1 / 29

ABC About me

ABC About me. MOSHIUL ISLAM, CISA A : Information System Auditor B: Currently working for a Bank – EBL , IT Security Department C: Contributor of OWASP, Chapter leader & Chair, OWASP Bangladesh And also Board member of ISACA Dhaka chapter. Awareness test .

arden
Download Presentation

ABC About me

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ABC About me • MOSHIULISLAM, CISA • A: Information System Auditor • B: Currently working for a Bank – EBL, IT Security Department • C:Contributor of OWASP, • Chapter leader & Chair, • OWASP Bangladesh • And also Board member of ISACA Dhaka chapter.

  2. Awareness test

  3. Only 2 Compromised ATM = -$2M Friday 06-01-2012 • DBS Bank Singapore • 400 Customer become victim

  4. Hack makes ATM vomit cash • Mr. Barnaby Jack demonstrated various ATM Attack • Network attack was significant.

  5. Zeus Strikes Mobile Banking • Real e-banking fraud incidents • ZeuS Man in the Mobile (MitMo) –September 2010, Spain –February 2011, Poland

  6. Internet Banking Infected browser gives full control of the account to attacker High tech crimes are difficult to prove How you will prove if you become a victim of account forgery?

  7. RSA Hacked, SecurID a Little Less Secure Now • Breach Size: Data related to SecureID tokens • Date: March 2011 • Why Significant? • Targeted criminal hacking • External threat goes inside the corporation • Source: http://bits.blogs.nytimes.com/2011/04/02/the-rsa-hack-how-they-did-it/

  8. Access to Hacked GOV, EDU and MIL Websites Sold on Underground Market Source: http://blog.imperva.com/2011/01/major-websites-govmiledu-are-hacked-and-up-for-sale.html

  9. Where we are ? • No information • Don’t know much

  10. Our Myth We have Firewall (which was never updated ) IPSand we are using VPN too. We are secure

  11. Insider Problem Illustrated Application Layer • Attacker sends attacks inside valid HTTP requests • Your custom code is tricked into doing something it should not • Security requires software development expertise, not signatures Network Layer • Firewall, hardening, patching, IDS, and SSL cannot detect or stop attacks inside HTTP requests. • Security relies on signature databases Finance Transactions Accounts Administration Communication Knowledge Mgmt E-Commerce Bus. Functions Databases Legacy Systems Web Services Directories Billing Human Resrcs Application Layer APPLICATIONATTACK Custom Code App Server Web Server Hardened OS Network Layer Firewall Firewall

  12. Security Spending Why Web Application Security important? Attacks Shift Towards Application Layer % of Attacks % of Dollars 10% Web Applications 75% 90% Network Server 25% 2/3 of All Web Applications Are Vulnerable Sources: Gartner, Watchfire

  13. Application Security Is Just Getting Started You can’t improve what you can’t measure We need to… • Experiment • Share what works • Combine our efforts • Long way to go!

  14. What we should do? We can mitigate Information Security risks by • Being AWARE, • Staying up to date • Following to policy and procedure, and adopting best practices • MOST Importantly, Placing right person in right place InfoSec is about People, Process & Technology

  15. OWASP The Open Web Application Security Project (OWASP) is a not-for-profit worldwide organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

  16. 220 Chapters

  17. Our Successes • OWASP Tools and Documentation: • ~15,000 downloads (per month) • ~30,000 unique visitors (per month) • ~2 million website hits (per month) • OWASP Chapters are blossoming worldwide • 1500+ OWASP Members in active chapters worldwide • 20,000+ participants • OWASP AppSecConferences: • Chicago, New York, London, Washington D.C, Brazil, China, Germany, more… • Distributed content portal • 100+ authors for tools, projects, and chapters • OWASP and its materials are used, recommended and referenced by many government, standards and industry organizations.

  18. ~140 Projects • PROTECT- These are tools and documents that can be used to guard against security-related design and implementation flaws. • DETECT - These are tools and documents that can be used to find security-related design and implementation flaws. • LIFE CYCLE - These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).

  19. New projects - last 6 months • Common Numbering Project • HTTP Post Tool • Forward Exploit Tool Project • Java XML Templates Project • ASIDE Project • Secure Password Project • Secure the Flag Competition Project • Security Baseline Project • ESAPI Objective – C Project • Academy Portal Project • Exams Project • Portuguese Language Project • Browser Security ACID Tests Project • Web Browser Testing System Project • Java Project • Myth Breakers Project • LAPSE Project • Software Security Assurance Process • Enhancing Security Options Framework • German Language Project • Mantra – Security Framework • Java HTML Sanitizer • Java Encoder Project • WebScarab NG Project • Threat Modelling Project • Application Security Assessment Standards Project • Hackademic Challenges Project • Hatkit Proxy Project • Hatkit Datafiddler Project • ESAPI Swingset Interactive Project • ESAPI Swingset Demo Project • Web Application Security Accessibility Project • Cloud ‐ 10 Project • Web Testing Environment Project • iGoat Project • Opa • Mobile Security Project – Mobile Threat Model • Codes of Conduct

  20. Conferences

  21. Download Get OWASP Books

  22. Web Goat A classic vulnerable application to teach developers security code flaws

  23. WebScarab – A Proxy Engine A Proxy tool to intercept Http Request and Http Response

  24. Software Assurance Maturity Model

  25. Process perspective: Build Security in the SDLC

  26. Users and Adopters • Payment Card Industry (PCI) • PCI DSS - Requirements 6.5 OWASP Guide (OWASP Top 10) • PA-DSS - Requirements 5.2 is OWASP Guide (OWASP Top 10) Security code review for all the custom code. • OWASP Supporters

  27. Educational Supporters

  28. Call for action • Join OWASP Bangladesh chapter mailing list. • Join OWASP projects • Translate material (documents, tool interfaces) • Together we will achieve our mission!

  29. Thank you & enjoy securITy

More Related