRACTICES OVERVIEW SECURITY PRACTICES OVERVIEW 2018 Helcim Inc. Copyright 2006-2018 Helcim Inc. All Rights Reserved. The Helcim name and logo are trademarks of Helcim Inc. P a g e 1 Our Security at a Glance About Helcim

More information

OWASP TOP 10. By: Ilia

OWASP TOP 10. By: Ilia OWASP TOP 10 By: Ilia Alshanetsky @iliaa ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado WEB SECURITY THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-) OPEN WEB

More information

OWASP Top David Johansson. Principal Consultant, Synopsys. Presentation material contributed by Andrew van der Stock

OWASP Top David Johansson. Principal Consultant, Synopsys. Presentation material contributed by Andrew van der Stock OWASP Top 10 2017 David Johansson Principal Consultant, Synopsys Presentation material contributed by Andrew van der Stock David Johansson Security consultant with 10 years in AppSec Helping clients design

More information

Web Application Penetration Testing

Web Application Penetration Testing Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate

More information

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES What is the OWASP Top 10? A list of the top ten web application vulnerabilities Determined by OWASP and the security community at large

More information

Certified Secure Web Application Engineer

Certified Secure Web Application Engineer Certified Secure Web Application Engineer ACCREDITATIONS EXAM INFORMATION The Certified Secure Web Application Engineer exam is taken online through Mile2 s Assessment and Certification System ( MACS ),

More information

epldt Web Builder Security March 2017

epldt Web Builder Security March 2017 epldt Web Builder Security March 2017 TABLE OF CONTENTS Overview... 4 Application Security... 5 Security Elements... 5 User & Role Management... 5 User / Reseller Hierarchy Management... 5 User Authentication

More information

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK Hacker Academy Ltd COURSES CATALOGUE Hacker Academy Ltd. LONDON UK TABLE OF CONTENTS Basic Level Courses... 3 1. Information Security Awareness for End Users... 3 2. Information Security Awareness for

More information

Will you be PCI DSS Compliant by September 2010?

Will you be PCI DSS Compliant by September 2010? Will you be PCI DSS Compliant by September 2010? Michael D Sa, Visa Canada Presentation to OWASP Toronto Chapter Toronto, ON 19 August 2009 Security Environment As PCI DSS compliance rates rise, new compromise

More information

Sichere Software vom Java-Entwickler

Sichere Software vom Java-Entwickler Sichere Software vom Java-Entwickler Dominik Schadow Java Forum Stuttgart 05.07.2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN We can no longer

More information

Topics. Ensuring Security on Mobile Devices

Topics. Ensuring Security on Mobile Devices Ensuring Security on Mobile Devices It is possible right? Topics About viaforensics Why mobile security matters Types of security breaches and fraud Anticipated evolution of attacks Common mistakes that

More information

SECURITY TESTING. Towards a safer web world

SECURITY TESTING. Towards a safer web world SECURITY TESTING Towards a safer web world AGENDA 1. 3 W S OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS ate: 2013-14 Few Security Breaches September

More information

Simplifying Application Security and Compliance with the OWASP Top 10

Simplifying Application Security and Compliance with the OWASP Top 10 Simplifying Application Security and Compliance with the OWASP Top 10 An Executive Perspective 187 Ballardvale Street, Wilmington, MA 01887 978.694.1008 ExECuTivE PErSPECTivE 2 introduction From a management

More information

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle Data Security and Privacy : Compliance to Stewardship Jignesh Patel Solution Consultant,Oracle Agenda Connected Government Security Threats and Risks Defense In Depth Approach Summary Connected Government

More information

Protect Your Organization from Cyber Attacks

Protect Your Organization from Cyber Attacks Protect Your Organization from Cyber Attacks Leverage the advanced skills of our consultants to uncover vulnerabilities our competitors overlook. READY FOR MORE THAN A VA SCAN? Cyber Attacks by the Numbers

More information

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) banksa.com.au

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) banksa.com.au Your guide to the Payment Card Industry Data Security Standard (PCI DSS) 1 13 13 76 banksa.com.au CONTENTS Page Contents 1 Introduction 2 What are the 12 key requirements of PCIDSS? 3 Protect your business

More information

V Conference on Application Security and Modern Technologies

V Conference on Application Security and Modern Technologies V Conference on Application Security and Modern Technologies In collaborazione con Venezia, Università Ca Foscari 6 Ottobre 2017 1 Matteo Meucci OWASP Nuovi standard per la sicurezza applicativa 2

More information

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0 Welcome BIZEC Roundtable @ IT Defense, Berlin SAP Security BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0 February 1, 2013 Andreas Wiegenstein CTO, Virtual Forge 2 SAP Security SAP security is a complex

More information

Atlassian. Atlassian Software Development and Collaboration Tools. Bugcrowd Bounty Program Results. Report created on October 04, 2017.

Atlassian. Atlassian Software Development and Collaboration Tools. Bugcrowd Bounty Program Results. Report created on October 04, 2017. Atlassian Software Development and Collaboration Tools Atlassian Bugcrowd Bounty Program Results Report created on October 04, 2017 Prepared by Ryan Black, Director of Technical Operations Table of Contents

More information

Application Security. Doug Ashbaugh CISSP, CISA, CSSLP. Solving the Software Quality Puzzle

Application Security. Doug Ashbaugh CISSP, CISA, CSSLP.  Solving the Software Quality Puzzle Application Security Doug Ashbaugh CISSP, CISA, CSSLP Page 1 It security Page 2 Page 3 Percent of Breaches Page 4 Hacking 5% 15% 39% Page 5 Common Attack Pathways Page 6 V u ln e ra b ilitie s / We a k

More information

Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach

Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach 2016 Presented by James Tarala (@isaudit) Principal Consultant Enclave Security 2 Historic Threat Hunting German

More information

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT? NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT? What the new data regulations mean for your business, and how Brennan IT and Microsoft 365 can help. THE REGULATIONS: WHAT YOU NEED TO KNOW Australia:

More information

Securing Cloud Computing

Securing Cloud Computing Securing Cloud Computing NLIT Summit, May 2018 PRESENTED BY Jeffrey E. Forster jeforst@sandia.gov Lucille Forster lforste@sandia.gov Sandia National Laboratories is a multimission laboratory managed and

More information

Web Applications Penetration Testing

Web Applications Penetration Testing Web Applications Penetration Testing Team Members: Rahul Motwani (2016ME10675) Akshat Khare (2016CS10315) ftarth Chopra (2016TT10829) Supervisor: Prof. Ranjan Bose Before proceeding further, we would like

More information

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software Securing Your Web Application against security vulnerabilities Alvin Wong, Brand Manager IBM Rational Software Agenda Security Landscape Vulnerability Analysis Automated Vulnerability Analysis IBM Rational

More information

Controls Electronic messaging Information involved in electronic messaging shall be appropriately protected.

Controls Electronic messaging Information involved in electronic messaging shall be appropriately protected. I Use of computers This document is part of the UCISA Information Security Toolkit providing guidance on the policies and processes needed to implement an organisational information security policy. To

More information

COMP9321 Web Application Engineering

COMP9321 Web Application Engineering COMP9321 Web Application Engineering Web Application Security Dr. Basem Suleiman Service Oriented Computing Group, CSE, UNSW Australia Semester 1, 2016, Week 8 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2442

More information

Application vulnerabilities and defences

Application vulnerabilities and defences Application vulnerabilities and defences In this lecture We examine the following : SQL injection XSS CSRF SQL injection SQL injection is a basic attack used to either gain unauthorized access to a database

More information

The Interactive Guide to Protecting Your Election Website

The Interactive Guide to Protecting Your Election Website The Interactive Guide to Protecting Your Election Website 1 INTRODUCTION Cloudflare is on a mission to help build a better Internet. Cloudflare is one of the world s largest networks. Today, businesses,

More information

Application Security & Verification Requirements

Application Security & Verification Requirements Application Security & Verification Requirements David Jones July 2014 This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. Contains content Copyright 2008 2013 The

More information

External Supplier Control Obligations. Cyber Security

External Supplier Control Obligations. Cyber Security External Supplier Control Obligations Cyber Security Control Title Control Description Why this is important 1. Cyber Security Governance The Supplier must have cyber risk governance processes in place

More information

IBM Future of Work Forum

IBM Future of Work Forum IBM Cognitive IBM Future of Work Forum The Engaged Enterprise Comes Alive Improving Organizational Collaboration and Efficiency While Enhancing Security on Mobile and Cloud Apps Chris Hockings IBM Master

More information

RSA Web Threat Detection

RSA Web Threat Detection RSA Web Threat Detection Online Threat Detection in Real Time Alaa Abdulnabi. CISSP, CIRM RSA Pre-Sales Manager, TEAM Region 1 Web Threat Landscape In the Wild Begin Session Login Transaction Logout Web

More information

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11 Attacks Against Websites Tom Chothia Computer Security, Lecture 11 A typical web set up TLS Server HTTP GET cookie Client HTML HTTP file HTML PHP process Display PHP SQL Typical Web Setup HTTP website:

More information

Cyber Security Audit & Roadmap Business Process and

Cyber Security Audit & Roadmap Business Process and Cyber Security Audit & Roadmap Business Process and Organizations planning for a security assessment have to juggle many competing priorities. They are struggling to become compliant, and stay compliant,

More information

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Charting the Course to Your Success! Securing.Net Web Applications Lifecycle Course Summary Course Summary Description Securing.Net Web Applications - Lifecycle is a lab-intensive, hands-on.net security training course, essential for experienced enterprise developers who need to produce secure.net-based

More information

The requirements were developed with the following objectives in mind:

The requirements were developed with the following objectives in mind: FOREWORD This document defines four levels of application security verification. Each level includes a set of requirements for verifying the effectiveness of security controls that protect web applications

More information

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security. Web Security Web Programming Uta Priss ZELL, Ostfalia University 2013 Web Programming Web Security Slide 1/25 Outline Web insecurity Security strategies General security Listing of server-side risks Language

More information

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13 Airlock and the OWASP TOP 10-2017 Version 2.1 11.24.2017 OWASP Top 10 A1 Injection... 3 A2 Broken Authentication... 5 A3 Sensitive Data Exposure... 6 A4 XML External Entities (XXE)... 7 A5 Broken Access

More information

Cyber Attacks and Application - Motivation, Methods and Mitigation. Alfredo Vistola Solution Architect Security, EMEA

Cyber Attacks and Application - Motivation, Methods and Mitigation. Alfredo Vistola Solution Architect Security, EMEA Cyber Attacks and Application - Motivation, Methods and Mitigation Alfredo Vistola a.vistola@f5.com Solution Architect Security, EMEA Attacks are Moving Up the Stack Network Threats Application Threats

More information

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors Protecting Against Modern Attacks Protection Against Modern Attack Vectors CYBER SECURITY IS A CEO ISSUE. - M C K I N S E Y $4.0M 81% >300K 87% is the average cost of a data breach per incident. of breaches

More information

Bank Infrastructure - Video - 1

Bank Infrastructure - Video - 1 Bank Infrastructure - 1 05/09/2017 Threats Threat Source Risk Status Date Created Account Footprinting Web Browser Targeted Malware Web Browser Man in the browser Web Browser Identity Spoofing - Impersonation

More information

Ingram Micro Cyber Security Portfolio

Ingram Micro Cyber Security Portfolio Ingram Micro Cyber Security Portfolio Ingram Micro Inc. 1 Ingram Micro Cyber Security Portfolio Services Trainings Vendors Technical Assessment General Training Consultancy Service Certification Training

More information

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013 Protect Your Application with Secure Coding Practices Barrie Dempster & Jason Foy JAM306 February 6, 2013 BlackBerry Security Team Approximately 120 people work within the BlackBerry Security Team Security

More information

An analysis of security in a web application development process

An analysis of security in a web application development process An analysis of security in a web application development process Florent Gontharet Ethical Hacking University of Abertay Dundee MSc Ethical Hacking 2015 Table of Contents Abstract...2 Introduction...3

More information

PCI DSS. Compliance and Validation Guide VERSION PCI DSS. Compliance and Validation Guide

PCI DSS. Compliance and Validation Guide VERSION PCI DSS. Compliance and Validation Guide PCI DSS VERSION 1.1 1 PCI DSS Table of contents 1. Understanding the Payment Card Industry Data Security Standard... 3 1.1. What is PCI DSS?... 3 2. Merchant Levels and Validation Requirements... 3 2.1.

More information