OWASP ASVS for NFTaaS in Financial Services OLEKSANDR KAZYMYROV, TECHNICAL TEST ANALYST

Similar documents
Application Security Approach

CSWAE Certified Secure Web Application Engineer

Certified Secure Web Application Engineer

SECURITY TESTING. Towards a safer web world

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Ingram Micro Cyber Security Portfolio

Professional Services Overview

OWASP Top 10 The Ten Most Critical Web Application Security Risks

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

Web Application Penetration Testing

Application. Security. on line training. Academy. by Appsec Labs

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Aguascalientes Local Chapter. Kickoff

The Top 6 WAF Essentials to Achieve Application Security Efficacy

Web Applications Penetration Testing

Penetration testing.

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Security Solutions. Overview. Business Needs

Security Best Practices. For DNN Websites

Web Application Security. Philippe Bogaerts

V Conference on Application Security and Modern Technologies

Applications Security

Mitigating Security Breaches in Retail Applications WHITE PAPER

Under the hood testing - Code Reviews - - Harshvardhan Parmar

Development*Process*for*Secure* So2ware

PCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard

Managed Application Security trends and best practices in application security

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Improving Security in the Application Development Life-cycle

Payment Card Industry Internal Security Assessor: Quick Reference V1.0

CN!Express CX-6000 Single User Version PCI Compliance Status Version June 2005

Chapter 5: Vulnerability Analysis

Ethical Hacking as a Professional Penetration Testing Technique ISSA Southern Tier & Rochester Chapters

Curso: Ethical Hacking and Countermeasures

Kaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services. #truecybersecurity

Advanced Ethical Hacking & Penetration Testing. Ethical Hacking

De-risk Your Applications. SUBSCRIBE TO EVRY S SECURITY TESTING AS A SERVICE (STaaS) TODAY!

Engineering Your Software For Attack

Securing Cloud Applications with a Distributed Web Application Firewall Riverbed Technology

TIBCO Cloud Integration Security Overview

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Scan Report Executive Summary

Your Turn to Hack the OWASP Top 10!

INFORMATION SUPPLEMENT. Use of SSL/Early TLS for POS POI Terminal Connections. Date: June 2018 Author: PCI Security Standards Council

Integrated Web Application Firewall (WAF) & Distributed Denial Of Service (DDoS) Mitigation For Today s Enterprises

PCI DSS v3. Justin

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Securing Digital Applications

Integrigy Consulting Overview

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Simplifying Application Security and Compliance with the OWASP Top 10

Information Technology Standard for PCI systems Syracuse University Information Technology and Services PCI Network Security Standard (Appendix 1)

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

Atlassian. Atlassian Software Development and Collaboration Tools. Bugcrowd Bounty Program Results. Report created on October 04, 2017.

Copyright

RiskSense Attack Surface Validation for Web Applications

EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA)

Welcome to the OWASP TOP 10

Large Scale Generation of Complex and Faulty PHP Test Cases

Exploiting and Defending: Common Web Application Vulnerabilities

Solutions Business Manager Web Application Security Assessment

C1: Define Security Requirements

PCI DSS 3.1 is here. Are you ready? Mike Goldgof Sr. Director Product Marketing

SECURITY PRACTICES OVERVIEW

TRAINING CURRICULUM 2017 Q2

En partenariat avec CA Technologies. Genève, Hôtel Warwick,

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

IBM SmartCloud Notes Security

Scan Report Executive Summary

PCI Compliance. Network Scanning. Getting Started Guide

GOING WHERE NO WAFS HAVE GONE BEFORE

Security Communications and Awareness

Sage Data Security Services Directory

Cybersecurity Education Catalog

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Application Layer Security

CASE STUDY - Preparing for a PCI-DSS Audit using Cryptosense Analyzer

Compliance-driven Security Requirements Warzaw 12 Oct Bengt Berg, M.Sc, CISM, CISSP, QSA,...

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Scan Report Executive Summary. Part 2. Component Compliance Summary Component (IP Address, domain, etc.):

Presentation Overview

CyberSecurity. Penetration Testing. Penetration Testing. Contact one of our specialists for more information CYBERSECURITY SERVICE DATASHEET

Building Secure Systems

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Payment Card Industry Data Security Standards Version 1.1, September 2006

University of Sunderland Business Assurance PCI Security Policy

State of Software Security Report Volume 2. Jeff Ennis, CEH Solutions Architect Veracode

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

PEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech

Mobile Payment Application Security. Security steps to take while developing Mobile Application s. SISA Webinar.

Providing Secure, Fast and Available

Transcription:

OWASP ASVS for NFTaaS in Financial Services OLEKSANDR KAZYMYROV, TECHNICAL TEST ANALYST

Agenda Chapter I - Brief Introduction Chapter II - Why OWASP ASVS? Chapter III - OWAS ASVS in Practice Chapter IV Summary

Brief Introduction CHAPTER I

Who am I? Education Other Job Candidate of Engineering Sciences in Information Security KHNURE, Ukraine Certificates Certified Ethical Hacker Certified Encryption Specialist Technical Test Analyst at EVRY Ph.D. in Cryptology University of Bergen, Norway Standards DSTU 7624:2014 DSTU 7564:2014 4 PRESENTATION TITLE

EVRY Nordic Champion 50 towns and cities with capacity to deliver 11 regional offices with specialist competencies 10.000 employees Women Age 26% 39yrs Universum # 4 100+ employees

EVRY GROUP - Geographic distribution Nordics Rest of the World (Global Delivery) 6

NFT Department Performance Reliability Security Front-end Load Endurance Stress Spike Failover Interruption Recoverability Load balancing Application layer Network layer Wireless PCI DSS 7

Why OWASP ASVS? CHAPTER II

PCI DSS Requirement 11.3 9

PCI DSS Penetration Testing External Internal Segmentation Checks AL NL AL NL 10

NIST SP 800-115: Appendix C - Application Security Testing and Examination 11

NIST SP 800-115: Appendix E - Table E-2. Online Resources 12

PCI DSS Penetration Testing - Summary Methodology PCI DSS Penetration Testing Guidance NIST Special Publication 800-115 Open Source Security Testing Methodology Manual Testing Guide Open Source Security Testing Methodology Manual ( OSSTMM ) OWASP Testing Guide Penetration Testing Execution Standard Penetration Testing Framework PCI DSS Requirement 6.5 Injection flaws Insecure communications Improper error handling Improper access control Cross-site scripting (XSS) etc. PCI DSS Requirement 11.3 Perform external penetration testing Perform internal penetration testing Verify segmentation methods 13

OWASP Testing Guide (from PCI Pentest Guide) 14

OWASP Top 10 2013 vs PCI DSS OWASP Top 10 2013 A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Components with Known Vulnerabilities A10 Invalidated Redirects and Forwards PCI DSS Requirements 6.5.1 Injection flaws / 6.5.2 Buffer overflows 6.5.10 Broken authentication and session management 6.5.7 XSS? -? 6.5.6 All high risk vulnerabilities? 6.5.5 Improper error handling 6.5.8 Improper access control / 6.5.3 Insec. cryptostorage 6.5.9 CSRF 6.5.6 All high risk vulnerabilities? 6.5.4 Insecure communications 15

OWASP Application Security Verification Standard (ASVS) OWASP Web Top 10 Architecture OWASP Code Review Top 9 OWASP ASVS v3.0.1 16

Key parts of OWAS ASVS Scope for the application security verification standard Description of security verification levels Requirements / Controls Standards Mappings 17

OWAS ASVS Verification Controls (v3.0.1) 18

19 OWASP ASVS: Standards Mappings

Relation Between Requirements OWASP ASVS PCI DSS OWASP Top 10 20

EVRY FS EVRY PCI DSS Security OWASP TOP 10 Scope for pentesting of web applications 21

OWAS ASVS in Practice CHAPTER III

OWAS ASVS Verification Controls 23

OWAS ASVS Verification Controls (v3.0.1) 24

OWASP ASVS Levels Security 3 Advanced 2 Standard 0 Cursory 1 Opportunistic 25

An Issue With Level Definition Requirements Level AUT 26

Relation Between Project and NFT Project Manager NFT Manager Project Architect Test Env Manager NFT Coordinator NFT Manager NFT Analyst Development Manager Functional Test Manager 27

Compliance Selection at Financial Services 28

EVRY FINancial suite Operational Domains in SaaS (FINODS) Loadbalancers Area G http-servers, MQ, filetransfer, SQLproxy, Internet Proxy Area F Card Portal / Clients Portal, Internetbank and non card clients EDB ESB WS_PROXY Area E WebServices load-balancers / MQ Area D Card Services Bank Services (non-card) Issuing, Acquiring and Security Batch, Analysis, Security, Online Area C Database servers Cards Database servers serving area C and E Area B PCI Disk SAN dedicated SAN's to critical systems NON PCI Area A = Security areas 29

Authentication in Cardholder Client (CHC) Using LoginService2 (LS2) 3 LoginService2 4 6 5 Browser SO Service 71 210 Cardholder Client 9 8 30

LoginService2 31

Cardholder Client 32

General Information on LS2 and CHC LoginSevice2 Cardholder Client LS2 stays in front of almost all applications It is the first major security barrier LS2 helps to retrieve tokens (Secure Object or simply SO) and hand over it to the 3 rd party applications Available through the Internet CHC is a part of EVRY s NetBank (Online banking) It can be integrated with any 3rd party web application EVRY s NetBank is protected by LoginsService2 in front of CHC After logging in CHC uses SO as the main parameter in session management Available through the Internet 33 OWASP ASVS Level 3 OWASP ASVS Level 2

Security Application Life Cycle No or minor changes Security assessment 6 months (1 year by PCI DSS) Application update Partial Full New functionality Full pentest 34

Summary PCI DSS is a good starting point for any infrastructure OWASP ASVS is a flexible standard with minimal effort for adaptation For a stable security development lifecycle the following should be implemented o Standard operation procedures o Methodology for security testing o Security risk assessment o Role descriptions o General compliance levels 35

PRESENTATION 36 TITLE

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback