Amadeus Shaping the future of travel

Transcription

1 2015 Amadeus IT Group SA Amadeus Shaping the future of travel Neill Cameron Application Security Office 9 July 2015

2 2015 Amadeus IT Group SA Amadeus in a few words Amadeus is a technology and SaaS company dedicated to the global travel industry. We are present in 195 countries with a worldwide team of more than 12,000 people. Our solutions help improve the business performance of travel agencies, corporations, airlines, airports, hotels, railways and more. Page 2

3 Amadeus IT Group SA Revenues Distribution & IT (Figures in million euros) , ,707 3, , ced1609a17cf1a a2ad ae IT Distribution Page 3

4 Amadeus 2015 Amadeus IT Group IT Group SA SA Distribution An overview Customer service Learning Delivery & Implementation Operations Support Page Consultancy 4

5 Amadeus 2015 Amadeus IT Group IT Group SA SA IT An overview Customer service Learning Delivery & Implementation Operations Support Page Consultancy 5

6 Amadeus 2015 Amadeus IT Group IT Group SA SA Robust global operations 3 _ Amadeus today 1.6+ billion data requests processed per day 525+ million travel agency bookings processed in million Passengers Boarded (PBs) in % of the world s scheduled network airline seats Page 6

7 Amadeus 2015 Amadeus IT Group IT Group SA SA Close to our customers Page 7

8 Changing context Our customers are pentesting us all the time Laws changing (PCI-DSS 3.0, EU Data Privacy Directive) Organized hackers behind botnets and professional hacking Google, Microsoft, Facebook bug bounties new army of hackers

9 Amadeus 2015 Amadeus IT Group IT Group SA SA Our management team CISO Page 9

10 Amadeus Security Offices Amadeus IT Group SA CISO Policies, Regional/Information Security Officers, etc. Production Data Center Internal IT security offices R&D Applications Page 10

11 Amadeus IT Group SA R&D Application Security Office Mission Make Amadeus products sufficiently resilient against fraud & data breaches, and ensure compliance with applicable legislation, standards and regulations PCI-DSS audits & compliance Secure product design & architecture Incident management support Secure Development Lifecycle (SDL) Page 11

12 Ages and phases of security Amadeus IT Group SA Page 12

13

14 Application Attack Vector examples CSRF Directory Traversal XML injection webservice Firewall/DMZ SQL/CMD Injection webserver MiTB: XSS Clickjacking Cache Poisoning MiTM: Param Fuzzing Proxy sniffing Forged Tokens datastore Direct Object Reference filestore

15 Building security into software development lifecycle

16 Run Test Amadeus IT Group SA Build Design People & skills Secure Development Lifecycle 12 touchpoints SecDev Training Classes (WebApp, C++, QA) WhiteHat elearning WhiteHat Awareness Sessions SDL Portal WhiteHat deployment support 1 Risk Identification Threat Modelling 2 3 Technical Policy Compliance 4 Developer SecTools 5 Security Code Review 6 Code Signing Source code/static Application Scans 7 8 FOSS libs and 3rd party binary analysis 9 Web Application Scans 10 Penetration Tests 11 PRD load validation 12 Public Attack Surface audits Page 16

17 Amadeus IT Group SA Examples of some SDL tools and activities Risk Identification Microsoft Threat Modeling Tool Threat modeling workshops Internal security lab Page 17

18 Examples of some SDL tools and activities Amadeus IT Group SA Configuration file scanner Web & Application Servers Java Dependency Checker Source Code Scans Web App Scans Penetration Tests Page 18

19 Amadeus IT Group SA Microsoft Threat Modeling Tool Page 19

20 Amadeus IT Group SA Configuration file scanner Web & Application Servers Page 20

21 Amadeus IT Group SA Key takeaways Pentest & patch is not enough full SDL needed Design security-in from the start Educating/involving developers is key Page 21

22 2015 Amadeus IT Group SA Amadeus IT Group SA Thank you You can follow us on: AmadeusITGroup amadeus.com/blog amadeus.com