OWASP ASVS For NFTaaS In Financial Services

Transcription

OWASP ASVS for NFTaaS in Financial Services
Oleksandr Kazymyrov, Technical Test Analyst

Agenda
- Chapter I - Brief Introduction
- Chapter II - Why OWASP ASVS?
- Chapter III - OWASP ASVS in Practice
- Chapter IV - Summary

Chapter I - Brief Introduction

Who am I?
- Education: Candidate of Engineering Sciences in Information Security (KHNURE, Ukraine); Ph.D. in Cryptology (University of Bergen, Norway)
- Certificates: Certified Ethical Hacker; Certified Encryption Specialist
- Standards: DSTU 7624:2014; DSTU 7564:2014
- Job: Technical Test Analyst at EVRY

EVRY - Nordic Champion
- 50 towns and cities with capacity to deliver
- 11 regional offices with specialist competencies
- 10,000 employees
- Women: 26%; average age: 39 years; Universum #4100 employees

EVRY Group - Geographic distribution: Nordics; Rest of the World (Global Delivery)

NFT (non-functional testing) areas: Failover, Interruption, Recoverability, Load balancing; Application layer, Network layer, Wireless; PCI DSS; Load, Endurance, Stress, Spike

Chapter II - Why OWASP ASVS?

PCI DSS Requirement 11.3

PCI DSS Penetration L

NIST SP 800-115: Appendix C - Application Security Testing and Examination

NIST SP 800-115: Appendix E - Table E-2, Online Resources

PCI DSS Penetration Testing - Summary
Methodology / Testing Guide:
- PCI DSS Penetration Testing Guidance
- NIST Special Publication 800-115
- Open Source Security Testing Methodology Manual (OSSTMM)
- OWASP Testing Guide
- Penetration Testing Execution Standard
- Penetration Testing Framework
PCI DSS Requirement 6.5: Injection flaws; Insecure communications; Improper error handling; Improper access control; Cross-site scripting (XSS); etc.
PCI DSS Requirement 11.3: Perform external penetration testing; Perform internal penetration testing; Verify segmentation methods

OWASP Testing Guide (from PCI Pentest Guide)

OWASP Top 10 2013 vs PCI DSS
OWASP Top 10 2013:
- A1 Injection
- A2 Broken Authentication and Session Management
- A3 Cross-Site Scripting (XSS)
- A4 Insecure Direct Object References
- A5 Security Misconfiguration
- A6 Sensitive Data Exposure
- A7 Missing Function Level Access Control
- A8 Cross-Site Request Forgery (CSRF)
- A9 Using Components with Known Vulnerabilities
- A10 Unvalidated Redirects and Forwards
PCI DSS Requirement 6.5 items mapped on the slide (a "?" marks a Top 10 item without a direct PCI DSS counterpart):
- 6.5.1 Injection flaws / 6.5.2 Buffer overflows
- 6.5.10 Broken authentication and session management
- 6.5.7 XSS
- ?
- ?
- 6.5.6 All "high risk" vulnerabilities ?
- 6.5.5 Improper error handling
- 6.5.8 Improper access control / 6.5.3 Insecure cryptographic storage
- 6.5.9 CSRF
- 6.5.6 All "high risk" vulnerabilities ?
- 6.5.4 Insecure communications

OWASP Application Security Verification Standard (ASVS) v3.0.1 - inputs: OWASP Web Top 10, Architecture, OWASP Code Review Top 9

Key parts of OWASP ASVS:
- Scope for the application security verification standard
- Description of security verification levels
- Requirements / Controls
- Standards Mappings

OWASP ASVS Verification Controls (v3.0.1)

OWASP ASVS: Standards Mappings

Relation Between Requirements: OWASP ASVS, PCI DSS, OWASP Top 10

Scope for pentesting of web applications: EVRY FS, PCI DSS, EVRY Security, OWASP Top 10

Chapter III - OWASP ASVS in Practice

OWASP ASVS Verification Controls (v3.0.1)

OWASP ASVS nistic

An Issue With Level Definition (table columns: Requirements, Level, AUT)

Relation Between Project and ...ger (title truncated in transcription) - roles: NFT Coordinator; NFT Analyst; Test Environment Manager; Development Manager; Functional Test Manager

Compliance Selection at Financial Services

EVRY FINancial suite Operational Domains in SaaS (FINODS) - security areas:
- Card Portal / Clients; Load balancers
- Area G: http-servers, MQ, file transfer, SQL proxy, Internet proxy
- Area F: EDB ESB WS proxy
- Area E: Portal, Internet bank and "non card clients"
- Area D: Web services - load balancers / MQ; Card Services (Issuing, Acquiring and Security); Bank Services, non-card (Batch, Analysis, Security, Online)
- Area C (PCI): Database servers - Cards; Disk SAN - dedicated SANs for critical systems
- Area B (non-PCI): Database servers serving areas C and E
- Area A: Security areas

Authentication in Cardholder Client (CHC) Using LoginService2 (LS2)
(Sequence diagram on the slide: numbered message flow between Browser, LoginService2, SO Service and Cardholder Client; the step numbering is not recoverable from the transcription.)

LoginService2

Cardholder Client

General Information on LS2 and CHC
LoginService2 (LS2):
- LS2 sits in front of almost all applications
- It is the first major security barrier
- LS2 retrieves tokens (Secure Object, or simply SO) and hands them over to 3rd-party applications
- It can be integrated with any 3rd-party web application
- Available through the Internet
- OWASP ASVS Level 3
Cardholder Client (CHC):
- CHC is a part of EVRY's NetBank (online banking)
- EVRY's NetBank is protected by LoginService2 in front of CHC
- After logging in, CHC uses the SO as the main parameter in session management
- Available through the Internet
- OWASP ASVS Level 2

Security Application Life Cycle
- No or minor changes: re-test after 6 months (1 year by PCI)
- New functionality: full pentest

Summary
- PCI DSS is a good starting point for any infrastructure
- OWASP ASVS is a flexible standard with minimal effort for adaptation
- For a stable security development lifecycle the following should be implemented:
  - Standard operation procedures
  - Methodology for security testing
  - Security risk assessment
  - Role descriptions
  - General compliance levels

