E-commerce Application Security

Presentation transcript:

E-commerce Application Security
Ways to secure your application from hackers
Building software is easy, building secure software is difficult. Vulnerabilities are inevitable, hacking is not.

You can also view a recorded session of this presentation here!

What is it all about?
Importance of security in e-commerce
Major attacks on e-commerce applications
Common issues and vulnerabilities in applications
What makes attackers target your application?
Vulnerabilities that might be present in your application
How do hackers attack your application?
Do's and Don'ts to improve application security

How does a breach affect e-commerce?
Tarnishes the company's reputation in public
Huge financial loss due to post-breach activities like email notification, patching, business loss etc.
One breach invites many other hackers
Loss of customers' trust
Loss of business

E-commerce Hacks
What do eBay, Zappos (Amazon), Domino's and Starbucks have in common? They all suffered huge data breaches in the last few years. For more info, check out: Link

eBay Data Breach
Attackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network.
The attack obtained user information such as dates of birth, names, email addresses, phone numbers, residential addresses and passwords (encrypted).
Lessons to learn from this hack:
Centralize application management
Secure employee personal accounts
Ensure a strong password policy
Take a proactive stand on security

Starbucks Data Breach
The Starbucks mobile app was hacked twice in a period of a few months.
Hackers stole money from several Starbucks customers by gaining access to their credit card information.
Criminals used Starbucks accounts to access consumers' linked credit cards. They could steal hundreds of dollars in a matter of minutes.
Lessons to learn from this hack:
Secure the mobile application and backend API
Take proactive measures against cyber attacks, like penetration testing and vulnerability assessments

Commonly Exploited Vulnerabilities
Injection attacks like SQL injection, leading to critical data loss
Improper implementation of payment systems and logical vulnerabilities (X0RC0NF presentation: Link)
Insecure mobile application and backend API server
Insecure direct object reference: unrestricted access to subdomains
Privilege escalation and authorization bypass
Cross-site scripting: hijacking accounts
Improper policy implementations, like weak passwords and insecure storage

Injection Attacks
Injection attacks can result in data loss or corruption, lack of accountability, denial of access or complete host takeover. For example, SQL injection may lead to total compromise of your database.
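The difference between a query that is open to SQL injection and one that is not, as an added example that is not part of the original presentation. The customer table and the probe input are constructed here; the point is that the bound parameter can never change the shape of the query.

```python
import sqlite3

def build_db() -> sqlite3.Connection:
    # Constructed in-memory customer table standing in for a shop's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "alice@example.com", "hash-a"),
        (2, "bob@example.com", "hash-b"),
    ])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # Vulnerable: user input is concatenated into the SQL text, so quote
    # characters inside `email` rewrite the WHERE clause itself.
    query = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()

def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    # Hardened: the driver binds the value as data; it is never parsed as SQL.
    return conn.execute(
        "SELECT id, email FROM customers WHERE email = ?", (email,)
    ).fetchall()

def demo() -> dict:
    """Run both lookups with the classic tautology probe and count returned rows."""
    conn = build_db()
    probe = "x' OR '1'='1"   # constructed test input used in defensive unit tests
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, probe)),  # every customer leaks
        "safe_rows": len(lookup_safe(conn, probe)),              # no customer has that email
    }
```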

Payment system and logical vulnerabilities
Payment gateways are often found to be insecurely implemented, which may lead to attacks like payment forgery or restriction bypass. Logical vulnerabilities are hard to discover but have a huge impact on business.
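A server-side payment callback handler that closes the forgery and replay gaps described above, as an added example that is not part of the original presentation. The order store, the gateway's callback fields and the HMAC signing scheme are assumptions standing in for whatever a real gateway provides; the shared secret is a placeholder.

```python
import hmac
import hashlib
import json
from decimal import Decimal, InvalidOperation

# Constructed server-side order store: the total is fixed here, never taken from the client.
ORDERS = {"ORD-1001": {"amount": Decimal("49.90"), "currency": "EUR", "status": "pending"}}
# Placeholder shared secret; a real one comes from the gateway's merchant settings.
GATEWAY_SECRET = b"placeholder-shared-secret"

def sign(payload: dict) -> str:
    # Canonical JSON so gateway and shop hash exactly the same bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(GATEWAY_SECRET, body, hashlib.sha256).hexdigest()

def handle_callback(payload: dict, signature: str) -> str:
    """Settle an order from a gateway callback; return 'paid' or the reason for rejection."""
    # 1. Authenticity: constant-time comparison against the recomputed HMAC.
    if not hmac.compare_digest(sign(payload), signature):
        return "rejected: bad signature"
    order = ORDERS.get(payload.get("order_id"))
    if order is None:
        return "rejected: unknown order"
    # 2. Replay: a callback may settle an order only once.
    if order["status"] != "pending":
        return "rejected: replay"
    # 3. Business integrity: compare with the shop's own total, not a client-supplied one.
    try:
        amount = Decimal(str(payload.get("amount")))
    except InvalidOperation:
        return "rejected: amount mismatch"
    if amount != order["amount"] or payload.get("currency") != order["currency"]:
        return "rejected: amount mismatch"
    order["status"] = "paid"
    return "paid"

def demo() -> list:
    genuine = {"order_id": "ORD-1001", "amount": "49.90", "currency": "EUR"}
    tampered = dict(genuine, amount="0.01")        # body altered after the gateway signed it
    cheap = {"order_id": "ORD-1001", "amount": "1.00", "currency": "EUR"}
    return [
        handle_callback(tampered, sign(genuine)),  # signature no longer matches the body
        handle_callback(cheap, sign(cheap)),       # validly signed, but not what the shop charged
        handle_callback(genuine, sign(genuine)),   # settles the order
        handle_callback(genuine, sign(genuine)),   # second delivery is a replay
    ]
```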

Insecure mobile application and backend API server
Protecting only the web application from hackers is not sufficient. With the increased use of smartphones and tablets, the internet is flooded with mobile applications. These applications must also be secured from attacks, along with proper implementation of the API calls they make. Source: nerdwallet.com

Insecure direct object reference
Insecure direct object reference means referencing an object such as a page or a file directly that was not meant to be directly referenced. Such insecure entry points are often discovered in applications while performing a pentest. Source: slideshare.net

Privilege Escalation and authorization bypass
Privilege escalation enables the attacker to compromise a user's account by accessing resources that are meant to be private. If the compromised account is that of an administrator, the attacker now controls the admin functionality. Source: cyber-security-blog.com
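One authorization layer that addresses both the insecure direct object reference and the privilege-escalation points above, as an added example that is not part of the original presentation. The invoice table, user roles and function names are constructed for illustration.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the caller may not see or change the requested object."""

@dataclass(frozen=True)
class User:
    id: int
    role: str            # "customer" or "admin"

@dataclass
class Invoice:
    id: int
    owner_id: int
    total: str
    status: str = "open"

# Constructed invoice table with sequential ids: guessing a neighbour's invoice
# number is trivial, so the lookup must be tied to the caller, not to the id.
INVOICES = {
    1001: Invoice(1001, owner_id=7, total="12.00"),
    1002: Invoice(1002, owner_id=8, total="99.00"),
}

def get_invoice_insecure(invoice_id: int) -> Invoice:
    # Vulnerable: the id from the URL is treated as proof of entitlement.
    return INVOICES[invoice_id]

def get_invoice(user: User, invoice_id: int) -> Invoice:
    # Hardened: resolve the object, then authorise the caller against it.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or (invoice.owner_id != user.id and user.role != "admin"):
        # Same outcome for "missing" and "someone else's", so ids cannot be enumerated by error type.
        raise Forbidden("not found")
    return invoice

def close_invoice(user: User, invoice_id: int) -> Invoice:
    # Admin-only action: the role is checked on the server for every call, not only
    # when the admin menu is rendered, which is where authorization bypass creeps in.
    if user.role != "admin":
        raise Forbidden("admin only")
    invoice = get_invoice(user, invoice_id)
    invoice.status = "closed"
    return invoice

def is_denied(action, *args) -> bool:
    """Helper for checks: True if the action raises Forbidden."""
    try:
        action(*args)
    except Forbidden:
        return True
    return False
```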

Cross Site Scripting
Attackers can execute scripts in a victim's browser to hijack user sessions and steal cookies. This is one of the most common attack vectors that attackers use to steal credentials/tokens and perform targeted attacks. Source: lifas.com
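A stored-XSS rendering bug beside its fix, plus the cookie flags that keep a session token out of reach of any script that does run, as an added example that is not part of the original presentation. The review text is a constructed probe of the kind used in defensive tests; the template and cookie name are assumptions.

```python
import html

# Constructed review text standing in for untrusted user input stored by the shop;
# the script tag is the standard harmless probe used when testing for XSS.
REVIEW = "Great shoes! <script>alert(1)</script>"

def render_review_insecure(text: str) -> str:
    # Vulnerable: untrusted text is spliced straight into the HTML, so any markup
    # in it becomes part of the page and runs in every visitor's browser.
    return f"<p class='review'>{text}</p>"

def render_review(text: str) -> str:
    # Hardened: escape for the HTML text context; quote=True also neutralises
    # input that lands inside an attribute value.
    return f"<p class='review'>{html.escape(text, quote=True)}</p>"

def session_cookie_header(token: str) -> str:
    # Defence in depth: HttpOnly keeps the session cookie out of document.cookie, so
    # even a script that does execute cannot read it; Secure and SameSite limit leakage further.
    return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"

def demo() -> dict:
    """Show whether the probe survives as live markup in each rendering."""
    return {
        "insecure_has_tag": "<script" in render_review_insecure(REVIEW),
        "safe_has_tag": "<script" in render_review(REVIEW),
        "safe_html": render_review(REVIEW),
    }
```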

Improper Policy implementations: a weak password policy
A weak password policy that allows users to set a weak password makes the application vulnerable to attacks such as brute force and password guessing. Source: betanews.com

Hacker's Jackpot
Credit card data and personal info like phone number and address can be sold on the black market
Personal info can be used for blackmailing and phishing
An unencrypted database can be sold very easily to competitors
“If you're a @dominos_pizzafr customer, u may want to know that we have offered Domino's not to publish your data in exchange for €30,000” - tweet by hackers after the Domino's hack
Financial services are among the top 3 most attacked services on the internet - 2015 DBIR (Verizon)

What do hackers look for?
Unpatched servers or network devices
Insecure, vulnerable implementations of known software like WordPress
Older/outdated software being used, with known publicly available exploits
Common vulnerabilities like CSRF, XSS, lack of HTTPS, brute-forcing etc.
Subdomains without proper authorization or with publicly exposed sensitive data
“In our experience, 30-45% of applications have one or more critical vulnerabilities.”
47% of all breaches in the 2015 study were caused by malicious or criminal attacks. - DBIR (Verizon)

How do hackers attack?
Choosing the weakest link to attack: web application, unpatched servers, employee credentials etc.
Finding a vulnerability in the web application to steal users' credentials and exploit it
One XSS on any page may lead to admin account compromise
Searching for any vulnerable implementation of known software like WordPress or Magento
Hacking a weak WordPress blog is way easier than hacking the website itself
Data exfiltration is done in stealth mode

Safeguarding
It might be dark, but the light is not very far
Proactively discover and remediate application vulnerabilities in a timely manner
A good penetration test will discover logical vulnerabilities and authorization issues too
Make sure to assess all the subdomains, servers and all accessible portals. It's not hidden just because you have not provided a direct link
A small Google search will reveal many sub-domains: “site:xyz.com -www”
Ensure strong encryption and policies are implemented on the application and the network
Easy-to-find vulnerabilities (XSS, CSRF, file uploads etc.) do the most damage if left unfixed
Always audit the application server together with the web application
Mobile applications are becoming an easy target for hackers; make sure to assess them for vulnerabilities

More insights: to know more about application security in e-commerce apps, see the webinar recording “Ways to Enhance the Security of Your E-commerce Applications”.

Contact Us
We are keen to know about your idea. Email us at: info@tothenew.com, abhinav.mishra@tothenew.com