Where the money is – Security of CBS.
Positive Hack Days
1.
Where the money is. – Security of CBS. Advisor for your information security.
Version: 1.0. Author: Ulrich Fleck. Responsible: Ulrich Fleck. Date: 27.5.2012. Confidentiality class: Public.
2.
Agenda
• About SEC Consult
• About the study
• Threats and drivers for application security in CBS
• Maturity of application security in CBS
• Security crash test of selected CBS products
• Résumé (summary)
• Discussion
Title: Where the money is – CBS Security. Version/Date: 1.0 / 27.5.2012. © 2012 SEC Consult Unternehmensberatung GmbH. Responsible: Ulrich Fleck. Confidentiality Class: Public. All rights reserved.
3.
SEC Consult – Who we are
• Leading international application security consultancy
• Founded 2002
• Headquarters near Vienna, Austria
• Delivery centers in Austria, Germany, Lithuania and Singapore
• Strong customer base in Central and Eastern Europe
• Increasing customer base of clients with global business (esp. out of Top-10 US and European software vendors)
• 45+ application security experts
• Industry focus: banks, software vendors, government
(Map: SEC Consult headquarters, SEC Consult offices, other SEC Consult clients)
4.
Our Key Question
What is the promise and the reality of application security for core banking systems?
5.
Part 1 – Answers provided by vendor
• We created a questionnaire with some 50 questions about security, especially with regard to core banking systems
• This questionnaire was provided to a preselected set of vendors, together with the offer to participate in our study
• We recommended that the person responsible for IT security should answer, or at least quality-assure, the questions and answers
• The methodology for the survey part was based on commonly known security standards, best practices and guidelines and the experience of Capgemini and SEC Consult
Part 2 – Security crash test at vendor
• As the answers to the questionnaire are just a subjective picture of the vendors themselves, we wanted to perform real-life security crash tests at the vendors
• Therefore we offered all vendors an application security check conducted by SEC Consult consultants
• We asked for access to the respective test system and ensured that the test results would only be published at a high level in this study, with detailed reports about the test case results handed over solely to the respective vendor
6.
Alternative Part 2 – Security crash tests at selected banks
(Part 1 and Part 2 as on the previous slide, plus:)
• Some of the vendors were quite interested and seriously considering a "Part 2" participation; however, none did finally agree
• Therefore we had to consider an alternative solution
• Fortunately three banks, showing big interest in this study, gave us the opportunity to perform security crash tests on their systems (three CBS in scope of this study)
• The applied methodology was based on commonly known security standards for application security, best practices in security tests with a black-box approach, and the experience of SEC Consult
7.
CBS Vendors of this Study
Major vendors relevant for the international and European market.
8.
(figure only)
9.
Attack surface for core banking systems (simplified)
Layers in the diagram, each with potential entry points for an attacker:
• Presentation layer
• Business logic tier
• Database layer
• Databases
• Network
10.
What did the vendors say?
• Information security of the vendor organization
  • Most of the vendors have an Information Security Management System (ISMS) in place
• Software development organization
  • Roles and responsibilities in the development process are documented in accordance with security policies
  • 90-100% of the (core) development staff on application security
• Methods for secure software development
  • The enforcement of methods for secure software development (Microsoft SDL, OpenSAMM, BSIMM, CMM-SSE) is in progress at some vendors
• Threat modeling and security requirements
  • Most of the vendors have an up-to-date threat model for each CBS module available
11.
What did the vendors say?
• Security incident response
  • Most of the vendors have a software security incident response process
• (Technical) standards and best practices for application security
  • (Technical) application security best practices and standards for web technologies like OWASP, ÖNORM A 7700 (Security requirements for web applications), etc. are already important for vendors
  • Data privacy standards for applications like EuroPriSe are not in focus yet
  • No certifications conducted on application security
12.
What did the vendors say about complexity?
(chart only)
13.
What did the vendors say? – Internal QA
• Security vulnerabilities identified from 1.1.2008 till 30.6.2010 by internal QA/testers before the software was released
  • Many vendors don't provide an answer
  • Range from "none" to hundreds
• Security vulnerabilities identified from 1.1.2008 till 30.6.2010 in already released software modules ("zero-day vulnerabilities")
  • Many vendors don't provide an answer
  • Range from "none" to hundreds
14.
Test coverage for application security
Significant differences in the test coverage for different test approaches between the vendors.
(chart only)
15.
How do you define the maturity level of state-of-the-art (application) security for your CBS product?
Vendor answers (quoted):
• "30+ years with no known security issues."
• "Strong & impenetrable security foundation"
• "Highly sophisticated"
• "CMMi Level 4."
• "High"
• "Mature." (×3)
All vendors position themselves to achieve (at least) state-of-the-art application security. This is a clear and consistent commitment and promise to the market.
16.
Crash test for 3 CBS (out of 8)
Test set-up:
• None of the eight vendors accepted the offer for a free-of-charge security crash test
• 3 major European banks stepped in with 3 products of this study – Thanks!!!
• Crash test with black-box approach and limited effort budget (approx. 15 person-days for each product)
• Access to the CBS with one low-privilege user account (standard user)
Test objective for a crash test:
• Check for toxic (= seriously insecure) software
• Identify application security vulnerabilities in the CBS to break the confidentiality, availability or integrity of the CBS
Image source: http://www.spiegel.de/fotostrecke/fotostrecke-22584-3.html
17.
Why attack the CBS from a standard working place?
The attacker has several choices to get access to a standard working place:
• One active Trojan horse malware
• Access by cleaning personnel, maintenance, contractors, volunteers, etc.
• Drive-by infection from website(s)
• …
Then the attacker starts to look for vulnerabilities to access the Core Banking System in depth…
(Diagram: standard working place for CBS, browser, Core Banking System)
For the test we used a low-privilege user and tried to expand the privileges and to access sensitive data of the Core Banking System.
18.
Hundreds to thousands of CBS standard working places to choose from
For the test we used a low-privilege user and tried to expand the privileges and to access sensitive data of the Core Banking System.
19.
Standard Blackbox Approach
Tasks:
• Use selective special tools and scripts for exploiting security vulnerabilities based on vulnerability classes
• Check compliance to state of the art standards for application security (A7700, OWASP, …)
• Adapt or write new exploit code if necessary
• Validate vulnerabilities
• Develop proof of concept material (screen shots, dumps, passwords, etc.)
• Assess risk and define recommendation
Diagram: Attack → Presentation Layer → Business Logic Tier → Database Layer → Database → Network
20.
CBS – Cross site scripting
The problem:
• A Cross Site Scripting security vulnerability is used to steal the identity information of a CBS user. First the attacker writes an email to this user with a malicious link, including hidden script code (a very short software program). The user receives the email and clicks on that link. The malicious script runs in (the context of) the web browser of the attacked user.
Vulnerability class:
• Web application security: input and output validation
Impact for bank:
• Account theft
• Remotely control the web browser
• Record all activities of the user
• Initiate changes in transactions (e.g. target account numbers of a transaction on the fly)
Secure software development:
• Architecture/Design: Failed
• Programming: Failed
• Test and Quality Assurance: Failed
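The slide names the root cause as missing output validation. The following is an added example (Python, not code from the deck or from any CBS vendor) that shows the defect and its fix side by side: a hypothetical account-overview page echoes a user-controlled search string into HTML; the vulnerable renderer inserts it raw, the hardened renderer HTML-escapes it and adds a Content-Security-Policy header without `'unsafe-inline'` as a second line of defence. Page markup, function names and the probe string are constructed for this example.

```python
"""Reflected XSS: raw concatenation versus context-aware output encoding.
Added illustration; all names and markup are hypothetical."""
import html

# Constructed page skeleton: the search term is reflected into the HTML body.
PAGE_TEMPLATE = "<html><body><h1>Account overview</h1><p>Search: {needle}</p></body></html>"


def render_vulnerable(needle):
    """Vulnerable: untrusted input lands in the HTML text context unchanged,
    so a '<script>' in the link parameter becomes part of the page."""
    return PAGE_TEMPLATE.format(needle=needle)


def render_hardened(needle):
    """Hardened: every untrusted value is escaped for the HTML text context
    (&, <, >, " and ' become entities), so the browser treats it as text."""
    return PAGE_TEMPLATE.format(needle=html.escape(needle, quote=True))


def security_headers():
    """Defence in depth: even if an encoding bug slips through somewhere,
    a CSP that forbids inline script keeps an injected block from running."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def contains_script_tag(markup):
    """Regression check a QA team can keep in its test suite: does the
    rendered page contain an unescaped script tag?"""
    return "<script" in markup.lower()


# Constructed probe string of the kind a tester would submit.
PROBE = "<script>alert(1)</script>"

if __name__ == "__main__":
    print(render_vulnerable(PROBE))
    print(render_hardened(PROBE))
```

The encoding must match the output context (HTML body, attribute, JavaScript string, URL); `html.escape` covers only the HTML text and attribute contexts, and a template engine with auto-escaping switched on is the more robust way to get the same guarantee across an entire application.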
21.
CBS – Weak encryption
The problem:
• First the attacker traces the data traffic between the CBS client and the CBS server. Due to the weak encryption security vulnerability of the CBS the attacker can bypass the login mechanism.
Vulnerability class:
• Design flaw in client-server communication (the hash is built on the client)
Impact for bank:
• Account theft
• Privilege escalation
• Perform a misuse of the account of the user
Secure software development:
• Architecture/Design: Failed
• Programming: Failed
• Test and Quality Assurance: Failed
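The design flaw on the slide is that the hash is built on the client: whatever the client transmits is then the credential itself, so a recorded login message verifies again. The following is an added example (Python, not from the deck or any vendor) that contrasts that design with a server-side verifier bound to a single-use server nonce, and checks that a recorded message is accepted by the weak design and rejected by the hardened one. User names, the sample password and the iteration count are constructed; transport encryption (TLS) is assumed on top and not modelled.

```python
"""Client-built hash versus server-side verifier with a single-use nonce.
Added illustration; identifiers are hypothetical."""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # PBKDF2 work factor, constructed value for the example


# ---- weak design (as on the slide): the hash is built on the client ----
def weak_client_login_message(password):
    """The client hashes the password and transmits the hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def weak_server_verify(stored_hash, message):
    """The server compares what it stored with what arrived. Nothing in the
    message is bound to this session, so a recorded message verifies again."""
    return hmac.compare_digest(stored_hash, message)


# ---- hardened design: server-side verifier plus a single-use server nonce ----
class AuthServer:
    def __init__(self):
        self._users = {}    # username -> (salt, verifier)
        self._issued = {}   # outstanding nonce -> username

    def enroll(self, user, password):
        salt = secrets.token_bytes(16)
        verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        self._users[user] = (salt, verifier)

    def challenge(self, user):
        """Step 1: server hands out the user's salt and a fresh random nonce."""
        salt, _ = self._users[user]
        nonce = secrets.token_bytes(16)
        self._issued[nonce] = user
        return salt, nonce

    def verify(self, user, nonce, proof):
        """Step 3: the nonce must be outstanding for this user; it is consumed
        whether or not the proof checks out, so it can never be used twice."""
        if self._issued.pop(nonce, None) != user:
            return False
        _, verifier = self._users[user]
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


def hardened_client_proof(password, salt, nonce):
    """Step 2: the client proves knowledge of the password for *this* nonce only."""
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.new(verifier, nonce, hashlib.sha256).digest()


def demo():
    """Presents one recorded login message twice to each design."""
    password = "correct horse battery staple"      # constructed sample credential
    # weak design: the server holds the same SHA-256 the client sends
    stored = weak_client_login_message(password)
    recorded = weak_client_login_message(password)   # what a network trace yields
    weak_live = weak_server_verify(stored, recorded)
    weak_replay = weak_server_verify(stored, recorded)
    # hardened design: the recorded proof is bound to a nonce that is now spent
    srv = AuthServer()
    srv.enroll("teller01", password)
    salt, nonce = srv.challenge("teller01")
    proof = hardened_client_proof(password, salt, nonce)
    hard_live = srv.verify("teller01", nonce, proof)
    hard_replay = srv.verify("teller01", nonce, proof)
    return {"weak_live": weak_live, "weak_replay": weak_replay,
            "hardened_live": hard_live, "hardened_replay": hard_replay}


if __name__ == "__main__":
    print(demo())
```

The point is the communication design, not the hash function: a stronger digest computed on the client would change nothing, because the server would still accept the transmitted value as proof. Binding each login to a server-chosen, single-use nonce is what makes a recorded exchange worthless; protecting the verifier store and keeping TLS on the wire are separate, additional requirements.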
22.
CBS – Privilege escalation – missing authorization
The problem:
• By enumerating several request parameters, arbitrary accounts can be taken over and misused by non-privileged users.
Vulnerability class:
• Design flaw based on missing authorization
Impact for bank:
• Account theft
• Privilege escalation
• The attacker becomes a more powerful user
• Access to administrative functionality
• The attacker can misuse the CBS by performing high privilege transactions and functions
Secure software development:
• Architecture/Design: Failed
• Programming: Failed
• Test and Quality Assurance: Failed
23.
CBS – SQL Injection
The problem:
• Nothing to add here; this should be an extinct vulnerability class
Vulnerability class:
• Web application security: input validation & design flaw
Impact for bank:
• Extracts valuable data of the database (data theft)
• Manipulate data in the database
• Account theft
• Privilege escalation
Secure software development:
• Architecture/Design: Failed
• Programming: Failed
• Test and Quality Assurance: Failed
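The two preceding slides (missing authorization on an enumerable request parameter, and SQL injection) typically meet in one place: the handler that looks up an account by a client-supplied identifier. The following is an added example (Python with an in-memory SQLite table, not code from the deck or any vendor) that shows one handler with both defects next to a version that binds parameters and makes ownership part of the query. Table, columns, user names and rows are constructed for the example.

```python
"""Account lookup: string-built SQL with no ownership check versus
parameter binding with the ownership predicate inside the query.
Added illustration; schema and data are hypothetical."""
import sqlite3


class AuthorizationError(Exception):
    """Raised when the caller asks for an account it does not own."""


def make_db():
    """In-memory table with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (iban TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("AT000000000000000001", "alice", 1200),
        ("AT000000000000000002", "bob", 98000),
        ("AT000000000000000003", "carol", 300),
    ])
    con.commit()
    return con


def lookup_vulnerable(con, caller, iban):
    """Both defects in one handler: the request parameter is spliced into the
    SQL text, and `caller` is never consulted, so any authenticated user can
    read any account simply by varying `iban`."""
    sql = "SELECT iban, owner, balance FROM accounts WHERE iban = '" + iban + "'"
    return con.execute(sql).fetchall()


def lookup_hardened(con, caller, iban):
    """Parameter binding keeps the input as data, and the ownership predicate
    is part of the query, so the result can only contain the caller's rows."""
    rows = con.execute(
        "SELECT iban, owner, balance FROM accounts WHERE iban = ? AND owner = ?",
        (iban, caller),
    ).fetchall()
    if not rows:
        # same response for "does not exist" and "not yours": no enumeration oracle
        raise AuthorizationError("account not found or not owned by caller")
    return rows


def can_read(con, caller, iban):
    """Boolean wrapper around the hardened lookup, handy in test suites."""
    try:
        lookup_hardened(con, caller, iban)
        return True
    except AuthorizationError:
        return False


# Constructed probe inputs a tester would submit: another user's account
# number, and the textbook tautology that makes a concatenated WHERE clause
# true for every row.
OTHER_ACCOUNT = "AT000000000000000002"
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    con = make_db()
    print("vulnerable, other account:", lookup_vulnerable(con, "alice", OTHER_ACCOUNT))
    print("vulnerable, tautology:    ", lookup_vulnerable(con, "alice", TAUTOLOGY))
    print("hardened, own account:    ", lookup_hardened(con, "alice", "AT000000000000000001"))
    print("hardened, other account:  ", can_read(con, "alice", OTHER_ACCOUNT))
```

Putting the ownership predicate in the SQL rather than filtering in application code after the fetch is deliberate: the database never hands back rows the caller is not entitled to, so a later refactoring cannot accidentally drop the check.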
24.
CBS – Direct OS Command execution
The problem:
• Several flaws led to access to the underlying operating system for non-privileged users.
Vulnerability class:
• Web application security: input validation & design flaw
Impact for bank:
• Control over the operating system of the server of the CBS.
• The CBS system can be shut down, wiped or manipulated with wrong data by the attacker.
• Data of the server can be copied to a repository of the attacker.
• Additionally, this vulnerability can be used to attack other systems of the bank
• Account theft and privilege escalation
• Total compromise of system, data backends etc.
Secure software development:
• Architecture/Design: Failed
• Programming: Failed
• Test and Quality Assurance: Failed
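OS command execution in a web application usually comes from handing user-controlled text to a shell. The following is an added example (Python, not from the deck or any vendor) built around a hypothetical "export statement" feature: the vulnerable form assembles a command string for `shell=True`, the hardened form validates the file name against an allowlist and passes an argument vector with `shell=False`, so no shell ever parses the user's bytes. The tool path, output directory and probe name are constructed.

```python
"""OS command injection: shell command string versus validated argv list.
Added illustration; paths and names are hypothetical."""
import re
import subprocess

EXPORT_TOOL = "/opt/cbs/bin/export-statement"      # hypothetical tool path
EXPORT_DIR = "/var/exports"                        # hypothetical output directory
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")     # allowlist: letters, digits, _ and -
SHELL_METACHARS = set(";|&`$()<>\n*?[]{}\\'\"")


def build_command_vulnerable(filename):
    """Vulnerable: one string meant for subprocess.run(..., shell=True).
    Whatever is in `filename` is parsed by /bin/sh, so a command separator
    in the name turns into an additional command."""
    return f"{EXPORT_TOOL} --out {EXPORT_DIR}/{filename}.pdf"


def is_valid_export_name(filename):
    """Allowlist check: accept only a plain file name, nothing else.
    fullmatch() is used so a trailing newline cannot sneak past a '$' anchor."""
    return SAFE_NAME.fullmatch(filename) is not None


def build_command_hardened(filename):
    """Hardened: validate first, then return an argument vector. With a list
    and shell=False there is no shell to interpret the user's input."""
    if not is_valid_export_name(filename):
        raise ValueError("invalid export file name")
    return [EXPORT_TOOL, "--out", f"{EXPORT_DIR}/{filename}.pdf"]


def run_export(filename):
    """Executes the hardened form; argv goes straight to execve as fixed
    tokens, so even a value that reached here would be a single argument."""
    return subprocess.run(build_command_hardened(filename), shell=False,
                          capture_output=True, check=False)


def contains_shell_metachars(command_string):
    """Review/test helper: does user data reach the command string carrying
    characters a shell would interpret?"""
    return any(ch in SHELL_METACHARS for ch in command_string)


# Constructed probe: a file name carrying a command separator and a harmless
# second command, as a tester would use to confirm the defect.
PROBE = "statement_2012-05; id"

if __name__ == "__main__":
    print(build_command_vulnerable(PROBE))
    print(build_command_hardened("statement_2012-05"))
```

Validation and the argv list are both needed: the allowlist keeps path separators and odd characters out of the file name the tool receives, and the list form guarantees that the operating system, not a shell, splits the command into arguments. Running the export tool under a dedicated low-privilege account limits what a remaining flaw in the tool itself could reach.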
25.
Summarizing
3 of 3 tested CBS fail application security standards (FAILED!)
• e.g. Open Web Application Security Project (OWASP), WASC, BSI ISi-Reihe (Germany), ÖNORM A 7700 (Austria), etc.
3 of 3 tested CBS are not state of the art in application security (FAILED!)
• Vendor self-assessment: CMMi Level 4. High Mature. Mature. Mature.
3 of 3 tested CBS have deficiencies in secure software development (FAILED!)
• Architecture/Design: Failed
• Programming: Failed
• Test and Quality Assurance: Failed
26.
Business Impact for Banks
The found vulnerabilities in 3 of 3 tested CBS
• enable unauthorized access
• disable segregation of duties
• circumvent the effectiveness of auditing and logging
• circumvent the effectiveness of strict access control and enable privilege escalation
and therefore can cause violations of compliance requirements (such as Basel II, SAS70, ISO 27001, national data privacy protection laws, national banking specific laws, etc.)
Diagram: Attacks → Presentation Layer → Business Logic Tier → Database Layer → Database → Network
27.
What to do if you are a bank?
Demand state-of-the-art application security for CBS
• Vendor contracts with mandatory state-of-the-art application security requirements
• Define penalties for not achieving state-of-the-art application security requirements
• Cost sharing for unsuccessful application security tests
Prove the vendor claims and promises by testing application security of CBS
• Application security tests (Security Quality Gates)
Establish additional multi-lines of defense
• Measures to at least temporarily mitigate some risks of an insecure CBS on other levels of defense (infrastructure, organizational, awareness of users, etc.)
The best point in time to detect toxic (=seriously insecure) software is when you buy it.
28.
Software Vendors already using SEC Consult.
Title: SEC Consult Software Security Assurance Services | Version/Date: 1.1 / May 2011 | © 2011 SEC Consult Unternehmensberatung GmbH | Responsible: U. Fleck | All rights reserved
29.
How to reach us/me?
Ulrich Fleck
Director Sales and Business Development Austria
+43 676 840 301 719
Email: u.fleck@sec-consult.com

Austria
Mooslackengasse 17
A-1190 Vienna
Tel: +43-(0)1-890 30 43-0
Fax: +43-(0)1-890 30 43-15
Email: office@sec-consult.com
www.sec-consult.com