Latin ISRM EFFECTIVE APPLICATION SECURITY STRATEGY FOR MANAGING ONGOING PCI-DSS 2.0 COMPLIANCE
1 EFFECTIVE APPLICATION SECURITY STRATEGY FOR MANAGING ONGOING PCI-DSS 2.0 COMPLIANCE
ASHIT DALAL, PCI-DSS QSA, CRISC, CGEIT, CISM, CISA, CSSA, CPEA
Sr. Manager & Managing Consultant, K3DES LLC, NJ (USA)
October 2011
2 DISCLAIMER
The slides in the presentation are my personal views and experience, based on publicly available information, and are not the views of, or binding on, my organization in any way. The presentation is purely for education, awareness and training through ISACA.
3 AGENDA
- Brief overview of Application Security and the OWASP Top 10 security threats
- Brief overview of challenges and concerns for securing applications in conventional client-server and/or cloud computing / virtualized environments
- Brief introduction to the PCI-DSS (v2.0) standard
- Overview of key requirements under PCI-DSS v2.0 with regard to Application Security
- Review of an effective strategy and control measures for securing applications in conventional and/or cloud / virtualized environments
- Analysis and review of various application security methods / tools, namely Source Code Review, Web Application Firewall and Web Application Scanner, to comply with PCI-DSS requirements
- Summary
- Q & A and discussion
4 Innocent Code
5 State of Web Application Security
- A critical discipline within a sound overall IT strategy and security practice.
- Existing physical and network security policies, products, point solutions and controls are not sufficient to meet the security needs of the enterprise.
- The Open Web Application Security Project (OWASP) is dedicated to helping build secure Web applications.
- Finding the right mix of experience and methodology.
6 New realities and requirements for Web Services Security
- Most security violations come from within the firewall.
- Vulnerable applications have contributed to almost 90% of recent breaches.
- Mission-critical initiatives (e.g. PCI-DSS, PA-DSS) often need cross-firewall access and integration.
- Ports that were originally intended to pass very specific protocols are now being used for many purposes.
- XML Web services' Simple Object Access Protocol (SOAP) messages were specifically designed to pass easily through existing firewalls by being carried over transport protocols like HTTP, SMTP etc.
Source: XML Web Services Security Forum
7 Application Security Is the Trend of the Future
"The biggest vulnerability to a corporation's network is its widespread access to its applications. Security has focused on anti-virus and network security, but the most crucial part of a business transaction is the application and its core data." -- Curtis Coleman, CISSP, kick-off of new Application Assurance Department
The three ages of security (Source: OWASP San Jose Chapter):
- 1st Age: Age of Anti-Virus
- 2nd Age: Age of Network Security
- 3rd Age: Age of Application Security
8 Business Impact of Application Security Defects
Bad Business
- On average, there are 5 to 15 defects in every 1,000 lines of code. (US Dept. of Defense and the Software Engineering Institute)
Slow Business
- It takes 75 minutes on average to track down one defect. Fixing one of these defects takes 2 to 9 hours each. (5-year Pentagon study)
- Researching each of the 4,200 vulnerabilities published by CERT for 10 minutes would have required one staffer to research for 17.5 full workweeks, or 700 hours. (Intel white paper, CERT, ICSA Labs)
Loss of Business
- A company with 1,000 servers can spend $300,000 to test and deploy a patch; most companies deploy several patches a week. (Gartner Group)
9 Existing Point Security Solutions are not enough
- Traditional vulnerability scanners scan web servers but not web applications.
- Manual pen testing is effective but is not scalable and does not focus on remediation.
- Traditional network firewalls cannot offer protection against sophisticated attacks targeted at Web applications.
- A (Web) application security strategy also needs a risk-based approach comprising people, processes and technology for effective protection against targeted attacks.
10 Why isn't the Web environment secure?
SSL and data encryption are not enough:
- They protect the information during transmission, but when this data is used by the system it must be in a readable form.
- Odds are the data is not stored in an encrypted format.
- It is surprisingly easy to retrieve data from many Web-based applications.
Conventional firewalls are not enough:
- Ports 80 and 443 pass completely through the firewall.
(Source: OWASP San Jose Chapter)
11 But, I have a firewall... Source: Jeremiah Grossman, BlackHat
12 OK, but I use encryption... Source: Jeremiah Grossman, BlackHat
13 Your Code is Part of Your Security Perimeter
[Diagram: custom-developed application code (billing, human resources, directories, web services, legacy systems, databases) sitting behind the firewall, app server, web server and hardened OS at the network layer; an application attack passes straight through to the application layer.]
- Your security perimeter has huge holes at the application layer.
- You can't use network-layer protection (firewall, SSL, IDS, hardening) to stop or detect application-layer attacks.
14 Security across the entire SDLC
- 80% of vulnerabilities are found in the source code of the application rather than in the Web server or application configuration. (Ref: HP)
- The traditional approach, in which a siloed security team finishes testing the Web application and reports the vulnerabilities to the development teams, is being replaced by a more holistic and robust approach that spans the entire SDLC process.
- It is a team-based and risk-driven approach in which development teams, QA teams and security teams work together to build robust applications.
15 System Development Lifecycle (SDLC) Security Checkpoints
16 OWASP Top Ten (2010 Edition)
17 WHAT DOES OWASP TOP 10 MEAN?
(Columns: type of vulnerability / brief definition / typical impact)
A1 - Injection
  Definition: Tricking an application into including unintended commands in the data sent to an interpreter.
  Typical impact: Usually severe. The entire database can usually be read or modified; may also allow full database schema or account access, or even OS-level access.
A2 - Cross Site Scripting
  Definition: Raw data from the attacker is sent to an innocent user's browser, exploiting the user's trust in a website.
  Typical impact: Steal the user's session, steal sensitive data, rewrite the web page, redirect the user to a phishing or malware site.
A3 - Broken Authentication & Session Management
  Definition: Flaws in broken authentication and session management most frequently involve the failure to protect credentials and session tokens through their lifecycle.
  Typical impact: User accounts compromised or user sessions hijacked.
A4 - Insecure Direct Object Reference
  Definition: Failure to enforce proper authorization.
  Typical impact: Users are able to access unauthorized files or data.
A5 - Cross Site Request Forgery (CSRF)
  Definition: An attack where the victim's browser is tricked into issuing a command to a vulnerable web application. Vulnerability is caused by browsers automatically. Exploits the website's trust in the user.
  Typical impact: Initiate transactions (transfer funds, log out user, close account), access sensitive data, change account details.

18 WHAT DOES OWASP TOP 10 MEAN? (contd.)
A6 - Security Misconfiguration
  Definition: Misconfiguration of any component from the OS up through the app server.
  Typical impact: Backdoor entry through a missing OS or server patch; XSS flaw exploits due to missing application framework patches; unauthorized access to default accounts, application functionality or data, or unused but accessible functionality due to poor server configuration.
A7 - Insecure Cryptographic Storage
  Definition: Failure to identify all sensitive data; failure to identify all the places that this sensitive data gets stored (e.g. databases, files, directories, log files, backups, etc.); failure to properly protect this data in every location.
  Typical impact: Attackers access or modify confidential or private information (e.g. credit cards, health care records, financial data etc.); attackers extract secrets to use in additional attacks; company embarrassment, customer dissatisfaction and loss of trust; expense of cleaning up the incident, such as forensics, sending apology letters, reissuing thousands of credit cards, providing identity theft insurance; business gets sued and/or fined (e.g. TJ Maxx).

19 WHAT DOES OWASP TOP 10 MEAN? (contd.)
A8 - Failure to Restrict URL Access
  Definition: Inadequate enforcement of proper authorization, along with A4 Insecure Direct Object References.
  Typical impact: Attackers invoke functions and services they're not authorized for; access other users' accounts and data; perform privileged actions.
A9 - Insufficient Transport Layer Protection
  Definition: Failure to identify all sensitive data; failure to identify all the places that this sensitive data is sent (e.g. on the web, to backend databases, to business partners and so on); failure to properly protect this data in every location.
  Typical impact: Attackers access or modify confidential or private information; attackers extract secrets to use in additional attacks; company embarrassment, customer dissatisfaction and loss of trust; expense of cleaning up the incident; business gets sued and/or fined.
A10 - Unvalidated Redirects & Forwards
  Definition: A Web application can include user-supplied parameters in the destination URL. If they aren't validated, an attacker can send the victim to a site of their choice.
  Typical impact: Redirect the victim to a phishing or malware site; the attacker's request is forwarded past security checks, allowing unauthorized function or data access.
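The A10 countermeasure in practice, as an added example that is not part of the presentation: a Python check for a "next" redirect parameter that accepts only site-relative paths or absolute http(s) URLs whose host is on an allow-list, and falls back to a default page for everything else. The host list, the function names and the test URLs are all constructed for this illustration.

```python
from urllib.parse import urlsplit

# Hosts this application is willing to redirect to. Constructed for this
# example; a real deployment would load its own list from configuration.
ALLOWED_HOSTS = {"shop.example.com", "pay.example.com"}


def safe_redirect_target(next_url, default="/"):
    """Return next_url if it is a local path or points at an allowed host,
    otherwise return the default landing page. Never raises on odd input."""
    if not isinstance(next_url, str) or not next_url:
        return default
    parts = urlsplit(next_url)

    # Case 1: urlsplit reports neither scheme nor netloc, i.e. a
    # site-relative path such as "/account/summary". Backslashes are
    # rejected because some browsers treat "/\host" like "//host".
    if parts.scheme == "" and parts.netloc == "":
        if (next_url.startswith("/") and not next_url.startswith("//")
                and "\\" not in next_url):
            return next_url
        return default

    # Case 2: anything with a scheme or netloc. This also catches the
    # protocol-relative form "//evil.example" (netloc set, scheme empty)
    # and "javascript:" URLs (scheme not http/https). parts.hostname is
    # lower-cased and excludes userinfo, so "https://shop.example.com@
    # evil.example/" resolves to evil.example and is refused.
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return next_url
    return default


if __name__ == "__main__":
    for candidate in ["/account/summary", "https://shop.example.com/cart",
                      "//evil.example/phish", "javascript:alert(1)",
                      "https://shop.example.com@evil.example/", "/\\evil.example"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

The same shape of check applies to server-side forwards: a forward target is matched against the set of internal views the current user is authorized for, rather than taken verbatim from the request.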
20 SQL Injection Example
[Diagram: an HTTP request carrying the attack passes the network-layer firewall to the custom code on the web/app server, which sends a SQL query to the database and returns an account summary in the HTTP response.]
Query as built by the application: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user
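The query from this slide run both ways, as an added example that is not part of the presentation: a Python lookup that concatenates the form value into the SQL text (step 3 above) beside the parameterized version the PCI-DSS 6.5 countermeasure calls for, against a constructed in-memory SQLite accounts table. The table contents, column names and function names are assumptions for the illustration.

```python
import sqlite3

# Constructed sample data for this illustration (three accounts).
ACCOUNTS = [("1001", "alice", 500), ("1002", "bob", 1200), ("1003", "carol", 75)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, acct):
    # Step 3 on the slide: the form value is spliced into the SQL text, so the
    # value can change the meaning of the query. With the slide's input the
    # WHERE clause becomes  acct='' OR 1=1--'  and matches every row.
    query = "SELECT acct, owner, balance FROM accounts WHERE acct='" + acct + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, acct):
    # Countermeasure: the query text is a constant and the value is bound as a
    # parameter, so the database treats it as data, never as SQL.
    query = "SELECT acct, owner, balance FROM accounts WHERE acct=?"
    return conn.execute(query, (acct,)).fetchall()


ATTACK_INPUT = "' OR 1=1--"   # the form value shown on the slide


def demo():
    """Row counts returned for the slide's input and for a normal account."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, ATTACK_INPUT)),
        "parameterized_rows": len(lookup_parameterized(conn, ATTACK_INPUT)),
        "normal_rows": len(lookup_parameterized(conn, "1002")),
    }


if __name__ == "__main__":
    print(demo())   # {'vulnerable_rows': 3, 'parameterized_rows': 0, 'normal_rows': 1}
```

Binding parameters is the fix; input validation on the account number (digits only, fixed length) is a second layer that also rejects the malformed value before it reaches the database.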
21 Cross-Site Scripting Example
[Diagram: application with a stored XSS vulnerability; custom code behind the business functions.]
1. Attacker sets the trap ("update my profile"): the attacker enters a malicious script into a web page that stores the data on the server
2. Victim views the page and sees the attacker's profile: the script runs inside the victim's browser with full access to the DOM and cookies
3. The script silently sends the attacker the victim's session cookie
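The countermeasure for this slide, as an added example that is not part of the presentation: a Python rendering of a stored profile in the vulnerable form (stored data written straight into the page) and in a hardened form that escapes each value for the context it lands in, element text versus attribute value, and restricts href to http(s). The profile fields, the helper names and the stored payload are constructed for the illustration.

```python
import html
from urllib.parse import urlsplit


def escape_html_text(value):
    """Escape for element content (text between tags): & < > are neutralised."""
    return html.escape(value, quote=False)


def escape_html_attr(value):
    """Escape for a quoted attribute value: additionally neutralise " and '."""
    return html.escape(value, quote=True)


def safe_href(value):
    """Only http(s) URLs may go into href; anything else (javascript:, data:,
    vbscript: ...) is replaced by a harmless fragment link."""
    scheme = urlsplit(value.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return escape_html_attr(value)


def render_profile_unsafe(display_name, homepage):
    # The stored-XSS pattern from the slide: values saved by one user are
    # written verbatim into a page served to every other user.
    return f'<div class="profile"><a href="{homepage}">{display_name}</a></div>'


def render_profile_safe(display_name, homepage):
    # Same page, each value encoded for the context it is inserted into.
    return (f'<div class="profile"><a href="{safe_href(homepage)}">'
            f'{escape_html_text(display_name)}</a></div>')


# Constructed profile a malicious user might have saved (not from the slides).
EVIL_NAME = "<script>alert(1)</script>"
EVIL_HOME = "javascript:alert(document.cookie)"

if __name__ == "__main__":
    print(render_profile_unsafe(EVIL_NAME, EVIL_HOME))
    print(render_profile_safe(EVIL_NAME, EVIL_HOME))
```

HTML escaping is only correct for HTML text and attribute contexts; a value inserted into a script block, an inline style or a URL query string needs the encoder for that context, which is the point of the "context-sensitive escaping" wording in requirement 6.5.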
22 CSRF Example
[Diagram: application with a CSRF vulnerability; custom code behind the business functions.]
1. Attacker sets the trap on some website on the internet (or simply via an e-mail): a hidden <img> tag contains the attack against the vulnerable site
2. While logged into the vulnerable site, the victim views the attacker's site: the <img> tag loaded by the browser sends a GET request (including credentials) to the vulnerable site
3. The vulnerable site sees a legitimate request from the victim and performs the action requested
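The CSRF countermeasure from requirement 6.5 (do not rely on credentials the browser submits automatically), as an added example that is not part of the presentation: a Python request handler for a funds transfer that refuses state changes on GET and requires a per-session token that only the server and the genuine form know. The session object, handler name and form fields are assumptions for the illustration.

```python
import hmac
import secrets


class Session:
    """Server-side session, found from the cookie the browser attaches
    automatically. The CSRF token lives here, not only in the cookie."""
    def __init__(self):
        self.session_id = secrets.token_hex(16)
        self.csrf_token = secrets.token_urlsafe(32)


def handle_transfer(session, method, form):
    """Return (HTTP status, message). The transfer happens only for a POST
    that carries the token the server issued to this session."""
    # An <img> tag can only issue a GET, so refusing state changes on GET
    # already defeats the trap on the slide.
    if method != "POST":
        return 405, "state-changing action requires POST"
    # A forged form cannot include the token: it is not in the cookie, and
    # the attacker's page cannot read the victim's pages (same-origin policy).
    supplied = str(form.get("csrf_token", "")).encode()
    if not hmac.compare_digest(supplied, session.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {form['amount']} to {form['to']}"


def demo():
    """Status codes for the slide's forged request and for a genuine one."""
    sess = Session()                                   # victim is logged in
    forged = {"to": "account-9999", "amount": "1000"}  # constructed form data
    legit = dict(forged, csrf_token=sess.csrf_token)   # rendered by our own form
    return {
        "img_tag_get": handle_transfer(sess, "GET", forged)[0],
        "forged_post": handle_transfer(sess, "POST", forged)[0],
        "wrong_token": handle_transfer(sess, "POST", dict(forged, csrf_token="x"))[0],
        "legit_post": handle_transfer(sess, "POST", legit)[0],
    }


if __name__ == "__main__":
    print(demo())   # {'img_tag_get': 405, 'forged_post': 403, 'wrong_token': 403, 'legit_post': 200}
```

hmac.compare_digest is used so that a wrong token takes the same time to reject regardless of how many leading characters match; SameSite cookie attributes are a complementary browser-side defence, not a replacement for the token.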
23 Prevention / Detection of Additional Vulnerabilities
In addition to the OWASP Top 10, one needs to look at the following to have a comprehensive Application Security Strategy:
1) Application runtime configuration
2) Buffer overflow
3) Web services
4) Malicious code
5) Customized cookies or hidden fields
Source: IBM
24 What is the PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a global security program that was created to increase confidence in the payment card industry and reduce risks to PCI members, merchants, service providers and consumers.
25 Who Must Comply?
- PCI data security requirements apply to all merchants and service providers that store, process or transmit any cardholder data.
- All organizations with access to cardholder information must meet the data security standards. However, the way in which organizations validate their compliance differs based on whether they are merchants or service providers and on specific validation requirements defined by each credit card brand.
- Each of the five major credit card companies has its own set of validation requirements. Information regarding service provider levels and validation requirements can be obtained from each individual credit card company's Web site.
- The security requirements apply to all system components, network components, servers or applications included in, or connected to, the processing of cardholder data.
26 Who does PCI DSS apply to?
Any entity that stores, processes and/or transmits cardholder data must comply with the PCI Data Security Standard (DSS). Entities may include, but are not limited to, merchants and service providers.
Applies to:
- Retail (online and brick-and-mortar)
- Hospitality (restaurants, hotel chains, etc.)
- Transportation (airlines, car rental, etc.)
- Financial Services (banks, credit unions, card processors, brokerages, insurance, etc.)
- Energy (oil, gas, utilities, etc.)
- Healthcare/Education (hospitals, universities)
- Government (Federal, Provincial, Municipal)
- Not-For-Profit Organizations (Red Cross, churches, etc.)
27 Key PCI DSS Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data sent across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
(Connected Entities and Contracts; PCI DSS Ver. 1.1)
28 Three Components to Compliance Program
- Compliance: the set of criteria to achieve compliance with the payment brand compliance program. All payment brands require compliance with the PCI DSS.
- Validation: the actions that an entity must take to validate that they are compliant. Validation requirements vary by payment brand and merchant/service provider level.
- Reporting: the method of reporting the validation of compliance to the acquirer or payment brand. Reporting requirements vary by payment brand and merchant/service provider level.
29 PCI Compliance Trends and Tips
"PCI is not about securing sensitive data, it's about eliminating data altogether." -- John Kindervag, Forrester Analyst and former QSA
30 PCI Compliance Trends and Tips
PCI SWALLOWS ITS OWN TAIL
"I'm concerned that as long as the payment card industry is writing the standards, we'll never see a more secure system," (Rep. Bennie) Thompson said. "We in Congress must consider whether we can continue to rely on industry-created standards, particularly if they're inadequate to address the ongoing threat."
31 Recent Credit / Debit Card breaches
- Citibank (June 2011)
- Sony PlayStation (May 2011)
- Michael's Store (debit cards) (May 2011)
- T.J. Maxx (January 2007): 45 million customers
- Heartland Systems, Princeton, NJ (Jan. 2009)
- Hannaford Brothers (March 2008): 4.2 million customers
- CardSystems Solutions (2005): 40 million customers
32 PCI-DSS requirements for developing and maintaining secure systems and applications
Section 6 of PCI-DSS (v2.0) has key requirements for developing and maintaining secure systems and applications:
- 6.1 Implement an effective patch management process for protection from known vulnerabilities.
- 6.2 Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities (e.g. OWASP Top 10).
- 6.3 Develop software applications in accordance with PCI-DSS and industry best practices. Incorporate information security throughout the SDLC process.
- 6.4 Implement an effective change management process.
- 6.5 Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in SDLC processes.
33 PCI-DSS requirements for developing and maintaining secure systems and applications (contd.)
- 6.6 For public-facing Web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected from known vulnerabilities by:
  - conducting a vulnerability assessment (manually or using automated tools) at least annually or after any changes, OR
  - installing a Web application firewall in front of public-facing web applications.
34 Identified Vulnerabilities under Section 6.5 of PCI-DSS
(Vulnerability -> testing procedure / countermeasure)
- Injection flaws (e.g. SQL injection, OS command injection, LDAP injection etc.) -> Validate input to verify user data cannot modify the meaning of commands and queries.
- Buffer overflow -> Validate buffer boundaries and truncate input strings.
- Insecure cryptographic storage -> Prevent cryptographic flaws.
- Insecure communications -> Properly encrypt all authenticated and sensitive communications.
- Improper error handling -> Do not leak information via error messages.
- Identify all High vulnerabilities as required under Section 6.2 -> Identification of all High vulnerabilities. This is currently the best practice but becomes a requirement from June 30, 2012 onwards.
- Cross-site scripting -> Validate all parameters before inclusion; utilize context-sensitive escaping etc.

35 Identified Vulnerabilities under Section 6.5 of PCI-DSS (contd.)
(Vulnerability -> testing procedure / countermeasure)
- Improper access control, such as insecure object references, failure to restrict URL access and directory traversal -> Proper authentication of users and sanitized input. Do not reveal internal object references to users.
- Cross-site request forgery (CSRF) -> Do not rely on authorization credentials and tokens automatically submitted through or by browsers.
36 PCI-DSS Requirement Section 6.6
Requirement 6.6 (as of June 30, 2008): Web application firewall or code review? It's your choice, but should they both be required?
37 Payment Application (PA-DSS)
Time for another acronym: Payment Application Data Security Standard (PA-DSS)
- PA-DSS, originally Visa's PABP program, is targeted at payment application vendors.
- PA-DSS applies to the payment application software/hardware only.
- Just because the application is compliant does not mean your systems are compliant.
- PCI DSS applies to merchant networks and service providers.
[Diagram: standalone terminal vs. POS system]
38 Best Practices for Secure Code Development
Develop secure code
- Follow the best practices in OWASP's Guide to Building Secure Web Applications
- Use OWASP's Application Security Verification Standard as a guide to what an application needs to be secure
- Use standard security components that are a fit for your organization
- Use OWASP's ESAPI as a basis for your standard components
Review your applications
- Have an expert team review your applications
- Review your applications following OWASP guidelines: the OWASP Code Review Guide and the OWASP Testing Guide
39 CoBIT and Relevant Application Security Controls
Plan and Organize
- PO4 Define the IT processes, organization and relationships
- PO8 Manage quality
- PO9 Assess and manage IT risk
Acquire and Implement
- AI2 Acquire and maintain application software
- AI6 Manage changes (change management)
- AI7 Install and accredit solutions and changes
Deliver and Support
- DS5 Manage system security
- DS9 Manage the configuration
Monitor and Evaluate
- ME3 Ensure compliance with external requirements (e.g. PCI-DSS)
40 (Vulnerability) Prevention vs. (Threat) Detection
From a PCI-DSS standpoint, an Application Security Strategy can be designed and implemented based on two main approaches:
1) Vulnerability prevention: a pro-active prevention approach
2) Threat detection: a reactive detection approach
No application security strategy can be considered effective without the right balance of the two approaches, specific to each organization according to its threat, exposure and TCO considerations.
41 Major Techniques / Tools for implementing an effective Application Security Strategy
SOURCE CODE ANALYSIS (preventive measure)
Source code analysis tools are designed to analyze the source code and/or a compiled version of the code in order to help find security flaws.
WEB APPLICATION FIREWALL (detective measure)
A Web Application Firewall is a form of firewall which controls input, output, and/or access from, to, or by an application or service. It operates by monitoring and potentially blocking the input, output, or system service calls which do not meet the configured policy of the firewall.
WEB APPLICATION SCANNER (primarily detective, but can also be used as a preventive measure)
A Web Application Scanner is a program which communicates with a web application through the web front-end in order to identify potential security vulnerabilities in the web application and architectural weaknesses. It performs a black-box test.
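A minimal illustration of what the source code analysis tool described above looks for, as an added example that is not part of the presentation and not the logic of any named product: a Python checker that walks a module's abstract syntax tree and flags DB-API execute() calls whose first argument is assembled at run time (string concatenation, % formatting, .format() or an f-string) instead of a constant query with bound parameters. The sink names, the checker's name and the sample module it scans are constructed for this illustration.

```python
import ast

# Method names treated as SQL sinks (DB-API cursor/connection methods).
SQL_SINKS = {"execute", "executemany", "executescript"}


def _built_dynamically(node):
    """True if the expression assembles a string from parts at run time."""
    if isinstance(node, ast.JoinedStr):                       # f"... {x} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                           # "..." + x  or  "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                           # "...".format(x)
    return False


def find_dynamic_sql(source):
    """Return (line number, query expression) for every SQL sink whose query
    text is built dynamically rather than passed as a constant."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_SINKS and node.args
                and _built_dynamically(node.args[0])):
            findings.append((node.lineno, ast.get_source_segment(source, node.args[0])))
    return findings


# Constructed sample module to scan (not code from the presentation).
SAMPLE = '''\
def lookup(conn, acct):
    return conn.execute("SELECT * FROM accounts WHERE acct='" + acct + "'")

def lookup_safe(conn, acct):
    return conn.execute("SELECT * FROM accounts WHERE acct=?", (acct,))

def audit(cur, user):
    cur.execute(f"SELECT * FROM log WHERE user='{user}'")
'''

if __name__ == "__main__":
    for line, snippet in find_dynamic_sql(SAMPLE):
        print(f"line {line}: query built dynamically: {snippet}")
```

This pattern check reports the two concatenated queries and passes the parameterized one, but it is syntactic: a query assembled into a variable on an earlier line is missed, and concatenation of two constants is flagged needlessly. Production source code analyzers add data-flow (taint) tracking from input sources to sinks to close both gaps, which is why the slide rates them "excellent" for injection.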
42 EFFECTIVENESS OF VARIOUS TOOLS
(Rating per tool: Source Code Analysis / Web Application Firewall / Web Application Scanner)
- A1 - Injection: Excellent / Good / Fair
- A2 - Cross Site Scripting: Excellent / Good / Good
- A3 - Broken Authentication & Session Mgt.: Not effective on its own / Not effective on its own / Not effective on its own
- A4 - Insecure Direct Object Reference: Excellent / Good / Good
- A5 - Cross Site Request Forgery (CSRF): Limited utility / Limited utility / Fair (needs to be used with manual pen test)

43 EFFECTIVENESS OF VARIOUS TOOLS (contd.)
(Rating per tool: Source Code Analysis / Web Application Firewall / Web Application Scanner)
- A6 - Security Misconfiguration: Good / Good / Excellent
- A7 - Failure to Restrict URL Access: Fair / Fair / Fair
- A8 - Insecure Cryptographic Storage: Good / Not effective on its own / Not effective on its own
- A9 - Insufficient Transport Layer Protection: Good / Good / Good
- A10 - Unvalidated Redirects & Forwards: Fair / Good / Fair

44 EFFECTIVENESS OF VARIOUS TOOLS (contd.)
(Rating per tool: Source Code Analysis / Web Application Firewall / Web Application Scanner)
- B1 - Application Runtime Configuration: Fair / Fair / Excellent
- B2 - Buffer Overflow: Excellent / Fair / Fair
- B3 - Web Services: Good / Good / Not effective
- B4 - Malicious Code: Excellent / Not good / Not good
- B5 - Customized Cookies / Hidden Fields: Excellent / Excellent / Excellent
45 Why Use Web Application Firewalls?
1. Deployed web applications are generally insecure, and conventional firewalls do not provide adequate protection.
2. Developers should, of course, continue to strive to build better / more secure software. But in the meantime, system admins must also support a defence-in-depth approach.
3. Insecure applications aside, WAFs are an important building block in every HTTP network, as they serve as an excellent detection and monitoring tool to support preventive controls such as a source code analyzer.
Source: OWASP
46 Network Firewalls Do Not Work For HTTP
[Diagram: web client -> firewall -> web server -> application server -> database; HTTP traffic on port 80 passes straight through the firewall.]
Source: OWASP
47 TYPICAL CLOUD BASED ENVIRONMENT
48 SUMMARY: What constitutes an effective Application Security Strategy for PCI-DSS compliance
1. Adoption of a risk-based, holistic and defence-in-depth approach.
2. Effective implementation of key policies, procedures and processes (e.g. change management, patch management etc.).
3. Use of frameworks, industry standards and best practices like CoBIT 4.1, ISO 27001:2005 and so on to ensure effective implementation of general IT controls and an IT assurance framework.
4. Deploy industry best practices for secure code development, testing and code review, e.g. OWASP, XML Web Security Services Forum (XWSS), Common Weakness Enumeration (CWE) 2011 / SANS Top
5. Deploy tools (as preventive and detective controls) like: source code analyzers, Web application firewall, Web application scanner.
6. Conduct periodic pen tests.
7. On-going training and awareness on Application Security.
49 Questions
50 CONTACT
ASHIT DALAL, PCI-DSS QSA, CRISC, CGEIT, CISA, CISM, CPEA, CSSA, Six Sigma Black Belt
Sr. Manager & Managing Consultant, K3DES LLC, NJ (USA)
T. No: (USA) / (India)
More informationPayment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS
The PCI Security Standards Council http://www.pcisecuritystandards.org The OWASP Foundation http://www.owasp.org Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS Omar F. Khandaker,
More informationWhite Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers
White Paper Guide to PCI Application Security Compliance for Merchants and Service Providers Contents Overview... 3 I. The PCI DSS Requirements... 3 II. Compliance and Validation Requirements... 4 III.
More informationFINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
More informationBad Romance: Three Reasons Hackers <3 Your Web Apps & How to Break Them Up
Bad Romance: Three Reasons Hackers
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More informationHow to complete the Secure Internet Site Declaration (SISD) form
1 How to complete the Secure Internet Site Declaration (SISD) form The following instructions are designed to assist you in completing the SISD form that forms part of your Merchant application. Once completed,
More informationAdobe Systems Incorporated
Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...
More informationColumbia University Web Security Standards and Practices. Objective and Scope
Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements
More informationNational Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research
National Information Security Group The Top Web Application Hack Attacks Danny Allan Director, Security Research 1 Agenda Web Application Security Background What are the Top 10 Web Application Attacks?
More informationIntroduction to PCI DSS
Month-Year Introduction to PCI DSS March 2015 Agenda PCI DSS History What is PCI DSS? / PCI DSS Requirements What is Cardholder Data? What does PCI DSS apply to? Payment Ecosystem How is PCI DSS Enforced?
More informationDetecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008
Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr
More informationCORE Security and the Payment Card Industry Data Security Standard (PCI DSS)
CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com
More informationCracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference
Cracking the Perimeter via Web Application Hacking Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference About 403 Labs 403 Labs is a full-service information security and compliance
More informationSQuAD: Application Security Testing
SQuAD: Application Security Testing Terry Morreale Ben Whaley June 8, 2010 Why talk about security? There has been exponential growth of networked digital systems in the past 15 years The great things
More informationHow to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering
How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration
More informationEssential IT Security Testing
Essential IT Security Testing Application Security Testing for System Testers By Andrew Muller Director of Ionize Who is this guy? IT Security consultant to the stars Member of OWASP Member of IT-012-04
More informationWeb Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure
Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences
More informationPCI Compliance Updates
PCI Compliance Updates E-Commerce / Cloud Security Adam Goslin, Chief Operations Officer AGoslin@HighBitSecurity.com Direct: 248.388.4328 PCI Guidance Google: PCI e-commerce guidance https://www.pcisecuritystandards.org/pdfs/pci_dss_v2_ecommerce_guidelines.pdf
More informationWEB APPLICATION FIREWALLS: DO WE NEED THEM?
DISTRIBUTING EMERGING TECHNOLOGIES, REGION-WIDE WEB APPLICATION FIREWALLS: DO WE NEED THEM? SHAIKH SURMED Sr. Solutions Engineer info@fvc.com www.fvc.com HAVE YOU BEEN HACKED????? WHAT IS THE PROBLEM?
More informationWeb applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh
Web applications Web security: web basics Myrto Arapinis School of Informatics University of Edinburgh HTTP March 19, 2015 Client Server Database (HTML, JavaScript) (PHP) (SQL) 1 / 24 2 / 24 URLs HTTP
More informationAchieving PCI Compliance Using F5 Products
Achieving PCI Compliance Using F5 Products Overview In April 2000, Visa launched its Cardholder Information Security Program (CISP) -- a set of mandates designed to protect its cardholders from identity
More informationelearning for Secure Application Development
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
More informationPayment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security
Payment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security John Mason Slides & Code - labs.fusionlink.com Blog - www.codfusion.com What is PCI-DSS? Created by the
More informationOut of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet
Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development
More informationHow to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP
How to start a software security initiative within your organization: a maturity based and metrics driven approach Marco Morana OWASP Lead/ TISO Citigroup OWASP Application Security For E-Government Copyright
More informationMembers of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems
Soteria Health Check A Cyber Security Health Check for SAP systems Soteria Cyber Security are staffed by SAP certified consultants. We are CISSP qualified, and members of the UK Cyber Security Forum. Security
More information(WAPT) Web Application Penetration Testing
(WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:
More informationOverview of the Penetration Test Implementation and Service. Peter Kanters
Penetration Test Service @ ABN AMRO Overview of the Penetration Test Implementation and Service. Peter Kanters ABN AMRO / ISO April 2010 Contents 1. Introduction. 2. The history of Penetration Testing
More informationWeb Application Security
Web Application Security Ng Wee Kai Senior Security Consultant PulseSecure Pte Ltd About PulseSecure IT Security Consulting Company Part of Consortium in IDA (T) 606 Term Tender Cover most of the IT Security
More informationWeb App Security Audit Services
locuz.com Professional Services Web App Security Audit Services The unsecured world today Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System
More informationNuclear Regulatory Commission Computer Security Office Computer Security Standard
Nuclear Regulatory Commission Computer Security Office Computer Security Standard Office Instruction: Office Instruction Title: CSO-STD-1108 Web Application Standard Revision Number: 1.0 Effective Date:
More informationProject Title slide Project: PCI. Are You At Risk?
Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services
More informationReducing Application Vulnerabilities by Security Engineering
Reducing Application Vulnerabilities by Security Engineering - Subash Newton Manager Projects (Non Functional Testing, PT CoE Group) 2008, Cognizant Technology Solutions. All Rights Reserved. The information
More informationMean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP
Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP Presentation Overview Basic Application Security (AppSec) Fundamentals Risks Associated With
More informationKey Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking
Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed
More informationCloud Security:Threats & Mitgations
Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer
More informationWeb application security
Web application security Sebastian Lopienski CERN Computer Security Team openlab and summer lectures 2010 (non-web question) Is this OK? int set_non_root_uid(int uid) { // making sure that uid is not 0
More information1.3 Prohibit Direct Public Access - Prohibit direct public access between the Internet and any system component in the cardholder data environment.
REQUIREMENT 1 Install and Maintain a Firewall Configuration to Protect Cardholder Data Firewalls are devices that control computer traffic allowed between an entity s networks (internal) and untrusted
More informationWEB APPLICATION SECURITY
WEB APPLICATION SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part
More informationThe monsters under the bed are real... 2004 World Tour
Web Hacking LIVE! The monsters under the bed are real... 2004 World Tour Agenda Wichita ISSA August 6 th, 2004 The Application Security Dilemma How Bad is it, Really? Overview of Application Architectures
More informationVisa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices
This document is to be used to verify that a payment application has been validated against Visa U.S.A. Payment Application Best Practices and to create the Report on Validation. Please note that payment
More information74% 96 Action Items. Compliance
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated
More informationCyber Exploits: Improving Defenses Against Penetration Attempts
Cyber Exploits: Improving Defenses Against Penetration Attempts Mark Burnette, CPA, CISA, CISSP, CISM, CGEIT, CRISC, QSA LBMC Security & Risk Services Today s Agenda Planning a Cyber Defense Strategy How
More informationGlobal Partner Management Notice
Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with
More informationPCI Compliance. Top 10 Questions & Answers
PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements
More informationCriteria for web application security check. Version 2015.1
Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-
More informationPCI Requirements Coverage Summary Table
StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2
More informationThe Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA
The Weakest Link: Mitigating Web Application Vulnerabilities webscurity White Paper webscurity Inc. Minneapolis, Minnesota USA January 25, 2007 Contents Executive Summary...3 Introduction...4 Target Audience...4
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationWeb Application Report
Web Application Report This report includes important security information about your Web Application. Security Report This report was created by IBM Rational AppScan 8.5.0.1 11/14/2012 8:52:13 AM 11/14/2012
More informationFrom the Bottom to the Top: The Evolution of Application Monitoring
From the Bottom to the Top: The Evolution of Application Monitoring Narayan Makaram, CISSP Director, Security Solutions HP/Enterprise Security Business Unit Session ID: SP01-202 Session 2012 Classification:
More informationPCI Compliance Top 10 Questions and Answers
Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs
More informationHow To Achieve Pca Compliance With Redhat Enterprise Linux
Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving
More informationTemplate for PFI Final Incident Report for Remote Investigations
Payment Card Industry (PCI) Data Security Standard PFI Final Incident Report for Remote Investigations Template for PFI Final Incident Report for Remote Investigations Version 1.1 February 2015 Document
More informationIntroduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3
Table of Contents Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3 Information Gathering... 3 Vulnerability Testing... 7 OWASP TOP 10 Vulnerabilities:... 8 Injection
More informationPCI-DSS: A Step-by-Step Payment Card Security Approach. Amy Mushahwar & Mason Weisz
PCI-DSS: A Step-by-Step Payment Card Security Approach Amy Mushahwar & Mason Weisz The PCI-DSS in a Nutshell It mandates security processes for handling, processing, storing and transmitting payment card
More informationCyber - Security and Investigations. Ingrid Beierly August 18, 2008
Cyber - Security and Investigations Ingrid Beierly August 18, 2008 Agenda Visa Cyber - Security and Investigations Today s Targets Recent Attack Patterns Hacking Statistics (removed) Top Merchant Vulnerabilities
More informationTesting the OWASP Top 10 Security Issues
Testing the OWASP Top 10 Security Issues Andy Tinkham & Zach Bergman, Magenic Technologies Contact Us 1600 Utica Avenue South, Suite 800 St. Louis Park, MN 55416 1 (877)-277-1044 info@magenic.com Who Are
More informationPayment Card Industry (PCI) Data Security Standard PFI Final Incident Report. Template for PFI Final Incident Report. Version 1.1.
Payment Card Industry (PCI) Data Security Standard PFI Final Incident Report Template for PFI Final Incident Report Version 1.1 February 2015 Document Changes Date Version Description August 2014 1.0 To
More informationSERENA SOFTWARE Serena Service Manager Security
SERENA SOFTWARE Serena Service Manager Security 2014-09-08 Table of Contents Who Should Read This Paper?... 3 Overview... 3 Security Aspects... 3 Reference... 6 2 Serena Software Operational Security (On-Demand
More informationTwo Approaches to PCI-DSS Compliance
Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes,
More informationState of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell
Stanford Computer Security Lab State of The Art: Automated Black Box Web Application Vulnerability Testing, Elie Bursztein, Divij Gupta, John Mitchell Background Web Application Vulnerability Protection
More informationHow To Protect Your Data From Being Stolen
DATA SECURITY & PCI DSS COMPLIANCE PROTECTING CUSTOMER DATA WHAT IS PCI DSS? PAYMENT CARD INDUSTRY DATA SECURITY STANDARD A SET OF REQUIREMENTS FOR ANY ORGANIZATION OR MERCHANT THAT ACCEPTS, TRANSMITS
More informationWeb Application Security and the OWASP Top 10. Web Application Security and the OWASP Top 10
Web Application Security and the OWASP Top 10 1 Sapient Corporation 2011 Web Application Security and the OWASP Top 10 This paper describes the most common vulnerabilities of web applications, as outlined
More informationHow to Build a Trusted Application. John Dickson, CISSP
How to Build a Trusted Application John Dickson, CISSP Overview What is Application Security? Examples of Potential Vulnerabilities Strategies to Build Secure Apps Questions and Answers Denim Group, Ltd.
More informationPCI Requirements Coverage Summary Table
StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table December 2011 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2
More information