
Maintaining & Reviewing a Web Application’s Security

By: Karen Baldacchino. Date: 15 September 2012.





Presentation Transcript


  1. Maintaining & Reviewing a Web Application’s Security By: Karen Baldacchino Date: 15 September 2012

  2. Agenda: • The Project • Areas of Study • Selecting the Right Resources • Ideas for Further Studies


  4. The Project • Title: Auditing the Security of E-banking Applications: An Analysis of the Standards, Guidelines and Best Practices Available • Objective: To highlight the most useful resources available to the information security manager and the information security auditor in securing and reviewing the security of web applications.

  5. Agenda: • The Project • Areas of Study • Selecting the Right Resources • Ideas for Further Studies

  6. Areas of Study • Information Security Governance • Information Security Policies & User Awareness • Security Incident Management • Communication Channel Security • Logical Access Controls • Change Management • Systems Development • Systems Backup & Recovery Procedures • Management of User Authentication • Web-Application Specific Security Measures • Monitoring of System Security • Security Reviews and Penetration Testing • Compliance with Laws, Regulations & Applicable Standards • Outsourcing


  8. Communication Channel Security Risks • WEB STRIDE attacks: Tampering and Eavesdropping • Message mis-routing or re-routing • Message interception • Covert channels

  9. Communication Channel Security Controls • Use of MAC, HMAC and digital signatures • Use of public key certificates • Adequate service levels from the network service provider • Use of SSL or IPSec • Close unnecessary ports • Disable unused protocols • Use the Secure flag on cookies • Harden the TCP/IP stack
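As an added illustration of the tampering and mis-routing risks on slide 8 and the MAC/HMAC control on slide 9 (example code written for this transcript, not from the presentation), the snippet below binds sender, recipient and body under one HMAC tag so that a modified body, a re-routed recipient or an unknown key is all rejected at the receiving end. The shared key, endpoint names and message are constructed for the example; an HMAC gives integrity and origin authentication only, so eavesdropping still has to be addressed by SSL/IPSec as the slide lists.

```python
import hashlib
import hmac
import secrets

# Constructed example key: in practice this is provisioned to both endpoints out of band.
SHARED_KEY = secrets.token_bytes(32)


def canonical(sender: str, recipient: str, body: bytes) -> bytes:
    """Length-prefix each field so field boundaries cannot be shifted between
    sender, recipient and body while keeping the same concatenated bytes."""
    out = b""
    for field in (sender.encode("utf-8"), recipient.encode("utf-8"), body):
        out += len(field).to_bytes(4, "big") + field
    return out


def tag_message(key: bytes, sender: str, recipient: str, body: bytes) -> bytes:
    """HMAC-SHA256 over the canonical encoding; the recipient is part of the
    authenticated data, so re-routing the message to another party invalidates it."""
    return hmac.new(key, canonical(sender, recipient, body), hashlib.sha256).digest()


def verify_message(key: bytes, sender: str, recipient: str, body: bytes, tag: bytes) -> bool:
    """Constant-time comparison avoids leaking how many tag bytes matched."""
    expected = tag_message(key, sender, recipient, body)
    return hmac.compare_digest(expected, tag)


def demo(key: bytes = SHARED_KEY) -> dict:
    """Returns which checks pass for a legitimate message and three altered variants."""
    body = b"transfer 100.00 to account 12345678"  # constructed sample message
    tag = tag_message(key, "client-app", "ebank-gateway", body)
    return {
        "genuine": verify_message(key, "client-app", "ebank-gateway", body, tag),
        # Tampering: the body is changed in transit but the old tag is replayed.
        "tampered_body": verify_message(key, "client-app", "ebank-gateway",
                                        body.replace(b"100.00", b"900.00"), tag),
        # Mis-routing: same body and tag delivered to a different recipient.
        "rerouted": verify_message(key, "client-app", "other-gateway", body, tag),
        # Forgery attempt without the shared key.
        "wrong_key": verify_message(b"\x00" * 32, "client-app", "ebank-gateway", body, tag),
    }


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check:14s} accepted={accepted}")
```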

  10. Monitoring of System Security Risks • Mis-use or compromise of security audit tools • Insufficient notifications and alerts • Failure to identify suspicious transactions • Failure to respond to alerts • Use of keyloggers, form-grabbers and spyware • Scanning, foot-printing and fingerprinting

  11. Monitoring of System Security Controls • Intrusion detection and intrusion prevention systems • Security incident handling • Alerting on unauthorized activities • Alerting on unusual activities • Use of network monitoring tools • Deploy software patches and anti-virus definitions in a timely manner

  12. Agenda: • The Project • Areas of Study • Selecting the Right Resources • Ideas for Further Studies

  13. Selecting the Right Resources


  15. Shortlisted Resources (40)


  18. Selecting the Right Resources • Read the 40 resources • Risks Register • Controls Register


  20. The Risks Register


  23. The Controls Register


  26. Resources Selected

  27. Agenda: • The Project • Areas of Study • Selecting the Right Resources • Ideas for Further Studies

  28. Further Study Ideas • Focus the study on other web-application types, e.g. e-shopping, social networking, etc. • Focus the study on mobile-banking applications • Focus the study on cloud-based applications • Apply the same methodology to support other areas such as enterprise-wide security risk management

  29. Thank you for Listening. Any Questions? Contact Information: Karen Baldacchino Email: karen.baldacchino@gmail.com Tel: +356 2563 1263 Mob: +356 7904 6528 Skype: karenbaldacchino
