abc about me
DESCRIPTION
ABC About me. MOSHIUL ISLAM, CISA A : Information System Auditor B: Currently working for a Bank – EBL , IT Security Department C: Contributor of OWASP, Chapter leader & Chair, OWASP Bangladesh And also Board member of ISACA Dhaka chapter. Awareness test . - PowerPoint PPT PresentationTRANSCRIPT
The OWASP Foundationhttp://www.owasp.org
ABC About me
MOSHIUL ISLAM, CISA
A: Information System AuditorB: Currently working for a Bank – EBL, IT Security DepartmentC: Contributor of OWASP,
Chapter leader & Chair,OWASP Bangladesh And also Board member of ISACA Dhaka chapter.
Awareness test
2
Only 2 Compromised ATM = -$2M
3
Friday 06-01-2012
• DBS Bank Singapore• 400 Customer become
victim
Hack makes ATM vomit cash
• Mr. Barnaby Jack demonstrated various ATM Attack
• Network attack was significant.
4
Zeus Strikes Mobile Banking
• Real e-banking fraud incidents
• ZeuS Man in the Mobile (MitMo)
–September 2010, Spain
–February 2011, Poland
5
Internet Banking
Infected browser gives full control of the account to attacker
6
High tech crimes are difficult to prove
How you will prove if you become a victim of account forgery?
RSA Hacked, SecurID a Little Less Secure Now
• Breach Size: Data related to SecureID tokens
• Date: March 2011
• Why Significant?
• Targeted criminal hacking
• External threat goes inside the corporation
• Source:
http://bits.blogs.nytimes.com/2011/04/02/the-rsa-hack-how-they-did-it/
Access to Hacked GOV, EDU and MIL Websites Sold on Underground Market
8
http://blog.imperva.com/2011/01/major-websites-govmiledu-are-hacked-and-up-for-sale.html
Source:
Where we are ?
•No information •Don’t know much
9
Our Myth
We have Firewall (which was never updated )
IPS and we are using VPN too.
We are secure
11
Problem IllustratedApplication Layer
Attacker sends attacks inside valid HTTP requests
Your custom code is tricked into doing something it should not
Security requires software development expertise, not signatures
Network LayerFirewall, hardening,
patching, IDS, and SSL cannot detect or stop attacks inside HTTP requests.
Security relies on signature databasesFi
rew
all
Hardened OS
Web Server
App ServerFi
rew
all
Dat
abas
esLe
gacy
Sys
tem
sW
eb S
ervi
ces
Dire
ctor
ies
Hum
an R
esrc
sB
illin
g
Custom Code
APPLICATIONATTACK
Net
wor
k La
yer
App
licat
ion
Laye
r
Acc
ount
sFi
nanc
eA
dmin
istr
atio
nTr
ansa
ctio
nsC
omm
unic
atio
nK
now
ledg
e M
gmt
E-C
omm
erce
Bus
. Fun
ctio
ns
Insider
12
Why Web Application Security important?
Attacks Shift Towards Application Layer
Network Server
WebApplications
% of Attacks % of Dollars
90%
Sources: Gartner, Watchfire
Security Spending
of All Web Applications Are Vulnerable2/3
75%
25%
10%
13
Application Security Is Just Getting Started
You can’t improve what you can’t measureWe need to…• Experiment • Share what works • Combine our efforts
• Long way to go!
What we should do?
We can mitigate Information Security risks by
• Being AWARE,
• Staying up to date
• Following to policy and procedure, and adopting best practices
• MOST Importantly, Placing right person in right place
InfoSec is about People, Process & Technology
14
OWASPThe Open Web Application Security Project (OWASP) is a not-for-profit worldwide organization focused on improving the security of application software.
Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks.
Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
220 Chapters
16
17
Our Successes• OWASP Tools and
Documentation:• ~15,000 downloads
(per month)
• ~30,000 unique visitors (per month)
• ~2 million website hits (per month)
• OWASP Chapters are blossoming worldwide• 1500+ OWASP Members
in active chapters worldwide
• 20,000+ participants
• OWASP AppSec Conferences:• Chicago, New York,
London, Washington D.C, Brazil, China, Germany, more…
• Distributed content portal• 100+ authors for tools,
projects, and chapters
• OWASP and its materials are used, recommended and referenced by many government, standards and industry organizations.
~140 Projects• PROTECT - These are tools and documents
that can be used to guard against security-related design and implementation flaws.
• DETECT - These are tools and documents that can be used to find security-related design and implementation flaws.
• LIFE CYCLE - These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).
The OWASP Foundationhttp://www.owasp.org
New projects - last 6 months• Common Numbering Project• HTTP Post Tool• Forward Exploit Tool Project• Java XML Templates Project• ASIDE Project• Secure Password Project• Secure the Flag Competition Project• Security Baseline Project• ESAPI Objective – C Project• Academy Portal Project• Exams Project• Portuguese Language Project• Browser Security ACID Tests Project• Web Browser Testing System Project• Java Project• Myth Breakers Project• LAPSE Project• Software Security Assurance Process• Enhancing Security Options Framework
• German Language Project• Mantra – Security Framework• Java HTML Sanitizer• Java Encoder Project• WebScarab NG Project• Threat Modelling Project• Application Security Assessment
Standards Project• Hackademic Challenges Project• Hatkit Proxy Project• Hatkit Datafiddler Project• ESAPI Swingset Interactive Project• ESAPI Swingset Demo Project• Web Application Security Accessibility
Project• Cloud ‐ 10 Project• Web Testing Environment Project• iGoat Project• Opa• Mobile Security Project – Mobile Threat
Model• Codes of Conduct
Conferences
20
Download Get OWASP Books
22
Web Goat A classic vulnerable application to teach developers security code flaws
23
WebScarab – A Proxy Engine
A Proxy tool to intercept Http Request and Http Response
24
Software Assurance Maturity Model
25
Process perspective: Build Security in the SDLC
26
Users and Adopters Payment Card Industry (PCI)
PCI DSS - Requirements 6.5 OWASP Guide (OWASP Top 10) PA-DSS - Requirements 5.2 is OWASP Guide (OWASP Top 10)
Security code review for all the custom code.
OWASP Supporters
27
Educational Supporters
Call for action• Join OWASP Bangladesh chapter
mailing list.• Join OWASP projects•Translate material (documents, tool
interfaces)•Together we will achieve our
mission!
28
The OWASP Foundationhttp://www.owasp.org
Thank you & enjoy securITy
29