Transcription
OWASP ASVS for NFTaaS in Financial Services
Oleksandr Kazymyrov, Technical Test Analyst

Agenda
- Chapter I - Brief Introduction
- Chapter II - Why OWASP ASVS?
- Chapter III - OWASP ASVS in Practice
- Chapter IV - Summary
Chapter I - Brief Introduction

Who am I?
- Education: Candidate of Engineering Sciences in Information Security (KHNURE, Ukraine); Ph.D. in Cryptology (University of Bergen, Norway)
- Certificates: Certified Ethical Hacker; Certified Encryption Specialist
- Standards: DSTU 7624:2014; DSTU 7564:2014
- Job: Technical Test Analyst at EVRY

EVRY - Nordic Champion
- 50 towns and cities with capacity to deliver
- 11 regional offices with specialist competencies
- 10.000 employees
- Women: 26%
- Age: 39 yrs
- Universum #4
- 100 employees

EVRY GROUP - Geographic distribution: Nordics; Rest of the World (Global Delivery)

NFT (diagram): Failover, Application layer, Interruption, Network layer, Recoverability, Wireless, Load balancing, PCI DSS, Load, Endurance, Stress, Spike
Chapter II - Why OWASP ASVS?

PCI DSS Requirement 11.3
PCI DSS Penetration L
NIST SP 800-115: Appendix C - Application Security Testing and Examination

NIST SP 800-115: Appendix E - Table E-2. Online Resources

PCI DSS Penetration Testing - Summary
Methodology / Testing Guide:
- PCI DSS Penetration Testing Guidance
- NIST Special Publication 800-115
- Open Source Security Testing Methodology Manual ("OSSTMM")
- OWASP Testing Guide
- Penetration Testing Execution Standard
- Penetration Testing Framework
PCI DSS Requirement 6.5:
- Injection flaws
- Insecure communications
- Improper error handling
- Improper access control
- Cross-site scripting (XSS)
- etc.
PCI DSS Requirement 11.3:
- Perform external penetration testing
- Perform internal penetration testing
- Verify segmentation methods

OWASP Testing Guide (from PCI Pentest Guide)

OWASP Top 10 2013 vs PCI DSS 6.5
OWASP Top 10 2013:
- A1 Injection
- A2 Broken Authentication and Session Management
- A3 Cross-Site Scripting (XSS)
- A4 Insecure Direct Object References
- A5 Security Misconfiguration
- A6 Sensitive Data Exposure
- A7 Missing Function Level Access Control
- A8 Cross-Site Request Forgery (CSRF)
- A9 Using Components with Known Vulnerabilities
- A10 Unvalidated Redirects and Forwards
PCI DSS Requirements (as mapped on the slide; "?" marks an unclear or missing mapping):
- 6.5.1 Injection flaws / 6.5.2 Buffer overflows
- 6.5.10 Broken authentication and session management
- 6.5.7 XSS
- ?
- ?
- 6.5.6 All "high risk" vulnerabilities ?
- 6.5.5 Improper error handling
- 6.5.8 Improper access control / 6.5.3 Insecure cryptographic storage
- 6.5.9 CSRF
- 6.5.6 All "high risk" vulnerabilities ?
- 6.5.4 Insecure communications
OWASP Application Security Verification Standard (ASVS) (diagram): OWASP Web Top 10; Architecture; OWASP Code Review Top 9; OWASP ASVS v3.0.1

Key parts of OWASP ASVS
- Scope for the application security verification standard
- Description of security verification levels
- Requirements / Controls
- Standards Mappings

OWASP ASVS Verification Controls (v3.0.1)

OWASP ASVS: Standards Mappings

Relation Between Requirements (diagram): OWASP ASVS; PCI DSS; OWASP Top 10

Scope for pentesting of web applications (diagram): EVRY FS; PCI DSS; EVRY Security; OWASP TOP 10

Chapter III - OWASP ASVS in Practice

OWASP ASVS Verification Controls

OWASP ASVS Verification Controls (v3.0.1)
OWASP ASVS nistic
An Issue With Level Definition (diagram: Requirements; Level; AUT)

Relation Between Project and ...ger (diagram roles: NFT Coordinator; NFT Analyst; Test Env Manager; Development Manager; Functional Test Manager)

Compliance Selection at Financial Services

EVRY FINancial suite Operational Domains in SaaS (FINODS) (architecture diagram):
- Card Portal / Clients; Load balancers
- Area G: http-servers, MQ, file transfer, SQL proxy, Internet Proxy
- Area F: EDB ESB, WS PROXY; Portal, Internet bank and "non card clients"
- Area E / Area D: Web Services - load-balancers / MQ; Card Services; Bank Services (non-Card); Issuing, Acquiring and Security; Batch, Analysis, Security, Online
- Area C: Database servers - Cards; Disk SAN - dedicated SANs to critical systems (PCI)
- Area B: Database servers - serving area C and E (NON PCI)
- Area A: Security areas

Authentication in Cardholder Client (CHC) Using LoginService2 (LS2) (sequence diagram: Browser; LoginService2; SO Service; Cardholder Client)

LoginService2

Cardholder Client

General Information on LS2 and CHC
LoginService2:
- LS2 stays in front of almost all applications
- It is the first major security barrier
- LS2 helps to retrieve tokens (Secure Object, or simply SO) and hand them over to the 3rd party applications
- Available through the Internet
- OWASP ASVS Level 3
- It can be integrated with any 3rd party web application
Cardholder Client:
- CHC is a part of EVRY's NetBank (Online banking)
- EVRY's NetBank is protected by LoginService2 in front of CHC
- After logging in, CHC uses SO as the main parameter in session management
- Available through the Internet
- OWASP ASVS Level 2

Security Application Life Cycle (diagram): No or minor changes -> 6 months (1 year by PCI); New functionality -> Full pentest

Summary
- PCI DSS is a good starting point for any infrastructure
- OWASP ASVS is a flexible standard with minimal effort for adaptation
- For a stable security development lifecycle the following should be implemented:
  o Standard operation procedures
  o Methodology for security testing
  o Security risk assessment
  o Role descriptions
  o General compliance levels