What are the risks associated with e-commerce services and which areas in e-commerce business processes should be reviewed by an IT Auditor?
I think risks associated with E-commerce services include breach of customer PII and financial data.
PCI DSS is the ideal framework for any e-commerce business today; it has 6 guidelines that are split into 12 objectives to help online businesses secure cardholder data and the servers that process, transmit and store the data.
With the explanations provided in this chapter, which security principle is impacted by a buffer overflow attack? And if none, why?
Hi Innocent,
A buffer overflow attack may damage the integrity and confidentiality security objectives. Attackers exploit a buffer overflow vulnerability by overwriting the memory of a program, which may damage files and expose sensitive information. In other words, the attacker can change the execution path and transfer control to the attacker's malicious code. After gaining control over the process, the attacker can do anything; he/she can crash it or change variables.
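The "change variables" case in the reply above, worked through in C as an added example (this is not code from the thread or from any course material). It assumes a hypothetical `struct session` in which a 16-byte `name` buffer is immediately followed by an `is_admin` flag, and a constructed 17-byte login name as the attacker's input; the unchecked copy spills the 17th byte into the flag, while the bounded version rejects the input before any copy happens.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout: two adjacent fields, the way they would sit in a
 * struct or a stack frame.  An overflow of `name` runs straight into
 * `is_admin`. */
struct session {
    char name[16];   /* copied from attacker-controlled input */
    int  is_admin;   /* the variable that happens to follow the buffer */
};

/* The copy loop strcpy performs: it stops at the source's NUL terminator and
 * never learns how large the destination is.  It writes through the byte
 * view of the whole struct so that the spill into is_admin stays within
 * defined behaviour for this demo; real code just calls strcpy(s->name, src)
 * and relies on the same memory layout.  Input longer than the whole struct
 * would corrupt whatever follows it in memory. */
static void copy_unchecked(struct session *s, const char *src)
{
    unsigned char *dst = (unsigned char *)s + offsetof(struct session, name);
    size_t i = 0;
    do {
        dst[i] = (unsigned char)src[i];
    } while (src[i++] != '\0');
}

/* Vulnerable: is_admin is cleared, then the unbounded copy lets the caller's
 * bytes from offset 16 onward land on top of it.  Returns the privilege
 * level the program now believes in. */
int login_vulnerable(struct session *s, const char *name)
{
    memset(s, 0, sizeof *s);
    copy_unchecked(s, name);
    return s->is_admin;     /* should be 0 on every path; it is not */
}

/* Hardened: the destination size is part of the check, and over-long input
 * is rejected outright rather than silently truncated.  Returns 0 on
 * success, -1 if the name does not fit. */
int login_hardened(struct session *s, const char *name)
{
    size_t n = strlen(name);
    memset(s, 0, sizeof *s);
    if (n >= sizeof s->name)
        return -1;
    memcpy(s->name, name, n + 1);   /* n + 1 copies the NUL as well */
    return s->is_admin;              /* always 0 here */
}

/* Constructed payload: 16 bytes fill `name`; the 17th byte (0x01) and the
 * copied NUL land in is_admin.  On a little-endian machine is_admin reads
 * as 1, on big-endian as 0x01000000.  Either way it is non-zero. */
static const char PAYLOAD[] = "AAAAAAAAAAAAAAAA\x01";

/* Small wrappers so the outcomes can be checked as return values. */
int demo_vulnerable_is_admin(void)
{
    struct session s;
    return login_vulnerable(&s, PAYLOAD);
}

int demo_hardened_rejects(void)
{
    struct session s;
    return login_hardened(&s, PAYLOAD);
}

int demo_hardened_keeps_name(void)
{
    struct session s;
    return login_hardened(&s, "alice") == 0 && strcmp(s.name, "alice") == 0;
}

int main(void)
{
    printf("vulnerable: is_admin = %d after logging in as %.16s...\n",
           demo_vulnerable_is_admin(), PAYLOAD);
    printf("hardened:   login returned %d (over-long name rejected)\n",
           demo_hardened_rejects());
    printf("hardened:   normal name accepted and stored: %d\n",
           demo_hardened_keeps_name());
    return 0;
}
```

The point the check demonstrates is the one the reply makes: no code ever assigns `is_admin = 1`, yet after the unchecked copy the process acts as if it had, which is the integrity failure. Swap the flag for a saved return address and the same overflow becomes the execution-path hijack the reply also describes.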
What is the biggest risk facing web applications today?
Personally, according to the OWASP Top 10, I think injection attacks are the biggest risk facing web applications today. Hackers can find vulnerabilities in code and put injection into the script in order to gain unauthorized access to the server and network.
In general, it is suggested that injection is the top risk to web applications. However, I think that this answer may vary if you consider individual web applications and the assets that may be behind them.
I think the biggest risk posed to applications in general is developers who don't care about security. This is why there are still flaws in many programs, or simple attacks work, because secure coding techniques were thrown out the window. Making sure the development team is invested in security is a great first step to ensuring secure coding practices are taking place.
Can you give an example of VoIP threats from a real-world situation? How have hackers used this technique? What was the impact?
What do you think about this owasp web code review checklist?
https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf
What is the importance of testing servers during the application's life cycle?
The importance of testing servers during the application's life cycle is to ensure that the application:
– Meets the business and technical requirements that guided its design and development
– Works as per the requirements
– Can be implemented with the same characteristics
As an IT Auditor with only a fundamental knowledge of coding, what aspects of a web application can be looked at to assess its security posture?
Hi Akshay,
IT Auditors can test the following:
• Ensure that the web application is safeguarded against injection attacks,
• Review session management and authentication methods,
• Ensure that sensitive data is protected using appropriate encryption technologies,
• Verify that proper access controls are in place,
• Ensure controls over the secure configuration of web servers,
• Ensure that developers receive adequate secure coding training.
Hello Zeynep,
Thank you for this list. I observe that this list is aligned with checking applications for the OWASP Top 10 attacks and can certainly provide a good baseline for IT Auditors to assess the security of an application.
Hi Akshay,
Besides Zeynep's response, IT auditors can review the policy and procedure related to web application assessment. Policy and procedure are the significant fundamentals which identify the scope and control safeguards.
Hello Num,
You have correctly mentioned that policies and procedures are always a good starting point for auditors to understand what procedures are used in making the web application functional and whether the requisite security components are included.
Of the OWASP Top Ten, which of the threats shown did you have the hardest time developing an understanding of?
I think the most difficult to understand is XML External Entities (XXE).
What are some ways to secure VoIP?
Hi Sarah,
In regard to protecting the confidentiality of VoIP, encryption can be used against eavesdropping. To protect integrity, in other words to provide information unaltered by unauthorized people, strong authentication schemes can be used, and caller ID should be verified and never trusted. To protect availability, the VoIP network should be protected against DoS attacks. To do so, firewalls should be in place to filter abnormal signals, and strong authentication methods should be applied to make sure legitimate parties are communicating.
What do we think is the most important step to securing an asset? Is it on the surface or with encrypting the asset itself?
I think one of the most important steps in securing an asset is properly assessing the risk level of the asset. If you assign something a moderate risk level when it should have been high, then you're going to under-protect the asset. Making sure you understand what the asset is and then selecting the proper controls is the difficult part.
Attack Surface Analysis is important and complex. As an IT auditor, what type of software is needed for this analysis? (Suppose the importance is prioritized due to cost control.)
Microsoft provides Attack Surface Analyzer on their website. Here is a description of the software.
Attack Surface Analyzer is developed by the Microsoft Customer Security and Trust group. It is the same tool used by Microsoft's internal product groups to catalogue changes made to the operating system attack surface by the installation of new software. This version is a rewrite of the classic 1.0 version of the tool, released in 2012, which was dedicated to older versions of Windows.
How can we do attack surface analysis without reaching the code? Do we need a programmer to understand how their application or website works?