SlideShare uma empresa Scribd logo

Nikhil wagholikar _risk_based_penetration_testing - ClubHack2009

ClubHack
ClubHack
Tecnologia
1 de 45
Baixar para ler offline
What is on your mind, is on your body Nikhil Wagholikar Practice Lead | Security Assessments & Digital Forensics Member, Mumbai OWASP Chapter www.niiconsulting.com nikhil@niiconsulting.com
 CEH, ISO 27001:LA  Penetration testing, Security Auditing, Digital Forensics, GRC, Solutions, Performance Auditing  Numerous India and Middle East based clients  Conducted training on various fields of Information security like GRC, IT Security, Green IT, VAPT, Incident Response, Digital Forensics, Application Security
 Articles  Dare to Delete my files – Checkmate  Universal Extractor – Checkmate http://www.niiconsulting.com/checkmate/  Assessing Bandwidth Use as a Function of Network Performance – ITAudit http://www.theiia.org/ITAuditArchive/index.cfm? catid=21&iid=571  Essential Aspects of an Effective Network Performance Audit – ITAudit http://www.theiia.org/ITAuditArchive/index.c fm?iid=575&catid=21&aid=2901
 Regular pen-testing vs. Risk-based pentesting  The process of risk-based testing ◦ Understanding the business ◦ Legal & regulatory requirements ◦ Understanding the risks ◦ Examples ◦ Client-side attacks ◦ Beyond hacking technology  Conclusion
Lack of Business Risk Perspective – US Department of Homeland Security: “Most penetration testing processes and tools do little, if anything, to substantively address the business risks... This is largely due to the fact that the tools and the testers view the target systems with “technology blinders” on... Although many testing tools and services claim to rank vulnerabilities in terms of technical severity, they do not typically take business risk into account in any significant sense. At best, the test teams conduct interviews with the business owners of the applications and the application architects in an attempt to ascertain some degree of business impact, but that connection is tenuous. …the business perspectives, however limited, that these processes can determine are all post facto. That is, they make their business impact rankings after the test is completed...This is a key shortcoming of penetration testing practices today.” https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best- practices/penetration/655-BSI.html Software Security – building security in, Chapter 6 on “Penetration Testing Today” “The problem? No clue about security risk. No idea whether the most critical security risks have been identified, how much more risk remains in the system, and how many bugs are lurking in the zillions of lines of code”
“Penetration testing is dead. The concept as we know it is on its death bed, waiting to die and come back as something else.” - Brian Chess, Co-Founder, Fortify Software
Some theory
 Client: “Please provide quote for black-box penetration test”  SP: “Please provide list of IP addresses and URLs, and application test IDs” Pre-sales Approach - Evolved  Client: “Please provide quote for black-box penetration test”  SP: “Hang on...”  SP: “I‟d first like to know…”
Traditional Pentesting Risk-based Pentesting Focus is on technical Focus is on business risks vulnerabilities Requires strong technical know- Requires both technical and business how process know-how Having the right set of tools is Understanding the workings of the critical business and applications is critical Is usually zero-knowledge Requires a person who understands the business process to play a significant role – usually an insider Understanding the regulatory Understanding the regulatory environment is good environment is mandatory
Traditional Pentesting Risk-based Pentesting Severity levels are based on Severity levels are based on risk to technical parameters the business Risk levels in report are assigned Risk levels in report reflect the levels post facto assigned prior to testing Test cases are build based on Tests cases additionally build on risk testing methodologies or generic scenarios testing processes Audience for the report is usually Audience for the report also includes the IT and Security teams the business process owners and heads of departments
 Corporate Banking Platform – allows 3 logins ◦ Maker who enters the transaction into the system ◦ Verifier who checks the transaction data ◦ Authorizer who authorizes the final payment  Each screen in the web application is different based on privilege level of logged in user  Security implemented by: ◦ Restricting access to URLs that allow certain transactions ◦ Parameters that trigger certain transactions
 RA Phase ◦ Understand business process ◦ Understand business risks ◦ Define test cases  Can maker do what verifier does  Can verifier do what authorizer does  Can client‟s admin do what bank‟s admin does  So forth  Pentesting discovers ◦ http://www.bankPay.co.in/BankPayApp/authorizePaymentA ction.action is available only to Authorizer ◦ But what if Maker puts it in his browser? ◦ Transaction still doesn‟t get authorized ◦ Further investigation reveals a parameter:  Filter=„block‟ ◦ When this value is changed to:  Filter=„submitToPay‟
 Who are the key actors – employees, departments, customers, partners, vendors, investors, brokers, franchisees, resellers?  What applications do they use?  What data do they access through these applications?  What are the risks if any of these actors turns bad?  What possibilities exist if an actor should decide to misuse the data – building fraud scenarios?
 PCI DSS ◦ For all credit card processing merchants ◦ Quarterly, semi-annual, annual network scans and penetration tests ◦ Focus on web application security ◦ Requires high-level of protection of credit card data ◦ There are no fines for non-compliance but breaches of security could put you out of business  HIPAA ◦ For healthcare and pharma providers ◦ Requires high-level of protection for patient records and medical history ◦ Fines for non-compliance are usually high ◦ Breaches could put you out of practice/business
 FDA  FFIEC  SOX  Indian IT Act 2008  RBI / Other Central Bank  Others
CWE 717
 A local search engine with millions of hits on the website  Key concerns are: ◦ Growing competition ◦ Need to expand rapidly through resellers and franchisee model ◦ Threat of exposure of data to unscrupulous elements ◦ Low competitive entry barrier - biggest threat of corporate espionage  External web application test ◦ Running repeated search queries – changing session IDs, changing source IP addresses ◦ Exploiting other channels – WAP, Toolbar, sub-domains  Internal business applications tested from perspective of a: ◦ Tele-caller ◦ Marketing agent ◦ Developer
Internationally acclaimed publications website  Earns income via paid subscription to researched publications  Publications are key intellectual property  Membership levels and subscription values differ based on sensitivity and type of information accessible  Use of the Google Search appliance leads to indexing of all data  While members only data is not accessible directly, it is accessible via the „Text Version‟ link from the Google search results!
 Investors use the stock exchange via brokers  However, direct interactions with exchange include: ◦ Registering with the exchange to obtain investor IDs ◦ Modifying investor personal data ◦ Nominating others to trade on their behalf ◦ Obtaining trade summaries ◦ Obtaining research reports  One of the key risks identified: ◦ Violation of privacy
 Website analysis reveals two areas of interest ◦ A local search functionality ◦ Online access to personal trading history and balance sheets  Each investor has a personal investor number – National Investor ID (NID)  Website also offers educational games and documents on how to trade  Guessing passwords for user IDs gives access to complete trade history and balance sheets  Entering interesting search terms results in personal details of investors being revealed
 Driven by business risks and regulatory requirements  Identify all sensitive data, not just authentication credentials  PCI DSS requires encryption of credit card data ◦ Between the client and the web server ◦ When stored in the database ◦ Between the web application server and the database server  HIPAA requires securing of all patient data ◦ Prescriptions ◦ Medical history ◦ Diagnostic results ◦ Transcriptions
Taking it further – Pentesting ERP
For a procure-2-pay cycle, possible fraud scenarios could include? ◦ Adding a vendor without proper approval ◦ Changing the banking data of a vendor so that payments go into the wrong bank account ◦ Approving a quote by violating access rights ◦ Approving an invoice without a goods-received- note being present ◦ Colluding with another user to perpetrate a fraud ◦ Violating maker-checker controls
 Main actors involved are: ◦ Brokers ◦ Franchisees ◦ Investors  Possible frauds could occur as follows: ◦ Attacker gathers enough data to social engineer a broker ◦ Attacker places trades on behalf of investors by violating web application security – jacking up share prices ◦ Attacker is able to determine trading patterns of HNIs – High Networth Individuals ◦ Attacker violates payment gateway controls to channel money into his/her own account ◦ Attacker impersonates a broker/franchisee and social engineers the share trading company
 Internal audit of a Southern India-based retail store contracts us to do a „tiger team‟ attack  Objective of the exercise is to determine controls over financial information  Risks identified: ◦ Access sensitive financial information? ◦ Modify goods prices and accounts information significantly? ◦ Change tags on goods to buy them at lower price?
CWE - 352
Social networking website  Value of website derives from focus on privacy and ease-of-use  Peer-feedback is the key to the popularity  Messages posted privately and on public „walls‟, „scrapbooks‟, „blogs‟  Integrity of messages is key  Social engineering can be used to trigger CSRF and XSS attacks
Or HTML Injection?
 Explaining the technicality of the issue to developers and management  Explaining exploitability and impact of the issue  Demonstrating practical risk from it  In some situations, explaining it additionally as HTML injection may help
And other techniques
 Vote for Cyber Security!
 Browser-based exploits  Trojaned MS Office/PDF files  Combine with SE on social networking sites ◦ LinkedIn ◦ Monster.com and job sites ◦ Social networking sites  Phishing attacks  Evil maid attacks  Windows Metafile-type exploits  RSA (2-factor) hacks
 Fear of the unknown  Client resistance  Simply a checklist item  Cost  Time
 Real-world hackers are hacking the business, not the technology – they always have been  Penetration testers need to bring their approach up to speed – go beyond the norm  Endeavor to obtain greater business know-how and a larger perspective than “technical blinkers”  Cookie-cutter pen-testing methods don‟t add value  Technical testing needs to be combined with physical penetration testing and social engineering  Reports and executive summaries should reflect this deeper understanding of the business perspective
Nikhil Wagholikar Practice Lead | Security Assessments & Digital Forensics NII Consulting nikhil@niiconsulting.com www.niiconsulting.com

Recomendados

Core.co.enterprise.deck.06.16.10
Core.co.enterprise.deck.06.16.10Core.co.enterprise.deck.06.16.10
Core.co.enterprise.deck.06.16.10Core Security Technologies
 
Security_360_Marketing_Package
Security_360_Marketing_PackageSecurity_360_Marketing_Package
Security_360_Marketing_PackageRandy B.
 
ProjectReport_Finalversion
ProjectReport_FinalversionProjectReport_Finalversion
ProjectReport_FinalversionMamoon Ismail Khalid
 
M Kamens Iia Financial Services Presentation At Disney
M Kamens Iia Financial Services Presentation At DisneyM Kamens Iia Financial Services Presentation At Disney
M Kamens Iia Financial Services Presentation At Disneykamensm02
 
Emerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and SecurityEmerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and SecurityJessica Santamaria
 
Don't let them take a byte
Don't let them take a byteDon't let them take a byte
Don't let them take a bytelgcdcpas
 
A Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsA Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsVictor Oluwajuwon Badejo
 
Powerpoint v7
Powerpoint v7Powerpoint v7
Powerpoint v7Veronica Pereira
 

Recomendados

Core.co.enterprise.deck.06.16.10
Core.co.enterprise.deck.06.16.10Core.co.enterprise.deck.06.16.10
Core.co.enterprise.deck.06.16.10Core Security Technologies
 
Security_360_Marketing_Package
Security_360_Marketing_PackageSecurity_360_Marketing_Package
Security_360_Marketing_PackageRandy B.
 
ProjectReport_Finalversion
ProjectReport_FinalversionProjectReport_Finalversion
ProjectReport_FinalversionMamoon Ismail Khalid
 
M Kamens Iia Financial Services Presentation At Disney
M Kamens Iia Financial Services Presentation At DisneyM Kamens Iia Financial Services Presentation At Disney
M Kamens Iia Financial Services Presentation At Disneykamensm02
 
Emerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and SecurityEmerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and SecurityJessica Santamaria
 
Don't let them take a byte
Don't let them take a byteDon't let them take a byte
Don't let them take a bytelgcdcpas
 
A Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsA Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsVictor Oluwajuwon Badejo
 
Powerpoint v7
Powerpoint v7Powerpoint v7
Powerpoint v7Veronica Pereira
 
ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
ISACA NA CACS 2012 Orlando session 414 Ulf MattssonISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
ISACA NA CACS 2012 Orlando session 414 Ulf MattssonUlf Mattsson
 
Heartlandpt3
Heartlandpt3Heartlandpt3
Heartlandpt3grimesjo
 
Heartlandpt3
Heartlandpt3Heartlandpt3
Heartlandpt3grimesjo
 
Emerging Trends in Information Security and Privacy
Emerging Trends in Information Security and PrivacyEmerging Trends in Information Security and Privacy
Emerging Trends in Information Security and Privacylgcdcpas
 
Heartland
HeartlandHeartland
Heartlandgrimesjo
 
Cyber Security
Cyber SecurityCyber Security
Cyber SecurityNC Military Business Center
 
How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...Security B-Sides
 
Data Sheet For Erg
Data Sheet For ErgData Sheet For Erg
Data Sheet For Ergmjschreck
 
Security For Outsourced IT Contracts
Security For Outsourced IT ContractsSecurity For Outsourced IT Contracts
Security For Outsourced IT ContractsBill Lisse
 
GDPR & Capacity Management
GDPR & Capacity ManagementGDPR & Capacity Management
GDPR & Capacity ManagementPrecisely
 
Prevent Insider Threats with User Activity Monitoring
Prevent Insider Threats with User Activity MonitoringPrevent Insider Threats with User Activity Monitoring
Prevent Insider Threats with User Activity MonitoringObserveIT
 
Bridging the Social Media Implementation/Audit Gap
Bridging the Social Media Implementation/Audit GapBridging the Social Media Implementation/Audit Gap
Bridging the Social Media Implementation/Audit GapJerod Brennen
 
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1cGene Kim
 
Rhd + Visual Risk Iq Presentation On Continuous Auditing District Conferenc...
Rhd + Visual Risk Iq Presentation On Continuous Auditing District Conferenc...Rhd + Visual Risk Iq Presentation On Continuous Auditing District Conferenc...
Rhd + Visual Risk Iq Presentation On Continuous Auditing District Conferenc...Joe Oringel
 
Cryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingCryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingHai Nguyen
 
PCI DSS Certification
PCI DSS CertificationPCI DSS Certification
PCI DSS Certificationhodonoghue
 
Introduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationIntroduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationKimberly Simon MBA
 
Flight East 2018 Presentation–Data Breaches and the Law
Flight East 2018 Presentation–Data Breaches and the LawFlight East 2018 Presentation–Data Breaches and the Law
Flight East 2018 Presentation–Data Breaches and the LawSynopsys Software Integrity Group
 
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...IRJET Journal
 
Insider Threats: Out of Sight, Out of Mind?
Insider Threats: Out of Sight, Out of Mind?Insider Threats: Out of Sight, Out of Mind?
Insider Threats: Out of Sight, Out of Mind?ObserveIT
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation servicesTariq Juneja
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Risk Crew
 

Mais conteúdo relacionado

Mais procurados

ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
ISACA NA CACS 2012 Orlando session 414 Ulf MattssonISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
ISACA NA CACS 2012 Orlando session 414 Ulf MattssonUlf Mattsson
 
Heartlandpt3
Heartlandpt3Heartlandpt3
Heartlandpt3grimesjo
 
Heartlandpt3
Heartlandpt3Heartlandpt3
Heartlandpt3grimesjo
 
Emerging Trends in Information Security and Privacy
Emerging Trends in Information Security and PrivacyEmerging Trends in Information Security and Privacy
Emerging Trends in Information Security and Privacylgcdcpas
 
How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...Security B-Sides
 
Data Sheet For Erg
Data Sheet For ErgData Sheet For Erg
Data Sheet For Ergmjschreck
 
Security For Outsourced IT Contracts
Security For Outsourced IT ContractsSecurity For Outsourced IT Contracts
Security For Outsourced IT ContractsBill Lisse
 
GDPR & Capacity Management
GDPR & Capacity ManagementGDPR & Capacity Management
GDPR & Capacity ManagementPrecisely
 
Prevent Insider Threats with User Activity Monitoring
Prevent Insider Threats with User Activity MonitoringPrevent Insider Threats with User Activity Monitoring
Prevent Insider Threats with User Activity MonitoringObserveIT
 
Bridging the Social Media Implementation/Audit Gap
Bridging the Social Media Implementation/Audit GapBridging the Social Media Implementation/Audit Gap
Bridging the Social Media Implementation/Audit GapJerod Brennen
 
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1cGene Kim
 
Rhd + Visual Risk Iq Presentation On Continuous Auditing District Conferenc...
Rhd + Visual Risk Iq Presentation On Continuous Auditing District Conferenc...Rhd + Visual Risk Iq Presentation On Continuous Auditing District Conferenc...
Rhd + Visual Risk Iq Presentation On Continuous Auditing District Conferenc...Joe Oringel
 
Cryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingCryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingHai Nguyen
 
PCI DSS Certification
PCI DSS CertificationPCI DSS Certification
PCI DSS Certificationhodonoghue
 
Introduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationIntroduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationKimberly Simon MBA
 
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...IRJET Journal
 
Insider Threats: Out of Sight, Out of Mind?
Insider Threats: Out of Sight, Out of Mind?Insider Threats: Out of Sight, Out of Mind?
Insider Threats: Out of Sight, Out of Mind?ObserveIT
 

Mais procurados (20)

ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
ISACA NA CACS 2012 Orlando session 414 Ulf MattssonISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
 
Heartlandpt3
Heartlandpt3Heartlandpt3
Heartlandpt3
 
Heartlandpt3
Heartlandpt3Heartlandpt3
Heartlandpt3
 
Emerging Trends in Information Security and Privacy
Emerging Trends in Information Security and PrivacyEmerging Trends in Information Security and Privacy
Emerging Trends in Information Security and Privacy
 
Heartland
HeartlandHeartland
Heartland
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...
 
Data Sheet For Erg
Data Sheet For ErgData Sheet For Erg
Data Sheet For Erg
 
Security For Outsourced IT Contracts
Security For Outsourced IT ContractsSecurity For Outsourced IT Contracts
Security For Outsourced IT Contracts
 
GDPR & Capacity Management
GDPR & Capacity ManagementGDPR & Capacity Management
GDPR & Capacity Management
 
Prevent Insider Threats with User Activity Monitoring
Prevent Insider Threats with User Activity MonitoringPrevent Insider Threats with User Activity Monitoring
Prevent Insider Threats with User Activity Monitoring
 
Bridging the Social Media Implementation/Audit Gap
Bridging the Social Media Implementation/Audit GapBridging the Social Media Implementation/Audit Gap
Bridging the Social Media Implementation/Audit Gap
 
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
 
Rhd + Visual Risk Iq Presentation On Continuous Auditing District Conferenc...
Rhd + Visual Risk Iq Presentation On Continuous Auditing District Conferenc...Rhd + Visual Risk Iq Presentation On Continuous Auditing District Conferenc...
Rhd + Visual Risk Iq Presentation On Continuous Auditing District Conferenc...
 
Cryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingCryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for banking
 
PCI DSS Certification
PCI DSS CertificationPCI DSS Certification
PCI DSS Certification
 
Introduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationIntroduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) Certification
 
Flight East 2018 Presentation–Data Breaches and the Law
Flight East 2018 Presentation–Data Breaches and the LawFlight East 2018 Presentation–Data Breaches and the Law
Flight East 2018 Presentation–Data Breaches and the Law
 
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
 
Insider Threats: Out of Sight, Out of Mind?
Insider Threats: Out of Sight, Out of Mind?Insider Threats: Out of Sight, Out of Mind?
Insider Threats: Out of Sight, Out of Mind?
 

Semelhante a Nikhil wagholikar _risk_based_penetration_testing - ClubHack2009

PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation servicesTariq Juneja
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Risk Crew
 
Dealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleDealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleRochester Security Summit
 
Application Security Review 5 Dec 09 Final
Application Security Review 5 Dec 09 FinalApplication Security Review 5 Dec 09 Final
Application Security Review 5 Dec 09 FinalManoj Agarwal
 
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...Core Security
 
I Series User Management
I Series User ManagementI Series User Management
I Series User ManagementSJeffrey23
 
Third Party Risk Management
Third Party Risk ManagementThird Party Risk Management
Third Party Risk ManagementEC-Council
 
Eric Anklesaria. Secure SDLC - Core Banking
Eric Anklesaria. Secure SDLC - Core BankingEric Anklesaria. Secure SDLC - Core Banking
Eric Anklesaria. Secure SDLC - Core BankingPositive Hack Days
 
24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'Positive Hack Days
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
A systematic approach to pci compliance using rsa archer
A systematic approach to pci compliance using rsa archerA systematic approach to pci compliance using rsa archer
A systematic approach to pci compliance using rsa archerSubhajit Bhuiya
 
ByteCode pentest report example
ByteCode pentest report exampleByteCode pentest report example
ByteCode pentest report exampleIhor Uzhvenko
 
Understanding Identity Management and Security.
Understanding Identity Management and Security.Understanding Identity Management and Security.
Understanding Identity Management and Security.Chinatu Uzuegbu
 
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05 Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05 sucesuminas
 
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsWhitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsJason Dover
 
Authentication_Best_Practices_WP(EN)_web
Authentication_Best_Practices_WP(EN)_webAuthentication_Best_Practices_WP(EN)_web
Authentication_Best_Practices_WP(EN)_webSafeNet
 
Security Testing In The Secured World
Security Testing In The Secured WorldSecurity Testing In The Secured World
Security Testing In The Secured WorldJennifer Mary
 

Semelhante a Nikhil wagholikar _risk_based_penetration_testing - ClubHack2009 (20)

PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation services
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892
 
Dealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleDealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation Style
 
Secure Iowa Oct 2016
Secure Iowa Oct 2016Secure Iowa Oct 2016
Secure Iowa Oct 2016
 
Application Security Review 5 Dec 09 Final
Application Security Review 5 Dec 09 FinalApplication Security Review 5 Dec 09 Final
Application Security Review 5 Dec 09 Final
 
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...
 
I Series User Management
I Series User ManagementI Series User Management
I Series User Management
 
Third Party Risk Management
Third Party Risk ManagementThird Party Risk Management
Third Party Risk Management
 
Eric Anklesaria. Secure SDLC - Core Banking
Eric Anklesaria. Secure SDLC - Core BankingEric Anklesaria. Secure SDLC - Core Banking
Eric Anklesaria. Secure SDLC - Core Banking
 
24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
A systematic approach to pci compliance using rsa archer
A systematic approach to pci compliance using rsa archerA systematic approach to pci compliance using rsa archer
A systematic approach to pci compliance using rsa archer
 
ByteCode pentest report example
ByteCode pentest report exampleByteCode pentest report example
ByteCode pentest report example
 
Understanding Identity Management and Security.
Understanding Identity Management and Security.Understanding Identity Management and Security.
Understanding Identity Management and Security.
 
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05 Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05
 
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsWhitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant Environments
 
Authentication_Best_Practices_WP(EN)_web
Authentication_Best_Practices_WP(EN)_webAuthentication_Best_Practices_WP(EN)_web
Authentication_Best_Practices_WP(EN)_web
 
Under Defense
Under DefenseUnder Defense
Under Defense
 
Security Testing In The Secured World
Security Testing In The Secured WorldSecurity Testing In The Secured World
Security Testing In The Secured World
 
Third Party Network Webinar Slide Deck 110718 FINAL
Third Party Network Webinar Slide Deck 110718 FINALThird Party Network Webinar Slide Deck 110718 FINAL
Third Party Network Webinar Slide Deck 110718 FINAL
 

Mais de ClubHack

India legal 31 october 2014
India legal 31 october 2014India legal 31 october 2014
India legal 31 october 2014ClubHack
 
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ BangaloreCyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ BangaloreClubHack
 
Cyber Insurance
Cyber InsuranceCyber Insurance
Cyber InsuranceClubHack
 
Summarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threatSummarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threatClubHack
 
Fatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleFatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleClubHack
 
The Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianThe Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianClubHack
 
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...ClubHack
 
Smart Grid Security by Falgun Rathod
Smart Grid Security by Falgun RathodSmart Grid Security by Falgun Rathod
Smart Grid Security by Falgun RathodClubHack
 
Legal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara AgrawalLegal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara AgrawalClubHack
 
Infrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathInfrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathClubHack
 
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanHybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanClubHack
 
Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyClubHack
 
Critical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiCritical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiClubHack
 
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaContent Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaClubHack
 
XSS Shell by Vandan Joshi
XSS Shell by Vandan JoshiXSS Shell by Vandan Joshi
XSS Shell by Vandan JoshiClubHack
 
Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012ClubHack
 
ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack
 
ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack
 
ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012ClubHack
 
ClubHack Magazine – December 2011
ClubHack Magazine – December 2011ClubHack Magazine – December 2011
ClubHack Magazine – December 2011ClubHack
 

Mais de ClubHack (20)

India legal 31 october 2014
India legal 31 october 2014India legal 31 october 2014
India legal 31 october 2014
 
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ BangaloreCyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
 
Cyber Insurance
Cyber InsuranceCyber Insurance
Cyber Insurance
 
Summarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threatSummarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threat
 
Fatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleFatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep Kamble
 
The Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianThe Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas Kurian
 
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
 
Smart Grid Security by Falgun Rathod
Smart Grid Security by Falgun RathodSmart Grid Security by Falgun Rathod
Smart Grid Security by Falgun Rathod
 
Legal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara AgrawalLegal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara Agrawal
 
Infrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathInfrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy Hiremath
 
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanHybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
 
Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish Bomisstty
 
Critical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiCritical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh Belgi
 
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaContent Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
 
XSS Shell by Vandan Joshi
XSS Shell by Vandan JoshiXSS Shell by Vandan Joshi
XSS Shell by Vandan Joshi
 
Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012
 
ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012
 
ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012
 
ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012
 
ClubHack Magazine – December 2011
ClubHack Magazine – December 2011ClubHack Magazine – December 2011
ClubHack Magazine – December 2011
 

Último

Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 

Último (20)

Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

Nikhil wagholikar _risk_based_penetration_testing - ClubHack2009

  • 1. What is on your mind, is on your body Nikhil Wagholikar Practice Lead | Security Assessments & Digital Forensics Member, Mumbai OWASP Chapter www.niiconsulting.com nikhil@niiconsulting.com
  • 2. CEH, ISO 27001:LA  Penetration testing, Security Auditing, Digital Forensics, GRC, Solutions, Performance Auditing  Numerous India and Middle East based clients  Conducted training on various fields of Information security like GRC, IT Security, Green IT, VAPT, Incident Response, Digital Forensics, Application Security
  • 3.  Articles  Dare to Delete my files – Checkmate  Universal Extractor – Checkmate http://www.niiconsulting.com/checkmate/  Assessing Bandwidth Use as a Function of Network Performance – ITAudit http://www.theiia.org/ITAuditArchive/index.cfm? catid=21&iid=571  Essential Aspects of an Effective Network Performance Audit – ITAudit http://www.theiia.org/ITAuditArchive/index.c fm?iid=575&catid=21&aid=2901
  • 4. Regular pen-testing vs. Risk-based pentesting  The process of risk-based testing ◦ Understanding the business ◦ Legal & regulatory requirements ◦ Understanding the risks ◦ Examples ◦ Client-side attacks ◦ Beyond hacking technology  Conclusion
  • 5.
  • 6. Lack of Business Risk Perspective – US Department of Homeland Security: “Most penetration testing processes and tools do little, if anything, to substantively address the business risks... This is largely due to the fact that the tools and the testers view the target systems with “technology blinders” on... Although many testing tools and services claim to rank vulnerabilities in terms of technical severity, they do not typically take business risk into account in any significant sense. At best, the test teams conduct interviews with the business owners of the applications and the application architects in an attempt to ascertain some degree of business impact, but that connection is tenuous. …the business perspectives, however limited, that these processes can determine are all post facto. That is, they make their business impact rankings after the test is completed...This is a key shortcoming of penetration testing practices today.” https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best- practices/penetration/655-BSI.html Software Security – building security in, Chapter 6 on “Penetration Testing Today” “The problem? No clue about security risk. No idea whether the most critical security risks have been identified, how much more risk remains in the system, and how many bugs are lurking in the zillions of lines of code”
  • 7. “Penetration testing is dead. The concept as we know it is on its death bed, waiting to die and come back as something else.” - Brian Chess, Co-Founder, Fortify Software
  • 9. Client: “Please provide quote for black-box penetration test”  SP: “Please provide list of IP addresses and URLs, and application test IDs” Pre-sales Approach - Evolved  Client: “Please provide quote for black-box penetration test”  SP: “Hang on...”  SP: “I‟d first like to know…”
  • 10. Traditional Pentesting Risk-based Pentesting Focus is on technical Focus is on business risks vulnerabilities Requires strong technical know- Requires both technical and business how process know-how Having the right set of tools is Understanding the workings of the critical business and applications is critical Is usually zero-knowledge Requires a person who understands the business process to play a significant role – usually an insider Understanding the regulatory Understanding the regulatory environment is good environment is mandatory
  • 11. Traditional Pentesting Risk-based Pentesting Severity levels are based on Severity levels are based on risk to technical parameters the business Risk levels in report are assigned Risk levels in report reflect the levels post facto assigned prior to testing Test cases are build based on Tests cases additionally build on risk testing methodologies or generic scenarios testing processes Audience for the report is usually Audience for the report also includes the IT and Security teams the business process owners and heads of departments
  • 12. Corporate Banking Platform – allows 3 logins ◦ Maker who enters the transaction into the system ◦ Verifier who checks the transaction data ◦ Authorizer who authorizes the final payment  Each screen in the web application is different based on privilege level of logged in user  Security implemented by: ◦ Restricting access to URLs that allow certain transactions ◦ Parameters that trigger certain transactions
  • 13. RA Phase ◦ Understand business process ◦ Understand business risks ◦ Define test cases  Can maker do what verifier does  Can verifier do what authorizer does  Can client‟s admin do what bank‟s admin does  So forth  Pentesting discovers ◦ http://www.bankPay.co.in/BankPayApp/authorizePaymentA ction.action is available only to Authorizer ◦ But what if Maker puts it in his browser? ◦ Transaction still doesn‟t get authorized ◦ Further investigation reveals a parameter:  Filter=„block‟ ◦ When this value is changed to:  Filter=„submitToPay‟
  • 14. Who are the key actors – employees, departments, customers, partners, vendors, investors, brokers, franchisees, resellers?  What applications do they use?  What data do they access through these applications?  What are the risks if any of these actors turns bad?  What possibilities exist if an actor should decide to misuse the data – building fraud scenarios?
  • 15. PCI DSS ◦ For all credit card processing merchants ◦ Quarterly, semi-annual, annual network scans and penetration tests ◦ Focus on web application security ◦ Requires high-level of protection of credit card data ◦ There are no fines for non-compliance but breaches of security could put you out of business  HIPAA ◦ For healthcare and pharma providers ◦ Requires high-level of protection for patient records and medical history ◦ Fines for non-compliance are usually high ◦ Breaches could put you out of practice/business
  • 16. FDA  FFIEC  SOX  Indian IT Act 2008  RBI / Other Central Bank  Others
  • 18. A local search engine with millions of hits on the website  Key concerns are: ◦ Growing competition ◦ Need to expand rapidly through resellers and franchisee model ◦ Threat of exposure of data to unscrupulous elements ◦ Low competitive entry barrier - biggest threat of corporate espionage  External web application test ◦ Running repeated search queries – changing session IDs, changing source IP addresses ◦ Exploiting other channels – WAP, Toolbar, sub-domains  Internal business applications tested from perspective of a: ◦ Tele-caller ◦ Marketing agent ◦ Developer
  • 19.
  • 20. Internationally acclaimed publications website  Earns income via paid subscription to researched publications  Publications are key intellectual property  Membership levels and subscription values differ based on sensitivity and type of information accessible  Use of the Google Search appliance leads to indexing of all data  While members only data is not accessible directly, it is accessible via the „Text Version‟ link from the Google search results!
  • 21.
  • 22. Investors use the stock exchange via brokers  However, direct interactions with exchange include: ◦ Registering with the exchange to obtain investor IDs ◦ Modifying investor personal data ◦ Nominating others to trade on their behalf ◦ Obtaining trade summaries ◦ Obtaining research reports  One of the key risks identified: ◦ Violation of privacy
  • 23. Website analysis reveals two areas of interest ◦ A local search functionality ◦ Online access to personal trading history and balance sheets  Each investor has a personal investor number – National Investor ID (NID)  Website also offers educational games and documents on how to trade  Guessing passwords for user IDs gives access to complete trade history and balance sheets  Entering interesting search terms results in personal details of investors being revealed
  • 24.
  • 25. Driven by business risks and regulatory requirements  Identify all sensitive data, not just authentication credentials  PCI DSS requires encryption of credit card data ◦ Between the client and the web server ◦ When stored in the database ◦ Between the web application server and the database server  HIPAA requires securing of all patient data ◦ Prescriptions ◦ Medical history ◦ Diagnostic results ◦ Transcriptions
  • 26. Taking it further – Pentesting ERP
  • 27. For a procure-2-pay cycle, possible fraud scenarios could include? ◦ Adding a vendor without proper approval ◦ Changing the banking data of a vendor so that payments go into the wrong bank account ◦ Approving a quote by violating access rights ◦ Approving an invoice without a goods-received- note being present ◦ Colluding with another user to perpetrate a fraud ◦ Violating maker-checker controls
  • 28. Main actors involved are: ◦ Brokers ◦ Franchisees ◦ Investors  Possible frauds could occur as follows: ◦ Attacker gathers enough data to social engineer a broker ◦ Attacker places trades on behalf of investors by violating web application security – jacking up share prices ◦ Attacker is able to determine trading patterns of HNIs – High Networth Individuals ◦ Attacker violates payment gateway controls to channel money into his/her own account ◦ Attacker impersonates a broker/franchisee and social engineers the share trading company
  • 29. Internal audit of a Southern India-based retail store contracts us to do a „tiger team‟ attack  Objective of the exercise is to determine controls over financial information  Risks identified: ◦ Access sensitive financial information? ◦ Modify goods prices and accounts information significantly? ◦ Change tags on goods to buy them at lower price?
  • 30.
  • 31.
  • 33. Social networking website  Value of website derives from focus on privacy and ease-of-use  Peer-feedback is the key to the popularity  Messages posted privately and on public „walls‟, „scrapbooks‟, „blogs‟  Integrity of messages is key  Social engineering can be used to trigger CSRF and XSS attacks
  • 35. Explaining the technicality of the issue to developers and management  Explaining exploitability and impact of the issue  Demonstrating practical risk from it  In some situations, explaining it additionally as HTML injection may help
  • 36.
  • 37.
  • 39. Vote for Cyber Security!
  • 40.
  • 41.
  • 42. Browser-based exploits  Trojaned MS Office/PDF files  Combine with SE on social networking sites ◦ LinkedIn ◦ Monster.com and job sites ◦ Social networking sites  Phishing attacks  Evil maid attacks  Windows Metafile-type exploits  RSA (2-factor) hacks
  • 43. Fear of the unknown  Client resistance  Simply a checklist item  Cost  Time
  • 44. Real-world hackers are hacking the business, not the technology – they always have been  Penetration testers need to bring their approach up to speed – go beyond the norm  Endeavor to obtain greater business know-how and a larger perspective than “technical blinkers”  Cookie-cutter pen-testing methods don‟t add value  Technical testing needs to be combined with physical penetration testing and social engineering  Reports and executive summaries should reflect this deeper understanding of the business perspective
  • 45. Nikhil Wagholikar Practice Lead | Security Assessments & Digital Forensics NII Consulting nikhil@niiconsulting.com www.niiconsulting.com