Understanding The Effect of Algaecide Application’s Timing ...
Maintaining & Reviewing a Web Application’s Security
description
Transcript of Maintaining & Reviewing a Web Application’s Security
Maintaining & Reviewing
a Web Application’s Security
By: Karen BaldacchinoDate: 15 September 2012
Agenda:
The Project
Areas of Study
Selecting the Right Resources
Ideas for Further Studies
Agenda:
The Project
Areas of Study
Selecting the Right Resources
Ideas for Further Studies
The Project
Title: Auditing the Security of E-banking Applications:
An Analysis of the Standards, Guidelines and Best Practises Available
Objective: To highlight the most useful resources available to the information security manager and the information security auditor in securing and
reviewing the security of web applications.
Agenda:
The Project
Areas of Study
Selecting the Right Resources
Ideas for Further Studies
Areas of Study1.Information Security Governance2.Information Security Policies & User Awareness3.Security Incident Management4.Communication Channel Security5.Logical Access Controls6.Change Management7.Systems Development8.Systems Backup & Recovery Procedures9.Management of User Authentication10.Web-Application Specific Security Measures11.Monitoring of System Security12.Security Reviews and Penetration Testing13.Compliance with Laws, Regulations & Applicable Standards14.Outsourcing
Areas of Study1.Information Security Governance2.Information Security Policies & User Awareness3.Security Incident Management4.Communication Channel Security5.Logical Access Controls6.Change Management7.Systems Development8.Systems Backup & Recovery Procedures9.Management of User Authentication10.Web-Application Specific Security Measures11.Monitoring of System Security12.Security Reviews and Penetration Testing13.Compliance with Laws, Regulations & Applicable Standards14.Outsourcing
STRIDE Attacks -- Tampering and Eavesdropping
Message mis-routing or re-routing
Message interception
Covert channels
WEB
Communication Channel SecurityRisks
Use of MAC, HMAC and Digital Signatures
Use of public key certificate
Adequate service levels from network service provider
Use of SSL or IPSec
Close unnecessary ports
Disable unused protocols
Use secure flag on cookies
Harden the TCP/IP Stack
Communication Channel SecurityControls
Mis-use or compromise of security audit tools Insufficient notifications and alerts Failure to identify suspicious transactions Failure to respond to alerts Use of key loggers, form-grabbers and spyware Scanning, foot-printing and fingerprinting
Monitoring of System SecurityRisks
Intrustion detection and Intrusion prevention systems
Security incident handling
Alerting on unauthorized activities
Alerting on unusual activities
Use of network monitoring tools
Deploy software patches and anti-virus definitions in a timely manner
Monitoring of System SecurityControls
Agenda:
The Project
Areas of Study
Selecting the Right Resources
Ideas for Further Studies
Selecting the Right Resources
Over 80 different resources selected
Shortlisted to 40
Analysis
Selection of 11 Resources
Selecting the Right Resources
Over 80 different resources selected
Shortlisted to 40
Analysis
Selection of 11 Resources
Shortlisted Resources (40)
Selecting the Right Resources
Over 80 different resources selected
Shortlisted to 40
Analysis
Selection of 11 Resources
Selecting the Right Resources
Over 80 different resources selected
Shortlisted to 40
Analysis
Selection of 11 Resources
Selecting the Right Resources
Risks Register
Controls Register
Read the 40 resources
Selecting the Right Resources
Read the 40 resources
Risks Register
Controls Register
The Risks Register
Selecting the Right Resources
Controls Register
Risks Register
Read the 40 resources
Selecting the Right Resources
Controls Register
Risks Register
Read the 40 resources
The Controls Register
Selecting the Right Resources
Over 80 different resources selected
Shortlisted to 40
Analysis
Selection of 11 Resources
Selecting the Right Resources
Over 80 different resources selected
Shortlisted to 40
Analysis
Selection of 11 Resources
Resources SelectedResource Title: Focus:BS ISO/IEC 27002:2005 BS 7799-1:2005– Information technology — Security techniques — Code of practice for information security management
Generic
BS 10012:2009 Data protection – Specification for a personal information management system
Generic
“Pharming” Guidance on How Financial Institutions Can Protect Against Pharming Attacks
e-Banking
A Security Checklist for Web Application Design Web-Apps
A Taxonomy of Operational Cyber Security Risks (CERT Program) Web-Apps
Internet Banking and Technology Risk Management Guidelines e-Banking
Guidelines on Securing Public Web Servers, Recommendations of the National Institute of Standards and Technology
Web-Apps
OWASP Top 10 – 2010 The Ten Most Critical Web Application Security Risks Web-Apps
The Web Application Security Consortium: Threat classification Web-Apps
Electronic Authentication Guideline, Recommendations of the National Institute of Standards and Technology
Generic
WhiteHat Website Security Statistics Report, Measuring Website Security: Windows of Exposure
Web-Apps
Agenda:
The Project
Areas of Study
Selecting the Right Resources
Ideas for Further Studies
Further Study Ideas
• Focus the study on other web-application types, eg: e-shopping, social networking etc.
• Focus the study on mobile-banking applications
• Focus the study on cloud-based applications
• Apply the same methodology for supporting other areas such as Enterprise-wide Security Risk Management
Thank you for Listening
Any Questions?
Contact Information:
Karen Baldacchino
Email: [email protected]: +356 2563 1263Mob: +356 7904 6528Skype:karenbaldacchino