“the cash desk, the derivatives desk, the program desk … bring them all together”
“Do you have trading technology that allows you to trade across every asset in every country?”
“Our traders can trade across multiple asset classes simultaneously”
“We offer you the ability to trade from your PDA”
How long can you be out of the market for?
OWASP
Motivation
How long can you be out of the market for?
Regulatory requirements
Business loss opportunities
Liability issues regarding prices
Increase in number of people on the floor
The Freakonomics of Security and Personnel
Scenario: Member of Staff A holds a password of ‘operational importance’
Technical Attack Approach
Password is stored in the form of a 128 bit hash
Obtaining the hash would require an insider’s presence
To check a single value would cost: $0.00000000001
To check more than half of the values: ≈ $184 million
Human Attack Approach
Clerical Staff A’s salary: $40K / year
A successful career of, say, 25 years
Total earnings: ≈ $1 million
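The comparison on this slide is a cost model: the attacker picks whichever route is cheaper, brute-forcing the hash or buying the person who holds the password. The script below is an added example, not part of the slides, that turns the slide's figures into parameters so the break-even point can be explored for other password strengths and per-check prices. Note that the slide's figure of ≈ $184 million is what the formula gives for 2^64 checks (half of a 65-bit space) at $0.00000000001 each; treating the 128 bits as the hash output length rather than the effective search space is an assumption made here, and a full 128-bit space would cost vastly more.

```python
import math

# Added example (not from the slides). Defaults are the slide's own figures.
COST_PER_CHECK_USD = 1e-11       # slide: one hash check costs $0.00000000001
INSIDER_LIFETIME_USD = 1e6       # slide: $40K/year over 25 years ≈ $1 million


def brute_force_cost(bits, fraction=0.5, cost_per_check=COST_PER_CHECK_USD):
    """Cost in USD of checking `fraction` of a 2**bits search space.

    With bits=65 and fraction=0.5 this is 2**64 checks, which reproduces the
    slide's ≈ $184 million at the stated per-check price.
    """
    if bits < 0 or not 0 < fraction <= 1:
        raise ValueError("bits must be >= 0 and 0 < fraction <= 1")
    return fraction * (2 ** bits) * cost_per_check


def human_attack_cost(salary_per_year=40_000, years=25):
    """Upper bound on what it costs to 'buy' a career (the slide's ≈ $1 million)."""
    return salary_per_year * years


def break_even_bits(human_cost=INSIDER_LIFETIME_USD, fraction=0.5,
                    cost_per_check=COST_PER_CHECK_USD):
    """Effective search-space size (bits) at which both attacks cost the same.

    Below this the technical attack is cheaper; above it the human attack is.
    """
    return math.log2(human_cost / (fraction * cost_per_check))


def cheaper_path(bits, human_cost=INSIDER_LIFETIME_USD, fraction=0.5,
                 cost_per_check=COST_PER_CHECK_USD):
    """Route a cost-minimising attacker prefers for a given effective entropy."""
    technical = brute_force_cost(bits, fraction, cost_per_check)
    return "technical" if technical < human_cost else "human"


if __name__ == "__main__":
    print(f"break-even entropy: {break_even_bits():.1f} bits")
    for b in (40, 56, 65, 128):
        print(f"{b:>4} bits: technical ≈ ${brute_force_cost(b):.3g}, "
              f"cheaper path = {cheaper_path(b)}")
```

The defender's reading is the one the slide makes: once the effective entropy of a secret passes the break-even point (about 57 bits with these prices), spending more on hash strength buys nothing, and the residual risk sits with the person holding the secret, so controls such as separation of duties and monitoring of privileged users matter more than longer hashes.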
Secure Development Training
Application Assessment
Network Assessment
VPN / RAS Test
Firewall Review
Messaging System Audit
Typical Assessment Findings
Scenario
Operational System
Risk Assessment Initiated
Initial Internal Assessment
External Penetration Test
Scenario Results
External Penetration Test
A1: Cross Site Scripting
A2: Cross Site Request Forgery
A4: Web Application DoS
A7: Weak Session Cookies
A9: Insecure Communications
Final Risk Assessment
A1: Non Internet Facing Application
A2: Scarce Data Manipulation Attacks
A4: Application recovers successfully
A7: Users not technical enough
A9: Internal Switched Network
Fun and Profit Enterprise Attack
A4: Cause a Web Denial of Service
A1: Mass Internal Phishing Email
A2: Manipulate data on the fly
A7: Hijack administrator’s data
A9: Bounce data off mail gateway
Conclusions
Complex “Enterprise Level” applications will experience “Enterprise Level” attacks
An application, subsystem or component must be able to withstand a targeted specialized attack
Simplicity is key for a Secure System Implementation