Maintaining & Reviewing a Web Application’s Security

By: Karen Baldacchino
Date: 15 September 2012


Page 1: Maintaining & Reviewing a Web Application’s Security

Maintaining & Reviewing

a Web Application’s Security

By: Karen Baldacchino
Date: 15 September 2012

Page 2

Agenda:

The Project

Areas of Study

Selecting the Right Resources

Ideas for Further Studies

Page 4

The Project

Title: Auditing the Security of E-banking Applications:

An Analysis of the Standards, Guidelines and Best Practises Available

Objective: To highlight the most useful resources available to the information security manager and the information security auditor in securing and reviewing the security of web applications.

Page 6

Areas of Study

1. Information Security Governance
2. Information Security Policies & User Awareness
3. Security Incident Management
4. Communication Channel Security
5. Logical Access Controls
6. Change Management
7. Systems Development
8. Systems Backup & Recovery Procedures
9. Management of User Authentication
10. Web-Application Specific Security Measures
11. Monitoring of System Security
12. Security Reviews and Penetration Testing
13. Compliance with Laws, Regulations & Applicable Standards
14. Outsourcing

Page 8

Communication Channel Security: Risks

STRIDE attacks: Tampering and Eavesdropping

Message mis-routing or re-routing

Message interception

Covert channels

Page 9

Communication Channel Security: Controls

Use of MAC, HMAC and digital signatures

Use of public key certificates

Adequate service levels from the network service provider

Use of SSL or IPSec

Close unnecessary ports

Disable unused protocols

Use the Secure flag on cookies

Harden the TCP/IP stack

Page 10

Monitoring of System Security: Risks

Mis-use or compromise of security audit tools

Insufficient notifications and alerts

Failure to identify suspicious transactions

Failure to respond to alerts

Use of key loggers, form-grabbers and spyware

Scanning, foot-printing and fingerprinting

Page 11

Monitoring of System Security: Controls

Intrusion detection and intrusion prevention systems

Security incident handling

Alerting on unauthorized activities

Alerting on unusual activities

Use of network monitoring tools

Deploy software patches and anti-virus definitions in a timely manner

Page 13

Selecting the Right Resources

Over 80 different resources selected

Shortlisted to 40

Analysis

Selection of 11 Resources

Page 15

Shortlisted Resources (40)

Page 18

Selecting the Right Resources

Risks Register

Controls Register

Read the 40 resources

Page 20

The Risks Register

Page 23

The Controls Register

Page 26

Resources Selected (Resource Title, with Focus)

1. BS ISO/IEC 27002:2005 / BS 7799-1:2005 – Information technology — Security techniques — Code of practice for information security management (Focus: Generic)
2. BS 10012:2009 Data protection – Specification for a personal information management system (Focus: Generic)
3. “Pharming” Guidance on How Financial Institutions Can Protect Against Pharming Attacks (Focus: e-Banking)
4. A Security Checklist for Web Application Design (Focus: Web-Apps)
5. A Taxonomy of Operational Cyber Security Risks (CERT Program) (Focus: Web-Apps)
6. Internet Banking and Technology Risk Management Guidelines (Focus: e-Banking)
7. Guidelines on Securing Public Web Servers, Recommendations of the National Institute of Standards and Technology (Focus: Web-Apps)
8. OWASP Top 10 – 2010: The Ten Most Critical Web Application Security Risks (Focus: Web-Apps)
9. The Web Application Security Consortium: Threat Classification (Focus: Web-Apps)
10. Electronic Authentication Guideline, Recommendations of the National Institute of Standards and Technology (Focus: Generic)
11. WhiteHat Website Security Statistics Report, Measuring Website Security: Windows of Exposure (Focus: Web-Apps)

Page 28

Further Study Ideas

• Focus the study on other web-application types, e.g. e-shopping, social networking, etc.

• Focus the study on mobile-banking applications

• Focus the study on cloud-based applications

• Apply the same methodology for supporting other areas such as Enterprise-wide Security Risk Management

Page 29

Thank you for Listening

Any Questions?

Contact Information:

Karen Baldacchino

Email: [email protected]

+356 2563 1263

Mob: +356 7904 6528

Skype: karenbaldacchino