Secure Code Warrior - Privacy
Download as PPTX, PDF•0 likes•83 views
The document outlines essential security practices for application development, emphasizing the need for protection of sensitive information from attacks such as data sniffing and unauthorized access. It provides examples, including the internet payment company 'paybuddy,' which failed to secure credit card information leading to potential fraud. Additionally, it stresses proper data handling protocols, such as only storing necessary information and utilizing encryption, to mitigate privacy issues and protect user data.
Secure Code Warrior - Privacy
- 1. Data Protection & Privacy Application Security Fundamentals by Secure Code Warrior Limited is licensed under CC BY-ND 4.0
- 2. The application should implement security controls to ensure the protection and integrity of its sensitive information. What could happen? An attacker could retrieve sensitive and private information through stolen log files, caching, man-in-the- middle attacks or other means. How to implement it? Only store private information that is absolutely required. Make sure any stored or transmitted information is properly secured using encryption. What’s the concept about?
- 3. An internet payment company called “Paybuddy” is taking precautions to protect its customers from credit card theft. Communications to and from the site are protected using TLS, preventing attackers from sniffing the traffic. Credit card numbers are stored encrypted in the database using a strong algorithm. Credit card numbers are never displayed in full, so attackers cannot view the numbers through shoulder surfing. Caching is turned off as well. Data Protection & Privacy Understanding the concept Properly protected data Web application User: John Doe User Credit Card John 69d4a73c196f60c3e453a9832fb4 admin 086569d4a73c196f60c3e453a983 Bart a73c196f60c3e453a9832fb4fz90o bcrypt(creditcard) CC: XXXXXXX420
- 4. This time, “Paybuddy” forgot to take precautions to properly protect their customers and their data. An attacker sniffs traffic between the client and the server. He is able to steal sensitive information, such as the user’s credit card number. An attacker that is able to retrieve weakly hashed credit card numbers won’t have difficulties to decrypt them using rainbow tables. An attacker that is shoulder surfing can see a full credit card number in the application, which can be abused to commit fraud. Data Protection & Privacy What could happen with the concept? Unprotected data Web application User: John Doe User Credit Card John a73c196f60c3e453a9832fb4 admin 69d4a73c196f60c3e453a983 Bart a7360c3e453a9832fb4fz90o md5(creditcard) User: John Doe CC: 475629420 CC: 475629420
- 5. A software company is very careful in protecting the source code of their new mobile application. The source code repository is stored on encrypted hardware in a secured server room. To protect the source code in production, heavy obfuscation techniques are applied to the application. The source code repository can only be accessed from their internal network. Access to the repository is limited to developers with the right clearance. Data Protection & Privacy Understanding the concept Source code protection 0101011 1010010 1001010 1011011 1001010 Developer X Developer Y Developer Z
- 6. The company’s intellectual property is in danger due to a lack of source code protection. The repository is stored on a physically accessible server. Local attackers can copy the code, which is stored in clear text. Without obfuscation, users can decompile the application and retrieve the source. It can be modified and repackaged to be sold by a third party. The repository is publicly accessible and therefore easier to target by attackers. Data Protection & Privacy What could happen with the concept? Source code unprotected 0101011 1010010 1001010 1011011 1001010 Developer X Developer Y
- 7. Data Protection & Privacy Understanding the concept User’s privacy respected User: John Doe DoB: 29/02/1973 Sex: M Location: Sydney Religion: Pastafari John’s info DB Admin A certain web application allows users to create a profile. The application stores date of birth, sex, location, and religion. The user’s private information is stored in a database with restricted access. Only the database administrator has access to the database and the information. Additionally, he had to sign a non-disclosure agreement.
- 8. A certain web application allows users to create a profile. The application stores date of birth, sex, location, and religion. The user’s private information is stored in a database with restricted access. All developers working on the application can view the user’s private information in the development database. This clearly causes privacy issues. Before a new release, the database contents is copied to a development environment for testing purposes. Data Protection & Privacy What could happen with the concept? Privacy issues User: John Doe DoB: 29/02/1973 Sex: M Location: Sydney Religion: Pastafari John’s info John’s info Developer 1 Developer 2 Development
- 9. Data Protection & Privacy Typical controls Only store private information if absolutely needed. Don’t hard-code secret information in source code. Don’t store DB credentials or encryptions keys in plain text. Securely store all sensitive user information. Send traffic over a secure communication channel. Inform users using a privacy policy.