OWASP ASVS for NFTaaS in Financial Services (slide transcript)
Slide 1
OWASP ASVS for NFTaaS in Financial Services
OLEKSANDR KAZYMYROV, TECHNICAL TEST ANALYST
Slide 2
Agenda
• Chapter I - Brief Introduction
• Chapter II - Why OWASP ASVS?
• Chapter III - OWASP ASVS in Practice
• Chapter IV - Summary
Slide 3
CHAPTER I Brief Introduction
Slide 4
Who am I?
Education
• Candidate of Engineering Sciences in Information Security, KHNURE, Ukraine
• Ph.D. in Cryptology, University of Bergen, Norway
Other
• Certificates: Certified Ethical Hacker, Certified Encryption Specialist
• Standards: DSTU 7624:2014, DSTU 7564:2014
Job
• Technical Test Analyst at EVRY
Slide 5
EVRY – Nordic Champion
• 10.000 employees
• 50 towns and cities with capacity to deliver
• 11 regional offices with specialist competencies
Figure labels: 100+ employees; Women 26%; Age 39 yrs; Universum #4
Slide 6
EVRY GROUP - Geographic distribution
Figure labels: Nordics; Rest of the World (Global Delivery)
Slide 7
NFT Department
• Performance
o Front-end
o Load
o Endurance
o Stress
o Spike
• Reliability
o Failover
o Interruption
o Recoverability
o Load balancing
• Security
o Application layer
o Network layer
o Wireless
o PCI DSS
Slide 8
CHAPTER II Why OWASP ASVS?
Slide 9
PCI DSS Requirement 11.3
Slide 10
PCI DSS Penetration Testing
• External: AL (application layer), NL (network layer)
• Internal: AL (application layer), NL (network layer)
• Segmentation Checks
Slide 11
NIST SP 800-115: Appendix C - Application Security Testing and Examination
Slide 12
NIST SP 800-115: Appendix E - Table E-2. Online Resources
Slide 13
PCI DSS Penetration Testing - Summary
Methodology
• PCI DSS Penetration Testing Guidance
• NIST Special Publication 800-115
• Open Source Security Testing Methodology Manual
Testing Guide
• Open Source Security Testing Methodology Manual (“OSSTMM”)
• OWASP Testing Guide
• Penetration Testing Execution Standard
• Penetration Testing Framework
PCI DSS Requirement 6.5
• Injection flaws
• Insecure communications
• Improper error handling
• Improper access control
• Cross-site scripting (XSS)
• etc.
PCI DSS Requirement 11.3
• Perform external penetration testing
• Perform internal penetration testing
• Verify segmentation methods
Slide 14
OWASP Testing Guide (from PCI Pentest Guide)
Slide 15
OWASP Top 10 2013 vs PCI DSS
OWASP Top 10 2013
• A1 Injection
• A2 Broken Authentication and Session Management
• A3 Cross-Site Scripting (XSS)
• A4 Insecure Direct Object References
• A5 Security Misconfiguration
• A6 Sensitive Data Exposure
• A7 Missing Function Level Access Control
• A8 Cross-Site Request Forgery (CSRF)
• A9 Using Components with Known Vulnerabilities
• A10 Unvalidated Redirects and Forwards
PCI DSS Requirements (in slide order; “?” marks as on the slide)
• 6.5.1 Injection flaws / 6.5.2 Buffer overflows
• 6.5.10 Broken authentication and session management
• 6.5.7 XSS
• ? -
• ? 6.5.6 All “high risk” vulnerabilities
• ? 6.5.5 Improper error handling
• 6.5.8 Improper access control / 6.5.3 Insecure cryptographic storage
• 6.5.9 CSRF
• 6.5.6 All “high risk” vulnerabilities
• ? 6.5.4 Insecure communications
Slide 16
OWASP Application Security Verification Standard (ASVS)
Figure labels: OWASP Web Top 10; OWASP Code Review Top 9; Architecture; OWASP ASVS v3.0.1
Slide 17
Key parts of OWASP ASVS
• Scope for the application security verification standard
• Description of security verification levels
• Requirements / Controls
• Standards Mappings
Slide 18
OWASP ASVS Verification Controls (v3.0.1)
Slide 19
OWASP ASVS: Standards Mappings
Slide 20
Relation Between Requirements
Figure labels: OWASP ASVS; OWASP Top 10; PCI DSS
Slide 21
Scope for pentesting of web applications
Figure labels: OWASP TOP 10; EVRY; PCI DSS; EVRY FS; Security
Slide 22
CHAPTER III OWASP ASVS in Practice
Slide 23
OWASP ASVS Verification Controls
Slide 24
OWASP ASVS Verification Controls (v3.0.1)
Slide 25
OWASP ASVS Levels
• Level 0 - Cursory
• Level 1 - Opportunistic
• Level 2 - Standard
• Level 3 - Advanced
(Figure axis: Security, increasing with level)
Slide 26
An Issue With Level Definition
Figure labels: Requirements; Level; AUT
Slide 27
Relation Between Project and NFT
Figure labels (roles): NFT Manager; Project Manager; Test Env Manager; Functional Test Manager; Development Manager; Project Architect; NFT Manager; NFT Coordinator; NFT Analyst
Slide 28
Compliance Selection at Financial Services
Slide 29
EVRY FINancial suite Operational Domains in SaaS (FINODS)
Figure labels (diagram layout not recoverable from the transcript):
• Card Services
• Issuing, Acquiring and Security
• Portal, Internetbank and “non card clients”
• WebServices – load-balancers / MQ
• EDB ESB WS_PROXY Card Portal / Clients
• Bank Services (non-Card)
• Batch, Analysis, Security, Online
• Disk SAN – dedicated SAN's to critical systems
• Database servers – serving area C and E
• http-servers, MQ, filetransfer, SQLproxy, Internet Proxy
• Loadbalancers
• Database servers – Cards
• Security areas: Area A, Area B, Area C, Area D, Area E, Area F, Area G
• PCI / NON PCI
Slide 30
Authentication in Cardholder Client (CHC) Using LoginService2 (LS2)
Sequence diagram with participants Browser, LoginService2, Cardholder Client and SO Service; the transcript retains only the step numbers 1 to 10, not the message labels.
Slide 31
LoginService2
Slide 32
Cardholder Client
Slide 33
General Information on LS2 and CHC
LoginService2
• LS2 stays in front of almost all applications
• It is the first major security barrier
• LS2 helps to retrieve tokens (Secure Object, or simply SO) and hand them over to 3rd party applications
• Available through the Internet
• OWASP ASVS Level 3
Cardholder Client
• CHC is a part of EVRY’s NetBank (Online banking)
• It can be integrated with any 3rd party web application
• EVRY’s NetBank is protected by LoginService2 in front of CHC
• After logging in, CHC uses SO as the main parameter in session management
• Available through the Internet
• OWASP ASVS Level 2
Slide 34
Security Application Life Cycle
Figure labels: 6 months (1 year by PCI DSS); No or minor changes; Security assessment; Application update; Partial; Full; New functionality; Full pentest
Slide 35
Summary
• PCI DSS is a good starting point for any infrastructure
• OWASP ASVS is a flexible standard with minimal effort for adaptation
• For a stable security development lifecycle the following should be implemented
o Standard operation procedures
o Methodology for security testing
o Security risk assessment
o Role descriptions
o General compliance levels
Slide 36