Challenges in implementing and certifying an online payment application Ana Tudosa Java Senior Developer October 2013

Iasi code camp 12 october 2013 ana tudosa - challenges in implementing and certifying an online payment application


Page 1: Iasi code camp 12 october 2013   ana tudosa - challenges in implementing and certifying an online payment application

Challenges in implementing and certifying an online payment application

Ana Tudosa, Java Senior Developer
October 2013

Page 2: Why Do We Care About Security?

AN INTRODUCTION HERE

HELP!!!!

Page 3: How Hard Is It To Compromise?

The majority of the attacks are very easy to execute: 78% of the attacks required Low or Very Low difficulty to execute.

Source: Verizon Data Breach Investigations Report 2013

Page 4: Some Hacker Profiling

(Chart) Variety and origin of external attackers

Source: Verizon Data Breach Investigations Report 2013

Page 5: Some Hacker Profiling

(Chart) Variety of internal attackers

Hey, developers are pretty honest compared to upper management and system administrators.

Source: Verizon Data Breach Investigations Report 2013

Page 6: What is Being Compromised?

(Chart) Most commonly: applications

Source: Post Breach Boom, Ponemon Institute 2013

Page 7: How Did It Occur?

SQL injection is the most common form of successful attack.

Source: Post Breach Boom, Ponemon Institute 2013

Page 8: Types of Breaches

In order to protect your application you need to understand WHO, WHY and HOW.

- APT
- Opportunistic breach
- Hacktivist breach
- Self-inflicted breach

Page 9: Night Dragon

Source: Global energy cyber attacks, “Night Dragon”, McAfee, 2011

Page 10: The Hacktivist Breach

Page 11: Cost Of a Data Breach

(Chart) Cost components: Detection and Escalation, Notification, Ex-Post Response, Lost Business. Values shown: $395,262.00, $565,020.00, $1,412,548.00, $3,030,814.00.

Source: Cost of a Data Breach: Global Analysis, Ponemon Institute 2013

Page 12: What is PCI-DSS?

Payment Card Industry Data Security Standard
- Enforced by all the credit card companies around the globe, which created the PCI Council
- Its purpose is to protect the customer’s data
- The merchant is most often the weakest link

Why?

Page 13: WHO Needs It?

PCI Security Standards & Compliance: an ecosystem of payment devices, applications, infrastructure and users
- Manufacturers: PCI PTS (PIN Transaction Security)
- Software developers (payment application vendors): PCI PA-DSS (Payment Application Data Security Standard)
- Merchants & processors: PCI DSS (Data Security Standard)

Page 14: What Does It Mean To Adhere To The Standard?

Realize that it refers to the entire organization:
- IT infrastructure & management
- How you store data (in particular CC data)
- Security procedures
- How you limit access to CC data
- How you log everything
- How strong your application is (security-wise)
- What the level of physical security is
- Tons of documents you need to produce

PCI does not allow different styles of compliance: 100% compliant, less is not acceptable.

Page 15: PCI data elements

Cardholder data:
- PAN (primary account number)
- Expiration date
- Cardholder name

Sensitive authentication data:
- Track data
- CAV / CVV / CVC / CID
- PIN

Page 16: OWASP

Whenever you get some sort of feedback from either QA or a security audit you will be referred to OWASP.

Open Web Application Security Project:
- Not-for-profit organization
- Focused on providing application security
- Technology agnostic
- They produce the “Top ten most critical web application security risks”
- Not the only one, there are others like Microsoft SDL

Page 17: OWASP top 10

A1: Injection
A2: Broken authentication and session management
A3: Cross-site scripting (XSS)
A4: Insecure direct object references
A5: Security misconfiguration
A6: Sensitive data exposure
A7: Missing function level access control
A8: Cross-site request forgery (CSRF)
A9: Using known vulnerable components
A10: Unvalidated redirects and forwards

Source: OWASP Top 10, 2013

Page 18: JSF Components

We implemented our own set of JSF components. The requirements were:
- Single way to present the UI
- Highly customizable

It came in handy when implementing protection against the top 10 security threats: escaping, URL encoding, validation, challenge codes.

Page 19: A2: Broken authentication and session management

Method: Application functions related to authentication and session management are often not implemented correctly.

Risk:
- Compromise passwords, keys, session tokens
- Assume other users’ identities
- Unauthorized access to the application

Page 20: A2: Broken authentication and session management

Solution:
- Session cookies: secure and httponly
- No session ID in URLs
- Session timeouts and maximum session TTL
- Create a new session after login
- Challenge codes
- Use password hashing (with salt)
- Use strong encryption algorithms for sensitive data
- Login from an encrypted page
- Don’t re-invent the wheel (use existing session management)
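The A2 measures above in working form. This is an added illustration, not code from the talk or its Java/JSF application: salted PBKDF2 password hashing, a server-side session store with an idle timeout and an absolute TTL, a new session ID issued at login, and the Secure/HttpOnly cookie. The timeout values and the `SID` cookie name are assumptions.

```python
import hashlib
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before a session is dropped (assumed value)
MAX_TTL = 8 * 60 * 60    # absolute lifetime of a session, however active it is (assumed value)
def hash_password(password: str, salt: bytes = None, rounds: int = 200_000) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh random 16-byte salt; stored as salt$rounds$hash."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{salt.hex()}${rounds}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    salt_hex, rounds, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate.hex(), digest_hex)  # constant-time comparison

class SessionStore:
    """Server-side sessions keyed by a random ID that travels only in a cookie, never in a URL."""
    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock   # injectable so timeouts can be tested without sleeping

    def create(self, user=None) -> str:
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def get(self, sid):
        """The session dict, or None when unknown, idle past IDLE_TIMEOUT, or older than MAX_TTL."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > MAX_TTL:
            self._sessions.pop(sid, None)
            return None
        s["last_seen"] = now
        return s

    def login(self, old_sid, user) -> str:
        """After successful authentication, drop the pre-login session and issue a new ID,
        so an ID planted in the browser before login (session fixation) is worthless."""
        self._sessions.pop(old_sid, None)
        return self.create(user)

def session_cookie(sid: str) -> str:
    """Set-Cookie value: Secure (sent over HTTPS only) and HttpOnly (invisible to page scripts)."""
    return f"SID={sid}; Path=/; Secure; HttpOnly"
```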

Page 21: A2: Example: Tunisian Arab Spring

Page 22: A5: Security misconfiguration

Method: Exploit incorrect security configuration, such as AS/DB server defaults.

Risk:
- Unauthorized access to some system data or functionality
- Occasionally, such flaws result in a complete system compromise
- Very generic, it can be anything

Page 23: A5: Security misconfiguration

Solution:
- AS hardening
- Implementing new AS services for extended cryptographic capabilities
- Keep dependencies up to date
- Periodic scans/audits
- A strong application architecture: tokenization

Page 24: A5: Application Architecture: Tokenization

(Diagram) Components: Facade, Clearing, Connectors, Datasets in Memory, Tokenization Module, Encryption Engine.

Page 25: A5: Application Architecture

(Diagram) Un-trusted users → Firewall → DMZ: Web Server running Payment Application (web) → App Tier: Application Server running Payment Application (core) → DB Tier / Internal Network: Database.

Page 26: A6: Sensitive data exposure

Method: Exploit poorly protected sensitive data. This used to be the old A7 and A9:
- A7: Insecure cryptographic storage
- A9: Insufficient transport layer protection

Risk:
- Information leakage
- Unauthorized access to sensitive data in transit
- Network sniffing

Page 27: A6: Sensitive data exposure

Solution:
- Use existing strong encryption algorithms
- Generate keys offline and store private keys with extreme care
- Ensure that they are properly secured
- Always use SSL 3.0/TLS 1.2 for sensitive data in transit
- Protect communication between web servers and databases
- Use certificates where applicable, even in internal networks
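The transport-protection bullets as configuration, with the weak setting beside the corrected one. This is an added example (Python `ssl`, not the talk's Java code): a client context for web-server-to-internal-service calls that enforces TLS 1.2 as the floor and verifies the peer against an internal CA, a server context that can demand client certificates for mutual TLS inside the network, and an audit helper of the kind a periodic scan applies. The CA and certificate file paths are parameters the caller supplies.

```python
import ssl

def client_context(ca_file=None) -> ssl.SSLContext:
    """For a web/app server calling an internal service (app server, database proxy):
    TLS 1.2 or newer only, peer certificate required and checked against our CA,
    hostname verified. ca_file is the internal CA bundle; None uses the system store."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def server_context(cert_file, key_file, client_ca_file=None) -> ssl.SSLContext:
    """For the internal service side: TLS 1.2+, and when client_ca_file is given, mutual
    TLS so only web/app servers holding a certificate from our CA may connect at all."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=client_ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_file, key_file)
    if client_ca_file:
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def legacy_context() -> ssl.SSLContext:
    """The misconfigured counterpart: 'works' against any certificate because it
    verifies nothing, so a sniffer or an impostor between tiers goes unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_client_context(ctx: ssl.SSLContext) -> list:
    """What a periodic scan/audit would flag on a client-side context."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol below TLS 1.2 allowed")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    return findings
```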

Page 29: Please fill in the evaluation form

Contact: [email protected]