Presentation is loading. Please wait.

Presentation is loading. Please wait.

Maintaining & Reviewing a Web Application’s Security By: Karen Baldacchino Date: 15 September 2012.

Published byCuthbert Dalton Modified over 9 years ago

Similar presentations

Presentation on theme: "Maintaining & Reviewing a Web Application’s Security By: Karen Baldacchino Date: 15 September 2012."— Presentation transcript:

1 Maintaining & Reviewing a Web Application’s Security By: Karen Baldacchino Date: 15 September 2012

2 Agenda: The Project Areas of Study Selecting the Right Resources Ideas for Further Studies

3 Agenda: The Project Areas of Study Selecting the Right Resources Ideas for Further Studies

4 The Project Title: Auditing the Security of E-banking Applications: An Analysis of the Standards, Guidelines and Best Practises Available Objective: To highlight the most useful resources available to the information security manager and the information security auditor in securing and reviewing the security of web applications.

5 Agenda: The Project Areas of Study Selecting the Right Resources Ideas for Further Studies

6 Areas of Study 1.Information Security Governance 2.Information Security Policies & User Awareness 3.Security Incident Management 4.Communication Channel Security 5.Logical Access Controls 6.Change Management 7.Systems Development 8.Systems Backup & Recovery Procedures 9.Management of User Authentication 10.Web-Application Specific Security Measures 11.Monitoring of System Security 12.Security Reviews and Penetration Testing 13.Compliance with Laws, Regulations & Applicable Standards 14.Outsourcing

7 Areas of Study 1.Information Security Governance 2.Information Security Policies & User Awareness 3.Security Incident Management 4.Communication Channel Security 5.Logical Access Controls 6.Change Management 7.Systems Development 8.Systems Backup & Recovery Procedures 9.Management of User Authentication 10.Web-Application Specific Security Measures 11.Monitoring of System Security 12.Security Reviews and Penetration Testing 13.Compliance with Laws, Regulations & Applicable Standards 14.Outsourcing

8 STRIDE Attacks -- Tampering and Eavesdropping Message mis-routing or re-routing Message interception Covert channels WEB Communication Channel Security Risks

9 Use of MAC, HMAC and Digital Signatures Use of public key certificate Adequate service levels from network service provider Use of SSL or IPSec Close unnecessary ports Disable unused protocols Use secure flag on cookies Harden the TCP/IP Stack Communication Channel Security Controls

10  Mis-use or compromise of security audit tools  Insufficient notifications and alerts  Failure to identify suspicious transactions  Failure to respond to alerts  Use of key loggers, form-grabbers and spyware  Scanning, foot-printing and fingerprinting Monitoring of System Security Risks

11 Intrustion detection and Intrusion prevention systems Security incident handling Alerting on unauthorized activities Alerting on unusual activities Use of network monitoring tools Deploy software patches and anti-virus definitions in a timely manner Monitoring of System Security Controls

12 Agenda: The Project Areas of Study Selecting the Right Resources Ideas for Further Studies

13 Selecting the Right Resources Over 80 different resources selected Shortlisted to 40 Analysis Selection of 11 Resources

14 Selecting the Right Resources Over 80 different resources selected Shortlisted to 40 Analysis Selection of 11 Resources

15 Shortlisted Resources (40)

16 Selecting the Right Resources Over 80 different resources selected Shortlisted to 40 Analysis Selection of 11 Resources

17 Selecting the Right Resources Over 80 different resources selected Shortlisted to 40 Analysis Selection of 11 Resources

18 Selecting the Right Resources Risks Register Controls Register Read the 40 resources

19 Selecting the Right Resources Read the 40 resources Risks Register Controls Register

20 The Risks Register

21 Selecting the Right Resources Controls Register Risks Register Read the 40 resources

22 Selecting the Right Resources Controls Register Risks Register Read the 40 resources

23 The Controls Register

24 Selecting the Right Resources Over 80 different resources selected Shortlisted to 40 Analysis Selection of 11 Resources

25 Selecting the Right Resources Over 80 different resources selected Shortlisted to 40 Analysis Selection of 11 Resources

26 Resources Selected Resource Title:Focus: BS ISO/IEC 27002:2005 BS 7799-1:2005– Information technology — Security techniques — Code of practice for information security management Generic BS 10012:2009 Data protection – Specification for a personal information management system Generic “Pharming” Guidance on How Financial Institutions Can Protect Against Pharming Attacks e-Banking A Security Checklist for Web Application DesignWeb-Apps A Taxonomy of Operational Cyber Security Risks (CERT Program)Web-Apps Internet Banking and Technology Risk Management Guidelinese-Banking Guidelines on Securing Public Web Servers, Recommendations of the National Institute of Standards and Technology Web-Apps OWASP Top 10 – 2010 The Ten Most Critical Web Application Security RisksWeb-Apps The Web Application Security Consortium: Threat classificationWeb-Apps Electronic Authentication Guideline, Recommendations of the National Institute of Standards and Technology Generic WhiteHat Website Security Statistics Report, Measuring Website Security: Windows of Exposure Web-Apps

27 Agenda: The Project Areas of Study Selecting the Right Resources Ideas for Further Studies

28 Further Study Ideas Focus the study on other web-application types, eg: e-shopping, social networking etc. Focus the study on mobile-banking applications Focus the study on cloud-based applications Apply the same methodology for supporting other areas such as Enterprise-wide Security Risk Management

29 Thank you for Listening Any Questions? Contact Information: Karen Baldacchino Email:karen.baldacchino@gmail.com Tel: +356 2563 1263 Mob:+356 7904 6528 Skype:karenbaldacchino

Download ppt "Maintaining & Reviewing a Web Application’s Security By: Karen Baldacchino Date: 15 September 2012."

Similar presentations

Security Update Server Registration, Active scanning and Windows patching.

Security Update Server Registration, Active scanning and Windows patching.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Security Controls – What Works

Security Controls – What Works
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
(Geneva, Switzerland, September 2014)

(Geneva, Switzerland, September 2014)
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Factors to be taken into account when designing ICT Security Policies

Factors to be taken into account when designing ICT Security Policies
PCI's Changing Environment – “What You Need to Know & Why You Need To Know It.” Stephen Scott – PCI QSA, CISA, CISSP

PCI's Changing Environment – “What You Need to Know & Why You Need To Know It.” Stephen Scott – PCI QSA, CISA, CISSP
Network security policy: best practices

Network security policy: best practices
Comptroller of the Currency Administrator of National Banks E- Security Risk Mitigation: A Supervisor’s Perspective Global Dialogue World Bank Group September.

Comptroller of the Currency Administrator of National Banks E- Security Risk Mitigation: A Supervisor’s Perspective Global Dialogue World Bank Group September.
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.

Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.

Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.
Securing Information Systems

Securing Information Systems

Similar presentations

Ads by Google