Building Secure: Payment Systems & Applications
By: Sarath Geethakumar
Sarath Geethakumar (@sarathgk) 24 September 2014 1
About Me
Security Researcher
Sr. Director, Information Security, Visa
Mobile Security Enthusiast
Co-Author: Hacking Exposed Mobile
Developer by passion
Contents
IEEE Top 10 Scariest Threats
2013/14 Breach Recap
Payment Systems/Application Overview
Security Life Cycle
Building Security IN
IEEE survey results: Top 10 Threats
New threats emerge every day. Which do you think are the Top 10 scariest security threats this year?
(Chart: survey ratings for the following threats)
Attacks against cryptocurrency exchanges
Ransomware
Government spying
Retail data breaches
Mobile malware
Heartbleed vulnerabilities
Massive Russian hacker database
Vulnerabilities in home network routers
Airplane communications systems flaws
Vulnerabilities in USBs
What is the real threat?
Breaches 2013/2014
Recap of KNOWN & PUBLICIZED breaches:
Retail Stores: Target, Neiman Marcus, Home Depot
Restaurants: PF Chang
Health Care: Community Health Systems
Banks: JP Morgan Chase
Are there more?
Who, What, How and Why
Who is affected: Large enterprises, retailers, manufacturers and more. Common man!!!
What is the impact: Encompasses every realm of day to day life!
How did it happen: 3rd party HVAC provider, 3rd party software, platform etc.; Web application vulnerability, missing patches; Phishing and targeted attacks
Why? Same vectors re-used again and again
Payment System: Overview
(Diagram: POS)
Breach Analysis
Exploit: Malware/Phishing/Drive-by-downloads; Vulnerable applications and systems
Post-exploitation: Weak security architecture; Weak secure software development; Lack of vulnerability management; Non-existent security monitoring
Most organizations affected by breach were compliant to regulatory requirements!!!
(Development lifecycle: Feature Review, Requirements, Design, Development, Quality Assurance, Release Mgmt.)
Security Strategy
Define Strategy & Governance
Security Monitoring & Incident Response
Establish Security Standards & Guidelines
Security Assurance
Benchmark - Sec. Capabilities
Security Validation
Establish Risk Based Security Assessment
Secure Development Standards
Security Architecture & Frameworks
Security Life Cycle
Security Levels/Stages (development phase) and Security Activities:
Security & Privacy Review (Analyze): Perform requirement and use case review, compliance review, privacy review, product risk assessment
Secure Design/Arch. Review (Design): Perform threat modeling, architectural risk assessment, asset mapping and generate Security Requirement Matrix
Secure Software Development (Develop): Provide training, choose development frameworks & libraries, perform differential code review, checkpoints
Security Validation & Verification (Implement): Perform code review, static analysis & dynamic analysis of developed code
Security Assurance (Testing): Conduct penetration testing, RED Team exercises, security patching
Sec. Monitoring (Finalize): Incident response, SIEM, data analytics
Building Security In
No Absolute Security
Security = Defense in Depth
80% reduction in security findings
Reduced no. of penetration tests
No critical/high findings post development
Enables agile development
Secure Software/System development: Microsoft SDL, BSIMM
Questions?
Sarath Geethakumar
mail@sarath-g.com
@sarathgk