OWASP Top 10 – Broken Authentication

  • Dictionary and credential-stuffing attacks against the login form
  • Leaked or reused credentials from other breaches
  • Once the attacker holds a valid account: identity theft, payment-card and money-transfer fraud, and theft of the user's data

Solutions

  1. Verify the user's identity and manage sessions securely.
  2. Implement multi-factor authentication.
  3. No default credentials, especially for administrative accounts.
  4. Check new passwords against lists of weak and known-breached passwords.
  5. Enforce length, complexity and history checks (no reuse of recent passwords).
  6. Limit or increasingly delay failed login attempts.
  7. Log every login attempt, successful or not, and alert on brute-force patterns.
  8. Use a SERVER-SIDE SESSION IDENTIFIER: a random ID generated by the server, replaced after login, and invalidated on logout and after idle/absolute timeouts.

 

For item 4, check candidate passwords against the Pwned Passwords service at https://haveibeenpwned.com/ . Its range API uses k-anonymity: the client sends only the first five hex characters of the password's SHA-1 and matches the returned suffixes locally, so the password itself never leaves the application.
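The Python below is an added example, not code from these notes or from Have I Been Pwned. It implements the client side of the range check described above against a constructed, offline stand-in for the breach corpus (the fake_range_lookup function and its counts are invented; a real deployment swaps in an HTTP GET of https://api.pwnedpasswords.com/range/<prefix>), and combines it with the length and salted password-history checks from items 4 and 5 of the list. MIN_PASSWORD_LENGTH and HISTORY_ITERATIONS are assumed policy values.

```python
import hashlib
import secrets
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed stand-in for the Pwned Passwords corpus (counts are invented).
# A real client would GET https://api.pwnedpasswords.com/range/<prefix>;
# everything here runs offline against this dictionary instead.
CONSTRUCTED_BREACH_CORPUS: Dict[str, int] = {
    "password": 3_730_471,
    "123456": 37_359_195,
    "letmein": 236_536,
    "Summer2018!": 1_204,
}

MIN_PASSWORD_LENGTH = 12      # assumed policy value
HISTORY_ITERATIONS = 100_000  # assumed PBKDF2 work factor for stored history hashes


def sha1_hex(password: str) -> str:
    """SHA-1 is the hash the Pwned Passwords protocol is defined over; it is
    used only for the lookup, never for storing the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hexdigest: str) -> Tuple[str, str]:
    """k-anonymity split: the 5-character prefix is all the service sees,
    the 35-character suffix stays on the client."""
    return hexdigest[:5], hexdigest[5:]


def fake_range_lookup(prefix: str) -> str:
    """Mimics the /range/<prefix> response: one 'SUFFIX:COUNT' line per
    breached hash that shares the prefix. Built from the constructed corpus."""
    lines = []
    for pw, count in CONSTRUCTED_BREACH_CORPUS.items():
        p, s = split_hash(sha1_hex(pw))
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the SUFFIX:COUNT lines into a dict keyed by upper-case suffix."""
    matches: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        matches[suffix.upper()] = int(count)
    return matches


def breach_count(password: str, lookup: Callable[[str], str] = fake_range_lookup) -> int:
    """Number of times the password appears in the corpus, 0 if never seen.
    Only the hash prefix is passed to `lookup`; matching happens locally."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(lookup(prefix)).get(suffix, 0)


def hash_for_history(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash for the password-history store (never a bare
    one-way hash: that is CWE-759)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, HISTORY_ITERATIONS)
    return salt, digest


def in_history(password: str, history: Iterable[Tuple[bytes, bytes]]) -> bool:
    """Constant-time comparison against each stored (salt, digest) pair."""
    return any(
        secrets.compare_digest(hash_for_history(password, salt)[1], digest)
        for salt, digest in history
    )


def validate_new_password(password: str, history: Iterable[Tuple[bytes, bytes]],
                          lookup: Callable[[str], str] = fake_range_lookup) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems: List[str] = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("too short")
    count = breach_count(password, lookup)
    if count:
        problems.append(f"seen {count} times in breach data")
    if in_history(password, history):
        problems.append("reused from password history")
    return problems
```

The split in split_hash is the whole privacy property of the protocol: the server learns a 20-bit prefix shared by hundreds of hashes, and the client does the final match. The history store keeps a salt per entry so two users with the same old password do not share a digest.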

OWASP Top 10 – Injection

Occurs when untrusted data is sent to an interpreter (SQL, NoSQL, OS shell, LDAP, ...) as part of a command or query, so the interpreter executes attacker-controlled input as code instead of treating it as data.

Solutions

  1. Handle errors gracefully: return a custom error page and never reveal DB details or the failing query to the client.
  2. Validate and sanitize inputs against what each field is expected to contain.
  3. Escape special characters for the target interpreter, and prefer allow-lists (whitelists) of accepted values over block-lists.
  4. Filtering SQL keywords (SELECT, UNION, INSERT, ...) is defence in depth only; it is easy to bypass and must not replace items 5 and 6.
  5. Parameter typecasting: cast each parameter to its expected type (an ID becomes an integer) before it is used.
  6. Add a query-building layer (parameterized queries / prepared statements or an ORM) that keeps untrusted data separate from the query structure.

Or in other words

Level One = Parameter validation: datatype and length check on every input.

Level Two = Fixed query shape: the number of parameters sent to the query is known in advance and values are bound, never concatenated into the query text.

Level Three = Don't show queries or other internal errors in production.
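As an added example (not code from these notes), the three levels side by side in Python with SQLite: the concatenating lookup that the payload "1 OR 1=1" turns into a full table dump, the same query with a bound parameter, the typecast-then-bind version, and a request handler that logs the detail and returns a generic message. The table, rows, payloads and logger name are constructed for the example.

```python
import logging
import sqlite3
from typing import Dict, List, Tuple

logging.basicConfig(level=logging.WARNING)
log = logging.getLogger("users-api")  # assumed logger name


def build_db() -> sqlite3.Connection:
    """In-memory table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, role TEXT NOT NULL);
        INSERT INTO users VALUES (1, 'alice', 'admin'), (2, 'bob', 'user'), (3, 'carol', 'user');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[Tuple[str, str]]:
    """Untrusted data becomes part of the SQL text, so the interpreter parses it.
    Kept deliberately vulnerable to show the failure."""
    sql = "SELECT username, role FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> List[Tuple[str, str]]:
    """Level two: the query shape is fixed and the value travels as a bound
    parameter. A payload is compared as a value, never parsed as SQL."""
    return conn.execute("SELECT username, role FROM users WHERE id = ?", (user_id,)).fetchall()


def lookup_hardened(conn: sqlite3.Connection, user_id: str) -> List[Tuple[str, str]]:
    """Level one + two: typecast first (rejecting anything that is not an
    integer), then bind."""
    uid = int(user_id)  # raises ValueError for "1 OR 1=1", "1; DROP ...", etc.
    if uid <= 0:
        raise ValueError("id must be positive")
    return conn.execute("SELECT username, role FROM users WHERE id = ?", (uid,)).fetchall()


def handle_request(conn: sqlite3.Connection, user_id: str) -> Dict[str, object]:
    """Level three: detail goes to the server log, the client gets a generic message."""
    try:
        rows = lookup_hardened(conn, user_id)
    except ValueError:
        return {"status": 400, "error": "invalid request"}
    except sqlite3.Error as exc:
        log.error("database error for user_id=%r: %s", user_id, exc)
        return {"status": 500, "error": "internal error"}
    return {"status": 200, "rows": rows}
```

The parameterized variant alone already defeats the payload because the driver sends the value out of band from the query text; the typecast adds the level-one check so that malformed input is rejected with a 400 before it reaches the database at all.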

OWASP Top 10 (2017 edition)

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities
  5. Broken Access Control
  6. Security Misconfiguration
  7. XSS
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging and Monitoring

Worth mentioning from the previous (2013) list: Cross-Site Request Forgery (CSRF), dropped in 2017 because most web frameworks now ship CSRF defences.

CWE/SANS Top 25 Most Dangerous Software Errors (2011 edition)

Insecure Interaction between Components

  • CWE-89 – Improper neutralization of special elements in an SQL command [SQL injection]
  • CWE-78 – OS command injection
  • CWE-79 – Cross-site scripting (XSS)
  • CWE-434 – Unrestricted upload of a file with a dangerous type
  • CWE-352 – Cross-site request forgery (CSRF)
  • CWE-601 – Open redirect [URL redirect to an untrusted site]

Risky Resource Management

  • CWE-120 – Classic buffer overflow (buffer copy without checking the size of input)
  • CWE-22 – Path traversal
  • CWE-494 – Download of code without integrity check
  • CWE-829 – Inclusion of functionality from an untrusted control sphere
  • CWE-676 – Use of a potentially dangerous function
  • CWE-131 – Incorrect calculation of buffer size
  • CWE-134 – Uncontrolled format string
  • CWE-190 – Integer overflow or wraparound

Porous Defenses

  • CWE-306 – Missing authentication for a critical function
  • CWE-862 – Missing authorization
  • CWE-798 – Use of hard-coded credentials
  • CWE-311 – Missing encryption of sensitive data
  • CWE-807 – Reliance on untrusted inputs in a security decision
  • CWE-250 – Execution with unnecessary privileges
  • CWE-863 – Incorrect authorization
  • CWE-732 – Incorrect permission assignment for a critical resource
  • CWE-327 – Use of a broken or risky cryptographic algorithm
  • CWE-307 – Improper restriction of excessive authentication attempts
  • CWE-759 – Use of a one-way hash without a salt

 

PCI DSS 3.2

PCI SSC programmes that sit alongside the standard:

  • Self-Assessment Questionnaire (SAQ)
  • PIN Transaction Security (PTS) for PIN entry devices (encrypting PIN pads)
  • Validated payment applications (PA-DSS)

The new requirements introduced in 3.2 were best practices until 31 January 2018 and became mandatory from 1 February 2018.

List of Controls

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Protect all systems against malware and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need to know.
  8. Identify and authenticate access to system components.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for all personnel.

PCI DSS 2.0 to 3.0 and 3.1

Versions 3.0 and 3.1 provide clarification and additional guidance and add evolving requirements, among them:

  • Network Diagram essential
  • Maintain system component inventory
  • Mitigation of malware threats
  • Usage of antivirus software mandatory
  • Coding practices for Broken Authentication & Session Management
  • Password Complexity requirements
  • Authentication on remote access
  • Physical Access
  • Point Of Sale (POS)  Device Security
  • User Identification and Authorization
  • Audit Logs
  • Inventory of authorized wireless access points
  • Scheduled Penetration Testing
  • Cardholder Data Environment [CDE] isolation
  • Annual Risk Assessment
  • Compliance of Service Providers
  • Written Acknowledgement

3.1 change log

  • SSL and early TLS (TLS 1.0) are no longer considered strong cryptography
  • Migration deadline of 30 June 2016 to TLS 1.1 or higher (TLS 1.2 strongly recommended); PCI DSS 3.2 later extended this deadline to 30 June 2018
  • Remove or disable user accounts inactive for more than 90 days (requirement 8.1.4)

SSAE 16 Audit

  • InfoSec – protect the confidentiality and integrity of consumer data.
  • Logical Access – databases, operating systems and applications are restricted to authorized users only.
  • Computer Operations and Monitoring – system availability is monitored to protect against interruptions; incidents are identified and resolved in a timely manner.
  • Backup of Data Files and Programs – periodic backups and backup restore testing.

 

Security Code Reviews

  • Deprecated features
  • Parameter typecasting
  • Unused variables
  • Input sanitization
  • NO HARD-CODED passwords or keys
  • No sensitive information in client-side code or source comments
  • No unlimited result sets (every list query is paginated or capped)
  • Don't hit the database unless needed (unbounded queries are a denial-of-service vector)
  • User groups and permissions
  • No MD5, SHA-1, RC4 or similarly broken algorithms
  • Explicit, reviewed changes in configuration files
  • File upload verification (type, size, name and storage location)
  • Change the session ID after the user has successfully authenticated
  • Secure application design and development
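An added example, not code from these notes, covering item 8 of the Broken Authentication solutions (server-side session identifier) and the "change the session ID after the user has successfully authenticated" review item: a minimal server-side session store in Python. The ID the client presents before login is discarded at login so a fixated ID never becomes an authenticated one, and expiry is enforced on the server. The timeout values and the injectable clock are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # assumed policy values (seconds)
ABSOLUTE_TIMEOUT = 8 * 3600


@dataclass
class Session:
    user: Optional[str]   # None until login completes
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table. The cookie carries only an opaque random
    ID; user identity and timestamps never leave the server."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock   # injectable so expiry can be tested deterministically
        self._sessions: Dict[str, Session] = {}

    def _new_id(self) -> str:
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG

    def start(self) -> str:
        """Pre-authentication session (for a CSRF token, a cart, ...)."""
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(None, now, now)
        return sid

    def login(self, presented_sid: Optional[str], user: str) -> str:
        """Rotate the ID at the privilege change: whatever ID the client
        presented (possibly planted by an attacker, i.e. session fixation) is
        discarded and a fresh one is bound to the user."""
        if presented_sid is not None:
            self._sessions.pop(presented_sid, None)
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def resolve(self, sid: str) -> Optional[str]:
        """Return the user bound to sid, or None. Enforces both the idle and
        the absolute timeout and deletes expired sessions server-side."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT or now - sess.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        sess.last_seen = now
        return sess.user

    def logout(self, sid: str) -> None:
        """Invalidate on the server; clearing the cookie alone is not enough."""
        self._sessions.pop(sid, None)

    def active_count(self) -> int:
        return len(self._sessions)
```

Set the cookie that carries the ID with Secure, HttpOnly and SameSite attributes; the store above only covers the server half of the control.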